Re: [openssl.org #3203] Normalize PFS key exchange labels
On 1 January 2014 21:39, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: On 01/01/2014 12:48 PM, Ben Laurie wrote: Pull requests on Github are quite useful - that way they also get tracked (so long as we remember to close them when applied, that is!). OK, i've rebased the series against the current master, and submitted a github-specific pull request: https://github.com/openssl/openssl/pull/37 Cool, tho didn't I read that Steve already pulled it? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3207] CVE-2013-6449
Hello OpenSSl team, Do you know when a fix for CVE-2013-6449 is going to be released? Also, do you know if the OpenSSL FIPS package is affected? Thanks, -- Daniel Shaul Fidelis Cybersecurity Solutions - Support Associate Support Engineer Support: 1.800.652.4020 option 3 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3208] Planned removal of SSL_OP_MSIE_SSLV2_RSA_PADDING breaks dependent software
It looks like OpenSSL 1.0.2 will no longer provide the constant SSL_OP_MSIE_SSLV2_RSA_PADDING in its header files (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=dece3209f299ebcd82414868ee39b2c6feb3be0a). This will break dependent software, including all versions of MRI Ruby. Please consider keeping this constant around until a larger version change. -- Matijs signature.asc Description: PGP signature
[openssl.org #3209] Web man page for OPENSSL_VERSION_NUMBER claims it has 9 hex digits.
The web man page describing OPENSSL_VERSION_NUMBER claims it has 9 hex digits: DESCRIPTION OPENSSL_VERSION_NUMBER is a numeric release version identifier: MMNNFFPPS: major minor fix patch status The text of the man page is self-consistent since many of the examples also show 9 digits. Of course none of those actually fit in a 32-bit long. The flaw is that the page claims two digits for the major release MM when the opensslv.h supports only one digit, e.g MNNFFPPS. http://www.openssl.org/docs/crypto/OPENSSL_VERSION_NUMBER.html Doug Gibbons | Consulting Engineer | Avaya Inc. | 1300 W. 120th Ave | B3-C61 | Westminster, CO 80234 | 303-538-3538 | ldgibb...@avaya.commailto:ldgibb...@avaya.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3210] typo in SSL_CTX_use_serverinfo.pod
patch below should be self-explanatory diff --git a/doc/ssl/SSL_CTX_use_serverinfo.pod b/doc/ssl/SSL_CTX_use_serverinfo.pod index 4409322..da7935c 100644 --- a/doc/ssl/SSL_CTX_use_serverinfo.pod +++ b/doc/ssl/SSL_CTX_use_serverinfo.pod @@ -19,7 +19,7 @@ These functions load serverinfo TLS ServerHello Extensions into the SSL_CTX. A serverinfo extension is returned in response to an empty ClientHello Extension. -SSL_CTX_use_serverinfo_file() loads one or more serverinfo extensions from +SSL_CTX_use_serverinfo() loads one or more serverinfo extensions from a byte array into Bctx. The extensions must be concatenated into a sequence of bytes. Each extension must consist of a 2-byte Extension Type, a 2-byte length, and then length bytes of extension_data. -- Born in Roswell... married an alien... http://emptyhammock.com/ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3211] typo in SSL_CONF_cmd.pod
patch below should be self-explanatory diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index c55f631..38aebc9 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -29,7 +29,7 @@ or to process defaults. Currently supported Bcmd names for command lines (i.e. when the flag BSSL_CONF_CMDLINE is set) are listed below. Note: all Bcmd names -and are case sensitive. Unless otherwise stated commands can be used by +are case sensitive. Unless otherwise stated commands can be used by both clients and servers and the Bvalue parameter is not used. The default prefix for command line commands is B- and that is reflected below. -- Born in Roswell... married an alien... http://emptyhammock.com/ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3208] Planned removal of SSL_OP_MSIE_SSLV2_RSA_PADDING breaks dependent software
On Sat, Jan 04, 2014 at 11:25:27AM +0100, Matijs van Zuijlen via RT wrote: It looks like OpenSSL 1.0.2 will no longer provide the constant SSL_OP_MSIE_SSLV2_RSA_PADDING in its header files (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=dece3209f299ebcd82414868ee39b2c6feb3be0a). This will break dependent software, including all versions of MRI Ruby. Please consider keeping this constant around until a larger version change. From the diff itself: -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0040L /* no effect since 0.9.7h and 0.9.8b */ That means it didn't do anything since 2005/2006. I'm not sure how removing it can be considered to break something if it didn't do anything. Are you still trying to use SSL v2? You really stop using that. Or is it just that you can no longer build the depend software? Then you really should stop using that flag. PS: 1.0.1f will already drop that flag if it gets released. Kurt __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3207] CVE-2013-6449
On Sat, Jan 04, 2014, Daniel Shaul via RT wrote: Hello OpenSSl team, Do you know when a fix for CVE-2013-6449 is going to be released? Also, do you know if the OpenSSL FIPS package is affected? Please don't use the RT address for general queries. To answer your questions. A release is planned in the next few days and FIPS is not affected. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3208] Planned removal of SSL_OP_MSIE_SSLV2_RSA_PADDING breaks dependent software
On Sat, Jan 04, 2014, Kurt Roeckx wrote: On Sat, Jan 04, 2014 at 11:25:27AM +0100, Matijs van Zuijlen via RT wrote: It looks like OpenSSL 1.0.2 will no longer provide the constant SSL_OP_MSIE_SSLV2_RSA_PADDING in its header files (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=dece3209f299ebcd82414868ee39b2c6feb3be0a). This will break dependent software, including all versions of MRI Ruby. Please consider keeping this constant around until a larger version change. From the diff itself: -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0040L /* no effect since 0.9.7h and 0.9.8b */ That means it didn't do anything since 2005/2006. I'm not sure how removing it can be considered to break something if it didn't do anything. Are you still trying to use SSL v2? You really stop using that. Or is it just that you can no longer build the depend software? Then you really should stop using that flag. PS: 1.0.1f will already drop that flag if it gets released. I think this is a case of mapping all the SSL_OP constants automatically. When I was looking to remove SSL_OP_PKCS1_CHECK_1 to add support for a TLSv1.2 I hit a similar issue. The fix is to keep the define and set it to zero. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
