On Wed, Oct 04, 2017, Mahesh Bhoothapuri wrote:
> Thanks for the hint. The problem is fixed.
>
> Server was setting:
>
> if (SSL_CTX_set1_groups_list(ctx, "X25519:P-256") == 0) {
> //
> }
>
> The call succeeds.
>
> But the old TLS 1.2 code was setting:
>
> int nid =
On Wed, Oct 04, 2017, Mahesh Bhoothapuri wrote:
> if (SSL_CTX_set1_groups_list(ctx, "P-521:P-384:P-256") == 0) {
> //error
> }
>
If you have the above line you're telling the client to advertise support for
P-521:P-384:P-256 in that order and the server to only use them.
>
On Wed, Oct 04, 2017, Matt Caswell wrote:
>
> As Tomas said - that ship has sailed. In my mind that change was a
> mistake. It could have been done in a non-breaking way by introducing a
> new header format at that time.
>
As regards a new header format. In the case of some of the structures
On Mon, Oct 02, 2017, Matt Caswell wrote:
>
>
> On 02/10/17 15:00, Blumenthal, Uri - 0553 - MITLL wrote:
> > Moving to openssl-dev, because I think OpenSSL-1.0.2 needs a fix.
> >
> >
> >
> > To be more specific, the following get methods are missing in 1.0.2:
> >
> >
> >
> > -
On Tue, Sep 26, 2017, Blumenthal, Uri - 0553 - MITLL wrote:
> Working on pkcs11 engine, I discovered a bug in crypto/rsa/rsa_pmeth.c in
> pkey_rsa_encrypt() and pkey_rsa_decrypt().
>
> They cause a crash when called with out==NULL. Normally it should not happen
> - but when an engine is
On Tue, Aug 29, 2017, Richard Levitte wrote:
> I'm late in the game, having only followed the development very
> superficially...
>
> If I understand correctly, the RAND_DRBG API is really a completely
> separate API that has nothing to do with the RAND_METHOD API per se,
> i.e. any association
On Mon, Aug 28, 2017, Brett R. Nicholas wrote:
>
>
> One more follow up question:
>
>
> > If possible you should set the public key components anyway: some operations
>
> > such as generating certificate requests require them to be present
>
> I'm confused what you mean here, since my
On Mon, Aug 28, 2017, Leon Brits wrote:
> The upgrade is now working fine in one of the applications which make TLS
> connections. I can see the engine functions being called when some action
> (sign/verify) which require the privatekey.
>
> However, this engine is also used in a patched
On Mon, Aug 28, 2017, Brett R. Nicholas wrote:
> > The rsa_mod_exp function is only called for private key operations. You
> > can't
> > tell if it is a private encrypt or a private decrypt though but that
> > shouldn't matter because the operation performed at that level is the same
> > for
>
On Sun, Aug 27, 2017, Brett R. Nicholas wrote:
>
> This makes sense to me, and it seems that is the desired behavior. However,
> if I *only* reimplement the rsa_mod_exp() function, and leave the
> encrypt/decrypt functions to the default openSSL implementations, how can my
> engine know which of
On Tue, Aug 22, 2017, Lukasz Kostyra wrote:
> Hello,
>
> I've been trying recently to work with OpenSSL and use it to encrypt and
> decrypt data with AES cipher in GCM mode. While reading the documentation, I
> noticed an inconsistency between example code and manual.
>
> My concern is the
On Thu, Jul 20, 2017, Cristi Fati wrote:
> Apologies for spam, if this isn't the right place:
>
>
> *Details*:
>
> - *cygwin* *64bit* running on *Win10* (*CYGWIN_NT-10.0 cfati-e5550-0
> 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin*)
> - *openssl-1.0.2l* - irrelevant
> -
On Thu, Jul 13, 2017, Matthew Stickney wrote:
>
> You may have been looking at a different version of IE than what I've
> got on my Windows 7 VM, but at least here IE doesn't allow you to set
> certificate purposes: it has a dialog that looks just like that (under
> the "Advanced" button in the
On Sun, Jul 09, 2017, Matthew Stickney wrote:
> The Certificate Manager in Windows does allow you to change the trust
> settings for root certs (including the purposes reported by openssl
> x509 -purpose), although those changes don't appear to be reflected in
> the cert dumped from the store (so
On Sun, Jul 02, 2017, Salz, Rich via openssl-dev wrote:
> > I tried using OBJ_create() with NULL or an empty string for the OID, but
> > currently it checks that the given OID is actually a valid one. Is there
> > any workaround to avoid this other than issuing my own OID?
>
> No. Just get an
On Mon, Jun 26, 2017, Nicola Tuveri wrote:
> Hi,
>
> I'm working on ENGINE development, and I have the need to add an NID for a
> custom message digest, and eventually for ciphers and PKEY methods.
> Some of the associated object don't (and won't ever) have an associated
> OID, but I need to add
On Mon, Jun 26, 2017, Brett R. Nicholas wrote:
> AFAIK (and please correct me if this is wrong) my init_key function is
> invoked by the EVP interface when I call the EVP_[En/De]cryptInit_ex
> function, and the do_cipher function is called upon EVP_[En/De]cryptUpdate.
> But how should I
On Tue, Apr 11, 2017, Michael Reilly wrote:
> Hi,
>
> commit 222333cf01e2fec4a20c107ac9e820694611a4db added a check that the size
> returned by EVP_PKEY_size(ctx->pkey) in M_check_autoarg() in
> crypto/evp/pmeth_fn.c is != 0.
>
> We are in the process of upgrading from 1.0.2j to 1.0.2k and
On Thu, Mar 30, 2017, Winter Mute wrote:
> Hello,
> All certificates I have encountered with this extension seem to have a
> problem with the encoding of the distributionPoint.
> According to the specs:
>
> DistributionPointName ::= CHOICE {
> fullName[0]
On Tue, Dec 13, 2016, David Woodhouse wrote:
> On Tue, 2016-12-13 at 13:09 +0000, Dr. Stephen Henson wrote:
> > The reason for that is that the PEM forms which contain
> > the key algorithm in the PEM header were considered legacy types and new
> > methods
> > sh
On Tue, Dec 13, 2016, Dr. Stephen Henson wrote:
>
> So if we wanted to go down this route all that is needed to get a form of this
> functionality is a function to set the PEM decoder in EVP_PKEY_ASN1_METHOD.
>
Note however that this currently assumes the data between the PEM heade
On Wed, Nov 30, 2016, James Bottomley wrote:
> One of the principal problems of using TPM based keys is that there's
> no easy way of integrating them with standard file based keys. This
> proposal adds a generic method for handling file based engine keys that
> can be loaded as PEM files.
On Wed, Nov 16, 2016, James Bottomley wrote:
> The assumption in all the current engine code is that key_id can be
> passed as something like a file name.
Well no it's a null terminated string whose meaning is engine specific. In
some cases it is a key ID, in others it is a more complex string
On Wed, Nov 16, 2016, Richard Levitte wrote:
> If I understand correctly, the intention is to avoid having to use
> ENGINE_load_private_key() directly or having to say '-keyform ENGINE'
> to the openssl commands, and to avoid having to remember some cryptic
> key identity to give with '-key'.
On Thu, Sep 15, 2016, Sebastian Andrzej Siewior wrote:
> Hi,
>
> I've been looking at spice-gtk to get it compiled against openssl 1.1.0.
> One problem I have is that they are using a custom X509_LOOKUP_METHOD
> struct which is now not possible.
> It seems that this requirement was introduced
On Thu, Aug 04, 2016, Jim Carroll wrote:
> I had heard a patch was being worked on, but I do not believe it has been
> released (or if it is -- I can't find it).
>
> I can confirm that "OpenSSL 1.1.0-pre7-dev" still has the bug which
> prevents PKCS7 sign-->encrypt->decrypt from working.
>
On Wed, Jul 27, 2016, john gloster wrote:
> Hi,
>
> Can we use both the following APIs in the same application to load
> certificate to the SSL context?
>
> *SSL_CTX_use_certificate_file()*
> *SSL_CTX_use_certificate_chain_file()*
>
You should only use one. If you use
On Wed, Jul 27, 2016, Catalin Vasile wrote:
> Hi,
>
> I'm trying to use the EVP_PKEY_TLS1_PRF interface.
>
> The first thing I do inside my code is:
> pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
> But pctx is NULL after that call.
>
> I've watched test/evp_test.c and it does not
On Mon, Jul 25, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> I confess I did not test this with 1.1.x. But in 1.0.2h there's a problem.
>
> CMS man page says:
>
> If the -decrypt option is used without a recipient certificate then an
> attempt is made to locate the
> recipient by trying each
On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:
> On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:
>
> > "X509_LOOKUP_hash_dir is a more advanced method, which loads certificates
> > and CRLs on demand, and caches them in memory once they are loaded. As of
> >
On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:
> On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:
>
> > On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:
> >
> > > "X509_LOOKUP_hash_dir is a more advanced method, which loads certificates
> > > and
On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:
> "X509_LOOKUP_hash_dir is a more advanced method, which loads certificates
> and CRLs on demand, and caches them in memory once they are loaded. As of
> OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so that newer
> CRLs are
On Tue, Jul 19, 2016, Hubert Kario wrote:
> I have few questions now though:
>
> I've noticed that 1.0.2 uses sha1 hmac for the PRF while the master
> uses sha256
>
> is there a way to set this?
>
Not currently no (at least not from the command line, maybe by delving
into the pkcs12
On Thu, Jul 07, 2016, c.hol...@ades.at wrote:
>
> I try to get RSA encryption/decryption (over the API) with MGF1
> OAEP-padding other than SHA1.
>
You need to use the EVP_PKEY API and pass the required algorithm to
EVP_PKEY_CTX_set_rsa_oaep_md() which is currently undocumented (fix coming
up).
On Wed, Jun 01, 2016, Mody, Darshan (Darshan) wrote:
>
> Does Openssl allows NULL ciphers when we put openssl in FIPS mode?
>
If you mean NULL ciphersuites then yes though they're not enabled by default
just like non-FIPS mode.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
On Tue, May 31, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> Does OpenSSL support ECC-based S/MIME as defined in RFC 5753?
>
> I was trying to create an encrypted S/MIME message using OpenSSL-1.0.2h,
> and got the following:
>
> $ openssl smime -encrypt -aes128 -inform SMIME -in
On Thu, May 12, 2016, Matt Caswell wrote:
>
>
> On 11/05/16 22:03, Russ Housley wrote:
> > Today, the IETF uses OpenSSL to digitally sign Internet-Drafts. If
> > you care about the details, please see RFC 5485.
> >
> > We are looking to expand Internet-Draft signing, and start signing
> >
On Tue, Apr 26, 2016, Kurt Roeckx wrote:
> Hi,
>
> I'm working on a tool that checks various things related to X509
> certificates. I want to check that the encoding is actually
> correct DER. With things like ASN1_TIME it seems easy to get to
> the raw data, it just seems to contain it. But
On Mon, Mar 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni"
>
> wrote:
>
> >On Mon, Mar 14, 2016 at 05:45:34PM +, Stephan Mühlstrasser via RT
> >wrote:
>
On Fri, Mar 04, 2016, Dmitry Belyavsky wrote:
> Dear Rich,
>
> Is it possible to add a command line option to select hash algorithm used
> in the PRF calculations?
> GOST ciphersuites, for example, use TLS1 PRF based on the GOST digest
> algorithms.
>
I think it's already there -pkeyopt md:
On Tue, Mar 01, 2016, Jakub Zelenka wrote:
> Hello,
>
> I'm just slowly porting PHP core openssl ext to work with OpenSSL 1.1 and
> just came across one thing that I can't find a function for.
>
> We have got a part in openssl_x509_parse where we display cert->name (cert
> is X509 struct) if it
On Mon, Feb 22, 2016, Wall, Stephen wrote:
> I wonder if I could get the thoughts of some of you developers on how
> difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of
> the current (2.0.11?) fipscanister.o. Also, opinions on if this would be a
> legitimate way to get
On Mon, Feb 15, 2016, The Doctor wrote:
> Just tested this on the old BSD/OS machine
>
> works with openssl 1.0.2X
>
> Openssl 1.1.X issues
>
> cipher.h in openssl 1.1 needs to read
>
> struct sshcipher;
> struct sshcipher_ctx {
> int plaintext;
> int encrypt;
>
On Thu, Feb 11, 2016, Michel wrote:
> Hi,
>
>
>
> I have a test program which is failing using version 1.1 because
> PKCS12_Parse() doesn't return the certificate, just the key. No error is
> signaled.
>
> I supposed it is not intended. Is it work in progress ?
>
That's a bug which should
On Thu, Feb 11, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> ^
> Probably correct IN THIS ONE CASE, because Most Significant Bit is zero
> even without the leading zero byte. See below.
>
> >>The problem is that is an invalid encoding. An ASN.1 INTEGER cannot
>
On Wed, Jan 20, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> On 1/20/16, 5:10 , "Hubert Kario" wrote:
>
> It appears to me that pkeyutl is more an instrument to access those
> primitive operations, unlike dgst that provides access to the "true"
> (complete) signature
On Sat, Jan 16, 2016, Bill Cox wrote:
>
> I feel keyed hashing is here to stay. Keccak also has this feature.
> Assuming I'm reading the EVP API correctly, should add support for keyed
> digests to EVP. What do you folks think?
>
Support for MAC already exists in EVP. It's possible to access
On Thu, Jan 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
> On 1/14/16, 16:51 , "openssl-dev on behalf of Dr. Stephen Henson"
> <openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote:
>
> >On Thu, Jan 14, 2016, Salz, Rich wrote:
> >
>
On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
>
>
> If the input to "pkeyutl -sign" is supposed to be digest output only -
> then
> what's the point of having command line arguments specifying the digest to
> use? And if the input can be an arbitrary file (like for
On Sat, Jan 09, 2016, Paul Kehrer wrote:
> The ASN1 functions for NAME_CONSTRAINTS are not declared or implemented in
> the current OpenSSL releases. This is inconsistent with other extension
> structs and (I believe) means you either need to declare them yourself or
> attempt to build
On Thu, Dec 24, 2015, Dmitry Belyavsky wrote:
>
> If you try to change the output length via the -macopt option of the dgst
> command, you'll see that the text output will be 4 bytes.
> It seems to happen because of the internal call to the EVP_MD_size()
> function.
>
> If we change the
On Wed, Dec 23, 2015, Dmitry Belyavsky wrote:
> Hello OpenSSL Team,
>
> I have a question.
>
> I need to implement a digest with variable length of output. The length of
> output can be easily specified by the control function, but EVP functions
> expect the constant length of the digest
On Fri, Dec 18, 2015, Alexander Gostrer wrote:
> Hi Steve,
>
> John and I completed writing an ECDH engine based on the
> OpenSSL_1_0_2-stable branch. We were planning to expand it to the master
> but found some major changes made by you recently. What is the status of
> this task? Is it stable
On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
> Much better now - but at this time I hit "unsupported algorithm". The key
> in question is RSA-2048, with SHA256.
>
> $ LOAD_CERT_CTRL=true VERBOSE=7 openssl pkeyutl -engine pkcs11 -sign
> -keyform engine -inkey
>
On Thu, Dec 10, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
> On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson"
> <openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote:
>
> >
> >As I indicated the fix I suggested it tem
On Fri, Dec 04, 2015, Carl Tietjen wrote:
> Folks,
>
> It looks like the Windows x86_64 build for OpenSSL version 1.0.1q is broken.
>
>
> I am building a FIPS capable version, and have verified that I have the
> corrected download build: SHA1 checksum:
>
On Fri, Nov 13, 2015, Benjamin Kaduk wrote:
>
> As another thread calls to mind, PKCS#12 could potentially just use
> triple-DES. (BTW, the CMS tests fail when openssl is configured with
> no-rc2, due to this; I have a WIP patch sitting around.)
>
The issue is that some current software
On Sat, Oct 17, 2015, Roumen Petrov wrote:
> Hello,
>
> After embed some attributes OCSP in master stop to work.
>
> The current status is the client comment report "Cert Status:
> unknown" and "Nonce Verify error" for X.509 certificates used in my
> ssh regression tests.
>
> The last known
On Fri, Sep 11, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
> I am trying to build the current Github version of openssl on Ubuntu-14.04
> LTS. Must add that this system has openssl-1.0.1f already installed (relict
> of Ubuntu software update process).
>
> Everything seems to compile fine, but
On Mon, Aug 17, 2015, Patil, Ashwini IN BLR STS via RT wrote:
Hi Mr. Stephen N. Henson,
Thank you so much for the reply.
We would like to use the option1 mentioned by you. But unfortunately the
dll's were not generated, only static lib's were generated.
Please guide if we have
On Mon, Aug 17, 2015, Patil, Ashwini IN BLR STS wrote:
Please let me know if I need to make changes in ntdll.mak file to generate
the corresponding fipslibeay32.dll .
As I need to include this dll in my test application to turn on the fips
module.
There is no fipsleay32.dll
On Sun, Jul 19, 2015, The Doctor wrote:
On Sun, Jul 19, 2015 at 06:05:26AM -0600, The Doctor wrote:
What should I be looking at when
signed content test streaming S/MIME format, 2 DSA and 2 RSA keys: verify
error
occurs?
Further from the code
i =
On Mon, Jun 29, 2015, rst...@symsysresearch.com wrote:
I am getting incorrect False-Negative results when performing tests
with 186-4 vectors (generated by CAVS 17.6).
This vector is being reported false while CAVS says they should pass.
[mod = 1024]
n =
On Fri, Jun 12, 2015, Bill Cox wrote:
Here's some code in master starting at line 594 in s3_srvr.c:
if (!s->s3->handshake_buffer) {
SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
return -1;
}
/*
On Sun, May 24, 2015, Dixon Xavier wrote:
Hi,
Going by the description in links:
http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html
On Tue, Apr 21, 2015, Richard Moore wrote:
On 21 April 2015 at 12:50, Dr. Stephen Henson st...@openssl.org wrote:
I think what would be useful here would be an API that can determine
appropriate characteristics of an SSL_CIPHER. For example a NID
corresponding to the key exchange
On Mon, Apr 20, 2015, Richard Moore wrote:
On 20 April 2015 at 21:25, Salz, Rich rs...@akamai.com wrote:
What is the information you're looking for? kx=X25519 or kx=2KRSA
or ... ? I picked those because sometimes there's a keysize, and other
times it's implicit, for example. The
On Mon, Apr 13, 2015, Paweł Kaźmierczak wrote:
Hello,
is there a support for aes-gcm in openSSL CMS implementation?
Following code works when EVP_aes_128_cbc is used as CMS_encrypt param but
fails with EVP_aes_128_gcm. Am I missing something (like setting the gcm
header/tag) or
On Thu, Apr 09, 2015, Juan Antonio Osorio wrote:
Hi,
I've recently encountered that OpenSSL is sending some unexpected errors
when reading X.509 certificate requests, if the key is not specified, or
the CSR is not signed.
Well if a key is not specified or the CSR isn't signed then it
On Thu, Apr 09, 2015, Paweł Kaźmierczak wrote:
I am afraid EC certs do not work in CMS openSSL 1.0.2. I just wrote a
simple test procedure:
void cmsTest()
{
//this RSA works
//auto certFileBio = BIO_new_file("c:\\a\\simplersa_noPem.cer", "rb");
//auto prvKeyFileBio =
On Thu, Apr 09, 2015, Paweł Kaźmierczak wrote:
Hi,
currently openssl in CMS supports only RSA based certificates but EC based
certificates are supported in openssl TLS... so I assume that there is
already a code that can sign/verify and perform key agreement (ECKA-EG
ECKA-DH) using
On Tue, Mar 24, 2015, ?? wrote:
I use the openssl library in the project and use client certificate
verification. When using protocol TLSv1.2 I have a problem with data
encryption, using the private key of the client certificate. This is due to
the fact that the
On Tue, Mar 31, 2015, Julien Kauffmann wrote:
if (!combine)
*pval = NULL;
I'd suggest deleting the two lines above. The structure should be cleared
without this and the above line is wrong for non pointer fields anyway.
On Tue, Mar 31, 2015, Julien Kauffmann wrote:
Basically what happens is that, somewhere inside the call to
PEM_write_bio_ECPrivateKey(), an ASN1 sequence of 3 elements is
allocated. The corresponding code is as follows (in
crypto/asn1/tasn_new.c:181):
if (!combine) {
*pval =
On Tue, Mar 24, 2015, Susumu Sai wrote:
time_t t;
time(&t);
ASN1_TIME *tmptm = ASN1_TIME_new();
X509_gmtime_adj(tmptm, 0);
// With 0.9.8, the return value ret = 1
// With 1.0.2, the return value ret = -1
int ret =
On Thu, Mar 19, 2015, Randall S. Becker wrote:
On March 19, 2015 10:09 AM OpenSSL wrote:
To: OpenSSL Developer ML; OpenSSL User Support ML; OpenSSL Announce ML
Subject: [openssl-dev] OpenSSL version 1.0.2a released
OpenSSL version 1.0.2a released
===
On Thu, Mar 19, 2015, Erik Tkal wrote:
If I do not send a sessionID in the clientHello but do send a valid
sessionTicket extension, the server goes straight to changeCipherSpec and
the client generates an UnexpectedMessage alert.
Does the server send back an empty session ticket
On Tue, Mar 10, 2015, Steve Schefter wrote:
On 3/10/2015 8:03 PM, Dr. Stephen Henson wrote:
On Fri, Mar 06, 2015, Steve Schefter wrote:
Which OS and version of OpenSSL are you using?
I am using 1.0.1j on Linux. I've not tried to build 1.0.2, but I
see the same use of the private_
On Fri, Mar 06, 2015, Steve Schefter wrote:
Hi.
I am compiling OpenSSL with the FIPS options and seeing a build
error. My question is more about the intent than the problem.
One example: When apps/speed.c is compiled with FIPS enabled,
OPENSSL_FIPS is defined and DES_set_key_unchecked
On Sat, Mar 07, 2015, Allauddin Ahmad via RT wrote:
Dear Concerned:
Can you please confirm that OpenSSL branch 0.9.7 branch is not affected by:
As Viktor mentioned 0.9.7 is no longer being maintained.
However the following two issues will be present in 0.9.7:
*RSA silently
On Fri, Feb 27, 2015, Hong Cho wrote:
Hi,
I generated OpenSSL libcrypto (1.0.1l) with the OpenSSL FIPS crypto module
(2.0.8) on FreeBSD 8.4 amd64.
It seems to build fine, and with OPENSSL_FIPS, it seems to behave correctly
(e.g., MD5 is refused, DH with 512-bit key is refused, etc.).
On Fri, Feb 20, 2015, W Smith wrote:
Thanks, Rich.
Does anyone know how to walk through a BIO stack that includes a BIO pair
and get to the ultimate source/sink BIO? If I can get that, I'll be in good
shape. Anybody?
Not sure I follow you. A BIO pair is the ultimate source/sink BIO.
On Fri, Feb 20, 2015, W Smith wrote:
Rich,
Yeah, I have industrial strength Tylenol standing by. I'm expecting this to
be painful, but not insurmountable for the handshake. If I'm unable to even
get at the ultimate source/sink, I can't get anywhere.
I can deal with the HTTP side and
On Fri, Feb 13, 2015, Viktor Dukhovni wrote:
On Fri, Feb 13, 2015 at 11:59:13AM +, Salz, Rich wrote:
Some time ago, I had submitted a patch which allows administrators, but
most importantly OS distributors to set their own strings in the
configuration
file, which software can
On Tue, Feb 10, 2015, Viktor Dukhovni wrote:
We should also recall that the master branch has introduced security
levels, which may still need some work to become production-ready,
but are likely a better mechanism for applications to move to more
secure settings than incompatible changes
On Wed, Feb 04, 2015, Rex Bloom wrote:
Can someone help me understand what type of digital signature I can use for
FIPS compliance.
I used this command:
openssl genrsa -aes128 -passout pass:mypassphrase -out privkey.pem 2048
to generate a pem file but when I tried to load this as
On Fri, Jan 23, 2015, Thirumal, Karthikeyan wrote:
Team,
In order to fix the Poodle vulnerability on SSLv3, I tried to disable my
SSLv3 cipher using the below cipher set, but did not even initiate SSL in
0.9.8a.
On Fri, Jan 23, 2015, Susan Hinrichs wrote:
Hello All,
I work with Apache Traffic Server. Many of our users use the SNI
callback to select the certificate that the proxy will present to
the client. This selection can take some time. Rather than
blocking the callback thread, we would
On Tue, Dec 30, 2014, satish.kumarya...@cognizant.com wrote:
Hi
Is there any way to unload client certificate and private key from SSL
context?
I could not find any openssl api to unload client cert from SSL object.
There is a function SSL_certs_clear() but it is only in OpenSSL 1.0.2+
On Thu, Dec 11, 2014, Steffen Nurpmeso via RT wrote:
are hard (not only to parse) for users but there is a lot of
information for good in very few bytes; sad is
Received SIGPIPE during IMAP operation
IMAP write error: error::lib(0):func(0):reason(0)
OpenSSL itself should
On Thu, Dec 11, 2014, Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES
LIMITED at Cisco) wrote:
Hi Team,
For Vulnerability issue, we are indeed to upgrade the openssl version to
0.9.8zc version. We have downloaded the source from
www.openssl.org site. While
On Thu, Dec 04, 2014, Tomas Hoger wrote:
On Wed, 3 Dec 2014 22:55:06 +0100 Kurt Roeckx wrote:
Maybe applications may benefit from an API where they can pass string
set by the end user and let OpenSSL parse version number from that.
If mod_ssl had configuration directives as SSLProtocolMin
On Tue, Nov 25, 2014, Philip Prindeville via RT wrote:
On 11/25/2014 07:48 AM, Matt Caswell via RT wrote:
On Thu Nov 20 21:35:45 2014, phil...@redfish-solutions.com wrote:
Can the following function please be added:
int RSA_public_digest(const RSA* key, const EVP_MD *type, unsigned
On Mon, Nov 24, 2014, Philip Bellino wrote:
Hello,
I am looking for some help and I do not profess to be an expert in this
area, so forgive me for asking the following.
I am running openssl-fips-2.0.7 with openssl-1.0.1j in my application (in FIPS
mode) and am trying to figure out how to
On Wed, Aug 06, 2014, arun11299 wrote:
Hello Folks,
I am experiencing a hard to debug crash in openssl crypto library within our
process.
We have a client and server which communicates using SSL with NULL
encryption. The client when it connects to the server sends a Certificate
signing
On Thu, Aug 07, 2014, Arun Muralidharan wrote:
Thanks Stephen for your reply. I am doing OpenSSL_add_all_digests in
one of my class initialization routine, so it gets called whenever an
instance of this class gets created (I am now building my code with
this removed). But I am not removing
On Thu, Aug 07, 2014, Tomas Mraz wrote:
Hi,
during the review of OpenSSL commits I found this one:
https://github.com/openssl/openssl/commit/22a10c89d7c3f951339c385d57cc8fd23c0a800b
There is unfortunately not much detail in the commit message. Could this
be a possible security issue? Can
On Tue, Jul 29, 2014, Jitendra Lulla wrote:
Hi Steve,
Please refer the following mail from you:
http://www.mail-archive.com/openssl-dev%40openssl.org/msg32918.html
...
The high level MAC (including HMAC) interfaces go through EVP_PKEY treating it
as a signing operation. It *is*