Proposal: environment variable to disable SSLv2/v3/TLSv1.0/etc individually

2014-10-23 Thread Kyle Hamilton
This idea comes via https://bugzilla.mozilla.org/show_bug.cgi?id=1083767 (which I realize isn't on openssl's rt, but given the enormity of the security problem I hope you'll forgive me). The proposal at that bug is to create an environment variable for NSS to enforce disablement of particular vers

Re: Return codes of EC_POINT_is_at_infinity, EC_POINT_is_on_curve

2014-07-21 Thread Kyle Hamilton
in the first place. It's only applicable in areas where there are no error returns. (A lack of error returns is often cited as a security liability in any case.) -Kyle H On 7/11/2014 6:22 AM, balaji marisetti wrote: > @Kyle Hamilton > So should all the new programs stick to the idi

Re: Return codes of EC_POINT_is_at_infinity, EC_POINT_is_on_curve

2014-07-11 Thread Kyle Hamilton
EC_POINT_is_on_curve is documented to return -1 on error, 0 if it's not on the curve, and 1 if it is on the curve. However, this breaks the standard idiom if(!EC_POINT_is_on_curve()) { return BAD_KEY; }, because it requires an additional test for an error condition. I don't know what the best out

Another security bug, this time in MAC verification...

2014-06-10 Thread Kyle Hamilton
http://opensslrampage.org/post/88383880093 I don't know if this has in fact been given to the OpenSSL team yet. I am not jsing, and I am not involved in the OpenBSD audit. However, this is important. If MD5 passes, but SHA1 fails, then the MAC verification will pass. This reduces the security

Re: FIPS revalidation after openssl vulnerability fix

2014-01-31 Thread Kyle Hamilton
If you are using the same fipscanister (that was properly built), there is no need to revalidate. Any other situation that has a validation doesn't follow the supported validation, and the answer cannot be found here. -Kyle H On Jan 29, 2014 10:24 PM, "sam1982" wrote: > Thanks Stevan for prompt

Re: Safe ECC curves

2014-01-06 Thread Kyle Hamilton
1.3.6.1.4.1.22232.15.0: Curve25519 (That's out of my arc) X coordinate is an OCTET STRING. Y coordinate is a 0-byte OCTET STRING (since it's not defined as optional in ASN.1, it must be present -- but how can you compress what doesn't exist?) When does the Point Compression patent expire, anyway

Re: Safe ECC curves

2014-01-01 Thread Kyle Hamilton
Curve25519 public keys are 32-byte strings of digits. Private keys are 32-byte strings of digits. The agreement algorithm doesn't use the Y coordinate at all. djb has a fixed-clock-cycle algorithm he wrote in GNU assembly for Athlon. I am unhappy with his insistence that nobody should try to impl

Re: [openssl.org #2993] Openssl manual pages

2013-02-17 Thread Kyle Hamilton
Sure, but you probably also didn't have them in /usr/local/ssl/man, instead of /usr/local/man or /usr/man. They need to go somewhere that the default man configuration on most Linuxes will get to them, if not the BSDs. -Kyle H On Sat, Feb 16, 2013 at 6:41 AM, Kurt Roeckx via RT wrote: > On Sa

Re: No support for "-modulus" with EC keys

2013-01-27 Thread Kyle Hamilton
Open-source ("publicly available") cryptographic software is covered under EAR exemption TSU. The regulations themselves are available at http://www.bis.doc.gov/policiesandregulations/ear/index.htm . They are the definitive source for the procedures necessary, and addresses you need to ping. -Ky

Re: top 10 mistakes when using libopenssl?

2012-10-10 Thread Kyle Hamilton
Suggestions from my experience: -Failing to verify the certificate after calling SSL_accept() -Failing to verify minimum cipher strength for the application -Failing to understand that the NULL suites give nothing and only take extra bytes -Misunderstanding that "DN=CN:CA1;DN=CN:you" does NOT match

Re: [openssl.org #2753] AutoReply: Patch: let application explicitly seed RNG on Unix

2012-04-19 Thread Kyle Hamilton
On Thu, Apr 19, 2012 at 8:52 AM, Kevin Fowler wrote: 2. I am using OpenSSL/FIPS on a system with /dev/urandom. Although the rand_unix.c RAND_poll() function is called only once with the released code, after the system has been up for a bit after reboot, I have assumed that the read from /dev/u

Re: Generating randomness in userspace

2011-08-13 Thread Kyle Hamilton
See also http://egd.sourceforge.net/ (Entropy Gathering Daemon, written in perl) -Kyle H On Thu, Aug 11, 2011 at 12:33 PM, Vegard Nossum wrote: Hi, I've written a small program that gathers randomness from the uncertainty of scheduling between threads/cores in a multithreaded program/system.

Re: SSL/TLS: Revealing information about the trusted authorities

2011-07-31 Thread Kyle Hamilton
The names of the CAs accepted are already supposed to be sent as part of the negotiation. It wasn't until after TLSv1.0 that the spec permitted a wildcard CA name list. This kind of information-leakage being a vulnerability also depends on the application being authentication-naive. A web ap

Re: Which tar.gz file I need for OpenSSL FIPS Object Module?

2011-07-18 Thread Kyle Hamilton
The Security Policy is the document you need. Please see Steve Marquess's link to the official copy at NIST. The Security Policy explains everything, including what file you need to obtain, its HMAC, how to verify it, what you must do to retain validation of the canister, how to build the caniste

Re: Picking up right openssl version for RFC 5746 support

2010-10-05 Thread Kyle Hamilton
You must run './config', at the very least. -Kyle H On Tue, Oct 5, 2010 at 1:54 AM, kunal patel wrote: > > Hi Giles, > > The reason for undefined references (below is just an example I have > encountered alot of them) is the function definitions are missing from > 0.9.8n version. I compared the

Re: How can I upload that .chm file?

2010-09-19 Thread Kyle Hamilton
A Gmail account, which allows you to send file attachments through Google's smtp server up to 10MB in size, is free. -Kyle H On Sat, Sep 18, 2010 at 6:11 PM, Harold S. Henry wrote: > No luck sending to r...@openssl.org; the mail server still said the .chm file > exceeded its fixed size limit...

Re: [PATCH] Openssl asm BN/AES/SHA1 optimization for SH4 and MIPS32

2010-09-09 Thread Kyle Hamilton
Please send this to r...@openssl.org so that it goes into the request tracker, or else it will likely be lost in the shuffle. -Kyle H On 9/7/10 1:56 PM, Vincent Labie wrote: Hi, Please find attached a BN/AES/SHA1 asm implementation for SH4 and MIPS32 little endian systems (common CPUs in So

Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-10 Thread Kyle Hamilton
n top of X.509, and only for public key certificates (i.e. not attribute certificates). Kyle Hamilton wrote: I was asked this morning where to find the X.509 specification, since http://itu.int/ is such a messy website. It's sad the 2008 version is only available for a fee. I always thought

How to locate the X.509 specifications

2010-08-07 Thread Kyle Hamilton
I was asked this morning where to find the X.509 specification, since http://itu.int/ is such a messy website. I'll point you to the general location, because it's a better piece of information to have than the exact location. (There are other recommendations that X.509 refers to, and being ab

Re: Slow crypto initialization.

2010-07-27 Thread Kyle Hamilton
The OpenSSL development team typically don't comment on a request until they've fixed it. (I believe this is "poor customer service", but I also believe that I'm not entitled to "good customer service" until I've paid for it.) What appears to happen is this: 1) bug submitter sends an email to r

Re: A CSP extension for OpenSSL?

2010-06-03 Thread Kyle Hamilton
I don't particularly like advocating other products here, but NSS (from Mozilla) has a (relatively) secure PKCS#11 softoken implementation, and it can interface with other PKCS#11 middleware. The softoken has been FIPS-validated, at certain versions. -Kyle H On Thu, Jun 3, 2010 at 3:15 AM, Martin

Re: ssl_comp_methods never freed

2010-05-20 Thread Kyle Hamilton
Please send patches (as attachments) to r...@openssl.org, so they can be tracked. (rt will automatically assign a request number, and echo the main content of the mail to openssl-dev.) (Please note that I'm not a core developer, have no direct contact with any of the core developers, and am essen

Re: [openssl.org #2174] SSL_CTX_new SSL_OP_LEGACY_SERVER_CONNECT may clear previously set option

2010-02-17 Thread Kyle Hamilton
I think that line should be "ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;", not simply an =. -Kyle H On Wed, Feb 17, 2010 at 10:03 AM, Tomas Hoger via RT wrote: > Hi! > > SSL_CTX_new currently contains: > >    /* Setup RFC4507 ticket keys */ >    if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name

Re: Get root certificates from System Store of Windows

2010-01-29 Thread Kyle Hamilton
If you're going to send a patch, please send it to r...@openssl.org. That gets the patch into the request tracker, and gets it into the (relatively) formal review process. -Kyle H On Thu, Jan 28, 2010 at 4:54 PM, NARUSE, Yui wrote: > How about my previous patch, which lookup Windows' store with

Re: OpenSSL 1.0.0 beta5 release v. VMS

2010-01-22 Thread Kyle Hamilton
On Fri, Jan 22, 2010 at 2:54 PM, Steven M. Schweda wrote: >  SSL_set_session_ticket_ext_cb           308    EXIST::FUNCTION: >  SSL_set1_param                          309    EXIST::FUNCTION: >  SSL_CTX_set1_param                      310    EXIST::FUNCTION: > +ssl_add_clienthello_renegotiate_ext

Re: OpenSSL 1.0.0 beta5 release v. VMS

2010-01-22 Thread Kyle Hamilton
Really, what needs to happen is that, in the case of VMS with a limited C compiler that doesn't handle long symbols, the long symbols need to be truncated in the *.num files. (This shouldn't need to be done for any other platform at this instant, but...) There's currently no conflict, so there's

Re: Get root certificates from System Store of Windows

2010-01-15 Thread Kyle Hamilton
My understanding is that OpenSSL doesn't really use the "trusted certificate" system, which contains the information about what a certificate is trusted for. Further, the bits available for the Windows store don't have an isomorphic mapping within the trust parameters that OpenSSL provides. Is th

Re: Test of disabled renegotiation in 0.9.8l

2009-11-18 Thread Kyle Hamilton
Er, *why* are you dropping the connection when renegotiation is tried? The appropriate response, per RFC, if you don't want to renegotiate is to send a warning "no_renegotiation" alert. -Kyle H On Mon, Nov 16, 2009 at 10:40 PM, joshi chandra wrote: > > Hi , > > I have lot patch from cvs of Open

Re: [openssl.org #2053] [PATCH] Add new -ext_print option to x509 app to print certificate extensions

2009-09-25 Thread Kyle Hamilton
How about something like '-certopt none,ext'? I'd like to see an option where 'none' automatically says 'no_header, no_sigdump, no_version, no_subject, no_issuer, no_validity, no_serial, no_pubkey, no_signame, no_ext', and anything after it is used to add to the set... rather like how ciphers are

Re: SSL_CTX

2009-09-14 Thread Kyle Hamilton
You may use an SSL_CTX object to create multiple sessions under multiple threads. Each session must have all of its I/O done in one thread (due to some rather nasty locking issues), but the SSL_CTX, once created and populated, is generally not updated -- which means that it's safe to perform read-

Re: A question about openssl command in FIPS mode

2009-09-11 Thread Kyle Hamilton
Because the 'fipsld' script isn't actually necessary to pass FIPS validation. The steps that that script does are necessary to maintain validation, but they can be done by anything (once the FIPS canister is created, anyway). Try setting "OPENSSL_FIPS=1" in your environment, and make sure that th

Re: Delivering two version of libcrypto - fips and non-fips

2009-09-01 Thread Kyle Hamilton
It goes without saying that any changes you have to make to the FIPS module would be quite welcome if you passed them along upstream, along with any information about the Priesthood of the CMVP that you're dealing with which required the change, and why. Then again, I don't know if there's an NDA

Re: Delivering two version of libcrypto - fips and non-fips

2009-08-30 Thread Kyle Hamilton
You forgot: ./config fipscanisterbuild asm Since you're on an x86_64 platform, you can benefit a lot from the asm speedups. -Kyle H On Fri, Aug 28, 2009 at 2:48 AM, Mark Phalan wrote: > > On Thu, 2009-08-27 at 10:23 -0400, Steve Marquess wrote: >> Mark Phalan wrote: >> >  I've been working on g

Re: [PATCH] SHA512 ROTR macro fix for PowerPC using LP32 model

2009-07-27 Thread Kyle Hamilton
Don't worry 'bout it too much. Could you please create that as a .diff file and attach it to an email to r...@openssl.org? The rt system creates a case that can be tracked. -Kyle H On Mon, Jul 27, 2009 at 3:26 PM, Ben Nason wrote: > Hi, > > I am new to the list, so apologies if I fail to follow

Re: Determining if client requests ssl handshake

2009-07-07 Thread Kyle Hamilton
A client has a sign that a server wants to negotiate TLS if it receives a byte 0x00 (the code for 'HelloRequest'). A server has a sign that a client wants to negotiate TLS if it receives a byte 0x01 (ClientHello). There are multiple ways to use TLS. The one that webservers use is to create the T

Re: Request from THALES to OPEN SSL

2009-06-29 Thread Kyle Hamilton
OpenSSL is distributed under a clause in US law which allows openly-available cryptographic software to be exempt from ECCN filing, under exemption TSU (EAR, section 740.13(e)). It is very possible that what you are doing with it falls under ECCN 5D002 or another in the 5Dnnn series. I am not a l

Re: [PATCH 00/14] Patches from the ocf-linux and uClinux-dist projects

2009-06-29 Thread Kyle Hamilton
Please mail these each as attachments to r...@openssl.org. This will ensure that each gets entered into a trackable state, and also ensures that the formatting for the patch files stays consistent. -Kyle H On Mon, Jun 29, 2009 at 7:54 PM, David McCullough wrote: > > Hi openssl-dev, > > Here is a

Re: [OpenSSL On MAC OS] How to build the openssl.0.9.8k zlib ?

2009-06-24 Thread Kyle Hamilton
To get zlib, use MacPorts. Then, './config --with-zlib=/opt/local/lib/'. MacOS already has a supplicant, though, yes? -Kyle H On Tue, Jun 23, 2009 at 7:28 PM, loubot wrote: > > I have port the supplicant with openssl.0.9.8k on Linux platform, and it's > working ok. > I test the supplicant with

Re: Possible error in the Book?

2009-06-18 Thread Kyle Hamilton
The PrivateKey structure includes both the private and the public parts. Once you read the private key, you don't need to separately load the public. -Kyle H On Thu, Jun 18, 2009 at 3:36 AM, Vadim Lebedev wrote: > Hello, > > I wonder if somebody can enlighten me: > At Page 283  of "Network Secur

Re: ./Configure --test-sanity got failed

2009-06-17 Thread Kyle Hamilton
openssl-1.0.0-beta2 has the following output: == === SANITY TESTING! === No configuration will be done, all other arguments will be ignored! == SANITY ERROR: 'beo

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Kyle Hamilton
These scripts pull the latest version of the Mozilla-approved CAs. OpenSSL is not in the business of making CA certificates available, but having the ability to do this in the stock package might be very good for the users. (Make sure that such a tool warns the user that the CA certificates are th

Re: OpenSSL code on Windows crashes.

2009-06-12 Thread Kyle Hamilton
Please, read INSTALL.W32. Also, please read http://openssl.org/support/faq.html#PROG2 for more information. (This is one of the most frequently asked questions.) If you can, build OpenSSL yourself. This may not necessarily be practical for you, but if you can it should help a lot. -Kyle H On

Re: TS command docs - bug or I'm missing something?

2009-05-28 Thread Kyle Hamilton
default_policy is only mandated if you don't use -policy. -Kyle H 2009/5/27 Victor B. Wagner : > Documentation for openssl ts command says following: > >>Timestamp responce generation >>...skip... >>-policy object_id >>       The default policy to use for the response unless the client >>       e

Re: Can we expect debug version libraries of Openssl code to vs2005?

2009-05-22 Thread Kyle Hamilton
The pre-built OpenSSL library is provided by someone else. If you want to get debug libraries for OpenSSL, you can compile them yourself. Please see the FAQ, however; there are a couple of gotchas on Windows systems which need to be addressed within your environment during the compilation and tes

Re: Confused by OpenSSL

2009-04-30 Thread Kyle Hamilton
This is actually an openssl-users question, but don't worry too much about it. :) genrsa generates both the public and the private keys in the same structure (PKCS#1). The command 'openssl rsa -in domainname.key -pubout -out domainname.pub' will take the portion that has been designated as the pr

Source interfaces for implementing a new algorithm

2009-04-30 Thread Kyle Hamilton
Hey all, I'm trying to figure out (for my own reference) what functions I need to provide for: 1) Implementing a new stream cipher 2) Implementing a new block cipher 3) Implementing a new asymmetric cipher 4) Implementing a new hash 5) Implementing a new mode (ECB, CFB, etc) 6) Implementing a ne

Re: What is the consequence of X509 failure like this?

2009-04-22 Thread Kyle Hamilton
This is an openssl-users question, and should not be on openssl-dev. "unable to get local issuer certificate" means that the CA root certificate has not been loaded. The "local issuer certificate" is the local copy of the certifying authority certificate which issued the certificate you're trying

Re: Issues with CMS for SMIME implementation using OPENSSL source code

2009-04-19 Thread Kyle Hamilton
Most of the OpenSSL functions and structures are generated by macros. (OpenSSL is the most lispish C I've ever seen.) Look at apps/cms.c for information on how to use them; in its basic configuration, it has no dependencies on anything external. (It can be built to have dependencies on external t

Re: [openssl.org #1830] [PATCH] TLS Key Material Extractor

2009-04-18 Thread Kyle Hamilton
http://www.ietf.org/internet-drafts/draft-ietf-tls-extractor-05.txt is the current draft, and its name has now been changed to "tls exporter". -Kyle H On Thu, Jan 29, 2009 at 4:30 AM, Robin Seggelmann via RT wrote: > This patch adds the TLS key material extractor described in http:// > www.iet

Re: [openssl.org #1894] [patch] typos / linguistic bugs in docs/comments

2009-04-09 Thread Kyle Hamilton
printf()s ;) -Kyle H On Thu, Apr 9, 2009 at 10:20 PM, Ger Hobbelt wrote: > On Fri, Apr 10, 2009 at 5:03 AM, Steven M. Schweda wrote: >>   Hey.  Don't give up so easily.  While it's possible to find backing >> for almost any opinion involving an apostrophe, a rule like "plural, not >> possessive

Re: OpenSSL 1.0.0 beta 1 released

2009-04-02 Thread Kyle Hamilton
I'd prefer that IBM release whatever library they're using to identify and handle Julian days. ;) -Kyle H On Thu, Apr 2, 2009 at 12:17 PM, Michael Tüxen wrote: > Hi Steve, > > Robin will port all the patches from > http://sctp.fh-muenster.de/dtls-patches.html > to the beta version when he is bac

Re: I hope the reports that I sent to -bugs are useful...

2009-04-01 Thread Kyle Hamilton
On Wed, Apr 1, 2009 at 6:09 AM, Lutz Jaenicke wrote: > > Probably you are not around long enough for the last (0.9.8) release :-) > In the past we tended to have the success reports sent to openssl-dev. > The problem with the success reports is that they are actually invalidated > with every new i

Re: I hope the reports that I sent to -bugs are useful...

2009-04-01 Thread Kyle Hamilton
On Wed, Apr 1, 2009 at 4:55 AM, Lutz Jaenicke wrote: > Hi Kyle, > > thank you very much for reports, they are currently sitting in the > moderation queue. I would kindly ask you and other testers to either > * send success messages to the list with just the platform mentioned > * send failures to

I hope the reports that I sent to -bugs are useful...

2009-04-01 Thread Kyle Hamilton
I hope the test reports I sent to -bugs are useful. I'm on a Mac OSX 10.5.6 machine, Intel-based, and I ran tests in both 32 and 64 bit modes, both without and with the optional features. I do not have gmp installed, nor zlib, so I cannot vouch for their usability; I did not test krb5, and I also

Re: [PATCH] Fix RSA blinding locking hole

2009-04-01 Thread Kyle Hamilton
On Wed, Apr 1, 2009 at 2:12 AM, Marc Haisenko wrote: > On Wednesday 01. April 2009 11:03:55 Kyle Hamilton wrote: > I was referring to the two threads cited in my patch e-mail: > [1] - http://marc.info/?l=openssl-dev&m=123754568501758&w=2 > [2] - http://marc.info/?l=openssl-use

Re: [PATCH] Fix RSA blinding locking hole

2009-04-01 Thread Kyle Hamilton
e Request Tracking system that is used by the core developers. -Kyle H On Wed, Apr 1, 2009 at 1:59 AM, Marc Haisenko wrote: > On Wednesday 01. April 2009 10:54:39 Kyle Hamilton wrote: >> Submit your patch to r...@openssl.org, and it'll go into the request >> tracking system.  I

Re: [PATCH] Fix RSA blinding locking hole

2009-04-01 Thread Kyle Hamilton
Submit your patch to r...@openssl.org, and it'll go into the request tracking system. I would also recommend that you wait for a bit more than a single day before getting irritated with people who work on this in their spare time, and have day jobs. -Kyle H On Wed, Apr 1, 2009 at 1:48 AM, Marc H

Re: Openssl doubt SSL_Write

2009-04-01 Thread Kyle Hamilton
If SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE are returned, the arguments *must* be *exactly* the same. This includes the data pointed to by the buffer. There is a way to set a mode on the SSL connection to allow a moving buffer, but that's it. SSL will not buffer the data passed to it. If SSL

Re: SPARC assembly trick in libcrypto breaks IBM Rational Purify

2009-03-31 Thread Kyle Hamilton
This list is *not* supposed to be a platform for trying to sell product. Or even advocating for product. You come in here, complaining about how a particular feature used in one of the libraries breaks one of your instrumentation programs. Okay, fine. We'll try to work with you on that. But now

Re: OCSP help required

2009-03-30 Thread Kyle Hamilton
OCSP is not part of the SSL handshake (except, as you mention, for OCSP stapling). You can look at apps/ocsp.c for information on how to use the OCSP API. The best place to use it would be in the callback called by SSL[_CTX]_set_verify(). -Kyle H On Sun, Mar 29, 2009 at 11:02 PM, Yaweh wrote:

Re: how to uninstall openSSL Urgent help needed

2009-03-26 Thread Kyle Hamilton
This is a -users question, not a -dev question. If openssl was installed from a package provided by or in the format of your OS vendor, uninstall it using the vendor's packaging tools. I've attached a list of files that are installed on my MacOSX machine by 'make install'. (the './' at the begin

Re: Why patch was forgotten?

2009-03-26 Thread Kyle Hamilton
The best way to submit patches is to email them as attachments to r...@openssl.org. That is the Request Tracker, and it makes things a lot easier for the developers to keep track of. -Kyle H On Thu, Mar 26, 2009 at 2:59 AM, Ilya O. wrote: > On Wed, Mar 25, 2009 at 5:37 PM, Patrick Patterson >

Re: A trace appeared on the screen which was not expected when using SFTP.

2009-03-20 Thread Kyle Hamilton
There is no such message in OpenSSL. That looks like it's a diagnostic message from libcurl (or whatever component it uses to perform its FTP functionality.) -Kyle H 2009/3/18 曹婷 : > Hi developer, > > OPENSSL_0.9.8A_AIX5.3_64BIT is the version installed on my working server. > > Recently, i usin

Re: SPARC assembly trick in libcrypto breaks IBM Rational Purify

2009-03-17 Thread Kyle Hamilton
You need to get off your high-horse. -Kyle H On Mon, Mar 16, 2009 at 2:23 PM, Kenneth Robinette wrote: > > You need to take this discussion offline. > > Ken > > > > --- On Mon, 3/16/09, Allan K Pratt wrote: > >> From: Allan K Pratt >> Subject: Re: SPARC assembly trick in libcrypto breaks IBM R

Re: SPARC assembly trick in libcrypto breaks IBM Rational Purify

2009-03-11 Thread Kyle Hamilton
ntly to you, in this case -- automatically sends a mail to openssl-dev when a new request is submitted -- which allows for the discussion that you're looking for to take place. -Kyle H On Mon, Mar 9, 2009 at 4:52 PM, Allan K Pratt wrote: > Kyle Hamilton wrote: >> The best way

Re: [openssl.org #1847] Bug in Openssl 0.9.8j CA.sh script

2009-03-11 Thread Kyle Hamilton
-create_serial does not exist in CA.sh, either. -Kyle H On Tue, Feb 24, 2009 at 1:46 PM, Nguyen, Kim via RT wrote: > The CA.sh script in 0.9.8j is missing the -extensions v3_ca flag. This > doesn't seem to be a problem in CA.pl > > > In comparison, CA.pl has: > > print "Making CA certificate .

Re: SPARC assembly trick in libcrypto breaks IBM Rational Purify

2009-03-09 Thread Kyle Hamilton
The best way is to send a patch (unified diff) to r...@openssl.org. This allows for ease of patching, and ensuring that the actual intent of the patch is preserved at the source level. The module owner will review the patch and apply it if appropriate, and your name (and the fact that IBM contribu

Re: GeneralizedTime support in openssl ca

2009-03-03 Thread Kyle Hamilton
Please send this patch as an attachment to r...@openssl.org. This will track it as a ticket. -Kyle H On Tue, Mar 3, 2009 at 2:37 PM, Oliver Martin wrote: > Hello, > > this patch adds support for GeneralizedTime for startdate/enddate in > openssl ca. I submitted an earlier version to openssl-use

Re: how to use the openssl API to verify a digital signature

2009-02-23 Thread Kyle Hamilton
This is a question that should go on openssl-users, since it does not relate to the development of the library itself. However, since it's asked here, I'll answer. apps/dgst.c has the appropriate code. Most of the OpenSSL public API documentation is poorly-written and out-of-date. I wish there

Re: Re[2]: q and j parameters for Diffie-Hellman

2009-02-16 Thread Kyle Hamilton
If you have an IANA "Private Enterprise Number", you can invent your own OID (since you own an OID tree). For example, mine is 1.3.6.1.4.1.22232. (To be explicit: you are NOT authorized to invent any OID under this tree, as it belongs to me, not you.) http://pen.iana.org/pen/PenApplication.page

Re: Fwd: Openssl-SNAP still erroring out (verified on OSX 10.5.6 and virgin config)

2009-02-10 Thread Kyle Hamilton
*** virgin/crypto/objects/obj_xref.h2009-02-10 05:01:06.0 -0800 --- openssl-SNAP-20090207/crypto/objects/obj_xref.h 2009-02-10 05:02:43.0 -0800 *** *** 1,4 ! /* AUTOGENERATED BY objxref.pl, DO NOT EDIT */ typedef struct { --- 1,4 ! /* AUTOGEN

Re: Fwd: Openssl-SNAP still erroring out (verified on OSX 10.5.6 and virgin config)

2009-02-09 Thread Kyle Hamilton
On Mon, Feb 9, 2009 at 2:04 PM, Dr. Stephen Henson wrote: > On Sat, Feb 07, 2009, The Doctor wrote: > >> On Sat, Feb 07, 2009 at 12:46:52PM -0800, Kyle Hamilton wrote: >> > The bug does appear on OSX 10.5.6 (openssl-SNAP-20090207) with the >> > following command line: ./co

Fwd: Openssl-SNAP still erroring out (verified on OSX 10.5.6 and virgin config)

2009-02-07 Thread Kyle Hamilton
Date: Sat, Feb 7, 2009 at 2:30 AM Subject: Re: Openssl-SNAP still erroring out To: openssl-dev@openssl.org On Fri, Feb 06, 2009, Kyle Hamilton wrote: > This does not appear on MacOSX 10.5.6 (with 0.9.8-stable-SNAP-20090206). > > ./config threads shared no-sse2 enable-whrlpool enable-mon

Re: Openssl-SNAP still erroring out

2009-02-06 Thread Kyle Hamilton
This does not appear on MacOSX 10.5.6 (with 0.9.8-stable-SNAP-20090206). ./config threads shared no-sse2 enable-whrlpool enable-montasm enable-capieng enable-cms enable-seed enable-tlsext enable-camellia enable-rfc3779 enable-mdc2 enable-rc5 zlib-dynamic --prefix=/usr/contrib --openssldir=/usr/co

Re: OpenSSL Security Advisory

2009-01-07 Thread Kyle Hamilton
Does the release of 0.9.8j also include the FIPS module support? (i.e., is this a bug-fix only release, or does this include what you have been working on for the past few months as well?) -Kyle H On Wed, Jan 7, 2009 at 4:10 AM, Dr. Stephen Henson wrote: > -BEGIN PGP SIGNED MESSAGE- > Ha

Re: Mutual Authentication

2009-01-05 Thread Kyle Hamilton
SSL_get_peer_certificate(3ssl), SSL_get_peer_cert_chain(3ssl) will get the certificate and certificate chain, respectively. To control the verification process, you can use SSL_set_verify(3ssl) and/or SSL_CTX_set_verify(3ssl). Note that the server must present a certificate if it wants to ask for

Re: quick open ssl question please

2008-12-26 Thread Kyle Hamilton
Not at all, sorry. OpenSSL is entirely C, and has no relation at all with C#. -Kyle H On Mon, Dec 22, 2008 at 12:33 PM, Steven MacLeod wrote: > Hello, I have a quick question regarding open ssl, which so far I haven't > been able to make head or tail of. I have a .net win forms app and I want t

Re: OpenSSL cross-compile for ARM

2008-12-22 Thread Kyle Hamilton
You are cross-compiling, which means that the platform that you're on cannot actually run the binaries that it builds. If you do not have any .so files, it may not be able to create shared libraries in that environment. The .a files, in that case, are static libraries. -Kyle H On Sun, Dec 21, 2

Re: pubkey format

2008-12-20 Thread Kyle Hamilton
Can the source be made available? I would like to use it on MacOSX. -Kyle H On Fri, Dec 19, 2008 at 11:43 PM, Shahin Khorasani wrote: > Hi, > > You can download simple utility to transform PKCS#1 RSA public key to > openssh public key format from here: > http://www.parssign.com/openssh_pk_linux

Re: [FWD] An error appears when run ./CA.sh -sign

2008-12-12 Thread Kyle Hamilton
forwarding from -users for a query. This is the second time that I've heard of "bad end line" or "could not decode base64" today. Did a change go into 0.9.8i that changed base64 handling? -Kyle H On Thu, Dec 11, 2008 at 11:31 PM, Lutz Jaenicke wrote: > Forwarded to openssl-users for public dis

Re: [PATCH] ts verify for expired certificate patch

2008-12-02 Thread Kyle Hamilton
On Mon, Dec 1, 2008 at 9:13 PM, Brad Mitchell <[EMAIL PROTECTED]> wrote: > I don't think there is anything in the openssl (ts) functions to accept > revocation to make this decision anyway. External daemons do exist, such as (e.g.) http://www.carillon.ca/tools/pathfinder.php > At the end of the d

Re: [PATCH] ts verify for expired certificate patch

2008-12-02 Thread Kyle Hamilton
On Mon, Dec 1, 2008 at 8:53 PM, David Schwartz <[EMAIL PROTECTED]> wrote: > >> Problem Description: >> When a digest has been signed and a response is produced, >> the current version of openssl will not verify the contents >> correctly if the certificate used to sign the digest has expired. >> Sol

Re: Draft FIPS Module v1.2 User Guide

2008-11-29 Thread Kyle Hamilton
I'm not sure that CC is the appropriate place for fipsld. Maybe LD, but CC has other uses. -Kyle H On Sat, Nov 29, 2008 at 5:41 PM, Brad House <[EMAIL PROTECTED]> wrote: >> Well, it's still not as finished as I'd like but since I'll be out of town >> and offline until next week I'm releasing the

Re: OpenSSL FIPS 140-2 validation

2008-11-18 Thread Kyle Hamilton
I dunno who I'm supposed to give feedback to, but this format of FIPS announcement needs some work. First, the subject line doesn't say anything about the version of the FIPS module that has been validated. (In this case, it should be something like "OpenSSL FIPS 140-2 validation for module v1.2"

Re: More fixes for 0.9.8i

2008-11-10 Thread Kyle Hamilton
Please submit your patch to [EMAIL PROTECTED] so it can be tracked in the issue tracker? -Kyle H On Sun, Nov 9, 2008 at 2:37 PM, Philip Prindeville <[EMAIL PROTECTED]> wrote: > This fixes the lack of tracing in Makefiles... > > Replacing @ with $(Q) in all places except before '@echo' rule comman

Re: Peer Certificate Verification API

2008-11-03 Thread Kyle Hamilton
The algorithm for checking of the digital signature of the peer certificate is covered in PKIX (RFC 3280, obsoleted by RFC 5280) and the ITU standard X.509. The library-client code for verifying a certificate can be found in the apps/verify.c . You might want to look at the man pages for SSL_set_

Re: [openssl.org #1762] Feature request

2008-10-20 Thread Kyle Hamilton
The GPL is explicitly not compatible with OpenSSL's license. This makes it rather difficult to use GPL code in the project. -Kyle H On Mon, Oct 20, 2008 at 5:55 AM, George Romaniuk via RT <[EMAIL PROTECTED]> wrote: > Do you have plans to support security engine in AMCC PPC440EPx > processor? A

Re: OpenSSL 0.9.8j dev

2008-09-20 Thread Kyle Hamilton
Fips folk: Should the 'fipsdso' target complain if it gets any other command line arguments in ./Configure? Since specifying it means that you're trying to build the shared object... -Kyle H On Sat, Sep 20, 2008 at 8:56 AM, The Doctor <[EMAIL PROTECTED]> wrote: > Need to split the FIPS and non-F

Re: [openssl.org #1725] OpenSSL-0.9.8h: Bug in Certificate Request generation

2008-09-08 Thread Kyle Hamilton
On Mon, Sep 8, 2008 at 1:39 PM, Rafael Jorge Csura Szendrodi via RT <[EMAIL PROTECTED]> wrote: > > Hi, > > On Mon, 8 Sep 2008 16:44:43 +0200 (CEST), Steve Pincaud via RT wrote >> Hi, >> >> I have seen the issue will be fixed in the next release, do you have an ETA > ? (0.9.8i or 0.9.9 ?) , I woul

Re: [openssl.org #1725] OpenSSL-0.9.8h: Bug in Certificate Request generation

2008-09-08 Thread Kyle Hamilton
"ETA" is "Estimated Time of Arrival". Basically, he's asking when OpenSSL 0.9.8i is going to be released. -Kyle H On Mon, Sep 8, 2008 at 1:39 PM, Rafael Jorge Csura Szendrodi via RT <[EMAIL PROTECTED]> wrote: > > Hi, > > On Mon, 8 Sep 2008 16:44:43 +0200 (CEST), Steve Pincaud via RT wrote >> H

Re: Test app

2008-09-01 Thread Kyle Hamilton
OpenSSL itself contains all sorts of apps that do it. openssl (or openssl.exe) implements all the programs in the apps/ directory. Also, 'make test' runs all the internal self-tests. If you need to verify interoperability with something, figure out what protocol it's using -- pkcs8, pkcs12, and p

Re: can we optimize bn_mul_add_words for windows

2008-09-01 Thread Kyle Hamilton
bn_mul_add_words is very CPU intensive, simply because the operation it performs is very CPU-intensive. Public-key cryptography should not be done lightly -- it should be done primarily to verify the security of a per-session key (stream or block ciphering). What exactly are you trying to do? -K

Re: [openssl.org #1736] Enhancement Request: do away with error in chil engine in absence of dynamic locks

2008-08-29 Thread Kyle Hamilton
Option 2 works iff pthreads exists. -Kyle H On Thu, Aug 28, 2008 at 11:45 PM, Sander Temme via RT <[EMAIL PROTECTED]> wrote: > This affects OpenSSL 0.9.8 and trunk. > > In engines/e_chil.c around line 594, the engine checks if it has mutex > callbacks to work with and, if not, errors out with the

Re: FIPS certification document for OpenSSL

2008-08-20 Thread Kyle Hamilton
On Tue, Aug 19, 2008 at 5:10 PM, Steve Marquess <[EMAIL PROTECTED]> wrote: >> Note YOU MUST FOLLOW THE SECURITY POLICIES EXACTLY OR ELSE THE >> RESULTING LIBRARY WILL NOT BE COMPLIANT. This includes shutting your >> UNIX machine down to single-user mode during the build process. It >> probably w

Re: FIPS certification document for OpenSSL

2008-08-19 Thread Kyle Hamilton
It's FIPS validation, not certification. (Not that I'm entirely sure what the difference is, because when a validation is completed a certificate is issued, but I've been corrected enough times by the reps from the Open Source Software Institute that I don't dare call it anything else. :)) fips-1

Re: Couldn't obtain random bytes in sshd - problem in RAND_poll?

2008-08-08 Thread Kyle Hamilton
On Thu, Aug 7, 2008 at 6:59 AM, David Schwartz <[EMAIL PROTECTED]> wrote: > > Kyle Hamilton wrote: > >> David S: to my knowledge you're at least somewhat incorrect, and part >> of your advice is rather dangerous to rely upon (from a cryptographic >> the

Re: Couldn't obtain random bytes in sshd - problem in RAND_poll?

2008-08-08 Thread Kyle Hamilton
hat /dev/urandom was safe to use for cryptographic purposes. > It isn't, and I didn't then and don't now advise its use. I said it never > blocks. It doesn't. So what was incorrect? > > Kyle Hamilton wrote: >> >> David S: to my knowledge you're a

Re: Couldn't obtain random bytes in sshd - problem in RAND_poll?

2008-08-07 Thread Kyle Hamilton
David S: to my knowledge you're at least somewhat incorrect, and part of your advice is rather dangerous to rely upon (from a cryptographic theory perspective). /dev/urandom will never, under normal circumstances, block -- its output is generated algorithmically by the random/urandom device driver

Re: [openssl.org #1727] No License error getting

2008-08-07 Thread Kyle Hamilton
IBM limited the C compiler on AIX to only allow a certain number of simultaneous invocations systemwide, based on the number of licenses that have been purchased and installed on the system. If you have 1 simultaneous-invocation license, then anyone else who invokes the compiler will block you fro

Re: IPv6 support in OpenSSL

2008-08-05 Thread Kyle Hamilton
()) to an SSL connection. The housekeeping work is up to you as the client of the library, though, not something that can be left to the library. -Kyle H On Tue, Aug 5, 2008 at 6:53 AM, Darryl Miles <[EMAIL PROTECTED]> wrote: > Kyle Hamilton wrote: >> >> I cannot find any ref
