[openssl-dev] [openssl.org #4174] Support the TLS Feature (aka Must Staple) X.509v3 extension (RFC7633)

2015-12-07 Thread Rob Stradling via RT
https://github.com/openssl/openssl/pull/495 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org

Re: [openssl-dev] [openssl.org #4043] monitoring software depending onopenssl not working on cloudflare ssl websites

2015-09-15 Thread Rob Stradling via RT
Hi Horatiu. To connect to a site that uses CloudFlare Universal SSL [1], you need to specify the SNI (Server Name Indication) header. Modern browsers do this by default, but for s_client you need to do this... openssl s_client -connect :443 -servername This isn't an OpenSSL bug, so I suggest

Re: [openssl-dev] [openssl.org #3665] Bug report and a patch forOpenSSL 1.0.1l (and 1.0.1k)

2015-01-19 Thread Rob Stradling via RT
On 19/01/15 14:47, Stephen Henson via RT wrote: On Mon Jan 19 14:40:32 2015, steve wrote: The problem is that the two fields containing the signature algorithm do not match. The current 'x509' utility can't show this difference (I have an option I'm testing which will). Steve, while you're

[openssl.org #3169] [PATCH] Additional chain_cert functions for 1.0.2-dev

2013-11-11 Thread Rob Stradling via RT
This patch, which currently applies successfully against master and 1_0_2, adds the following functions: SSL_[CTX_]select_current_cert() - set the current certificate without disturbing the existing structure. SSL_[CTX_]get0_chain_certs() - get the current certificate's chain.

[openssl.org #3068] [PATCH] Safari broken ECDHE-ECDSA workaround

2013-06-04 Thread Rob Stradling via RT
The Safari browser on OSX versions 10.8 to 10.8.3 advertises support for several ECDHE-ECDSA ciphers but fails to negotiate them. When a Safari client connects to an OpenSSL-based server that has the attached patch (against the master branch) applied, the server will prefer other mutually

Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-10-05 Thread Rob Stradling via RT
On 21/09/12 15:38, Rob Stradling via RT wrote: On 21/09/12 15:12, Rob Stradling via RT wrote: On 21/09/12 15:04, Stephen Henson via RT wrote: snip Easiest solution is to also backport ssl_get_server_send_pkey see: http://cvs.openssl.org/chngview?cn=22840 I didn't think of that. Thanks

Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-21 Thread Rob Stradling via RT
Attached are patches for 1.0.0 and 0.9.8. -- Rob Stradling Senior Research Development Scientist COMODO - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26

Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-21 Thread Rob Stradling via RT
Hi Steve. I saw your update (to 1.0.2 and HEAD), and I did start looking at backporting it into my 1.0.1/1.0.0/0.9.8 patches. ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the t1_lib.c patch would have to be something like... + X509 *x; + x =

Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-21 Thread Rob Stradling via RT
On 21/09/12 15:04, Stephen Henson via RT wrote: [rob.stradl...@comodo.com - Fri Sep 21 15:55:39 2012]: Hi Steve. I saw your update (to 1.0.2 and HEAD), and I did start looking at backporting it into my 1.0.1/1.0.0/0.9.8 patches. ssl_get_server_send_pkey() is not available in 1.0.1 and

Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-21 Thread Rob Stradling via RT
On 21/09/12 15:12, Rob Stradling via RT wrote: On 21/09/12 15:04, Stephen Henson via RT wrote: snip Easiest solution is to also backport ssl_get_server_send_pkey see: http://cvs.openssl.org/chngview?cn=22840 I didn't think of that. Thanks! I'll prepare patches to backport 22840 to 1.0.0

Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-12 Thread Rob Stradling via RT
On 07/09/12 11:51, Rob Stradling wrote: Attached is an updated patch for CVS HEAD, plus a patch for the 1.0.2 branch. Are you still accepting patches for 1.0.1? Attached is a patch for 1.0.1. -- Rob Stradling Senior Research Development Scientist COMODO - Creating Trust Online Index:

Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-07 Thread Rob Stradling via RT
Attached is an updated patch for CVS HEAD, plus a patch for the 1.0.2 branch. Are you still accepting patches for 1.0.1? Any chance of reviewing these patches soon? Thanks. On 19/06/12 21:15, Rob Stradling via RT wrote: The OCSP Stapling Callback function (s-ctx-tlsext_status_cb) is called

[openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-06-19 Thread Rob Stradling via RT
The OCSP Stapling Callback function (s-ctx-tlsext_status_cb) is called during the parsing of the ClientHello message, before the server has decided which cipher to use. However, since the choice of cipher can influence which server certificate is sent, this means that the wrong OCSP Response

[openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits

2010-09-29 Thread Rob Stradling via RT
NIST (SP800-57 Part 1) recommends a minimum RSA key size of 2048-bits beyond 2010. From January 1st 2011, in order to comply with the current Microsoft[1] and Mozilla[2] CA Policies, Commercial CAs will no longer be permitted to issue certificates with RSA key sizes of 2048-bit. Please accept

[openssl.org #2206] [PATCH] Implicitly support non-delegated OCSP response signing

2010-03-26 Thread Rob Stradling via RT
The attached patches (generated against OpenSSL 0.9.8n and OpenSSL-1.0.0- beta5) cause openssl ocsp to implicitly trust the Issuing CA Certificate (as denoted by the -issuer parameter) as a candidate OCSP Response signer. This non-delegated model is allowed by RFC 2560. With this patch, it's