Re: How to locate the X.509 specifications

2010-08-08 Thread David Shambroom
See: http://www.ietf.org/rfc/rfc5280.txt Kyle Hamilton wrote: I was asked this morning where to find the X.509 specification, since http://itu.int/ is such a messy website. I'll point you to the general location, because it's a better piece of information to have than the exact location.

Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Georgi Guninski
i was pointing out this: ~/local/bin/openssl s_client -connect localhost: depth=0 CN = CA verify return:1 *** glibc detected *** /home/build/local/bin/openssl: double free or corruption (fasttop): 0x00979300 *** the glibc message means that the current heap operation is on invalid

Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Mounir IDRASSI
Hi, You are right: there is a double free bug in the function *ssl3_get_key_exchange* which leads to a crash if an error occurs. The bug is in line 1510 of s3_clnt.c where we forget to set the variable bn_ctx to NULL after freeing it and this leads to the double free error when BN_CTX_free is

Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-08 Thread Erwann ABALEA
Hodie VII Id. Aug. MMX, David Shambroom scripsit: See: http://www.ietf.org/rfc/rfc5280.txt RFC5280 is only a profile for X.509 certificates and CRLs, just as RFC3280 and RFC2459 were before it. Hopefully, RFC5280 is of better quality than its predecessors, but doesn't replace the standard at

[openssl.org #2314] [PATCH] fix double free in ssl3_get_key_exchange in case of error

2010-08-08 Thread Mounir IDRASSI via RT
Hi, This patch corrects a double free bug in ssl3_get_key_exchange (s3_clnt.c) when an error happens during the connection to a server. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr --- E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c.original Sun Feb 28 01:24:24 2010 +++

[openssl.org #2315] PSS certificates with keysize n*8+1 don't validate

2010-08-08 Thread Hanno Boeck via RT
command is: 139831192893096:error:0407E06D:rsa routines:RSA_verify_PKCS1_PSS:data too large:rsa_pss.c:127: 139831192893096:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:215: Tested with openssl-SNAP-20100808

Re: [openssl.org #2315] PSS certificates with keysize n*8+1 don't validate

2010-08-08 Thread Mounir IDRASSI
: 139831192893096:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:215: Tested with openssl-SNAP-20100808.

Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Georgi Guninski
is the certificate at http://marc.info/?l=openssl-dev&m=128118163216952&w=2 (with the malformed key) *syntactically* correct modulo the bad self signature? with 1.0.0a ~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert /tmp/CA-P.cert: CN = CA error 7 at 0 depth