Re: [PATCH] ec/ec_pmeth.c: fix unsigned char issue

2013-11-07 Thread Marcelo Cerri
Hi, any news on that? On Tue, Oct 29, 2013 at 05:01:03PM -0200, Marcelo Cerri wrote: In some platforms, such as POWER, char is defined as unsigned. This patch fixes a problem when comparing a char to -1. Signed-off-by: Marcelo Cerri mhce...@linux.vnet.ibm.com --- crypto/ec/ec_pmeth.c | 2 +-

[openssl.org #3164] [PATCH] require DH group of 1024 bits

2013-11-07 Thread Daniel Kahn Gillmor via RT
Reject connections to TLS servers that select DH key exchange but offer a weak DH group. --- ssl/s3_clnt.c | 6 ++ ssl/ssl.h | 1 + ssl/ssl_err.c | 1 + 3 files changed, 8 insertions(+) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index bf1ef47..ef638c4 100644 --- a/ssl/s3_clnt.c +++

[openssl.org #3165] tru64-alpha-cc compatibility fixes

2013-11-07 Thread Daniel Richard G. via RT
I encountered a number of unusual (but mostly minor) errors in building 1.0.1e on Tru64 V4.0G, configuration tru64-alpha-cc. I've addressed the majority of these in the 20131106 snapshot, and the changes are in the attached patch. Here is a walk-through: crypto/Makefile, crypto/bn/Makefile,

[openssl.org #3166] RE: Possible bug/leak in OpenSSL ssl/bio_ssl.c:ssl_ctrl(BIO_CTRL_POP)

2013-11-07 Thread Tom Maher via RT
Part of the problem reported here was resolved, namely the reference count increment/decrement. However, there is still a problem but I have a simple patch that fixes it. The problem is that the SSL may have the bbio in place when the pop happens. If that is the case, then rbio != wbio and the

Re: [PATCH] ec/ec_pmeth.c: fix unsigned char issue

2013-11-07 Thread Dr. Stephen Henson
On Thu, Nov 07, 2013, Marcelo Cerri wrote: Hi, any news on that? On Tue, Oct 29, 2013 at 05:01:03PM -0200, Marcelo Cerri wrote: In some platforms, such as POWER, char is defined as unsigned. This patch fixes a problem when comparing a char to -1. Signed-off-by: Marcelo Cerri

Re: OpenSSL client DH group limits

2013-11-07 Thread Kurt Roeckx
On Tue, Nov 05, 2013 at 11:43:54PM -0500, Daniel Kahn Gillmor wrote: I noticed recently that OpenSSL as a client is happy to connect to a server that offers a trivially-crackable DH group. You can try it out at https://demo.cmrg.net/ Other modern TLS implementations will refuse to connect

RE: [openssl.org #3164] [PATCH] require DH group of 1024 bits

2013-11-07 Thread Salz, Rich
I think a better way to do this would be to have a config param that sets the minimum acceptable size. I.e., a #define -- Principal Security Engineer Akamai Technology Cambridge, MA -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On

Re: [openssl.org #3164] [PATCH] require DH group of 1024 bits

2013-11-07 Thread Dr. Stephen Henson
On Thu, Nov 07, 2013, Salz, Rich wrote: I think a better way to do this would be to have a config param that sets the minimum acceptable size. I.e., a #define I think the best option is to have a compile time default with a runtime override for this and other related issues. The idea being

Re: Need get() and clear() functions for chain_certs in 1.0.2-dev

2013-11-07 Thread Rob Stradling
On 06/11/13 17:27, Dr. Stephen Henson wrote: On Wed, Nov 06, 2013, Rob Stradling wrote: These 2 #defines exist for SSL_CTX->extra_certs: SSL_CTX_add_extra_chain_cert SSL_CTX_get_extra_chain_certs SSL_CTX_clear_extra_chain_certs In 1.0.2-dev, the #defines such as

[openssl.org #3167] openssl pkcs8 does not convert from PKCS8 to traditional format private key

2013-11-07 Thread Michael Slass via RT
[slass@jenkins01 ~]$ openssl version OpenSSL 1.0.0-fips 29 Mar 2010 [slass@jenkins01 ~]$ uname -a Linux jenkins01 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux [slass@jenkins01 ~]$ According to the docs: http://www.openssl.org/docs/apps/pkcs8.html

Re: OpenSSL client DH group limits

2013-11-07 Thread Daniel Kahn Gillmor
On 11/07/2013 09:15 AM, Kurt Roeckx wrote: I filed a ticket about this earlier (#3120) You can see the discussion about that here: http://openssl.6102.n7.nabble.com/openssl-org-3120-Minimum-size-of-DH-td46401.html ah, thanks. It's too bad that discussion isn't mirrored on