Avoid multiple locks in FIPS mode commit to OpenSSL_1_0_1-stable

2013-12-10 Thread Geoff_Lowe
Dr. Henson, I'm not understanding the code changes in your recent commit to the OpenSSL_1_0_1-stable branch. From the associated commit comment: "To avoid multiple locks disable use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes." But it looks as though the calls to "CRYPTO_w_[un]lock

[PATCH] Fix to x509v3_config docs

2013-12-10 Thread Ryan Castellucci
I've discovered that having a trailing slash in an OCSP URL can cause problems with MS-CAPI. This is a minimal patch to make the example non-broken. I haven't added any additional text to the documentation to explain this because all that was there in the first place was the example. Please let me

Re: Avoid multiple locks in FIPS mode commit to OpenSSL_1_0_1-stable

2013-12-10 Thread Dr. Stephen Henson
On Mon, Dec 09, 2013, geoff_l...@mcafee.com wrote:
> Shouldn't the code read:
>
> if (!FIPS_mode())
>     CRYPTO_w_[un]lock(CRYPTO_LOCK_RAND);
>
> Note the '!' operator.
>
Yes it should, sorry about that. Fixed now.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer. Co

Re: Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG

2013-12-10 Thread Rob Stradling
On 09/12/13 23:34, Jeffrey Walton wrote: Reference: http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html and http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html. BL > ...and don't intend to fix their broken ECDSA suppor

[openssl.org #3194] [PATCH] Provide asn1parse with capability to show raw OIDs

2013-12-10 Thread Johannes Bauer via RT
Resubmitted (the first try I had the wrong mailing list, sorry): Hello list, the asn1parse application does provide a mechanism to enhance the output by providing additional OID/string mappings. As of now it is not possible to display the raw OIDs (without any name resolution done). This is somet