On Thu, 2015-02-12 at 18:39 +0100, Steffen Nurpmeso wrote:
I absolutely support all statements of Daniel Kahn Gillmor, but
especially that dynamism must be handled at a place that can be
adjusted without the necessity for any recompilation.
And i want to point to OPENSSL_config(3) which
Some time ago, I had submitted a patch which allows administrators, but
most importantly OS distributors to set their own strings in the configuration
file, which software can then rely on, to provide a consistent security level:
https://github.com/openssl/openssl/pull/192
And my intent is
Trying to build FIPS capable OpenSSL on sparc.
Using openssl-fips-2.0.9.tar.gz and openssl-1.0.2.tar.gz.
Building per the UserGuide-2.0.pdf (although it does not say that 1.0.2 can be
used ... Any 1.0.1 release can be
used for this purpose. Except that 1.0.1j still has a sparc assembly error
In apps/s_client.c there is an invalid if-clause:
    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx))) {
        /*
         * BIO_printf(bio_err,"error setting default verify locations\n");
         */
        ERR_print_errors(bio_err);
        /* goto end; */
    }
Hello,
Nikos Mavrogiannopoulos n...@redhat.com wrote:
|On Thu, 2015-02-12 at 18:39 +0100, Steffen Nurpmeso wrote:
| And i want to point to OPENSSL_config(3) which states for a longer
| time duration:
|
|It is strongly recommended that all new applications call
|
Dear OpenSSL-dev list members,
there might be a bug in the OpenSSL s_client app. The s_client app does
not verify against root CA certificates in the store, unless either
-CAfile or -CApath is present (even with a bogus value). The problem
seems to be on apps/s_client.c:1187:
if
In SSL_new, s->references is set to 1 AFTER ssl_new successfully completes. If
it errors out, SSL_free() is called which decrements it but since it was never
set to 1, it will cause a crash if REF_CHECK is defined since i will be less
than zero. There are also a few other goto err cases in
No need to keep a duplicate API.
---
crypto/crypto.h | 1 -
crypto/jpake/jpake.c | 5 +++--
crypto/mem.c | 8
3 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/crypto/crypto.h b/crypto/crypto.h
index 9762398..7dd2223 100644
--- a/crypto/crypto.h
+++
---
crypto/asn1/tasn_utl.c| 4 ++--
crypto/cms/cms_enc.c | 4 ++--
crypto/ec/ec_mult.c | 4 ++--
crypto/engine/eng_cryptodev.c | 4 ++--
crypto/evp/e_aes.c| 4 ++--
crypto/evp/evp_enc.c | 4 ++--
engines/ccgost/gost_pmeth.c | 7 +++
Old ticket, cannot reproduce. Please post the code if this is still an issue.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
On Fri, Feb 13, 2015, Viktor Dukhovni wrote:
On Fri, Feb 13, 2015 at 11:59:13AM +, Salz, Rich wrote:
Some time ago, I had submitted a patch which allows administrators, but
most importantly OS distributors to set their own strings in the
configuration
file, which software can
On Fri, Feb 13, 2015 at 03:54:50PM +, Dr. Stephen Henson wrote:
Config modules were intended to be used for application setup so would
be a good place to add a system cipher string instead of a whole new
mechanism.
The only problem is that it would only work with applications that
On Fri, Feb 13, 2015 at 11:59:13AM +, Salz, Rich wrote:
Some time ago, I had submitted a patch which allows administrators, but
most importantly OS distributors to set their own strings in the
configuration
file, which software can then rely on, to provide a consistent security
Hello openssl-dev:
We at Akamai have a number of enhancements and fixes for OpenSSL that we would
like to contribute. Before I inundate r...@openssl.org
and openssl-dev mailing lists, I am asking if there’s a desire to provide the
changes as one large patch file, or as
Hi,
There's a memory allocation on the stack in engines/e_capi.c which
allocates only half of the required memory.
This then leads to stack corruption.
Attached a simple and small patch that fixes this.
Sorry, false alarm.
'len' is already in bytes.
Very cool.
Short, Todd tsh...@akamai.com wrote:
* Check that in matching issuer/subject certs, that a self-signed subject
also has a self-signed issuer
Could you explain this one? It isn't necessarily the case that a
self-signed subject has a self-signed issuer in PKIX, if I am
understanding
Hi,
There's a memory allocation on the stack in engines/e_capi.c which
allocates only half of the required memory.
This then leads to stack corruption.
Attached a simple and small patch that fixes this.
Stefan
Index: e_capi.c
===
Hello openssl team,
here is the patch providing -nameopt option to the openssl verify command.
It makes possible to print certificate subject correctly in case of error.
Thank you.
--
SY, Dmitry Belyavsky
--- ../openssl-1.0.1i/apps/verify.c 2014-08-07 01:10:56.0 +0400
+++
We're looking for one or two full-time OpenSSL developers. One job must be in
Cambridge, MA; the other has more flexibility.
If you are interested, contact me off-list.
--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz