OpenSSL does not have anything that creates a My Safe folder in
Windows. Please contact the developer directly for support.
-Kyle H
On Feb 10, 2007, at 3:11 PM, Leo Sunpayco via RT wrote:
When I try to initialize the My Safe folder in Windows XP Pro SP2,
I got
this error:
Fingerprint
Please test your versions of 0.9.7 and 0.9.8 with 'make test', and
report your results. There are hard-coded test values in place, that
are compared with the values generated by the software during the
testing phase. If they don't match, then we have some idea of where
the problem is.
Also,
This belongs on openssl-users, not openssl-dev.
I. I don't have the precise information, but I think it likely will
be if it was a project committer who stated it will be.
II. Your guess is as good as mine.
III. If it applies, compiles, and functions then there shouldn't be
a problem. It
Oh. I'm sorry. Someone needs to use a keyword 'volatile'.
Bingo. Problem solved on the improper optimization issue.
Can we commit the patch so that we don't have to keep getting hit by 2
or 3 threads about valgrind complaining about reachable pointers at
the end of program execution every
On 3/28/07, Darryl Miles [EMAIL PROTECTED] wrote:
Actually 'volatile' doesn't provide a useful fix.
[...]
The problem occurs after the beginning of the function. If the compare is
done on a cached copy in a register. Look at this example:
if (variable!=NULL)
{
free(variable);
If you have multiple threads accessing it, you manage access using a
mutex. If locking is important to the application that it's in.
(Clearing the compression is as important as clearing the library
state. If there's a lock around the library state clearing, a lock
needs to exist around the
This bug is actually documented. See the file PROBLEMS in the root
directory. The solution is not as simple as you make it out to be,
unfortunately.
-Kyle H
On 6/18/07, Wesley Sutton via RT [EMAIL PROTECTED] wrote:
I may have found the problem. OS X comes with a default installation of
This needs to go on openssl-users, not openssl-dev.
AES can only be used in TLS, not SSL2. To use it, call
SSL_CTX_set_cipher_list(ptrSSL_CTX,!DEFAULT:AES128-SHA); or
SSL_set_ciphers(ptrSSL, !DEFAULT:AES128-SHA);.
For more details, look at the man pages for
SSL_CTX_set_cipher_list(3),
I would hope the web site is some semi-automatic thing.
I should also note that since MD5 has an easy
hash-collision-generation function against it, the contents of the
openssl-0.9.8f file that was available there that didn't match the
sha1 should be evaluated and diffed.
I think this should be
I think you're right, there's an issue with AKID/SKID in x509 -
signkey. (I'm sending this on to [EMAIL PROTECTED], to open a ticket
for it.)
Repeat the mantra: Only the Certifier has AKID == SKID.
Certificates have AKID == CA's SKID.
Now, forget the mantra, cuz the only exception is
I'm wondering if part of the OS X behavior problem is rooted in -
Bsymbolic, based on the explanation given by Kurt Roeckx? (i.e., it
overrides the shared library loader, preventing shared versions of
the library from working properly -- instead, forcing the system-
supplied one?)
-Kyle H
The FIPS validation process is... odd. And not at all conducive to the
open-source development model.
There is no available OpenSSL FIPS Object Module v1.2. Until it passes
validation, anyway, at which point the openssl-fips-1.2.0.tar.gz file will
be made available. I don't think the source is
validation cycle it'll still be a
lot easier to see what's going on.
-Kyle H
On Nov 29, 2007 5:59 PM, Steve Marquess [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
There is no available OpenSSL FIPS Object Module v1.2.
Well, yes and no. Check out the OpenSSL-fips-0_9_8-stable branch. The
code
On Nov 30, 2007 11:33 AM, Steve Marquess [EMAIL PROTECTED] wrote:
Brad House wrote:
Brad, sorry, I didn't mean to come across as negative. The point I was
trying to make is that once a validation starts I can't afford to delay
it to deal with problems that are discovered in the already
On Dec 2, 2007 4:31 PM, Steve Marquess [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
I just want to have the opportunity to know that what is submitted
will actually run on the platform I must use.
You best approach is to report problems (or provide patches) for the
head of OpenSSL-fips
Obtained source from rsync'd repository.
$ cvs -d/Users/kylehamilton/workspace/openssl-repo co openssl
$ cd openssl
$ cvs update -t FIPS_098_TEST_8
I'm going to assume that I need to follow the CONFIG.FIPS file, and use:
$ ./config fipscanisterbuild
'make' completes (Mac OS X 10.4.11 Intel).
Any argument which begins with on Linux or (generalized) on
[platform] is automatically suspect, regardless of whether there is
any currently-extant platform which violates the assumptions put
forward.
For an example of why this is a problem, remember the assumption on 32-
bit platforms
First: This is something to go to openssl-users, not openssl-dev.
(You are attempting to use the library, not develop inside the
library.)
Next: Why on earth are you using such an outdated version? The
supported versions are 0.9.7m and 0.9.8g. 0.9.2b is from 1999, and
there have been 8 years of
It's extremely unfortunate that anyone would want to remove tracking
information about queries. I don't think it's worth fully deleting
the request -- it's important to track information about the confusion
that the current advisory wording leaves in its readers, so that
perhaps feedback can be
fips-1.1.2 does not have validation for Diffie-Hellmann.
Which version are you looking at?
-Kyle H
On Tue, Jul 8, 2008 at 2:57 AM, Nilay Tripathi [EMAIL PROTECTED] wrote:
Hi All,
I have a query regarding FIPS compliance for Diffie-Hellman api's in the
openssl stack.
FIPS uses the
deterministic to me, what is the approach which can be taken to tackle this
compliance issue.
Appreciate your help!!
Nilay
On Tue, Jul 8, 2008 at 3:48 PM, Kyle Hamilton [EMAIL PROTECTED] wrote:
fips-1.1.2 does not have validation for Diffie-Hellmann.
Which version are you looking at?
-Kyle H
With the caveat that any changes you make will not have validation,
http://www.cryptopp.com/ has a C++ library which has certain binary
versions FIPS-validated. It may be helpful as reference material.
-Kyle H
On Tue, Jul 8, 2008 at 4:06 AM, Nilay Tripathi [EMAIL PROTECTED] wrote:
Hi,
I am
Debian c suffered from simply removing all calls to seed the random
number generator with enough entropy to make it secure.
When it comes to entropy, every little bit helps. The calls to add
uninitialized static variable locations are never relied upon to seed
the PRNG with enough entropy, but
If the firewall blocks FTP, and there is no proxy that responds to
requests for FTP URLs, the browser will not be able to follow the
link. Do you have a webserver (http or https) upon which you can
place the file?
-Kyle H
On Wed, Jul 30, 2008 at 2:11 AM, petekolle123 [EMAIL PROTECTED] wrote:
I cannot find any reference to AF_INET6 in the sources, though I can
find AF_INET. This means that IPv6 is not supported.
Michael: software does need to support IPv6 in order to use it without
going through a gateway of some kind. The reason is that nobody's
figured out how to fit 128 bits of
Also: My web browser does support IPv6. (kame.net shows the moving
image.) My monitor and keyboard do not create socket connections, so
they have no need to.
-Kyle H
On Wed, Jul 30, 2008 at 8:02 AM, Michael Sierchio [EMAIL PROTECTED] wrote:
Ravindra wrote:
I'm looking for information
()) to an SSL
connection. The housekeeping work is up to you as the client of the
library, though, not something that can be left to the library.
-Kyle H
On Tue, Aug 5, 2008 at 6:53 AM, Darryl Miles
[EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
I cannot find any reference to AF_INET6
IBM limited the C compiler on AIX to only allow a certain number of
simultaneous invocations systemwide, based on the number of licenses
that have been purchased and installed on the system. If you have 1
simultaneous-invocation license, then anyone else who invokes the
compiler will block you
David S: to my knowledge you're at least somewhat incorrect, and part
of your advice is rather dangerous to rely upon (from a cryptographic
theory perspective).
/dev/urandom will never, under normal circumstances, block -- its
output is generated algorithmically by the random/urandom device
to use for cryptographic purposes.
It isn't, and I didn't then and don't now advise its use. I said it never
blocks. It doesn't. So what was incorrect?
Kyle Hamilton wrote:
David S: to my knowledge you're at least somewhat incorrect, and part
of your advice is rather dangerous to rely upon
On Thu, Aug 7, 2008 at 6:59 AM, David Schwartz [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
David S: to my knowledge you're at least somewhat incorrect, and part
of your advice is rather dangerous to rely upon (from a cryptographic
theory perspective).
You are at least somewhat incorrect
It's FIPS validation, not certification. (Not that I'm entirely sure
what the difference is, because when a validation is completed a
certificate is issued, but I've been corrected enough times by the
reps from the Open Source Software Institute that I don't dare call it
anything else. :))
On Tue, Aug 19, 2008 at 5:10 PM, Steve Marquess
[EMAIL PROTECTED] wrote:
Note YOU MUST FOLLOW THE SECURITY POLICIES EXACTLY OR ELSE THE
RESULTING LIBRARY WILL NOT BE COMPLIANT. This includes shutting your
UNIX machine down to single-user mode during the build process. It
probably would not
Option 2 works iff pthreads exists.
-Kyle H
On Thu, Aug 28, 2008 at 11:45 PM, Sander Temme via RT [EMAIL PROTECTED] wrote:
This affects OpenSSL 0.9.8 and trunk.
In engines/e_chil.c around line 594, the engine checks if it has mutex
callbacks to work with and, if not, errors out with the
bn_mul_add_words is very CPU intensive, simply because the operation
it performs is very CPU-intensive. Public-key cryptography should not
be done lightly -- it should be done primarily to verify the security
of a per-session key (stream or block ciphering).
What exactly are you trying to do?
OpenSSL itself contains all sorts of apps that do it. openssl (or
openssl.exe) implements all the programs in the apps/ directory.
Also, 'make test' runs all the internal self-tests.
If you need to verify interoperability with something, figure out what
protocol it's using -- pkcs8, pkcs12, and
ETA is Estimated Time of Arrival. Basically, he's asking when
OpenSSL 0.9.8i is going to be released.
-Kyle H
On Mon, Sep 8, 2008 at 1:39 PM, Rafael Jorge Csura Szendrodi via RT
[EMAIL PROTECTED] wrote:
Hi,
On Mon, 8 Sep 2008 16:44:43 +0200 (CEST), Steve Pincaud via RT wrote
Hi,
I have
On Mon, Sep 8, 2008 at 1:39 PM, Rafael Jorge Csura Szendrodi via RT
[EMAIL PROTECTED] wrote:
Hi,
On Mon, 8 Sep 2008 16:44:43 +0200 (CEST), Steve Pincaud via RT wrote
Hi,
I have seen the issue will be fixed in the next release, do you have an ETA
? (0.9.8i or 0.9.9 ?) , I would then ask
Fips folk: Should the 'fipsdso' target complain if it gets any other
command line arguments in ./Configure? Since specifying it means that
you're trying to build the shared object...
-Kyle H
On Sat, Sep 20, 2008 at 8:56 AM, The Doctor [EMAIL PROTECTED] wrote:
Need to split the FIPS and
The GPL is explicitly not compatible with OpenSSL's license. This
makes it rather difficult to use GPL code in the project.
-Kyle H
On Mon, Oct 20, 2008 at 5:55 AM, George Romaniuk via RT [EMAIL PROTECTED]
wrote:
Do you have plans to support security engine in AMCC PPC440EPx
processor? AMCC
The algorithm for checking of the digital signature of the peer
certificate is covered in PKIX (RFC 3280, obsoleted by RFC 5280) and
the ITU standard X.509.
The library-client code for verifying a certificate can be found in
the apps/verify.c .
You might want to look at the man pages for
Please submit your patch to [EMAIL PROTECTED] so it can be tracked in the
issue tracker?
-Kyle H
On Sun, Nov 9, 2008 at 2:37 PM, Philip Prindeville
[EMAIL PROTECTED] wrote:
This fixes the lack of tracing in Makefiles...
Replacing @ with $(Q) in all places except before '@echo' rule commands.
I dunno who I'm supposed to give feedback to, but this format of FIPS
announcement needs some work.
First, the subject line doesn't say anything about the version of the
FIPS module that has been validated. (In this case, it should be
something like OpenSSL FIPS 140-2 validation for module
I'm not sure that CC is the appropriate place for fipsld. Maybe LD,
but CC has other uses.
-Kyle H
On Sat, Nov 29, 2008 at 5:41 PM, Brad House
[EMAIL PROTECTED] wrote:
Well, it's still not as finished as I'd like but since I'll be out of town
and offline until next week I'm releasing the
On Mon, Dec 1, 2008 at 8:53 PM, David Schwartz [EMAIL PROTECTED] wrote:
Problem Description:
When a digest has been signed and a response is produced,
the current version of openssl will not verify the contents
correctly if the certificate used to sign the digest has expired.
Solution:
When
On Mon, Dec 1, 2008 at 9:13 PM, Brad Mitchell [EMAIL PROTECTED] wrote:
I don't think there is anything in the openssl (ts) functions to accept
revocation to make this decision anyway.
External daemons do exist, such as (e.g.)
http://www.carillon.ca/tools/pathfinder.php
At the end of the day,
forwarding from -users for a query.
This is the second time that I've heard of bad end line or could
not decode base64 today. Did a change go into 0.9.8i that changed
base64 handling?
-Kyle H
On Thu, Dec 11, 2008 at 11:31 PM, Lutz Jaenicke jaeni...@openssl.org wrote:
Forwarded to
Can the source be made available? I would like to use it on MacOSX.
-Kyle H
On Fri, Dec 19, 2008 at 11:43 PM, Shahin Khorasani
khoras...@amnafzar.com wrote:
Hi,
You can download simple utility to transform PKCS#1 RSA public key to
opnessh public key format from here:
You are cross-compiling, which means that the platform that you're on
cannot actually run the binaries that it builds.
If you do not have any .so files, it may not be able to create shared
libraries in that environment. The .a files, in that case, are static
libraries.
-Kyle H
On Sun, Dec 21,
Not at all, sorry. OpenSSL is entirely C, and has no relation at all with C#.
-Kyle H
On Mon, Dec 22, 2008 at 12:33 PM, Steven MacLeod
steven.macl...@syfir.com wrote:
Hello, I have a quick question regarding open ssl, which so far I haven't
been able to make head or tail of. I have a .net win
SSL_get_peer_certificate(3ssl), SSL_get_peer_cert_chain(3ssl) will get
the certificate and certificate chain, respectively.
To control the verification process, you can use SSL_set_verify(3ssl)
and/or SSL_CTX_set_verify(3ssl). Note that the server must present a
certificate if it wants to ask
Does the release of 0.9.8j also include the FIPS module support?
(i.e., is this a bug-fix only release, or does this include what you
have been working on for the past few months as well?)
-Kyle H
On Wed, Jan 7, 2009 at 4:10 AM, Dr. Stephen Henson st...@openssl.org wrote:
-BEGIN PGP SIGNED
This does not appear on MacOSX 10.5.6 (with 0.9.8-stable-SNAP-20090206).
./config threads shared no-sse2 enable-whrlpool enable-montasm
enable-capieng enable-cms enable-seed enable-tlsext enable-camellia
enable-rfc3779 enable-mdc2 enable-rc5 zlib-dynamic
--prefix=/usr/contrib
, 2009 at 2:30 AM
Subject: Re: Openssl-SNAP still erroring out
To: openssl-dev@openssl.org
On Fri, Feb 06, 2009, Kyle Hamilton wrote:
This does not appear on MacOSX 10.5.6 (with 0.9.8-stable-SNAP-20090206).
./config threads shared no-sse2 enable-whrlpool enable-montasm
enable-capieng enable
. Stephen Henson st...@openssl.org wrote:
On Sat, Feb 07, 2009, The Doctor wrote:
On Sat, Feb 07, 2009 at 12:46:52PM -0800, Kyle Hamilton wrote:
The bug does appear on OSX 10.5.6 (openssl-SNAP-20090207) with the
following command line: ./config threads shared no-sse2
enable-whrlpool enable-montasm
*** virgin/crypto/objects/obj_xref.h2009-02-10 05:01:06.0 -0800
--- openssl-SNAP-20090207/crypto/objects/obj_xref.h 2009-02-10
05:02:43.0 -0800
***
*** 1,4
! /* AUTOGENERATED BY objxref.pl, DO NOT EDIT */
typedef struct
{
--- 1,4
! /*
If you have an IANA Private Enterprise Number, you can invent your
own OID (since you own an OID tree).
For example, mine is 1.3.6.1.4.1.22232. (To be explicit: you are NOT
authorized to invent any OID under this tree, as it belongs to me, not
you.)
http://pen.iana.org/pen/PenApplication.page
This is a question that should go on openssl-users, since it does not
relate to the development of the library itself. However, since it's
asked here, I'll answer.
apps/dgst.c has the appropriate code.
Most of the OpenSSL public API documentation is poorly-written and
out-of-date. I wish there
Please send this patch as an attachment to r...@openssl.org. This will
track it as a ticket.
-Kyle H
On Tue, Mar 3, 2009 at 2:37 PM, Oliver Martin oli...@volatilevoid.net wrote:
Hello,
this patch adds support for GeneralizedTime for startdate/enddate in
openssl ca. I submitted an earlier
The best way is to send a patch (unified diff) to r...@openssl.org.
This allows for ease of patching, and ensuring that the actual intent
of the patch is preserved at the source level.
The module owner will review the patch and apply it if appropriate,
and your name (and the fact that IBM
-create_serial does not exist in CA.sh, either.
-Kyle H
On Tue, Feb 24, 2009 at 1:46 PM, Nguyen, Kim via RT r...@openssl.org wrote:
The CA.sh script in 0.9.8j is missing the -extensions v3_ca flag. This
doesn't seem to be a problem in CA.pl
In comparision, CA.pl has:
print Making CA
-- automatically
sends a mail to openssl-dev when a new request is submitted -- which
allows for the discussion that you're looking for to take place.
-Kyle H
On Mon, Mar 9, 2009 at 4:52 PM, Allan K Pratt apr...@us.ibm.com wrote:
Kyle Hamilton aerow...@gmail.com wrote:
The best way is to send
You need to get off your high-horse.
-Kyle H
On Mon, Mar 16, 2009 at 2:23 PM, Kenneth Robinette
supp...@securenetterm.com wrote:
You need to take this discussion offline.
Ken
--- On Mon, 3/16/09, Allan K Pratt apr...@us.ibm.com wrote:
From: Allan K Pratt apr...@us.ibm.com
Subject: Re:
There is no such message in OpenSSL. That looks like it's a
diagnostic message from libcurl (or whatever component it uses to
perform its FTP functionality.)
-Kyle H
2009/3/18 曹婷 bupt_caot...@hotmail.com:
Hi developer,
OPENSSL_0.9.8A_AIX5.3_64BIT is the version installed on my working
The best way to submit patches is to email them as attachments to
r...@openssl.org. That is the Request Tracker, and it makes things a
lot easier for the developers to keep track of.
-Kyle H
On Thu, Mar 26, 2009 at 2:59 AM, Ilya O. vrgh...@gmail.com wrote:
On Wed, Mar 25, 2009 at 5:37 PM,
This is a -users question, not a -dev question.
If openssl was installed from a package provided by or in the format
of your OS vendor, uninstall it using the vendor's packaging tools.
I've attached a list of files that are installed on my MacOSX machine
by 'make install'. (the './' at the
OCSP is not part of the SSL handshake (except, as you mention, for
OCSP stapling).
You can look at apps/ocsp.c for information on how to use the OCSP
API. The best place to use it would be in the callback called by
SSL[_CTX]_set_verify().
-Kyle H
On Sun, Mar 29, 2009 at 11:02 PM, Yaweh
This list is *not* supposed to be a platform for trying to sell
product. Or even advocating for product.
You come in here, complaining about how a particular feature used in
one of the libraries breaks one of your instrumentation programs.
Okay, fine. We'll try to work with you on that.
But
If SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE are returned, the
arguments *must* be *exactly* the same. This includes the data
pointed to by the buffer. There is a way to set a mode on the SSL
connection to allow a moving buffer, but that's it. SSL will not
buffer the data passed to it.
If
Submit your patch to r...@openssl.org, and it'll go into the request
tracking system. I would also recommend that you wait for a bit more
than a single day before getting irritated with people who work on
this in their spare time, and have day jobs.
-Kyle H
On Wed, Apr 1, 2009 at 1:48 AM, Marc
that is used by the core
developers.
-Kyle H
On Wed, Apr 1, 2009 at 1:59 AM, Marc Haisenko haise...@comdasys.com wrote:
On Wednesday 01. April 2009 10:54:39 Kyle Hamilton wrote:
Submit your patch to r...@openssl.org, and it'll go into the request
tracking system. I would also recommend that you
On Wed, Apr 1, 2009 at 2:12 AM, Marc Haisenko haise...@comdasys.com wrote:
On Wednesday 01. April 2009 11:03:55 Kyle Hamilton wrote:
I was refering to the two threads cited in my patch e-mail:
[1] - http://marc.info/?l=openssl-devm=123754568501758w=2
[2] - http://marc.info/?l=openssl-usersm
I hope the test reports I sent to -bugs are useful. I'm on a Mac OSX
10.5.6 machine, Intel-based, and I ran tests in both 32 and 64 bit
modes, both without and with the optional features. I do not have gmp
installed, nor zlib, so I cannot vouch for their usability; I did not
test krb5, and I
On Wed, Apr 1, 2009 at 4:55 AM, Lutz Jaenicke l...@lutz-jaenicke.de wrote:
Hi Kyle,
thank you very much for reports, they are currently sitting in the
moderation queue. I would kindly ask you and other testers to either
* send success messages to the list with just the platform mentioned
*
I'd prefer that IBM release whatever library they're using to identify
and handle Julian days. ;)
-Kyle H
On Thu, Apr 2, 2009 at 12:17 PM, Michael Tüxen
michael.tue...@lurchi.franken.de wrote:
Hi Steve,
Robin will port all the patches from
http://sctp.fh-muenster.de/dtls-patches.html
to the
http://www.ietf.org/internet-drafts/draft-ietf-tls-extractor-05.txt is
the current draft, and its name has now been changed to tls
exporter.
-Kyle H
On Thu, Jan 29, 2009 at 4:30 AM, Robin Seggelmann via RT r...@openssl.org
wrote:
This patch adds the TLS key material extractor described in
Most of the OpenSSL functions and structures are generated by macros.
(OpenSSL is the most lispish C I've ever seen.) Look at apps/cms.c
for information on how to use them; in its basic configuration, it has
no dependencies on anything external. (It can be built to have
dependencies on external
Hey all,
I'm trying to figure out (for my own reference) what functions I need
to provide for:
1) Implementing a new stream cipher
2) Implementing a new block cipher
3) Implementing a new asymmetric cipher
4) Implementing a new hash
5) Implementing a new mode (ECB, CFB, etc)
6) Implementing a
This is actually an openssl-users question, but don't worry too much
about it. :)
genrsa generates both the public and the private keys in the same
structure (PKCS#1). The command 'openssl rsa -in domainname.key
-pubout -out domainname.pub' will take the portion that has been
designated as the
The pre-built OpenSSL library is provided by someone else. If you
want to get debug libraries for OpenSSL, you can compile them
yourself. Please see the FAQ, however; there are a couple of gotchas
on Windows systems which need to be addressed within your environment
during the compilation and
Please, read INSTALL.W32. Also, please read
http://openssl.org/support/faq.html#PROG2 for more information. (This
is one of the most frequently asked questions.)
If you can, build OpenSSL yourself. This may not necessarily be
practical for you, but if you can it should help a lot.
-Kyle H
On
These scripts pull the latest version of the Mozilla-approved CAs.
OpenSSL is not in the business of making CA certificates available,
but having the ability to do this in the stock package might be very
good for the users. (Make sure that such a tool warns the user that
the CA certificates are
openssl-1.0.0-beta2 has the following output:
==
=== SANITY TESTING!
=== No configuration will be done, all other arguments will be ignored!
==
SANITY ERROR:
The PrivateKey structure includes both the private and the public
parts. Once you read the private key, you don't need to separately
load the public.
-Kyle H
On Thu, Jun 18, 2009 at 3:36 AM, Vadim Lebedevva...@mbdsys.com wrote:
Hello,
I wonder if somebody can enlighten me:
At Page 283 of
To get zlib, use MacPorts. Then, './config --with-zlib=/opt/local/lib/'.
MacOS already has a supplicant, though, yes?
-Kyle H
On Tue, Jun 23, 2009 at 7:28 PM, loubotloubot.l...@quantatw.com wrote:
I have port the supplicant with openssl.0.9.8k on Linux platform, and it's
working ok.
I test
Please mail these each as attachments to r...@openssl.org. This will
ensure that each gets entered into a trackable state, and also ensures
that the formatting for the patch files stays consistent.
-Kyle H
On Mon, Jun 29, 2009 at 7:54 PM, David
McCulloughdavid_mccullo...@securecomputing.com
OpenSSL is distributed under a clause in US law which allows
openly-available cryptographic software to be exempt from ECCN filing,
under exemption TSU (EAR, section 740.13(e)).
It is very possible that what you are doing with it falls under ECCN
5D002 or another in the 5Dnnn series.
I am not a
Don't worry 'bout it too much.
Could you please create that as a .diff file and attach it to an email
to r...@openssl.org? The rt system creates a case that can be tracked.
-Kyle H
On Mon, Jul 27, 2009 at 3:26 PM, Ben Nasonbna...@netflix.com wrote:
Hi,
I am new to the list, so apologies if
You forgot:
./config fipscanisterbuild asm
Since you're on an x86_64 platform, you can benefit a lot from the asm speedups.
-Kyle H
On Fri, Aug 28, 2009 at 2:48 AM, Mark Phalanmark.pha...@sun.com wrote:
On Thu, 2009-08-27 at 10:23 -0400, Steve Marquess wrote:
Mark Phalan wrote:
I've been
It goes without saying that any changes you have to make to the FIPS
module would be quite welcome if you passed them along upstream, along
with any information about the Priesthood of the CMVP that you're
dealing with which required the change, and why.
Then again, I don't know if there's an NDA
Because the 'fipsld' script isn't actually necessary to pass FIPS
validation. The steps that that script does are necessary to maintain
validation, but they can be done by anything (once the FIPS canister
is created, anyway). Try setting OPENSSL_FIPS=1 in your
environment, and make sure that the
You may use an SSL_CTX object to create multiple sessions under multiple
threads. Each session must have all of its I/O done in one thread (due to
some rather nasty locking issues), but the SSL_CTX, once created and
populated, is generally not updated -- which means that it's safe to perform
How about something like '-certopt none,ext'? I'd like to see an
option where 'none' automatically says 'no_header, no_sigdump,
no_version, no_subject, no_issuer, no_validity, no_serial, no_pubkey,
no_signame, no_ext', and anything after it is used to add to the
set... rather like how ciphers are
Er, *why* are you dropping the connection when renegotiation is tried?
The appropriate response, per RFC, if you don't want to renegotiate
is to send a warning no_renegotiation alert.
-Kyle H
On Mon, Nov 16, 2009 at 10:40 PM, joshi chandra
joshichandran...@gmail.com wrote:
Hi ,
I have lot
Download Version: openssl-0.9.8a.tar.gz.
My setup: Visual C++ 2005 Express Edition (available for free
download from Microsoft), Windows Server 2003 SP1 SDK. Windows Server
2003 SP1 SDK comes first in my PATH, then the VC2k5EE directories.
(Neither comes with ml.exe, so I cannot use the MASM
On 12/31/05, Goetz Babin-Ebell [EMAIL PROTECTED] wrote:
Pavel Gorshkov wrote:
I agree that it would be better to have a generalized approach.
Here's a relevant excerpt from gnutls-cli(1):
-s, --starttls
Connect, establish a plain session and start TLS when EOF or a
Feel free to hack this up as you see fit. Copyright assigned to the
OpenSSL Project 2006, Kyle Hamilton.
DRAFT!
HOWTO: Key Management (best practice information)
(written by Kyle A Hamilton, [EMAIL PROTECTED])
1. Introduction
Keys are the heart and soul of how cryptography work
This is aimed at the manager of a technical team, primarily, but also
at people getting into the field of cryptography and its application
via Apache. I tried to write it approximating the tone of Schneier's
Applied Cryptography, but it probably came out sounding much more
low-brow.
There should
There's an SSL/TLS sniffer package that, when given the server's
private key, can obtain the master key used for a session and decrypt
the frames. I'm not quite sure what you mean by 'for development
reasons'.
It would (I'm not looking at the source here) probably be available
from one of the
I'd really like to see this, as it allows for TLS 1.0/1.1 extensions
(per RFC 3546) based on my initial reading of the patch.
-Kyle H
On 1/26/06, Brian Long [EMAIL PROTECTED] wrote:
Hello,
I just joined the list after perusing the mailing list archives for
openssl and wpa_supplicant and I
1 - 100 of 198 matches
Mail list logo
