de is free
and easy to install.
No server administrator will want to deploy ECDHE-ECDSA if it means
breaking compatibility with even a small fraction of deployed browsers.
Hence why this patch is, unfortunately, necessary.
--
Rob Stradling
Senior Research & Development Scientist
COMO
On 14/06/13 10:20, Ben Laurie wrote:
On 14 June 2013 09:39, Rob Stradling wrote:
On 13/06/13 17:39, Ben Laurie wrote:
...and don't intend to fix their broken ECDSA support in Safari.
Ben, you've got your wires a bit crossed there.
The ECDHE-ECDSA ciphersuites are indeed broken
On 14/06/13 12:31, Ben Laurie wrote:
On 14 June 2013 12:25, Rob Stradling wrote:
Ah, so you're criticizing Apple for not being willing to force all OSX
10.8.x users to update to 10.8.4.
No.
If OSX 10.8.x has a mechanism that allows Apple to force updates to be
installed, then I
On 14/06/13 13:58, Ben Laurie wrote:
On 14 June 2013 13:57, Rob Stradling wrote:
Safari's User-Agent string reveals the OSX version that it is running on. A
few weeks ago I analyzed some webserver logs to get an idea of historical
OSX update rates. Based on that analysis, I forecast
c0a4d
What do people think?
No keep the patch.
I think you misunderstood what Ben meant by "pull".
See "man git-pull"
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_
euse one of the existing *ancient* flags. Does
anyone really care about compatibility with a bug in SSLeay 0.80 for example?
I'd wondered about that. If you're happy to reallocate one of the
ancient flags, please do!
--
Rob Stradling
Senior Research & Development Scientist
C
, the 0x400 bit used to be set in
SSL_OP_ALL, and has previously been used for at least 2 other purposes!
http://cvs.openssl.org/chngview?cn=18974
http://cvs.openssl.org/chngview?cn=22501
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Cr
On 14/06/13 14:16, Ben Laurie wrote:
On 14 June 2013 14:08, Rob Stradling wrote:
Apparently the ECDHE-ECDSA bug is in SecureTransport, which is an integral
component of OSX.
https://developer.apple.com/library/mac/#documentation/security/Reference/secureTransportRef/Reference
?
Or, is "SSL_CTX_set_ecdh_auto(ctx, 1);" the only supported way of doing
it in 1_0_2?
Thanks.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project
#define), but I'm unsure whether or
not that would be better than the first option.
Any preference?
Thanks.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Pro
On 06/11/13 17:27, Dr. Stephen Henson wrote:
On Wed, Nov 06, 2013, Rob Stradling wrote:
These 2 #defines exist for SSL_CTX->extra_certs:
SSL_CTX_add_extra_chain_cert
SSL_CTX_get_extra_chain_certs
SSL_CTX_clear_extra_chain_certs
In 1.0.2-dev, the #defines such
8-SHA
RC4-SHA
RC4-MD5
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA
(Obviously you'll need 2 server certificates, one with an RSA key and
one with an ECC key).
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trus
www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax:
;ALL:!aNULL:!eNULL:!SSLv2"
I wonder how many of these ciphers are actually ever negotiated in
real-world use.
The padding extension is only used if the ClientHello would be between 256 and
511 bytes in length so if you reduce the number of ciphersuites it won't be
used.
--
Rob Stradling
as a bit behind the times. The configuration files
were set to use UTF8 only well before then but not the default in the source.
The bug is in any software which relies on the DirectoryString being a
PrintableString and not in OpenSSL.
Steve.
--
Rob Stradling
Senior Research & Development Scient
s that the full chain needs to be validated, the
validation procedure should be able to bridge the cert included on the
'-issuer' flag with a single root specified on the '-CA' flag. (It currently
does not.)
-cem
--
Rob Stradling
Senior Research &
This can presumably be resolved as fixed, given the commit on #2626 just
now.
On 29/09/10 20:54, Rob Stradling via RT wrote:
NIST (SP800-57 Part 1) recommends a minimum RSA key size of 2048-bits beyond
2010. From January 1st 2011, in order to comply with the current Microsoft[1]
and Mozilla[2
uess I've drifted a bit off-topic for this list).
> OCSP stapling is defined in RFC 2560.
RFC 2560 defines OCSP, but not OCSP Stapling.
OCSP Stapling is the popular term for the Certificate Status Request TLS
Extension defined most recently by RFC 6066 (previous versions: RFC 4366, RFC
st openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO C
t the server will actually send?
Thanks.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project http://www.openssl.org
Development Mailing List
fixed without breaking binary compatibility.
See if adding:
c->key = c->pkeys + i;
to ssl_get_server_send_cert fixes this.
Which it won't because the status callback is called too soon as you noted.
Would moving the status callback to a sufficiently later point in the
handshake wor
On 18/06/12 11:40, Rob Stradling wrote:
On 16/06/12 23:31, Dr. Stephen Henson wrote:
Is there a way to patch httpd so that it can work around the
limitations in the OpenSSL API and always send the correct OCSP
Response?
Possible changes to OpenSSL:
Should the Stapling Callback function be
n the function's last if
statement: if (sign_nid && hash_nid)
I suggest:
- int sign_nid, hash_nid;
+ int sign_nid, hash_nid = 0;
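Review bot: the `+` line gives only hash_nid an initial value, while the condition quoted above it, `if (sign_nid && hash_nid)`, reads both variables. If sign_nid can reach that test without having been assigned, it needs the same treatment, so consider `int sign_nid = 0, hash_nid = 0;`. If sign_nid is always assigned before the test, a one-line comment saying so would explain why only hash_nid is initialised.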
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
dl...@comodo.com - Fri Sep 21 15:02:54 2012]:
Attached are patches for 1.0.0 and 0.9.8.
Note, I updated the original change to retain compatibility with
existing behaviour as far as possible. See:
http://cvs.openssl.org/chngview?cn=22808
Steve.
--
Rob Stradling
Senior Research &
p://cvs.openssl.org/chngview?cn=22840
I didn't think of that. Thanks!
I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or
Ben get there first).
--
Rob Stradling
Senior Research & Develop
On 21/09/12 15:12, Rob Stradling via RT wrote:
On 21/09/12 15:04, Stephen Henson via RT wrote:
Easiest solution is to also backport ssl_get_server_send_pkey see:
http://cvs.openssl.org/chngview?cn=22840
I didn't think of that. Thanks!
I'll prepare patches to backport 22840 to
Thank you very much!
The picture is captured from the openssl0.9.8y, and the bugs and fixes
show like the following:
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
__
using affected Safari versions a few years from now.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7ad8a54..fff73eb 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3076,7 +3076,10 @@ void ssl3_clear(SSL
[CTX_]clear_chain_certs() - clear the current certificate's chain.
The patch also adds these functions to, and fixes some existing errors
in, SSL_CTX_add1_chain_cert.pod.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
diff -
I've tested this patch successfully with an installation of httpd 2.4.2
that has both an RSA cert and an ECC cert configured.
If this patch is OK, I'd like to backport it to the OpenSSL 1.0.x branch
as well.
--
Rob Stradling
Senior Research & Development Scientist
C
Attached is an updated patch for CVS HEAD, plus a patch for the 1.0.2
branch.
Are you still accepting patches for 1.0.1?
Any chance of reviewing these patches soon?
Thanks.
On 19/06/12 21:15, Rob Stradling via RT wrote:
> The OCSP Stapling Callback function (s->ctx->tlsext_stat
On 07/09/12 11:51, Rob Stradling wrote:
> Attached is an updated patch for CVS HEAD, plus a patch for the 1.0.2
> branch.
>
> Are you still accepting patches for 1.0.1?
Attached is a patch for 1.0.1.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trus
Attached are patches for 1.0.0 and 0.9.8.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd F
b.stradl...@comodo.com - Fri Sep 21 15:02:54 2012]:
>>
>> Attached are patches for 1.0.0 and 0.9.8.
>>
>>
>
> Note, I updated the original change to retain compatibility with
> existing behaviour as far as possible. See:
>
> http://cvs.openssl.org/chngview
keys
> and certificates not matching, certificate types not matching and memory
> leaks).
That's what I thought.
> Easiest solution is to also backport ssl_get_server_send_pkey see:
>
> http://cvs.openssl.org/chngview?cn=22840
I didn't thi
On 21/09/12 15:12, Rob Stradling via RT wrote:
> On 21/09/12 15:04, Stephen Henson via RT wrote:
>> Easiest solution is to also backport ssl_get_server_send_pkey see:
>>
>> http://cvs.openssl.org/chngview?cn=22840
>
> I didn't think of that. Thanks!
>
> I
On 21/09/12 15:38, Rob Stradling via RT wrote:
> On 21/09/12 15:12, Rob Stradling via RT wrote:
>> On 21/09/12 15:04, Stephen Henson via RT wrote:
>
>>> Easiest solution is to also backport ssl_get_server_send_pkey see:
>>>
>>> http://cvs.openssl.org/chngvie
hange in behaviour? If so, I'll submit my
> patch to the Request Tracker.
>
> > Steve.
> > --
> > Dr Stephen N. Henson. OpenSSL project core developer.
> > Commercial tech support now available see: http://www.openssl.org
> > ___
ate and end-entity
certificates from roots with RSA key sizes smaller than 2048 bits. All CAs
should stop issuing intermediate and end-entity certificates with RSA key size
smaller than 2048 bits under any root".
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust
0)
goto err;
#if 0
if (BIO_printf(bp,"%8sSignature Algorithm: ","") <= 0)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
on
>> OpenSSL 1.0.1k 8 Jan 2015
>
>
> dpkg -l openssl
>> ii openssl 1.0.1k-3+deb8u1amd64 Secure
>> Sockets Layer toolkit - cryptographic utility
>
> tried also to compile the newest one fr
https://github.com/openssl/openssl/pull/495
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-