Re: [openssl.org #1466] X.509 name's printing

2007-03-12 Thread Roumen Petrov via RT
RFC 2254 : The String Representation of LDAP Search Filters This patch adds support for rfc2254 escaping. With patched source, method ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags);, where flags are XN_FLAG_RFC2253|ASN1_STRFLGS_ESC_2254, can be used in generation of LDAP

[openssl.org #1552] mingw patch for openssl-0.9.8e

2007-06-26 Thread Roumen Petrov via RT
I would like to propose following patch to openssl-0.9.8e source (see attachment openssl-0.9.8e-mingw.patch.gz). This patch is intended to create executables compatible with other win32 compilers. Modifications: ./Makefiles.shared: - link_o.cygwin(used to build engines): modified use def-files

[openssl.org #1553] mscrypto engine for 0.9.8

2007-06-29 Thread Roumen Petrov via RT
Please find attached file openssl-mscrypto-20070625.tar.gz with openssl engine that can use keys from windows key-store. The engine can work with external keys too. Source is for openssl version 0.9.8 and mingw build require openssl source with mingw patch for 0.9.8 from request #1552 ( see

Re: [openssl.org #1552] mingw patch for openssl-cvs

2007-08-02 Thread Roumen Petrov via RT
And now against CVS openssl-cvs-mingw.diff.gz Description: application/gzip

Re: [openssl.org #1552] mingw patch for openssl-cvs

2008-02-17 Thread Roumen Petrov via RT
patch updated to current cvs 20080217 Roumen openssl-cvs20080217-mingw.patch.gz Description: application/gzip

[openssl.org #1747] capi engine and mingw

2008-09-24 Thread Roumen Petrov via RT
The attached patch is for openssl head and allow capi engine to be build with mingw (tested with cross-compilation). Details for the patch follow: Build: - export of OPENSSL_isservice: The new capi engine require function OPENSSL_isservice() if engine dialog is enabled. To get correct record in

Re: [openssl.org #1753] snapshot 20081003 broke mingw build

2008-10-21 Thread Roumen Petrov via RT
Alon Bar-Lev via RT wrote: Attached are patches, please address this issues, it is hard to keep sync this way. The order of the issue is according to importance, (1, 2, 3) blockers. Thanks! 1. _XOPEN_SOURCE cannot be used in mingw, strptime is never used anyway? 2. Make domd use cross

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Roumen Petrov via RT
Maarten Litmaath wrote: Hi Stephen, I can't see how anything could cause an issue with 85 CAs. The attached descriptions imply it might be a mod_ssl issue (not reproducible with s_server). There is a bit more information now in our ticket: https://savannah.cern.ch/bugs/?48458

Re: [openssl.org #2071] Few more manual page

2009-10-15 Thread Roumen Petrov via RT
Maybe it is good to document that numbers in hash dir start from zero. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated

Re: [openssl.org #2137] [PATCH] mingw fixups

2010-01-12 Thread Roumen Petrov via RT
Alon Bar-Lev via RT wrote: The following is required in order to make beta4 compile using mingw (w64). Every time there is #include <windows.h> some symbols should be removed. Also, there is no need to #include <windows.h> if e_os2.h was included. [SNIP] diff -urNp

Re: [openssl.org #832] ocsp and dsa key+socket option SO_REUSEADDR for responder

2004-03-04 Thread Roumen Petrov via RT
evp_md = EVP_get_digestbynid(rkey->type) return: - DSA key: same as EVP_dss1() - RSA key: NULL - OBJ_nid2sn(rkey->type) return rsaEncryption Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Fri, 27 Feb 2004 14:00:24 +0100 (MET), Stephen Henson via RT [EMAIL PROTECTED]

Re: [openssl.org #1400] spurious CRs in S/MIME clearsigned mails

2006-10-17 Thread Roumen Petrov via RT
Hello Bruno, Please could you detail used software. During the past weekend I have time to setup a test network: linux box: - sendmail 8.12.9 - popa3d 0.6.1 - Mozilla 1.7.13 email client ms windows me (at last i found a PC with operating system that use CRLF as EOL): - Mozilla 1.7.13 email

Re: [openssl.org #1400] spurious CRs in S/MIME clearsigned mails

2006-10-22 Thread Roumen Petrov via RT
Proposed patches: a.) apps-smime.patch : proper eol for To,From and Subject headers in case of -crlfeol command line option. b.) crypto-pkcs7-pk7_mime.patch : - add header in case of binary processing - add empty line (mandatory) if processing type is not specified (case without -text and

[openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT
This ticket is opened to solve issues related to printing of subject and/or issuer name of a X.509 certificate and related documentation. Roumen

Re: [openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT
This patch correct escape form in ASN1_STRING_print_ex documentation.

Re: [openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT
This patch correct options for command line argument -nameopt of x509 application.

Re: [openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT
Third issue is how to print certificate subject/issuer distinguished name in UTF-8 in more user friendly way ? Example from manual page work fine: $ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb I prefer to use command more compatible to so called compatible format: $

Re: [openssl.org #2137] [PATCH] mingw fixups

2010-01-13 Thread Roumen Petrov via RT
Hi Alon, Alon Bar-Lev via RT wrote: Hello, I use i686-w64-mingw32... We discussed this in past (I think) LEAN_AND_MEAN was added to win64 but not win32. As w64 compiler much more complete and maintained I use it to compile win32 as-well. Alon. On Tue, Jan 12, 2010 at 11:14 PM, Roumen

Re: [openssl.org #2195] [PATCH] Set default field separator in do_name_ex() (nameopt switch)

2010-03-18 Thread Roumen Petrov via RT
Kaspar Brand via RT wrote: When using -nameopt with the x509/req/ca commands, OpenSSL will currently abort the output if no sep_xxx option is provided. Examining the certificate from https://rt.openssl.org with openssl 509 -noout -text -nameopt utf8 e.g. gives Certificate: Data:

Re: [openssl.org #2246] dtls1.h includes winsock.h, overriding the #undefs from ossl_typ.h on Windows

2010-04-26 Thread Roumen Petrov via RT
M.-A. Lemburg via RT wrote: An application that only includes openssl/ssl.h from OpenSSL 1.0.0 and doesn't use winsock.h will run into problems on Windows, since the dtls1.h header file includes the winsock.h header file long after the ossl_typ.h header file was loaded. What about to define

Re: [openssl.org #2374] [PATCH] mingw32 cant compile e_capi.c (1.0.0b)

2010-11-18 Thread Roumen Petrov via RT
Guenter via RT wrote: Hi, it seems that all native MingW32 versions (tested with MingW32 4.50) lack of stuff to compile e_capi.c: [SNIP] make[1]: *** [e_capi.o] Error 1 make[1]: Leaving directory `/d/openssl-1.0.0b/engines' Therefore I've added some more define tests to OpenSSL 1.0.0b

[openssl.org #2443] mkdef.pl cannot handle FIPS related functions

2011-02-03 Thread Roumen Petrov via RT
The mingw cross-build of current HEAD(2011-01-31) fail : WARNING: mkdef.pl doesn't know the following algorithms: NEXTPROTONEG Creating library file: libcrypto.dll.a Cannot export FIPS_dh_free: symbol not defined . Cannot export RSA_X931_generate_key_ex: symbol not defined collect2:

Re: [openssl.org #2443] mkdef.pl cannot handle FIPS related functions

2011-02-04 Thread Roumen Petrov via RT
Dr. Stephen Henson wrote: [snip] I've updated the sources so they are now available outside FIPS mode. Steve. 10x solved, please close. Roumen

[openssl.org #2454] enable engine key for dsa command

2011-02-20 Thread Roumen Petrov via RT
Obsolete code prevent dsa command to use keys stored into engine. The attached patch remove open of input file and left all to load_xxx functions. See for reference rsa command that work fine. Roumen Index: apps/dsa.c === RCS file:

[openssl.org #2455] print dsa pubin/pubout options

2011-02-20 Thread Roumen Petrov via RT
See attached file with patch for openssl dsa command: print -pubin/-pubout options. Also -engine flags is moved at same position as for rsa command. Roumen Index: apps/dsa.c === RCS file:

Re: [openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add abbility to load server certificate by ENGINE.

2011-03-12 Thread Roumen Petrov via RT
Andrey Kulikov via RT wrote: Hello, Please find file attached: server_cert_from_engine4.patch This is a patch to allow loading server SSL certificate by ENGINE. [SNIP] After applying this patch s_server will accept -certform ENGINE option. This patch supplied by Stonesoft Corporation,

Re: [openssl.org #2504] Cross Compile MinGW DLLs on Linux

2011-04-27 Thread Roumen Petrov via RT
Marc Wäckerlin via RT wrote: Hi OpenSSL I managed to Cross Compile OpenSSL on Linux so that I can develop OpenSSL applications that run on Windows entirely inside a Linux build environment. It even builds the executables and the DLLs on Linux. Please add my changes to the official

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

2011-09-11 Thread Roumen Petrov via RT
Nick Lewis via RT wrote: The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not work correctly for some combinations of ctx->chain, x and issuer. For example when the cert x is in the chain at a location other than the top, a path loop is incorrectly declared. Also if the

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

2011-09-26 Thread Roumen Petrov via RT
Nick Lewis via RT wrote: Roumen Thank you for looking at the patch [SNIP] + if (issuer_num (issuer_num x_num)) Please find a corrected version below Best Regards Nick [SNIP] With update version i confirm that regression test of a software now pass with OpenSSL HEAD

Re: [openssl.org #2718] openssl-fips-1.2.3: testsuite failures (SIGILL / Illegal instruction)

2012-02-22 Thread Roumen Petrov via RT
Hi Guido, Guido Trentalancia via RT wrote: Hello. I was trying to run the testsuite for openssl-fips-1.2.3 but I get a problems with several tests. [SNIP] OpenSSL self-test report: [SNIP] Target: linux-x86_64 [SNIP] gcc version 4.6.1 (GCC) Please could you confirm that during the

Re: [openssl.org #2750] [BUG] spec file doesn't properly build for lib64

2012-03-04 Thread Roumen Petrov via RT
Kevin Vargo via RT wrote: Some minor updates to the openssl.spec: wrapping ifarch around the various lib dirs to get the right files in the right places. See attached diff Configure script and spec are not consistent regarding multilib. It seems to me spec file should use libdir script

[openssl.org #2752] objects.txt - update of extended key usage

2012-03-04 Thread Roumen Petrov via RT
Hi, RFC 6187 X.509v3 Certificates for Secure Shell Authentication defines two extended key usage ( http://tools.ietf.org/html/rfc6187#section-2.2.2 ) with numbers 21 and 22 for secure shell client and server respectively. Currently in OpenSSL last number defined is 10. This request is only

Re: [openssl.org #2781] OpenSSL 1.x doesn't compile on mingw-w64 (targeting win32)

2012-04-01 Thread Roumen Petrov via RT
Leandro Santiago via RT wrote: I'm trying to compile openssl 1.0.1 (but I also tested the 1.0.0) on mingw-w64 (gcc 4.7), but I'm having errors. I tested in three configurations: Ubuntu 11.04 32-bit, Kubuntu 11.10 64-bit and Windows 7 32-bit having the same errors. The command line I used

Re: [openssl.org #2745] Fwd: GOST engine memory problems

2012-09-01 Thread Roumen Petrov via RT
Stephen Henson via RT wrote: I've finally had time to look into this. Please see if this fixes the issue: May be is not related, but this engine lack call of ENGINE_register_pkey_asn1_meths . It seems to me without this registration initialization is different . If engine configuration is

Re: [openssl.org #832] ocsp and dsa key+socket option SO_REUSEADDR for responder

2014-08-15 Thread Roumen Petrov via RT
Rich Salz via RT wrote: SO_REUSEADDR is done. It is not activated in ocsp.c . The rest is fixed in 1.+ [SNIP]

Re: [openssl-dev] [PATCH] [openssl.org #2558] [patch] make windres controllable via build env var settings

2015-03-08 Thread Roumen Petrov via RT
Mike Frysinger via RT wrote: atm, the windres code in openssl is only usable via the cross-compile prefix option unlike all the other build tools. So add support for the standard $RC / $WINDRES env vars as well. --- [SNIP] else{ s/^CC=.*$/CC= $cc/;

[openssl-dev] [openssl.org #4029] incomplete get methods for X509_VERIFY_PARAM

2015-09-04 Thread Roumen Petrov via RT
Hello, In master branch structure X509_VERIFY_PARAM is declared as opaque. For following attributes "get"-method is not defined: - check_time : applicable if flag X509_V_FLAG_USE_CHECK_TIME is set - inh_flags - purpose - trust - policies: stack of opaques ASN1 objects - id : opaque structure,

[openssl-dev] [openssl.org #4207] engine key format in 1.1

2015-12-29 Thread Roumen Petrov via RT
Hi, Implementation of common option processing for OpenSSL commands broke ENGINE key format. The patches attached to this email are only for tested command. 1) dgst command (see 0003-dgst-cmd-restore-keys-from-engine.patch) Key form is described as any but value type of input ('<') is too

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2015-12-29 Thread Roumen Petrov via RT
Salz, Rich via RT wrote: > I don't know that I would call it a regression, but rather a difference. :) > I'll fix the summary but not the old uncommon behavior. Unlike other commands engine is flexible and documented behaviour (see previous post with quoted text). As result in samples first is

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-02 Thread Roumen Petrov via RT
Rich Salz via RT wrote: > [SNIP] > out = dup_bio_out(FORMAT_TEXT); > - prog = opt_init(argc, argv, engine_options); > if (!engines || !pre_cmds || !post_cmds) > goto end; > + while ((argv1 = argv[1]) != NULL && *argv1 != '-') { > + sk_OPENSSL_STRING_push(engines, *argv1); > + argc--; > + argv++; >

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-03 Thread Roumen Petrov via RT
Salz, Rich via RT wrote: > Tweaked, sigh. > ; ./util/opensslwrap.sh engine - dynamic -pre > engine: Cannot mix flags and engine names. > engine: Use -help for summary. > exit 1 > If engine name cannot be at any position then please keep it as is. i.e. at last position. In this

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-03 Thread Roumen Petrov via RT
Salz, Rich via RT wrote: > Please see this: > > https://github.com/openssl/openssl/compare/master...richsalz:rt4194?expand=1 > It should fail with openssl engine - dynamic -pre SO_PATH:/lib/libfoo.so Help string looks good. Roumen ___

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-03 Thread Roumen Petrov via RT
Salz, Rich via RT wrote: > So you're saying just close this ticket? > No. My request is to restore flexible engine command line and optionally help string. I only disagree with proposed partial correction for command line. ___ openssl-dev mailing list

[openssl-dev] [openssl.org #4195] remove duplicates in util/libeay.num

2015-12-22 Thread Roumen Petrov via RT
Hello, After remove of some global variables in export file left double information for non existent functions. For instance before: X509_CERT_PAIR_it 3534 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_CERT_PAIR_it 3534

[openssl-dev] [openssl.org #4194] engine command regression in 1.1

2015-12-21 Thread Roumen Petrov via RT
Hello, OpenSSL engine command allows user to specify cryptographic module name at any position. For instance README.ENGINE recommend following: openssl engine dynamic \ -pre SO_PATH:/lib/libfoo.so \ The master branch (future 1.1) requires engine names to be specified after all

[openssl-dev] [openssl.org #4200] extra data for ec keys

2015-12-24 Thread Roumen Petrov via RT
Update patch sent to request tracker - without gap for CRYPTO_EX_INDEX Salz, Rich wrote: >> External cryptographic modules may store addition information to key. >> What about to define CRYPTO_EX_DATA for ec keys? > That is the plan -- we will remove EX_EX_DATA and the internal API and just >

Re: [openssl-dev] [openssl.org #4207] engine key format in 1.1

2016-01-16 Thread Roumen Petrov via RT
Also patches for commands: - pkey : "0017-pkey-cmd-restore-keys-from-engine.patch" - req : "0018-req-cmd-restore-keys-from-engine.patch" From 0ea1c0b9b600977e93efed4545166ec4ae245bc9 Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Sat, 9 Jan 2016 14:52:14 +0200

[openssl-dev] [openssl.org #4249] ECDSA method flags

2016-01-16 Thread Roumen Petrov via RT
In 1.0.2 branch commit 94c2f77a62be7079ab1893ab14b18a30157c4532 adds functions to set ECDSA_METHOD structure. One of the functions is to set flags. Until now ECDSA flags are defined only in non-installed header. 1) "0003-move-some-ECDSA_METHOD-declarations-after-descriptio.patch" First patch is

[openssl-dev] [openssl.org #4590] accessors without const return arguments

2016-06-25 Thread Roumen Petrov via RT
Hello, Recently declaration of a number of get0 methods was changed to return constant values (BIGNUM). Let me quote description of an allocator "/ECDSA_SIG_new()/ allocates a new *ECDSA_SIG* structure (note: this function also allocates the BIGNUMs) and initialize it." Now let's try to

Re: [openssl-dev] [openssl.org #4320] [Patch] OpenSSL 1.1.0-pre3: "unable to load Key" error in PEM_get_EVP_CIPHER_INFO()

2016-02-22 Thread Roumen Petrov via RT
Hi Rich, Rich Salz via RT wrote: > fixed in commit 985c3146967633707f7c165df82bb0fd8f279758 thanks for the > report! From initial patch is missing line with header += 9. Please could you review parsing with ENCRYPTED Roumen -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4320

Re: [openssl-dev] [openssl.org #2363] bug: memory allocated by DH_new() may never be free()ed

2016-02-29 Thread Roumen Petrov via RT
It is expected DH_free(DH_new()); to leaks memory. Usually XXX method initialize "extra data". Sample code is without code that clear library, at least CRYPTO_cleanup_all_ex_data is missing. Roumen -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2363 Please log in as guest

[openssl-dev] [openssl.org #4312] documentation: RSA_new_method argument

2016-02-16 Thread Roumen Petrov via RT
Hello, Function argument is pointer to ENGINE - please find attached patch Regards, Roumen Petrov -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4312 Please log in as guest with password guest if prompted From 2f2e1f210ec3c8452ecd041604fd14071a4b59ca Mon Sep 17 00:00:00 2001

Re: [openssl-dev] [openssl.org #4590] accessors without const return arguments

2016-08-03 Thread Roumen Petrov via RT
Stephen Henson via RT wrote: > On Sat Jun 25 22:09:59 2016, open...@roumenpetrov.info wrote: >> Above is reason the request to remove const from return argument of get0 >> methods. > We had a discussion about this and the preference was to have get methods > retain const for various reasons. > >

[openssl-dev] [openssl.org #4681] X.509 load method

2016-09-22 Thread Roumen Petrov via RT
This is an enhancement request. OpenSSL 1.1 hides details of structures used to load X.509 certificates, in particular - x509_lookup_method_st , x509_lookup_st and x509_object_st. This impacts non-OpenSSL projects, as an external application has to duplicate those structures. Request is OpenSSL do