[openssl-dev] [openssl.org #3624] Unify SSL_CONF_* interface to be SSL_CONF_CTX_*, with patch against [master/33d5ba8]

2014-12-08 Thread Steffen Nurpmeso via RT
Does: - Fixes a typo in s_client.pod (2x in the). - Changes .pod to reflect reality: it is SSL_CONF_CTX_finish(), not SSL_CONF_finish(). - While here it seems best to change the remaining SSL_CONF_cmd(), SSL_CONF_cmd_argv() and SSL_CONF_cmd_value_type() to have a SSL_CONF_CTX_ prefix,

Re: [openssl-dev] [openssl.org #3624] Unify SSL_CONF_* interface to be SSL_CONF_CTX_*, with patch against [master/33d5ba8]

2014-12-08 Thread Steffen Nurpmeso via RT
Oh yes: and on top of that former patch there really were also dangling SSL_CTX_cmd() use cases in .pod files, which are thus and finally changed to SSL_CONF_CTX_cmd via the attached patch, too. Thank you. --steffen diff --git a/doc/ssl/SSL_CONF_CTX_cmd.pod b/doc/ssl/SSL_CONF_CTX_cmd.pod index

[openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-08 Thread Steffen Nurpmeso via RT
Hello, and finally i propose three new values for the Protocol slot of SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. I included OLDEST for completeness' sake, NEWEST is in effect what i've always forced for my thing whenever possible, and encouraged users to use themselves, but of course it

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Richard Moore richmoor...@gmail.com wrote: |On 8 December 2014 at 19:20, Steffen Nurpmeso via RT r...@openssl.org wrote: | and finally i propose three new values for the Protocol slot of | SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. | |In Qt we've added an enum value for TLS versions

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Richard Moore richmoor...@gmail.com wrote: |On 9 December 2014 at 11:35, Steffen Nurpmeso sdao...@yandex.com wrote: | Richard Moore richmoor...@gmail.com wrote: ||On 8 December 2014 at 19:20, Steffen Nurpmeso via RT r...@openssl.org | wrote: || and finally i propose three new values

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Kurt Roeckx via RT r...@openssl.org wrote: |On Mon, Dec 08, 2014 at 08:20:44PM +0100, Steffen Nurpmeso via RT wrote: | and finally i propose three new values for the Protocol slot of | SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. | |I actually find the option unfortunate and I think

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-10 Thread Steffen Nurpmeso via RT
Kurt Roeckx via RT r...@openssl.org wrote: |On Mon, Dec 08, 2014 at 07:58:31PM +0100, Steffen Nurpmeso via RT wrote: | set ssl-protocol=ALL,-SSLv2 | | This results in the obvious problem that when they (get) | upgrade(d) their OpenSSL library they will see a completely | intransparent

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
|Kurt Roeckx via RT r...@openssl.org wrote: ||been one that sets the minimum and maximum version. But I think ||we're too late 1.0.2 process to still change this. Attached a git format-patch MBOX for 1.0.2 (on top of [6806b69]). It boils anything down into two changesets (SSL_CONF_CTX and

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Salz, Rich rs...@akamai.com wrote: |I think magic names -- shorthands -- are a very bad idea. \ I _completely_ disagree. | They are point-in-time statements whose meaning evolves, \ |if not erodes, over time. Because i don't think that a normal user, or even normal administrators and

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-11 Thread Steffen Nurpmeso via RT
Hello, Stephen Henson via RT r...@openssl.org wrote: |On Mon Dec 08 19:58:31 2014, sdao...@yandex.com wrote: | If people start using SSL_CONF_CTX as they are supposed to with | v1.0.2, then it can be expected that users start using strings | like, e.g. (from my thing), | | set

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | Personally i am willing to put enough trust in the OpenSSL team *even | insofar* as i now do 'set ssl-protocol=ALL,-VULNERABLE' | and leave the task of deciding what is VULNERABLE up to you. | |That is not a responsibility we want. No how, no way.

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Yoav Nir ynir.i...@gmail.com wrote: | On Dec 9, 2014, at 1:24 PM, Steffen Nurpmeso via RT r...@openssl.org \ | wrote: | Salz, Rich rs...@akamai.com wrote: ||I think magic names -- shorthands -- are a very bad idea. \ | | I _completely_ disagree. | || They are point-in-time statements

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | Y causes a ciphersuite (or TLS version) to be dropped into VULNERABLE, |I am more concerned about the case where a common crypto type \ |is broken, and zillions (a technical term :) of websites are \ |now at-risk because there wasn't an immediate

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | I'd love to see a version of bettercrypto.org that only \ | has to say to configure | OpenSSL version 1.0.3 and higher, you should use the string BEST_PRACTICE | |That can happen but not by embedding magic strings into code. See But isn't TLSv1.2

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Hi. Richard Moore richmoor...@gmail.com wrote: | Programs which use the OpenSSL library generally just want to flip a | switch and know that they've turned on security, instead of trying to |My experience suggests that while that might be what some developers want, |that's not what users

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | So you want a separate openssl-conf package. Fine, then provide it and | give an easy mechanism for applications to hook into it. | And for users to be able to overwrite system defaults. | But this has not that much to do with #3627. | |Yes it

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-11 Thread Steffen Nurpmeso via RT
Dr. Stephen Henson st...@openssl.org wrote: |On Thu, Dec 11, 2014, Steffen Nurpmeso via RT wrote: | are hard (not only to parse) for users but there is a lot of | information for good in very few bytes; sad is | | Received SIGPIPE during IMAP operation | IMAP write error: error:

[openssl-dev] [openssl.org #3632] Enhancement request: CONF_modules_load_file(): please include filename in error message

2014-12-12 Thread Steffen Nurpmeso via RT
So i follow Rich Salz and am adding support for SSL_CONF_modules_load_file() (but i'm still wondering a bit why i do that) and while testing (with v1.0.2 beta4) i see messages like error:02001002:system library:fopen:No such file or directory error:0200100D:system library:fopen:Permission

[openssl-dev] [openssl.org #3633] Enhancement request: CONF_modules_load_file(): please add a CONF_MFLAGS_LOAD_USER_FILE

2014-12-12 Thread Steffen Nurpmeso via RT
Hello, while following Rich Salz's suggestion to make use of CONF_modules_load_file() i stumbled personally over the restriction that only a global openssl.cnf seems to be supported. There is no support for automatic loading of a $HOME/.openssl.cnf on top of the global version. And whereas

[openssl-dev] [openssl.org #3634] Docfix: doc/apps/enc.pod says aes-[128|192|256] but means aes[..]

2014-12-12 Thread Steffen Nurpmeso via RT
..so that even after OpenSSL_add_all_algorithms(3) EVP_get_cipherbyname(3) fails to load aes-128 as an alias for aes-128-cbc. --steffen diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index 41791ad..88e8b79 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -282,7 +282,7 @@ authentication

Re: [openssl-dev] [openssl.org #3633] Enhancement request: CONF_modules_load_file(): please add a CONF_MFLAGS_LOAD_USER_FILE

2014-12-16 Thread Steffen Nurpmeso via RT
Stephen Henson via RT r...@openssl.org wrote: All i can parse from your answer is that the statement that is long in OpenSSL documentation and was referred to by Rich Salz (unless i'm mistaken) in a different #issue, namely the following paragraph from OPENSSL_config(3): It is strongly

[openssl-dev] [openssl.org #3954] Enhancement suggestion: extend x509(1) with -key-fingerprint

2015-07-23 Thread Steffen Nurpmeso via RT
Hello, for certificates which get renewed -- mine do twice a year, for example -- the fingerprint changes ?0[tmp]$ openssl x509 -fingerprint -noout cert.old SHA1 Fingerprint=00:10:F0:2C:EA:50:1F:11:FE:8D:CC:A0:A9:40:91:A2:D0:4D:65:4E ?0[tmp]$ openssl x509 -fingerprint -noout cert.crt

[openssl-dev] [openssl.org #3949] Bug: PKCS_final.7 not installed

2015-07-21 Thread Steffen Nurpmeso via RT
And on [1] (at least) the link Please see the list of new or open bugs and requests. leads to nowhere. Ciao, [1] http://openssl.org/support/rt.html --steffen ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org

Re: [openssl-dev] [openssl.org #4556] Unknown: mysterious perl(1) error during [master:8d054a5] installation process

2016-06-04 Thread Steffen Nurpmeso via RT
I hope i don't "open" this one! Richard Levitte via RT wrote: |On Thu Jun 02 15:50:31 2016, stef...@sdaoden.eu wrote: |> I have never seen something like this: |> |> Parser.c: loadable library and perl binaries are mismatched (got |> handshake key 0xdb00080, needed

[openssl-dev] [openssl.org #4557] Nit: temporary files left over after [master:8d054a5] installation process

2016-06-02 Thread Steffen Nurpmeso via RT
Yep: -rw--- 1 steffen steffen 1848 Jun 2 14:46 VhXl383LiQ -rw--- 1 steffen steffen 1612 Jun 2 14:46 F1RkvxEZi0 -rw--- 1 steffen steffen 1848 Jun 2 14:46 qg_wML0XIF -rw--- 1 steffen steffen 1848 Jun 2 14:46 4MUN7KIs69 -rw--- 1 steffen steffen 1840 Jun 2

[openssl-dev] [openssl.org #4555] Enhancement request: allow installation without manuals, but anyway without HTML manuals

2016-06-02 Thread Steffen Nurpmeso via RT
Oh yes, please! --steffen -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4555 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4556] Unknown: mysterious perl(1) error during [master:8d054a5] installation process

2016-06-02 Thread Steffen Nurpmeso via RT
Hello. I have never seen something like this: Parser.c: loadable library and perl binaries are mismatched (got handshake key 0xdb00080, needed 0xdb80080) This is v5.24 on a Linux system, and it is flawless afaik. Thanks. --steffen

[openssl-dev] [openssl.org #4627] Doc patch: fix constant names

2016-07-25 Thread Steffen Nurpmeso via RT
Against [80f397e] diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index fb39f94..7b38489 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -124,8 +124,8 @@ than the deprecated alternative commands below. =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>,

Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Steffen Nurpmeso via RT
Richard Levitte via RT wrote: |On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote: |> From the documentation i cannot tell what is wrong with the |> following: |> |> echo abc > a; echo def > b; echo ghi > c |> openssl genpkey -algorithm RSA -out k.prv |> openssl pkey

Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso via RT
Richard Levitte via RT wrote: |On Thu Sep 01 13:13:44 2016, stef...@sdaoden.eu wrote: |> Before sending the last message i looked around on the website (it |> has become particularly complicated to find the bug tracker), and |> looking at the "go-back" list i saw dozens of

[openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-01 Thread Steffen Nurpmeso via RT
Before sending the last message i looked around on the website (it has become particularly complicated to find the bug tracker), and looking at the "go-back" list i saw dozens of "OpenSSL" entries, rather than rt, "Getting started as a contributor", etc. --steffen

[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-01 Thread Steffen Nurpmeso via RT
Hello. From the documentation i cannot tell what is wrong with the following: echo abc > a; echo def > b; echo ghi > c openssl genpkey -algorithm RSA -out k.prv openssl pkey -in k.prv -pubout -out k.pub openssl dgst -sha512 -sign k.prv -out .sig a b c openssl dgst -sha512 -verify

Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso via RT
"Salz, Rich" wrote: .. |for and fix? (I'm kinda slow sometimes) Do you know the story of the couple that had been married for decades when suddenly, at a Sunday morning breakfast, it has been revealed that she, who was given the upper half of the bread rolls for so long --