Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

> On Apr 17, 2018, at 11:27 PM, Salz, Rich wrote: > > So far, if there's no SNI then we shouldn't do TLS 1.3 (as a client). That > seems easy to code. That might be a sensible work-around, with a bit of care to make sure that the user has not also disabled TLS 1.2 (i.e.

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

So far, if there's no SNI then we shouldn't do TLS 1.3 (as a client). That seems easy to code. ___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

In message on Tue, 17 Apr 2018 14:32:37 -0400, Viktor Dukhovni said: openssl-users> openssl-users> openssl-users> > On Apr 17, 2018, at 2:15 PM, Richard Levitte wrote: openssl-users> >

[openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

Applications that have hitherto used TLS <= 1.2 have often not needed to use SNI. The extension, though useful for virtual-hosting on the Web, was optional. TLS 1.3 has raised the status of SNI from optional to "mandatory to implement". What this means that is that implementations must support

Re: [openssl-project] TLS 1.3 and SNI

On 17/04/18 23:36, Viktor Dukhovni wrote: > > Just wanted to check. The TLS 1.3 draft lists SNI as mandatory to implement, > but is not mandatory to use. Clients should, but do not have to send SNI, > and servers may require SNI, but can just use some default chain instead. > > Does

[openssl-project] TLS 1.3 and SNI

Just wanted to check. The TLS 1.3 draft lists SNI as mandatory to implement, but is not mandatory to use. Clients should, but do not have to send SNI, and servers may require SNI, but can just use some default chain instead. Does OpenSSL's TLS 1.3 support mandate SNI in either the client or

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

> On Apr 17, 2018, at 2:15 PM, Richard Levitte wrote: > > Depends on what "the best thing you know to do" is. In my mind, > simply refusing to run as before because the new kid in town didn't > like the environment (for example a cert that's perfectly valid for > TLSv1.2

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

In message <87d0yxq0m7@fifthhorseman.net> on Tue, 17 Apr 2018 09:05:52 -0700, Daniel Kahn Gillmor said: dkg> On Mon 2018-04-16 08:22:59 +0200, Richard Levitte wrote: dkg> > Generally speaking, I don't necesseraly agree. If the use of an API dkg> > is perfectly valid

[openssl-project] Release done, repository unfrozen

OpenSSL 1.1.1 pre release 5 done! Repository is now unfrozen. Thank you Matt for the review! Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ ___ openssl-project mailing list

[openssl-project] OpenSSL verssion 1.1.1 pre release 5 published

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.1 pre release 5 (beta) === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 5 has now

Re: [openssl-project] Constant time by default

On Mon, Apr 16, 2018 at 06:06:33PM +0100, Matt Caswell wrote: > > As I say in the PR (marked as WIP) I am seeking feedback as to whether > this is something we should pursue now (i.e. for 1.1.1) or later (post > 1.1.1) or not at all. A related question I have is, do we consider this security

Re: [openssl-project] Fwd: New Defects reported by Coverity Scan for openssl/openssl

On 17/04/18 06:06, Dr. Matthias St. Pierre wrote: > Matt, > > I wasn't aware that I can register for coverity reports (which I just > did). If no one else has done it yet, I can look into the three drbg > issues mentioned in your mail. Great! Thanks Matt > > Matthias > > BTW: isn't beta

[openssl-project] Release of OpenSSL beta release 3 (pre5) happens

Hi, just a reminder that we're scheduled to release openssl-1.1.1-pre5 today. I'll do the release this time. If someone could freeze the repo for me, I'd be grateful: ssh openssl-...@git.openssl.org freeze openssl levitte Cheers, Richard -- Richard Levitte levi...@openssl.org