Re: [openssl-project] Release Criteria Update
In message <20180907.025152.1131079938025695690.levi...@openssl.org> on Fri, 07 Sep 2018 02:51:52 +0200 (CEST), Richard Levitte said:

> For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable

That was a bit of an over-statement... but it seems that there are
things in the wild that were accepted in 1.1.0 (because LONG is used)
that aren't accepted in 1.1.1. A regression still, even though with
less drama.

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
Re: [openssl-project] Release Criteria Update
I think this one should be part of the lot as well:

#7144 ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes

For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
(proper zero). That's simply because the internal version number was
changed from a LONG (custom ASN.1 type, mapping to a C long) to an
INT32 (new custom ASN.1 type, mapping to a C int32).

(no, we don't want to go back to using LONG)

Cheers,
Richard

In message on Thu, 6 Sep 2018 23:41:59 +0100, Matt Caswell said:

> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
> "ready" state. There are 2 which are alternative implementations of the
> same thing - so there are really only 4 issues currently being addressed:
>
> #7145 SipHash: add separate setter for the hash size
>
> Owner: Richard
> Awaiting review (CIs are failing)
>
> #7141 Ensure certificate callbacks work correctly in TLSv1.3
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7139 Remove a reference to SSL_force_post_handshake_auth()
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> Alternative implementation for #7058
>
> Owner: Matt
> Awaiting review. Anyone?
>
> There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
> PRs. The remaining 2 are:
>
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
>
> We thought we had a fix for this, but the PR in question does not seem
> to have solved the OP's issue
>
> #7133 X509_sign SIGSEGVs with NULL private key
>
> Should be an easy fix
>
> Matt
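An added example (not part of the thread and not OpenSSL's code): a minimal DER INTEGER reader showing why a strict reader rejects the zero-length encoding 02 00 described in the message above, and how a lenient mode can read it as zero. The function name `der_read_int32`, the `lenient` flag and the sample byte arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one DER INTEGER (tag 0x02, short-form length) from buf into *out.
 * Returns the number of bytes consumed, or 0 if the element is rejected.
 * lenient != 0 additionally accepts the invalid zero-length form 02 00
 * and reads it as the value 0. */
size_t der_read_int32(const unsigned char *buf, size_t avail,
                      int lenient, int32_t *out)
{
    if (avail < 2 || buf[0] != 0x02 || buf[1] > 0x7f)
        return 0;                       /* not a short-form INTEGER */
    size_t len = buf[1];
    if (len > avail - 2)
        return 0;                       /* truncated element */
    const unsigned char *v = buf + 2;

    if (len == 0) {                     /* 02 00: no content octets */
        if (!lenient)
            return 0;
        *out = 0;
        return 2;
    }
    if (len > 4)
        return 0;                       /* does not fit an int32 */
    /* DER requires the minimal encoding: no redundant 00 / ff prefix. */
    if (len > 1 && ((v[0] == 0x00 && !(v[1] & 0x80)) ||
                    (v[0] == 0xff && (v[1] & 0x80))))
        return 0;

    uint32_t acc = (v[0] & 0x80) ? 0xffffffffu : 0;   /* sign-extend */
    for (size_t i = 0; i < len; i++)
        acc = (acc << 8) | v[i];
    *out = (int32_t)acc;
    return 2 + len;
}

/* Constructed samples: the version field in its two encodings. */
static const unsigned char OLD_ZERO[]    = { 0x02, 0x00 };
static const unsigned char PROPER_ZERO[] = { 0x02, 0x01, 0x00 };

int main(void)
{
    int32_t ver = -1;
    printf("02 01 00 strict:  %zu\n", der_read_int32(PROPER_ZERO, 3, 0, &ver));
    printf("02 00    strict:  %zu\n", der_read_int32(OLD_ZERO, 2, 0, &ver));
    printf("02 00    lenient: %zu\n", der_read_int32(OLD_ZERO, 2, 1, &ver));
    return 0;
}
```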
Re: [openssl-project] Release Criteria Update
PR for 7133 submitted.

Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

From: Tim Hudson [mailto:t...@cryptsoft.com]
Sent: Friday, 7 September 2018 8:51 AM
To: openssl-project@openssl.org
Subject: Re: [openssl-project] Release Criteria Update

All PRs except #7145 now reviewed and marked ready.

Tim

On Fri, Sep 7, 2018 at 8:41 AM, Matt Caswell <m...@openssl.org> wrote:

We currently have 8 1.1.1 PRs that are open. 3 of which are in the
"ready" state. There are 2 which are alternative implementations of the
same thing - so there are really only 4 issues currently being addressed:

#7145 SipHash: add separate setter for the hash size

Owner: Richard
Awaiting review (CIs are failing)

#7141 Ensure certificate callbacks work correctly in TLSv1.3

Owner: Matt
Trivial change. Awaiting review

#7139 Remove a reference to SSL_force_post_handshake_auth()

Owner: Matt
Trivial change. Awaiting review

#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
Alternative implementation for #7058

Owner: Matt
Awaiting review. Anyone?

There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
PRs. The remaining 2 are:

#7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
18-Aug)

We thought we had a fix for this, but the PR in question does not seem
to have solved the OP's issue

#7133 X509_sign SIGSEGVs with NULL private key

Should be an easy fix

Matt
Re: [openssl-project] Release Criteria Update
All PRs except #7145 now reviewed and marked ready.

Tim

On Fri, Sep 7, 2018 at 8:41 AM, Matt Caswell wrote:

> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
> "ready" state. There are 2 which are alternative implementations of the
> same thing - so there are really only 4 issues currently being addressed:
>
> #7145 SipHash: add separate setter for the hash size
>
> Owner: Richard
> Awaiting review (CIs are failing)
>
> #7141 Ensure certificate callbacks work correctly in TLSv1.3
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7139 Remove a reference to SSL_force_post_handshake_auth()
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> Alternative implementation for #7058
>
> Owner: Matt
> Awaiting review. Anyone?
>
> There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
> PRs. The remaining 2 are:
>
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
>
> We thought we had a fix for this, but the PR in question does not seem
> to have solved the OP's issue
>
> #7133 X509_sign SIGSEGVs with NULL private key
>
> Should be an easy fix
>
> Matt
[openssl-project] Release Criteria Update
We currently have 8 1.1.1 PRs that are open. 3 of which are in the
"ready" state. There are 2 which are alternative implementations of the
same thing - so there are really only 4 issues currently being addressed:

#7145 SipHash: add separate setter for the hash size

Owner: Richard
Awaiting review (CIs are failing)

#7141 Ensure certificate callbacks work correctly in TLSv1.3

Owner: Matt
Trivial change. Awaiting review

#7139 Remove a reference to SSL_force_post_handshake_auth()

Owner: Matt
Trivial change. Awaiting review

#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
Alternative implementation for #7058

Owner: Matt
Awaiting review. Anyone?

There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
PRs. The remaining 2 are:

#7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
18-Aug)

We thought we had a fix for this, but the PR in question does not seem
to have solved the OP's issue

#7133 X509_sign SIGSEGVs with NULL private key

Should be an easy fix

Matt
Re: [openssl-project] Release Criteria Update
> On Sep 6, 2018, at 6:25 PM, Matt Caswell wrote:
>
> I'm not keen on that. What do others think?

No objections to issuing a release. We're unlikely to have to
change the API/ABI or feature set based on further beta feedback.
Any late bugs can be fixed in 1.1.1a, and unless they trigger CVEs,
there's no compelling reason to wait.

Barring specific concerns, I am not opposed to release as planned.

--
Viktor.
Re: [openssl-project] Release Criteria Update
We need to get this release out and available - there are a lot of people
waiting on the "production" release - and who won't go forward on a beta
(simple fact of life there).

I don't see the outstanding items as release blockers - and they will be
wrapped up in time.

Having the release date as a drive I think helps for a lot of focus - and
more stuff has gone into 1.1.1 than we originally anticipated because we
held it open waiting on TLSv1.3 finalisation.

So a +1 for keeping to the release date.

Tim.

On Fri, Sep 7, 2018 at 8:25 AM, Matt Caswell wrote:

> On 06/09/18 17:32, Kurt Roeckx wrote:
> > On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> >> Current status of the 1.1.1 PRs/issues:
> >
> > Since we did make a lot of changes, including things that
> > applications can run into, would it make sense to have another
> > beta release?
>
> I'm not keen on that. What do others think?
>
> Matt
Re: [openssl-project] Release Criteria Update
On 06/09/18 17:32, Kurt Roeckx wrote:
> On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
>> Current status of the 1.1.1 PRs/issues:
>
> Since we did make a lot of changes, including things that
> applications can run into, would it make sense to have another
> beta release?

I'm not keen on that. What do others think?

Matt
Re: [openssl-project] Release Criteria Update
On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> Current status of the 1.1.1 PRs/issues:

Since we did make a lot of changes, including things that
applications can run into, would it make sense to have another
beta release?

Kurt
Re: [openssl-project] Release Criteria Update
On Wed, Sep 05, 2018 at 06:04:08PM -0500, Benjamin Kaduk wrote:
> On Wed, Sep 05, 2018 at 11:59:34PM +0100, Matt Caswell wrote:
> > Today's update is that we still have 6 open PRs for 1.1.1. 5 of these
> > are the same as yesterday. The 1 that was marked as "ready" yesterday
> > has now been merged, and a new PR addressing issue #7014 has been opened.
> >
> > There are still 2 open issues for 1.1.1 but both of these are now being
> > addressed by one of the open PRs.
> >
> > That means there are still 4 "critical path" PRs open:
> >
> > #7115 Restore historical SSL_get_servername() behavior
> >
> > Updates made following earlier review. Ready for another round of reviews??
> > Owner: Ben.
>
> I believe it's ready for another round of reviews, yes.
> Do we think we want to wait for confirmation from @MSP-Greg?

I see that Matt has marked this one as Ready. I'm going to be "on a plane"
(not exactly, but effectively so) for the next 9-ish hours and am not
confident that I'll be able to merge it until tomorrow.

I also see that the original reporter is still not having success; is anyone
in a position to try to set up those Ruby EventMachine tests (it's unclear if
it needs to be on Windows or not)?

-Ben