[openssl-project] Fwd: Request for comments on 'Certificate Management Protocol (CMP, RFC 4210) extension #681'"

2018-08-14 Thread Matt Caswell
I went to approve this post, but I don't see it in the pending queue. Not sure why not - so forwarding this anyway. Please see below. Matt Forwarded Message Subject: Request for comments on 'Certificate Management Protocol (CMP, RFC 4210) extension #681'" Date: Tue, 14 Aug

Re: [openssl-project] Certificate fractional time processing in upcoming openssl releases

2018-08-14 Thread Barry Fussell (bfussell)
As you might imagine we've continued investigating the overall impact. I've been told that in addition to IAIK that Bouncy Castle had similar issues. We are also aware of customers that will be impacted by the upcoming releases if certificates with fractional time fail to verify. I think

[openssl-project] Change to fractional time processing in cert verify

2018-08-14 Thread Barry Fussell (bfussell)
My team was recently made aware of a change in the time comparison logic in openssl to adhere to RFC5280 requirements. This change will be in the upcoming 1.0.2p and 1.1.0i releases. We've had discussions regarding the impact to legacy devices in the field and feel the change could be detrimental

Re: [openssl-project] Fractional seconds, etc.

2018-08-14 Thread Matthias St. Pierre
Note: There was a reason why Emilia's pull request #2668 was backported to 1.0.2, see github #6182: It was done to fix issue #4915. So if possible we should not revert it entirely but just try to relax the fractional seconds part. https://github.com/openssl/openssl/pull/6182

Re: [openssl-project] Fractional seconds, etc.

2018-08-14 Thread Salz, Rich
I mean keep the *previous* behavior. On 8/14/18, 9:25 AM, "Salz, Rich" wrote: >This seems to have been done in both the 1.0.2 and 1.1.0 after the release. Do you want to revert it in both branches, but keep it in 1.1.1? Or only revert it in 1.0.2? Keep the

Re: [openssl-project] Please freeze the repo

2018-08-14 Thread Matt Caswell
Release is done and the repo is unfrozen. Thanks again to Richard for all the help. Matt On 13/08/18 17:15, Mark J Cox wrote: > done. > > On Mon, Aug 13, 2018 at 5:11 PM, Matt Caswell wrote: >> Please could someone freeze the repo for me? >> >> $ ssh openssl-...@git.openssl.org freeze

Re: [openssl-project] Fractional seconds, etc.

2018-08-14 Thread Salz, Rich
>This seems to have been done in both the 1.0.2 and 1.1.0 after the release. Do you want to revert it in both branches, but keep it in 1.1.1? Or only revert it in 1.0.2? Keep the existing behavior for 1.0.2, 1.1.0 and 1.1.1. Sadly. And fix in a future release (I would re-open the

[openssl-project] OpenSSL version 1.1.0i published

2018-08-14 Thread OpenSSL
OpenSSL version 1.1.0i released. OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.0i of our open

[openssl-project] OpenSSL version 1.0.2p published

2018-08-14 Thread OpenSSL
OpenSSL version 1.0.2p released. OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2p of our open

Re: [openssl-project] Fractional seconds, etc.

2018-08-14 Thread Kurt Roeckx
On Tue, Aug 14, 2018 at 12:16:25PM +, Salz, Rich wrote: > I think we should revert https://github.com/openssl/openssl/pull/2668 > > The stricter RFC compliance turns out to impact many certs embedded in > devices. Some estimates had thousands to millions. It affects interop with > IAIK

Re: [openssl-project] Fractional seconds, etc.

2018-08-14 Thread Salz, Rich
It is unfortunate that this thread started too late for the 1.0.2p release. From: Rich Salz Reply-To: "openssl-project@openssl.org" Date: Tuesday, August 14, 2018 at 8:17 AM To: "openssl-project@openssl.org" Subject: [openssl-project] Fractional seconds, etc. I think we should revert

[openssl-project] Fractional seconds, etc.

2018-08-14 Thread Salz, Rich
I think we should revert https://github.com/openssl/openssl/pull/2668 The stricter RFC compliance turns out to impact many certs embedded in devices. Some estimates had thousands to millions. It affects interop with IAIK and Bouncy Castle. I looked at the code, and tried to figure out how to

Re: [openssl-project] Releases tomorrow

2018-08-14 Thread Matt Caswell
On 14/08/18 11:05, Kurt Roeckx wrote: > On Tue, Aug 14, 2018 at 01:50:39AM +, Salz, Rich wrote: >>>- If we're going to make any changes for issue 6904 (broken pipe for >> clients that only write/server that only reads), then we should do that >> >> Yeah, I don't like the library

Re: [openssl-project] Releases tomorrow

2018-08-14 Thread Kurt Roeckx
On Tue, Aug 14, 2018 at 01:50:39AM +, Salz, Rich wrote: > >- If we're going to make any changes for issue 6904 (broken pipe for > clients that only write/server that only reads), then we should do that > > Yeah, I don't like the library messing with signals tho. I don't think it's