[openssl-project] Release Criteria Update

2018-09-08 Thread Matt Caswell
We have 2 outstanding 1.1.1 PRs. These are: #7144 ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes Owner: Richard Awaiting updates following review feedback #7145 SipHash: add separate setter for the hash size Owner: Richard Awaiting updates following review feedback

Re: [openssl-project] Release Criteria Update

2018-09-08 Thread Matt Caswell
On 07/09/18 10:09, Richard Levitte wrote: > In message on Fri, 7 Sep > 2018 09:56:01 +0100, Matt Caswell said: > >> >> >> On 07/09/18 01:51, Richard Levitte wrote: >>> I think this one should be part of the lot as well: >>> >>> #7

Re: [openssl-project] Release Criteria Update

2018-09-08 Thread Matt Caswell
mapping to a C int32). > (no, we don't want to go back to using LONG) So...that PR seems to be labelled for 1.1.0 too? So why is the problem specific to 1.1.1? Matt > > Cheers, > Richard > > In message on Thu, 6 Sep > 2018 23:41:59 +0100, Matt Caswell said: > &

[openssl-project] Release Criteria Update

2018-09-06 Thread Matt Caswell
We currently have 8 1.1.1 PRs that are open. 3 of which are in the "ready" state. There are 2 which are alternative implementations of the same thing - so there are really on 4 issues currently being addressed: #7145 SipHash: add separate setter for the hash size Owner: Richard Awaiting review

Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Matt Caswell
On 06/09/18 17:32, Kurt Roeckx wrote: > On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote: >> Current status of the 1.1.1 PRs/issues: > > Since we did make a lot of changes, including things that > applications can run into, would it make sense to have an other &g

Re: [openssl-project] Release Criteria Update

2018-09-05 Thread Matt Caswell
nd of reviews. Owner: Paul Yang #7073 Support EdDSA in apps/speed Updates made following earlier review. Awaiting another round of reviews. Owner: Paul Yang Matt On 04/09/18 17:11, Matt Caswell wrote: > Current status of the 1.1.1 PRs/issues: > > There are currently 6 open PRs for 1.1.1. H

[openssl-project] Release Criteria Update

2018-09-04 Thread Matt Caswell
Current status of the 1.1.1 PRs/issues: There are currently 6 open PRs for 1.1.1. However in 2 cases there are 2 alternative implementations for the same thing - so really there are only 4 issues being addressed. One of these is in the "ready" state. The remaining 3 are: #7114 Process KeyUpdate

[openssl-project] Monthly Status Report (August)

2018-09-04 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month: - Attended a number of conference calls related to FIPS - Attended the week long FIPS summit in Brisbane. A lot was achieved and write ups of the

[openssl-project] Current status of our release criteria

2018-09-03 Thread Matt Caswell
We are currently 1 week away from release, so I've assessed the release criteria below. TL;DR summary: Mostly we are green but we have 9 outstanding PRs to get closed. There are specific questions/actions for the following people below: @levitte, @paulidale, @t-j-h, @kroeckx All of OMC (for

[openssl-project] Final release date for 1.1.1

2018-08-22 Thread Matt Caswell
I'd like to propose that we target Tuesday 11th September as the final release date for 1.1.1. Next week there is a big meeting about the next OpenSSL release, and specifically FIPS support. This means that I, and others on the OMC, will have limited time to deal with any 1.1.1 issues. Our early

Re: [openssl-project] Please freeze the repo

2018-08-21 Thread Matt Caswell
The repository is now unfrozen and the release is complete. Thanks to Tim for all the help. Matt On 20/08/18 18:00, Bernd Edlinger wrote: > Hi Matt, > > The repo should be frozen now. > > Bernd. > > On 08/20/18 18:01, Matt Caswell wrote: >> Please could som

[openssl-project] Please freeze the repo

2018-08-20 Thread Matt Caswell
Please could someone freeze the repo for me for tomorrow's release: ssh openssl-...@git.openssl.org freeze openssl matt Thanks Matt ___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] Fwd: Request for comments on 'Certificate Management Protocol (CMP, RFC 4210) extension #681'"

2018-08-15 Thread Matt Caswell
On 14/08/18 20:20, Matt Caswell wrote: > Hi > > Back in 2007 Nokia started developing a CMP client based on OpenSSL that > is currently in use in LTE infrastructure components. Siemens joined in > the project some years ago to extend and utilize the code for further > indust

Re: [openssl-project] Inappropriate fallback triggered when "holes" in client protocol list indirectly exclude TLSv1.3

2018-08-15 Thread Matt Caswell
On 15/08/18 16:46, Viktor Dukhovni wrote: > When I configure a client with a legacy TLS 1.2 protocol exclusion, > e.g. by setting SSL_OP_NO_TLSv1_2 (rather than the new min/max > version interface), as a result of the new TLS 1.3 protocol > suport configurations that previously negotiated "up

Re: [openssl-project] Reuse of PSKs between TLSv1.2 and TLSv1.3

2018-08-15 Thread Matt Caswell
On 10/08/18 09:43, Matt Caswell wrote: > > > On 09/08/18 10:31, Matt Caswell wrote: > >> I think perhaps a vote is the only way forward then. Does this vote text >> seem reasonable? >> >> "We should remove the TLSv1.2 to TLSv1.3 PSK compatibilit

[openssl-project] Fwd: Request for comments on 'Certificate Management Protocol (CMP, RFC 4210) extension #681'"

2018-08-14 Thread Matt Caswell
I went to approve this post, but I don't see it in the pending queue. Not sure why not - so forwarding this anyway. Please see below. Matt Forwarded Message Subject: Request for comments on 'Certificate Management Protocol (CMP, RFC 4210) extension #681'" Date: Tue, 14 Aug

Re: [openssl-project] Please freeze the repo

2018-08-14 Thread Matt Caswell
Release is done and the repo is unfrozen. Thanks again to Richard for all the help. Matt On 13/08/18 17:15, Mark J Cox wrote: > done. > > On Mon, Aug 13, 2018 at 5:11 PM, Matt Caswell wrote: >> Please could someone freeze the repo for me? >> >> $ ssh openssl

Re: [openssl-project] Releases tomorrow

2018-08-14 Thread Matt Caswell
On 14/08/18 11:05, Kurt Roeckx wrote: > On Tue, Aug 14, 2018 at 01:50:39AM +, Salz, Rich wrote: >>>- If we're going to make any changes for issue 6904 (broken pipe for >> clients that only write/server that only reads), then we should do that >> >> Yeah, I don't like the library

Re: [openssl-project] Please freeze the repo

2018-08-13 Thread Matt Caswell
On 13/08/18 17:49, Andy Polyakov wrote: > It would be appropriate to merge > https://github.com/openssl/openssl/pull/6916 (1.0.2, commit message > would need adjustment for merged from) and This one appears to be not quite as ready as first thought. >

[openssl-project] Please freeze the repo

2018-08-13 Thread Matt Caswell
Please could someone freeze the repo for me? $ ssh openssl-...@git.openssl.org freeze openssl matt Thanks Matt ___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] Releases tomorrow

2018-08-13 Thread Matt Caswell
On 13/08/18 14:20, Kurt Roeckx wrote: > On Mon, Aug 13, 2018 at 02:00:47PM +0100, Matt Caswell wrote: >> Just a reminder that we are doing the 1.0.2p and 1.1.0i releases >> tomorrow so I will be freezing the repo later this afternoon. If you >> still have PRs to merge for t

[openssl-project] Releases tomorrow

2018-08-13 Thread Matt Caswell
Just a reminder that we are doing the 1.0.2p and 1.1.0i releases tomorrow so I will be freezing the repo later this afternoon. If you still have PRs to merge for the release please get them in asap! Thanks Matt ___ openssl-project mailing list

Re: [openssl-project] Reuse of PSKs between TLSv1.2 and TLSv1.3

2018-08-10 Thread Matt Caswell
On 09/08/18 10:31, Matt Caswell wrote: > I think perhaps a vote is the only way forward then. Does this vote text > seem reasonable? > > "We should remove the TLSv1.2 to TLSv1.3 PSK compatibility mechanism as > discussed in issue 6490. If TLSv1.2 PSKs are configured (an

Re: [openssl-project] Reuse of PSKs between TLSv1.2 and TLSv1.3

2018-08-09 Thread Matt Caswell
On 08/08/18 11:28, Matt Caswell wrote: > For the full background to this issue see: > > https://github.com/openssl/openssl/issues/6490 > > TL;DR summary: > > The TLSv1.2 and TLSv1.3 PSK mechanisms are quite different to each > other. OpenSSL (along with at least

Re: [openssl-project] EdDSA and "default_md"?

2018-08-08 Thread Matt Caswell
On 08/08/18 21:22, Viktor Dukhovni wrote: > Don't know whether everyone here also reads openssl-users, so to recap, > Robert Moskowitz reports considerable frustration > as a result of "default_md = sha256" being incompatible with Ed25519 > (and Ed448). He's working around this with "-md

[openssl-project] Reuse of PSKs between TLSv1.2 and TLSv1.3

2018-08-08 Thread Matt Caswell
For the full background to this issue see: https://github.com/openssl/openssl/issues/6490 TL;DR summary: The TLSv1.2 and TLSv1.3 PSK mechanisms are quite different to each other. OpenSSL (along with at least GnuTLS maybe others) has implemented an upgrade path which enables the reuse of a

[openssl-project] Removal of NULL checks

2018-08-08 Thread Matt Caswell
We've had a policy for a while of not requiring NULL checks in functions. However there is a difference between not adding them for new functions and actively removing them for old ones. See https://github.com/openssl/openssl/pull/6893 In this case the removal of a NULL check in the stack code

Re: [openssl-project] Forthcoming OpenSSL releases

2018-08-07 Thread Matt Caswell
On 07/08/18 15:15, Andy Polyakov wrote: >> Forthcoming OpenSSL releases >> > > I have some RSA hardening fixes in pipeline... Do you have PR numbers for them? Matt > ___ > openssl-project mailing list >

[openssl-project] Forthcoming OpenSSL releases

2018-08-07 Thread Matt Caswell
Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0i and 1.0.2p. These releases will be made available on 14th August 2018 between approximately 1200-1600 UTC. These are bug-fix releases.

[openssl-project] Monthly Status Report (July)

2018-08-03 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month: - Attended a number of meetings re FIPS - Fixed a bug in 1.1.0/1.0.2 which can result in an invalid CertificateRequest message being sent - Reviewed

[openssl-project] 1.1.1 Release criteria update

2018-08-02 Thread Matt Caswell
A quick update on the status of the 1.1.1 release criteria: - All open github issues/PRs older than 2 weeks at the time of release to be assessed for relevance to 1.1.1. Any flagged with the 1.1.1 milestone to be closed Status: We have 5 open issues (4 of which were opened within the last 2

Re: [openssl-project] To distribute just the repo file, or the result of 'make dist'?

2018-07-28 Thread Matt Caswell
On 24/07/18 14:50, Richard Levitte wrote: > In message <20180724122839.ga2...@roeckx.be> on Tue, 24 Jul 2018 14:28:40 > +0200, Kurt Roeckx said: > > kurt> On Tue, Jul 24, 2018 at 02:08:46PM +0200, Richard Levitte wrote: > kurt> > > kurt> > The original intention (way back, I think we're

[openssl-project] Current 1.1.1 status compared to Release criteria

2018-07-20 Thread Matt Caswell
I've done a review of the 1.1.1 release criteria against the current status. See below. TL;DR summary: Status is generally good. There are some outstanding issues and PRs that need input from various people. Specifically there are actions for: @levitte, @paulidale, @dot-asm, @mspncp, @t-j-h

[openssl-project] Forthcoming holiday

2018-07-18 Thread Matt Caswell
I have some more holiday coming up :-) I'll be away next week: Tuesday 24th July - Friday 27th July. Matt ___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] Forthcoming holidays

2018-07-06 Thread Matt Caswell
Just a reminder that I am on holiday from Sunday with limited/no access to email. I will be back working from Friday. Matt On 27/06/18 09:56, Matt Caswell wrote: > FYI, I have a few days off coming up which will mean I am less > responsive than normal. I will have very limited/no access to

[openssl-project] Monthly Status Report (June)

2018-07-05 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month: - Implemented a feature enabling anti-replay to be switched off - Enabled SSL_OP_NO_TICKET support for TLSv1.3 - Added getters for raw

Re: [openssl-project] Milestones and the 1.1.1 release

2018-07-03 Thread Matt Caswell
On 02/07/18 18:36, Salz, Rich wrote: > Thanks for finishing this off. > > > https://github.com/openssl/openssl/issues?q=is%3Aopen+is%3Aissue+milestone%3A1.1.1 > > Are 6512 and 6396 the same, and closed because we made things more secure? They may be the same, or maybe not. Almost

Re: [openssl-project] Milestones and the 1.1.1 release

2018-07-02 Thread Matt Caswell
On 27/06/18 16:10, Matt Caswell wrote: > Well, no one has objected so far. I'm not around tomorrow and Friday to > action this but, unless anyone shouts between now and then, I'll start > doing this on Monday. All issues have been reviewed and their milestones updated accordingl

Re: [openssl-project] Milestones and the 1.1.1 release

2018-06-27 Thread Matt Caswell
Well, no one has objected so far. I'm not around tomorrow and Friday to action this but, unless anyone shouts between now and then, I'll start doing this on Monday. Matt On 26/06/18 21:15, Matt Caswell wrote: > > > On 26/06/18 20:43, Salz, Rich wrote: >> That's interesting

Re: [openssl-project] [openssl-commits] Build failed in Jenkins: master_noec #574

2018-06-27 Thread Matt Caswell
Also - does this only happen with no-ec? Matt On 27/06/18 10:32, Matt Caswell wrote: > I am slightly confused because the code sample below and the commit id > you gave is for 1.1.0, but the original email seems to be about master. > > Is the same issue affectin

Re: [openssl-project] [openssl-commits] Build failed in Jenkins: master_noec #574

2018-06-27 Thread Matt Caswell
I am slightly confused because the code sample below and the commit id you gave is for 1.1.0, but the original email seems to be about master. Is the same issue affecting both? Note: the pderive_test_run() function looks quite different between 1.1.0 and master. Matt On 26/06/18 19:32, Barry

[openssl-project] Forthcoming holidays

2018-06-27 Thread Matt Caswell
FYI, I have a few days off coming up which will mean I am less responsive than normal. I will have very limited/no access to email during these periods: Thursday 28th - Friday 29th June and Sunday 8th - Thursday 12th July Matt ___ openssl-project

Re: [openssl-project] Milestones and the 1.1.1 release

2018-06-26 Thread Matt Caswell
t seems justifiable to me. The latter. I mean it doesn't *prevent* us from fixing something that's in both 1.1.0 and 1.1.1 - but our focus should be on fixing issues that are newly introduced in 1.1.1. Matt > > On 6/26/18, 3:32 PM, "Matt Caswell" wrote: > > > >

Re: [openssl-project] Milestones and the 1.1.1 release

2018-06-26 Thread Matt Caswell
elease. At the moment though it is impossible to tell which are the high priority issues we should be focussing on. Matt > > > > On 6/26/18, 11:56 AM, "Matt Caswell" wrote: > > I'm thinking that we should maybe re-asses the current milestones in > github. >

[openssl-project] Milestones and the 1.1.1 release

2018-06-26 Thread Matt Caswell
I'm thinking that we should maybe re-asses the current milestones in github. We currently use the following milestones: Assessed - Anything against this milestone isn't relevant to the 1.1.1 release (e.g. 1.0.2 specific issue) 1.1.1 - This is relevant to the 1.1.1 release but may not be

Re: [openssl-project] GitHub labels

2018-06-22 Thread Matt Caswell
On 22/06/18 09:26, Richard Levitte wrote: > In message <20180622010813.gy4...@kduck.kaduk.org> on Thu, 21 Jun 2018 > 20:08:13 -0500, Benjamin Kaduk said: > > kaduk> What's still unclear to me in the current scheme is how I'm supposed to > kaduk> indicate something that is (intentionally)

Re: [openssl-project] Beta release today

2018-06-20 Thread Matt Caswell
inadvertently triggered recently): https://travis-ci.org/openssl/openssl/builds/394565396 Therefore we are going to press ahead with the release. Matt On 20/06/18 11:32, Matt Caswell wrote: > The build is currently not stable. We have a number of outstanding issues: > > - external p

[openssl-project] Beta release today

2018-06-20 Thread Matt Caswell
The build is currently not stable. We have a number of outstanding issues: - external pyca tests are failing - no-sm2 fails (see PR#6531)...I'm doing some more investigation on that at the moment - failures in test_internal_sm2. Bernd has been working on that and we now have a fix that I just

Re: [openssl-project] Beta release today

2018-06-19 Thread Matt Caswell
On 19/06/18 17:14, Matt Caswell wrote: > Actually, it feels a bit rushed, so I think I'm going to do it tomorrow > instead. > > It would still be good if someone can freeze the repo though please: > > ssh openssl-...@git.openssl.org freeze openssl matt The repo is now fr

Re: [openssl-project] Beta release today

2018-06-19 Thread Matt Caswell
IM or email me. > > On 6/19/18, 11:16 AM, "Matt Caswell" wrote: > > Oops, there is supposed to be a beta release today... > > > If someone is available to review it (any volunteers), I'll do it this > evening. Starting around 17.30 UTC

[openssl-project] Beta release today

2018-06-19 Thread Matt Caswell
Oops, there is supposed to be a beta release today... If someone is available to review it (any volunteers), I'll do it this evening. Starting around 17.30 UTC (although it looks like we might have to fix travis first). In the meantime please could someone freeze the repo? Matt

[openssl-project] ECDSA blinding

2018-06-13 Thread Matt Caswell
FYI see commit a3e9d5aa98 (and equivalent commits in 1.1.0 and 1.0.2). These fixes were reviewed in private due to an embargo from the reporter. In spite of that we have chosen not to issue a CVE for these fixes since they are localhost side channels only. Matt

Re: [openssl-project] Please approve 6457 for backport

2018-06-12 Thread Matt Caswell
On 12/06/18 10:16, Matt Caswell wrote: > This is the PR for the CVE. I forgot to add the branches to the > PR...this is for 1.1.0 and 1.0.2. Please can someone approve the > backport asap? This is now done (thanks Tim). Now looking for an approval for the web updates: https://g

[openssl-project] Please approve 6457 for backport

2018-06-12 Thread Matt Caswell
This is the PR for the CVE. I forgot to add the branches to the PR...this is for 1.1.0 and 1.0.2. Please can someone approve the backport asap? Thanks Matt ___ openssl-project mailing list openssl-project@openssl.org

Re: [openssl-project] stepping down from OMC

2018-06-08 Thread Matt Caswell
On 08/06/18 20:56, Emilia Käsper wrote: > Hi all, > > I'm leaving the project. This should come as no surprise. I've had > little to no time to work on OpenSSL lately, and I firmly believe that > OpenSSL should be driven by engineers that are actively engaged in the > project and writing code

[openssl-project] Monthly Status Report (May)

2018-06-04 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month: - Fixed a mem leak in CMS_RecipientInfo_set0_pkey() and added some CMS tests - Added a note around performance and Nagle's algorithm on the

[openssl-project] Github to be acquired by Microsoft

2018-06-04 Thread Matt Caswell
See: https://blog.github.com/2018-06-04-github-microsoft/ Matt ___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] OpenSSL repo frozen

2018-05-29 Thread Matt Caswell
The release is complete and the repo is now unfrozen. Thanks to Richard for his help during the release. Matt On 29/05/18 07:25, Richard Levitte wrote: > This should have been done yesterday... the openssl repo is now > frozen pending the beta release that's happening later today. > >

Re: [openssl-project] Current votes FYI

2018-05-29 Thread Matt Caswell
On 29/05/18 06:45, Dr. Matthias St. Pierre wrote: >> VOTE: 1.1.1 beta release schedule changed so that the next two beta releases >> are now 29th May, 19 June and we will re-review release readiness after >> that. We will also ensure that there is at least one beta release post >> TLS-1.3

Re: [openssl-project] build/test before merging

2018-05-23 Thread Matt Caswell
On 23/05/18 16:50, Benjamin Kaduk wrote: > On Wed, May 23, 2018 at 03:12:30PM +, Dr. Matthias St. Pierre wrote: >>> So do you guys use the ghmerge script or own procedures? I'm curious. >> >> At the beginnning, I tried to use ghmerge but it was not flexible >> enough for my needs. In

Re: [openssl-project] Current votes FYI

2018-05-23 Thread Matt Caswell
FYI, all of these votes are now closed. The final vote results are inserted below. On 07/05/18 02:37, Salz, Rich wrote: > VOTE: openssl-web and tools repositories shall be under the same review > policy as per the openssl repository where the reviewers are OMC members +1: 5 0: 1

Re: [openssl-project] build/test before merging

2018-05-23 Thread Matt Caswell
On 23/05/18 01:43, Salz, Rich wrote: > > I do the same, but I am reluctant having a script doing it for me using > some fixed recipe... > >>I'm happy doing the build/test manually before merging, too. > > > So do you guys use the ghmerge script or own procedures? I'm curious.

Re: [openssl-project] FW: [openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2

2018-05-10 Thread Matt Caswell
It should be fixed already - but the fixes didn't go in in time for the latest run-checker run. By tomorrow it should be ok (hopefully). Matt On 10/05/18 13:57, Salz, Rich wrote: > sigh > > On 5/10/18, 6:57 AM, "OpenSSL run-checker" wrote: > > Platform and

Re: [openssl-project] FW: [TLS] WGLC for draft-ietf-tls-tls13-vectors

2018-05-08 Thread Matt Caswell
tls13secretstest was originally based on these vectors: https://github.com/openssl/openssl/blob/master/test/tls13secretstest.c However, because we were moving faster with updating the vectors to match all the latest changes to the secrets calculations in the main spec, and because it's a major

[openssl-project] Monthly Status Report (April)

2018-05-01 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month: - Performed the 1.1.1 pre-4 release - Supported the 1.1.1 pre-5 release - Liason with Billy Bob Brumley and team regarding various EC/constant time

Re: [openssl-project] Freezing the repo

2018-05-01 Thread Matt Caswell
Release is complete and the repo is unfrozen. Matt On 30/04/18 20:04, Salz, Rich wrote: > Done. > > On 4/30/18, 3:02 PM, "Matt Caswell" <m...@openssl.org> wrote: > > Please could someone freeze the repo for me for tomorrow's release: > > $ s

Re: [openssl-project] Beta release on Tuesday

2018-04-30 Thread Matt Caswell
On 30/04/18 21:00, Salz, Rich wrote: > >>I would normally start around 12.00 UTC, but could push it a bit > later > > if it works better for you. > > > > So that's 7am, it would be best to delay an hour. > > > > Ok, lets make it 13.00 UTC. > > Gaah,

Re: [openssl-project] Beta release on Tuesday

2018-04-30 Thread Matt Caswell
On 27/04/18 12:12, Salz, Rich wrote: >>As normal we are planning a new beta release on Tuesday. This means that >>we will be freezing the repo from Monday afternoon (UTC). > > I'm in US but available if nobody "closer" can do it. Nobody else has stepped forward. Are you still

[openssl-project] Freezing the repo

2018-04-30 Thread Matt Caswell
Please could someone freeze the repo for me for tomorrow's release: $ ssh openssl-...@git.openssl.org freeze openssl matt Thanks Matt ___ openssl-project mailing list openssl-project@openssl.org

Re: [openssl-project] OpenSSL 1.1.1 library(OpenSSL 1.1.0 compile) Postfix to Postfix test

2018-04-23 Thread Matt Caswell
On 23/04/18 02:49, Viktor Dukhovni wrote: > > I tested a Postfix server and client built against OpenSSL 1.1.0, > using 1.1.1 run-time libraries. This exercised peer certificate > fingerprint matching and session resumption. No major issues. > > The only interesting observations are: > >

Re: [openssl-project] When to enable TLS 1.3

2018-04-20 Thread Matt Caswell
On 20/04/18 09:11, Kurt Roeckx wrote: > On Fri, Apr 20, 2018 at 09:11:39AM +0200, Kurt Roeckx wrote: >> >> Maybe we can convert the blog post into a wiki, update it to the >> current status, and point people to that. > > I've converted to blog to the wiki: >

Re: [openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

2018-04-19 Thread Matt Caswell
On 19/04/18 18:31, David Benjamin wrote: > I might suggest conditioning it on the compile-time version of OpenSSL > headers. This is a common transition strategy for systems working > through ABI constraints. (In some systems, this is implemented as some > target SDK version.) This is exactly

Re: [openssl-project] TLS 1.3 and SNI

2018-04-17 Thread Matt Caswell
On 17/04/18 23:36, Viktor Dukhovni wrote: > > Just wanted to check. The TLS 1.3 draft lists SNI as mandatory to implement, > but is not mandatory to use. Clients should, but do not have to send SNI, > and servers may require SNI, but can just use some default chain instead. > > Does

Re: [openssl-project] Fwd: New Defects reported by Coverity Scan for openssl/openssl

2018-04-17 Thread Matt Caswell
> > BTW: isn't beta release 3 (pre5) due today? There was no announcement of > a code freeze yet. > > Am 16.04.2018 um 19:47 schrieb Matt Caswell: >> Can anyone enlighten me as to why I can't find half of these defects in >> the coverity dashboard? None of the reporte

[openssl-project] Fwd: New Defects reported by Coverity Scan for openssl/openssl

2018-04-16 Thread Matt Caswell
Can anyone enlighten me as to why I can't find half of these defects in the coverity dashboard? None of the reported defects in the test cases seem to exist any more (and I'm fairly sure we didn't fix them). Actually I didn't think we scanned the tests at all, so I'm a little confused. Matt

[openssl-project] Constant time by default

2018-04-16 Thread Matt Caswell
I'd like to draw everyone's attention to PR #5969 Given CVE-2018-0737, and the fact that this is far from the first time this has happened I think we should change the default so that we always use the constant time implementation unless specifically flagged otherwise. E.g see these issues:

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

2018-04-16 Thread Matt Caswell
On 15/04/18 17:18, Viktor Dukhovni wrote: > > >> On Apr 15, 2018, at 2:24 AM, Bernd Edlinger >> wrote: >> >> One possible example of application failure that I am aware of is #5743: >> A certificate that is incompatible with TLS1.3 but works with TLS1.2. >>

Re: [openssl-project] Some TLS 1.3 drafts don't have branches

2018-04-12 Thread Matt Caswell
On 12/04/18 02:42, Salz, Rich wrote: > ; g branch -r -v -a | grep -i draft > >   remotes/origin/tls1.3-draft-18 669c623 Update PR#3925 > >   remotes/origin/tls1.3-draft-19     d4d9864 Update PR#3925 > > ; > >   > > I recently had someone need draft-21 and they did > >  

Re: [openssl-project] build broken?

2018-04-06 Thread Matt Caswell
On 05/04/18 20:13, Salz, Rich wrote: > I thought someone else would beat me to it. Like, maybe, the person who > broke things :) > > But the fix is part of 5886 which you approved and I am merging now ... Oops! Sorry :-) The fix needs to go into 1.1.0 too to keep the numbers consistent:

[openssl-project] Monthly Status Report (March)

2018-04-04 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month: - Performed the 1.1.1 beta 1 (pre-3) release - Performed a security release for 1.1.0 and 1.0.2 - Carried out a number of different tasks around the

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-03 Thread Matt Caswell
On 03/04/18 15:55, Salz, Rich wrote: > This is one reason why keeping around old assembly code can have a cost. :( Although in this case the code is <2 years old: commit e33826f01bd78af76e0135c8dfab3387927a82bb Author: Andy Polyakov AuthorDate: Sun May 15 17:01:15 2016

Re: [openssl-project] About PR 5702, etc.

2018-03-29 Thread Matt Caswell
On 29/03/18 11:06, Matt Caswell wrote: > "Feature changes in 1.1.1 directly related to TLSv1.3 will be allowed > during the beta as long as at least 3 OMC members approve the change" I started a vote with this text, and will report back here when I have th

Re: [openssl-project] Is making tests faster a bugfix?

2018-03-29 Thread Matt Caswell
On 29/03/18 14:00, Salz, Rich wrote: > Please see https://github.com/openssl/openssl/pull/5788 > > I don’t think it is, but I’d like to know what others think. I do think this should be applied. The tests in question are not just slow but *really* slow to the point that I often exit them

Re: [openssl-project] About PR 5702, etc.

2018-03-27 Thread Matt Caswell
On 27/03/18 14:00, Salz, Rich wrote: > Discussion seems to have stalled out on this.  Please review > https://github.com/openssl/openssl/pull/5702 if necessary. > >   > > Do folks want a general “TLS 1.3 is okay post-freeze” policy? I think that is ok and doesn't stray too far from what we

Re: [openssl-project] Repo frozen

2018-03-27 Thread Matt Caswell
The release is complete and the repo is unfrozen. Thanks to Richard yet again for all your help. Matt On 27/03/18 10:08, Matt Caswell wrote: > In case anyone was wondering the repo is currently frozen. > > Matt > ___ openssl-project

Re: [openssl-project] Code Repo

2018-03-20 Thread Matt Caswell
Of course I should have mentioned that although the feature freeze is in place, the code freeze is not, i.e. you can make pushes to the repo now. Matt On 20/03/18 14:17, Matt Caswell wrote: > The beta release is now complete. > > Important: > > We did *not* create the OpenS

[openssl-project] Code Repo

2018-03-20 Thread Matt Caswell
The beta release is now complete. Important: We did *not* create the OpenSSL_1_1_1-stable branch as planned (see https://github.com/openssl/openssl/pull/5690 for the discussion that led to that decision). For now the release was done from the master branch in the same way as we did for the

Re: [openssl-project] Anything else to go in before I call the freeze?

2018-03-19 Thread Matt Caswell
Please can someone freeze the repo for me: $ ssh openssl-...@git.openssl.org freeze openssl matt I will still take #5677 "Fix no-sm3 (and no-sm2)" after the freeze. Also if anyone can come up with a fix for the failing master in Travis that would be good. Matt On 19/03/18 16:48, Ma

Re: [openssl-project] Anything else to go in before I call the freeze?

2018-03-19 Thread Matt Caswell
BTW please review #5673. I'd like a clean run from run-checker for the release tomorrow. Matt On 19/03/18 16:33, Matt Caswell wrote: > Let me know asap... > > > Matt > ___ > openssl-project mailing list > openssl-projec

[openssl-project] Anything else to go in before I call the freeze?

2018-03-19 Thread Matt Caswell
Let me know asap... Matt ___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] GitHub milestone for 1.1.1

2018-03-19 Thread Matt Caswell
f-12f99b44b...@openssl.org> on Mon, 19 Mar > 2018 11:14:27 +, Matt Caswell <m...@openssl.org> said: > > matt> > matt> > matt> On 19/03/18 10:58, Richard Levitte wrote: > matt> > Andy has indicated that the rather special construction to get > co

Re: [openssl-project] GitHub milestone for 1.1.1

2018-03-19 Thread Matt Caswell
On 19/03/18 08:27, Dr. Matthias St. Pierre wrote: > Hi, > > in view of the upcoming beta release and the release strategy (see > below) it is a little bit disturbing that our GitHub milestone for 1.1.1 > shows only 30% > completion. How are we

[openssl-project] Code freeze later today

2018-03-19 Thread Matt Caswell
Just a reminder that beta1 is scheduled for release tomorrow so, in preparation for that, I will be freezing the repo later today. Of course this really means feature freeze as well since this will be your last opportunity to push features before the beta release. So if there is anything still

Re: [openssl-project] GitHub milestone for 1.1.1

2018-03-19 Thread Matt Caswell
ly "option"), like this: > > /DEFINE=(MACRO1, MACRO2="Foo", "Macro3=bar") > > The same goes for include paths, similarly collected in the qualifier /INCLUDE > > > Matt Caswell <m...@openssl.org> skrev: (19 mars 2018 10:12:06 CET) >

Re: [openssl-project] OID policy

2018-03-15 Thread Matt Caswell
On 14/03/18 23:40, Paul Dale wrote: >> We should have OID's for the things we implement > > Sounds like a policy :) > Vote time? In the past we've also put in OIDs on request (i.e. not necessarily for something we implement) if someone has given a reasonable argument for its inclusion. Matt

[openssl-project] Looking for Christophe Renou

2018-03-05 Thread Matt Caswell
Hi all As many of you know we are looking to change the licence for OpenSSL to the Apache Licence. To do that we are trying to trace all previous committers. We have a small number of people left to find. See: https://license.openssl.org/trying-to-find Of these one stands out as being a

[openssl-project] Monthly Status Report (February)

2018-03-05 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month: - Performed both the alpha1 and alpha2 1.1.1 releases - Completed work on the primitives, EVP layer and TLS implementation for X448 and Ed448. -

Re: [openssl-project] Next release is beta1

2018-03-05 Thread Matt Caswell
On 04/03/18 16:30, Kurt Roeckx wrote: > On Sun, Mar 04, 2018 at 02:44:01PM +, Salz, Rich wrote: >> I also intend to merge the config file .include PR (5351), and I want us to >> decide about 4848. > > I have to agree that I want to resolv 4848 (reading config file to > select things like

Re: [openssl-project] to fully overlap or not to

2018-02-28 Thread Matt Caswell
On 28/02/18 17:09, Andy Polyakov wrote: I'd like to request more opinions on https://github.com/openssl/openssl/pull/5427. Key dispute question is whether or not following fragment should work unsigned char *inp = buf, *out = buf; for (i = 0; i <

Re: [openssl-project] to fully overlap or not to

2018-02-28 Thread Matt Caswell
On 28/02/18 16:32, Viktor Dukhovni wrote: > > >> On Feb 28, 2018, at 11:25 AM, Viktor Dukhovni >> wrote: >> >>> I'd like to request more opinions on >>> https://github.com/openssl/openssl/pull/5427. Key dispute question is >>> whether or not following fragment

<    1   2   3   >