Re: openssl-0.9.8za violates RFC 6066 problem

2014-06-18 Thread Dr. Stephen Henson
On Tue, Jun 17, 2014, Viktor Dukhovni wrote: On Mon, Jun 16, 2014 at 02:12:07PM -0700, Steve Bush wrote: We have openssl installed with an apache server and we just upgraded from openssl-0.9.8u to openssl-0.9.8za, however we suddenly have large numbers of clients failing to connect.

Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Michel
Hi all, I was surprised that decryption succeeded in GCM mode although the tag was shorter than the one produced when encrypting, as is not the case in CCM. Is it the intended behaviour? In order to rule out a possible bug in my program, I finally used the example code at:

Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof(gcm_tag), gcm_tag); When you change the tag length with the above statement, you are telling the decrypt context to consider only that many bytes for the tag comparison. On Wed, Jun 18, 2014 at 4:52 PM, Michel msa...@paybox.com wrote:

Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Michel
Thanks for your answer. But isn't this strategy very hazardous? And why just for GCM and not CCM? On 18/06/2014 14:37, Thulasi Goriparthi wrote: EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof(gcm_tag), gcm_tag); When you change tag length with the above statement, you are

Re: mod_ssl - client certificates broken after yum update of openssl

2014-06-18 Thread Nelson
On Tue, 6/17/14, Viktor Dukhovni openssl-us...@dukhovni.org wrote: Subject: Re: mod_ssl - client certificates broken after yum update of openssl To: openssl-users@openssl.org Date: Tuesday, June 17, 2014, 10:53 PM On Tue, Jun 17, 2014 at

Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
Truncatable tags gave way to the truncated HMAC extension. Haven't gone through CCM RFC 3610 completely. I can see the restriction of possible M values (tag lengths) to 2, 4, 6, 8, 10, 12, 14, 16. Can you try reducing the tag size accordingly and see if it succeeds? On Wed, Jun 18, 2014 at 6:52

Re: openssl-0.9.8za violates RFC 6066 problem

2014-06-18 Thread Viktor Dukhovni
On Wed, Jun 18, 2014 at 01:06:31PM +0200, Dr. Stephen Henson wrote: This commit does not introduce the alert generation. The alert is generated when the server callback returns SSL_TLSEXT_ERR_ALERT_WARNING, as in Apache's ssl_callback_ServerNameIndication() function in some Apache

RE: openssl-0.9.8za violates RFC 6066 problem

2014-06-18 Thread Salz, Rich
That's the code I saw. Should OpenSSL do Apache a favour and not send a warning alert anyway, when the extension callback is the SNI callback? NO!!! -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Michel
I tried all of the 2, 4, 6, 8, 10, 12, 14, 16 values, and always got a "Plaintext not available: tag verify failed", even when the tag length of decryption was equal to the tag length of encryption. :-( It just works for: tag length of decryption = tag length of encryption = 16. Thanks again for your

Re: mod_ssl - client certificates broken after yum update of openssl

2014-06-18 Thread Viktor Dukhovni
On Wed, Jun 18, 2014 at 07:07:25AM -0700, Nelson wrote: Apache was upgraded with openssl as well as mod_ssl. You need to read the documentation, release notes, ... and determine any changes in policy or supported algorithms in the updated release. My best guess is that this release objects to

CVE-2014-0198: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

2014-06-18 Thread Casado, Reyes
Hello, I have a question about the following statement in advisory notice http://www.openssl.org/news/secadv_20140605.txt regarding CVE-2014-0198. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common. I am using

RE: CVE-2014-0198: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

2014-06-18 Thread Salz, Rich
That is the value for the flag, it does not say whether or not it is enabled. To enable it you need to call something like SSL_CTX_set_options() with that flag passed in. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter:

Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
In the test program, you are feeding a fixed ccm_tag to the decryption process. This will not work for CCM, as the tag length itself will also be an input for tag generation. A change in tag length will change the tag produced. I modified the decryption API (aes_ccm_decrypt) to take the tag generated by

Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
One more thing to correct myself. 2 as tag length is not allowed. Only 4, 6, 8, 10, 12, 14, 16 are allowed. On Wed, Jun 18, 2014 at 11:55 PM, Thulasi Goriparthi thulasi.goripar...@gmail.com wrote: In the test program, you are feeding a fixed ccm_tag to decryption process. This will not work

Re: mod_ssl - client certificates broken after yum update of openssl

2014-06-18 Thread Nelson
On Wed, 6/18/14, Viktor Dukhovni openssl-us...@dukhovni.org wrote: Subject: Re: mod_ssl - client certificates broken after yum update of openssl To: openssl-users@openssl.org Date: Wednesday, June 18, 2014, 11:08 AM On Wed, Jun 18, 2014 at