Hello,
Is there a method that is always in the path of execution when a crypto error
occurs ? The reason for asking is that I would like to very slightly modify
the OpenSSL FIPS version so that it will write a file in tmpfs when an error
occurs. That place will be observed by another app
On Tue, Mar 10, 2015 at 08:44:57AM +, Christian Georg wrote:
I understand that the downgrading of the ciphersuites is a bug in the
library that should be patched. Doing this can however be dificult when
talking about mobile apps that use OS Libraries. From my understanding
the bug only
From: Steve Marquess marqu...@openssl.com
Date: 03/10/15 08:56
Hello,
Thanks for your reply.
You're talking about a Level 2 validation (or higher)? You most
definitely do *not* want to include the OS or applications in the
cryptographic module boundary for Level 1.
It's a level 2.
On 03/10/2015 08:20 AM, jonetsu wrote:
...
Steve has replied that indeed the validation will be lost - I wonder
if that would have any impact on the total validation costs for a
whole unit, OS and apps ?
You're talking about a Level 2 validation (or higher)? You most
definitely do *not* want
On Tue, Mar 10, 2015, jonetsu wrote:
Hello,
Is there a method that is always in the path of execution when a crypto
error occurs ? The reason for asking is that I would like to very slightly
modify the OpenSSL FIPS version so that it will write a file in tmpfs when
an error occurs.
Is there a method that is always in the path of execution when a crypto error
occurs ?
It looks like fips_set_selftest_fail() would be a likely candidate where to
create an empty file on a tmpfs in order to let the OS know about the error.
Comments and suggestions welcomed. Based on
Viktor's description agrees with Matthew Green's explanation.[1] The FREAK
attack can work against non-patched OpenSSL clients even if they disable
export-grade ciphers; in fact, that's precisely the problem.
The attack works like this:
1. Client sends ClientHello with a suite list that
Hmm. I am pretty sure I was linking against the FIPS capable OpenSSL but I will
double check tomorrow to make sure I did it right.
Thanks.
On Mar 10, 2015, at 7:28 PM, Dr. Stephen Henson st...@openssl.org wrote:
On Tue, Mar 10, 2015, Jason Schultz wrote:
Is this function available to
Nobody knows?
Does OpenSSL support renegotiation?
I will be very grateful for answers because there is no any info about this in
the net.
09.03.2015, 00:36, Serj Rakitov ra...@yandex.com:
Hello
I want to test SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
I have client and server. Server is
On 09/03/2015 14:13, Waldin wrote:
Am 08.03.2015 um 09:14 schrieb Waldin:
Now, I also want to check ciphers enabled in (mobile) mail clients.
I've tried to make OpenSSL listen on port 110 (for POP with TLS) and
redirected the client to the OpenSSL server. But when trying to pull
mail I can't
Nobody knows?
09.03.2015, 15:30, Serj Rakitov ra...@yandex.com:
I have to open discussion again.
I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ.
But I can't do this. SSL_read never wants write and SSL_write never wants
read!
I don't know how to catch
From: Dr. Stephen Henson st...@openssl.org
Date: 03/10/15 10:21
Although you cannot modify the FIPS module itself without voiding the
validation you *can* change the FIPS capable OpenSSL.
You might (for example) change FIPS_mode_set() to always add a callback
which logs any errors.
I
On Tue, Mar 10, 2015 at 10:23:41PM +0300, Serj Rakitov wrote:
Hello,
I see some delay about 30-40 min for my emails. They arrive and I see them in
the incoming messages in the list only after 30-40 min. And one email was
delivered for 2 hours. Is it normal for the
On 09/03/2015 13:21, Serj Rakitov wrote:
I have to open discussion again.
I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ. But
I can't do this. SSL_read never wants write and SSL_write never wants read!
I don't know how to catch these situations. I don't know how to
From: openssl-users On Behalf Of Viktor Dukhovni
Sent: Monday, March 09, 2015 12:47
On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:
kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH
with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56
and 1024?
You only need
I guess I didn't have the correct fips.h file in my include path when I
couldn't get it to compile. But I don't think it will work for my purposes
since if I install my application on another system, that entry point is not
defined in libcrypto.so or libssl.so.
Does anyone know if it's really
Does OpenSSL support renegotiation?
Yes.
You probably need more than that. :) Take a look at the apps/s_client and look
for the 'R' constant to see how to do client-initiated reneg.
___
openssl-users mailing list
To unsubscribe:
Hello,
I see some delay about 30-40 min for my emails. They arrive and I see them in
the incoming messages in the list only after 30-40 min. And one email was
delivered for 2 hours. Is it normal for the openssl-users@openssl.org?
Some time ago I see an email with message: Welcome to the
I see some delay about 30-40 min for my emails. They arrive and I see them
in the incoming messages in the list only after 30-40 min. And one email was
delivered for 2 hours. Is it normal for the openssl-users@openssl.org?
It happens sometimes.
Some time ago I see an email with message:
Hi, Jakob. Thanks for reply.
Now I have seen OpenSSL code and something clear for me.
WANT_READ/WANT_WRITE it's just an implementation for WOULDBLOCK: not fatal
error for non-blocking IO. So, for example for socket and Windows it's just
WSAEWOULDBLOCK returns by WSAGetLastError. Peforms by
Hi Viktor,
please help me to understand your sentence:
Note that doing so does not address the FREAK CVE in SSL clients.
Even with EXPORT ciphers disabled they are still vulnerable, unless patched!
I understand that the downgrading of the ciphersuites is a bug in the library
that
On Tue, Mar 10, 2015, jonetsu wrote:
From: Dr. Stephen Henson st...@openssl.org
Date: 03/10/15 10:21
Although you cannot modify the FIPS module itself without voiding the
validation you *can* change the FIPS capable OpenSSL.
You might (for example) change FIPS_mode_set() to
On Tue, Mar 10, 2015, Jason Schultz wrote:
Is this function available to call in OpenSSL 1.0.1? I'm trying to call it
from my application running a FIPS capable version of OpenSSL (everything
else works, turning FIPS on, etc), but I include fips.h but I get a compile
error saying the
23 matches
Mail list logo