Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Hi Matt, Thank you for the response. I have attached the certificates details. My apology I am not supposed to share the certificates. We are not using X509_VERIFY_PARAM_xxx API's. We are using 4 certificates with the device. 1. Root CA- Baltimore CyberTrust Root 2. Intermediate CA-1 - Microsoft

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Thanks all for your feedback! I asked for mainstream use-cases for algorithms whose removal could cause widespread pain. Some individual users, undoubtedly, will be hit by this, and I acknowledge that they may not be reading this list. But I wanted to know if I'd missed something endemic. I also

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

On Mon, Nov 16, 2015 at 04:51:10PM +0100, Emilia Käsper wrote: > As for specific deprecation strategies: > - Don't forget that all applications will have to recompile against 1.1. The EVP_get_cipherbyname() and EVP_get_digestbyname() interfaces remain, so nothing changes at compile-time. Most

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

On 16/11/2015 16:51, Emilia Käsper wrote: Thanks all for your feedback! I asked for mainstream use-cases for algorithms whose removal could cause widespread pain. Some individual users, undoubtedly, will be hit by this, and I acknowledge that they may not be reading this list. But I wanted

[openssl-users] Incompatibility between OpenSSL 1.0.2 and FIPS 2.0.10

Hi, I am seeing crashes in OpenSSL 1.0.2d when using it with the FIPS 2.0.10 object module. Apparently the size of struct ec_group_st (in crypto/ec/ec_lcl.h) differs between 1.0.1 and 1.0.2, since BN_MONT_CTX *mont_data; /* data for ECDSA inverse */ has been added to it. The FIPS module

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

One more time, I know that someone, somewhere is probably using any given feature of OpenSSL. I am looking to gather information about concrete, actively maintained applications that may be using one of those algorithms, to build a more complete picture. If you are aware of a concrete use of MD2

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Could it be because your CA-2 has the following: Extended Key Usage - Client Authentication, Server Authentication? Some fields that in general only apply to end certificates, e.g. name constraints, when used in a CA certificate, are interpreted as constraints on the certificates that can be

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

On 16 November 2015 at 19:05, Hubert Kario wrote: > Example: CAdES V1.2.2 was published in late 2000, the first serious > attacks on MD2 were not published until 2004. I think it is not > unreasonable for CAdES-A documents to exist today which were originally > signed with MD2

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Probably not, that constraint is satisfied since this is SSL/TLS and the end cert has that same EKU. On 16/11/2015 22:37, E T wrote: Could it be because your CA-2 has the following: Extended Key Usage - Client Authentication, Server Authentication? Some fields that in general only apply to

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

At most one of CA-1 and CA-2 would be part of the chain from Baltimore to the end cert. However your end cert (apparently for hosted Sharepoint services) was issued by a 3rd MSIT CA that was not provided. If it wasn't provided to the code either, the chain would not validate for that reason

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

On 16/11/15 15:51, Emilia Käsper wrote: > Thanks all for your feedback! > > I asked for mainstream use-cases for algorithms whose removal could > cause widespread pain. Some individual users, undoubtedly, will be hit > by this, and I acknowledge that they may not be reading this list. But I >

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Ø If you are aware of a concrete use of MD2 or any of the other algorithms, please let us know! Also, note that we have an extended alpha and-beta test period, so we can add things back if mistakes are made. /r$ ___ openssl-users

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

On 16/11/15 06:52, Jayalakshmi bhat wrote: > Hi Victor, > > Thanks a lot for details explanation. > > Our device acts as TLS/SSL client. The device receives chain of > certificates as part of SSL handshake, when it is trying to get > connected to TLS/SSL server like sharepoint 365. > >

Re: [openssl-users] Available ciphers

Anybody able to help? Thanks Dirk On 10.11.2015 17:09, Dirk Menstermann wrote: > Hi, > > I'm using openssl 1.0.2 (as web server application) and utilize the APLN > callback to react on protocols offered by the client. In this callback I need > a > way to get the list of ciphers that the client