Re: an oldie but a goodie .. ISO C90 does not support 'long long'

2022-11-23 Thread Jakob Bohm via openssl-users
On 2022-11-15 21:36, Phillip Susi wrote: Jakob Bohm via openssl-users writes: Performance wise, using a newer compiler that implements int64_t etc. via frequent library calls, while technically correct, is going to run unnecessarily slow compared to having algorithms that actually use

Re: an oldie but a goodie .. ISO C90 does not support 'long long'

2022-11-11 Thread Jakob Bohm via openssl-users
On 2022-11-06 23:14, raf via openssl-users wrote: On Sat, Nov 05, 2022 at 02:22:55PM +, Michael Wojcik wrote: From: openssl-users On Behalf Of raf via openssl-users Sent: Friday, 4 November, 2022 18:54 On Wed, Nov 02, 2022 at 06:29:45PM +, Michael Wojcik via openssl-users wrote:

Re: Getting cert serial from an OCSP single response

2022-10-31 Thread Jakob Bohm via openssl-users
On 2022-10-31 01:11, Alexei Khlebnikov wrote: Hello Geoff, Try the following function, receive the serial number via the "pserial" pointer. But avoid changing the number via the pserial pointer because it points inside the OCSP_CERTID structure. int OCSP_id_get0_info(ASN1_OCTET_STRING

Re: Order of providers breaks my keymgmt

2022-01-17 Thread Jakob Bohm via openssl-users
On 17/01/2022 09:49, Tomas Mraz wrote: On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote: Hi, I successfully implemented OpenSSL v3 provider which provides store and keymgmt and I can use it to sign a cms with the following command: openssl cms -sign -signer myprov:cert=0014 -provider myprov

Re: EVP_PKEY_get_int_param is not getting degree from EC key

2022-01-05 Thread Jakob Bohm via openssl-users
On 2022-01-05 09:45, Tomas Mraz wrote: ... So you're basically asking to put something like - "The parameter most probably won't fit into unsigned int." - to every such parameter documented for PKEYs? "unsigned BIGNUM" instead of "unsigned integer" would be short and much clearer in the

Re: Larger RSA keys (Modulus bits > 16384)

2021-12-26 Thread Jakob Bohm via openssl-users
On 26/12/2021 16:21, Grégory Widmer via openssl-users wrote: Dear OpenSSL users, I have a question about OpenSSL. Recently, I asked myself if there was a maximum bit length for the modulus of a RSA key. I tried to type : user@host:~$ openssl genrsa 32768 Warning: It is not recommended to

Re: New Blog Post

2021-12-03 Thread Jakob Bohm via openssl-users
On 2021-11-25 15:00, Matt Caswell wrote: Please see the new blog post by Tim Hudson giving an update on the OpenSSL Project. https://www.openssl.org/blog/blog/2021/11/25/openssl-update/ Followup: While the OpenSSL leadership may think they have made things easier for algorithm developers,

Re: Starting the QUIC Design

2021-12-03 Thread Jakob Bohm via openssl-users
Please note that the embedded github links don't work for me, as all I get is an error page with a log in form. One major issue with any QUIC implementation is how closely that protocol is tied to Google and their desire to have web browsers quickly load elements from 3rd party webservers, such

Re: OpenSSL 1.1 on OSX

2021-12-03 Thread Jakob Bohm via openssl-users
Which is indeed what I do in our notarized MacOsX and iOS applications.  However to do so, I have historically needed to clean up OpenSSL source code to actually behave as a proper static library where only used functions are linked in.  Most notably, the source files named xxx_lib.c tend to

Re: Examples of adding Private Enterprise Numbers (PEN's) Extensions to CSR

2021-10-15 Thread Jakob Bohm via openssl-users
On 2021-10-14 18:43, Philip Prindeville wrote: Hi, I need to generate CSR's with some Extensions included that use our PEN's as allocated by IANA. Are there any examples of this? Also, I'm looking at X509_REQ_add_extensions_nid() and it takes a STACK_OF(X509_EXTENSION) but it doesn't seem

Re: OpenSSL 3.0.0 custom entropy source

2021-09-25 Thread Jakob Bohm via openssl-users
So is there no longer an API to feed entropy to the default or FIPS default RNG? Creating an entire provider just to feed input to the FIPS provider seems overkill. On 2021-09-14 01:00, Dr Paul Dale wrote: Try working from providers/implementations/rands/seed_src.c  You'll need to

Re: Reducing the footprint of a simple application

2021-09-15 Thread Jakob Bohm via openssl-users
On 2021-09-14 12:14, Dr Paul Dale wrote: > ...low security RNGs and other antifeatures. Huh  Where?  Why plural? The only **one** I'm aware of is the one I added to stochastically flush the property cache where it doesn't need to be cryptographically secure. Some applications need

Re: Reducing the footprint of a simple application

2021-09-14 Thread Jakob Bohm via openssl-users
Hi fellow sufferer, I used to do a lot of manual patching of OpenSSL 1.0.x to remove the insane object interdependencies (such as objects named foolib.c being nexus points that bring in tonnes of irrelevant code because someone was too unfamiliar with basic library concepts to make an actual

Re: problems with too many ssl_read and ssl_write errors

2021-08-23 Thread Jakob Bohm via openssl-users
For the below symptoms, I would recommend watching the application port with Wireshark. This should show any TLS protocol deviations and any problems in handling and establishing the TCP connections. On 2021-08-19 00:38, David Bowers via openssl-users wrote: * We have a server that

Re: Need some help signing a certificate request

2021-08-23 Thread Jakob Bohm via openssl-users
On 21/08/2021 19:42, Michael Wojcik wrote: From: rgor...@centerprism.com Sent: Saturday, 21 August, 2021 11:26 My openssl.cnf (I have tried `\` and `\\` and `/` directory separators): Use forward slashes. Backslashes should work on Windows, but forward slashes work everywhere. I don't know

Re: libcrypto.dylib, building for macOS-arm64 but attempting to link with file built for macOS-x86_64

2021-08-19 Thread Jakob Bohm via openssl-users
This is a known deficiency of how Apple rushed adding support for their M1 ARM Desktop CPU to the XCode build suite. When building a desktop macOs program file with XCode, it will implicitly try to build both an x86_64 and an arm64 variant, and will get very surprised your compiled open

Re: Deciphering a .p7f file

2021-08-11 Thread Jakob Bohm via openssl-users
On 2021-08-11 13:52, Keine Eile wrote: Hi list members, I have a .p7f in hands, which seems to be a DER encoded PKCS7 structure in some way, I can use 'openssl pkcs' to transform it in a PEM form, I also can pull a bunch of certificates out of it. But I know, there is some encrypted pay load

Re: query on key usage OIDs

2021-07-16 Thread Jakob Bohm via openssl-users
Question was how to retrieve those lists for any given certificate, using currently supported OpenSSL APIs. The lists of usage bits and extusage OIDs in any given certificate are finite, even if the list of values that could be in other certificates is infinite. On 2021-07-16 06:44, Kyle

Re: email notice [was: Not getting some macros for FIPS]

2021-07-01 Thread Jakob Bohm via openssl-users
On 2021-06-25 22:26, Richard Levitte wrote: On Wed, 23 Jun 2021 10:51:05 +0200, Tomas Mraz wrote: On Wed, 2021-06-23 at 08:12 +, Kumar Mishra, Sanjeev wrote: Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is

Re: reg: question about SSL server cert verification

2021-06-19 Thread Jakob Bohm via openssl-users
On 2021-06-18 17:07, Viktor Dukhovni wrote: On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote: Now the client simply works backwards through that list, checking if each certificate signed the next one or claims to be signed by a certificate in /etc/certs

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 16:23, Michael Wojcik wrote: From: openssl-users On Behalf Of Jakob Bohm via openssl-users Sent: Friday, 18 June, 2021 07:10 To: openssl-users@openssl.org Subject: Re: reg: question about SSL server cert verification On 2021-06-18 06:38, sami0l via openssl-users wrote: I'm

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 06:38, sami0l via openssl-users wrote: I'm curious how exactly an SSL client verifies an SSL server's certificate which is signed by a CA. So, during the SSL handshake, when the server sends its certificate, will the SSL client first checks the `Issuer`'s `CN` field from the x509

Re: openssl verify question

2021-06-17 Thread Jakob Bohm via openssl-users
On 2021-06-17 15:49, Viktor Dukhovni wrote: On Sat, Jun 12, 2021 at 10:20:22PM +0200, Gaardiolor wrote: When I compare those, they are exactly the same. But that's the thing, I think server.sig.decrypted should be prepended with a sha256 designator 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01

Best practice for distributions that freeze OpenSSL versions and backports

2021-06-08 Thread Jakob Bohm via openssl-users
Dear team, It would be nice if there was a user- and security-friendly best practice document for distributions (such as Linux distributions) that freeze on an OpenSSL release version (such as 1.1.1z) and then backport any important fixes. Perhaps something like the following: 1. The

Re: FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-06-01 Thread Jakob Bohm via openssl-users
On 2021-05-28 22:50, Michael Wojcik wrote: Just realized I sent this directly to Graham instead of to the list. -Original Message- From: Michael Wojcik Sent: Friday, 28 May, 2021 09:37 To: 'Graham Leggett' Subject: RE: X509_verify_cert() rejects all trusted certs with "default"

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
': No such file or directory $ ls -alF /usr/local/bin/openssl ls -alF /usr/local/bin/openssl ls: cannot access '/usr/local/bin/openssl': No such file or directory $ /usr/local/bin/openssl version -a /usr/local/bin/openssl version -a -bash: /usr/local/bin/openssl: No such file or directory *

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
On 2021-05-19 19:56, Michael McKenney wrote: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f.   Usually Ubuntu upgrades don’t break it. OpenSSL 1.1.1f  31 Mar 2020 (Library: OpenSSL 1.1.1k  25 Mar 2021) built on: Thu Apr 29 14:11:04 2021 UTC

Re: PKCS7_decrypt vs RSA OAEP padding

2021-04-15 Thread Jakob Bohm via openssl-users
On 2021-04-15 12:57, Michal Moravec wrote: Follow-up on my previous email: I modified my proof-of-problem program to load PKCS7 file into PKCS7 and convert it to CMS_ContentInfo using the BIO (See convert.c in the attachment). It is similar to this: handle_encrypted_content(SCEP *handle,

Re: Query on SSL Mutual Authentication on Server

2021-03-02 Thread Jakob Bohm via openssl-users
On 2021-03-01 17:28, Viktor Dukhovni wrote: On Mon, Mar 01, 2021 at 09:21:29PM +0530, Archana wrote: I am new to SSL programming. On our SSL Server implementation, we are trying to enforce Mutual Authentication. Is it Mandatory to provide a user defined Callback using SSL_ctx_setverify() No

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
If only one or a few parsers are broken, they need to be fixed. If many broken parsers have proliferated due to generators semi-violating DER by not omitting the empty field, that has become the new reality that generators must deal with. PKIX arbitrarily limiting serial numbers to 159 bits has

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
Also note that the official ASN.1 declaration for AlgorithmIdentifier (from X.509 (2012), section 7.2) marks the parameters field as OPTIONAL, so parsers really should accept its absence. However if broken parsers are common (this thread only found one such parser), maybe it would be good
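
Added example, not from this thread and not OpenSSL's own code: a minimal DER encoder/parser that emits an AlgorithmIdentifier both with an explicit NULL parameters field and with the field omitted, and a lenient parser that accepts either form (plus anything else as opaque parameters, rejecting trailing data). The same OID/TLV helpers also build the PKCS#1 v1.5 DigestInfo for SHA-256, which is where the "30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20" prefix discussed in the "openssl verify question" thread above comes from. Only the Python standard library is used.

```python
import hashlib

# --- minimal DER helpers ------------------------------------------------------

def der_length(n):
    """Definite-form DER length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, base-128 afterwards."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def decode_oid(body):
    """Inverse of der_oid for the usual case (first arc 0, 1 or 2, second arc < 40)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    """Return (tag, content, end) of the element at pos; rejects non-minimal lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if n == 0 or length < 0x80 or n != (length.bit_length() + 7) // 8:
            raise ValueError("non-minimal DER length")
        hdr = 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos + hdr:end], end

# --- AlgorithmIdentifier -------------------------------------------------------

DER_NULL = b"\x05\x00"
SHA256_OID = "2.16.840.1.101.3.4.2.1"        # id-sha256
ECDSA_SHA256_OID = "1.2.840.10045.4.3.2"      # ecdsa-with-SHA256

def algorithm_identifier(oid, null_params):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.
    null_params=True writes an explicit NULL (what RFC 3279/RFC 8017 want for the
    RSA and SHA-2 identifiers); False omits the field (what RFC 5758 wants for ECDSA)."""
    return der_tlv(0x30, der_oid(oid) + (DER_NULL if null_params else b""))

def parse_algorithm_identifier(buf):
    """Lenient parser: (oid, params) with params None when absent, "NULL" for an
    explicit NULL, or (tag, content) for any other parameters value."""
    tag, content, end = parse_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected a single SEQUENCE")
    oid_tag, oid_body, pos = parse_tlv(content)
    if oid_tag != 0x06:
        raise ValueError("algorithm must be an OID")
    if pos == len(content):
        return decode_oid(oid_body), None          # parameters absent: allowed
    ptag, pbody, pend = parse_tlv(content, pos)
    if pend != len(content):
        raise ValueError("trailing data after parameters")
    params = "NULL" if (ptag == 0x05 and pbody == b"") else (ptag, pbody)
    return decode_oid(oid_body), params

# --- DigestInfo, the structure inside a PKCS#1 v1.5 signature ---------------------

def digest_info(oid, digest):
    """DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
    RFC 8017 section 9.2 note 1 encodes the SHA-2 identifiers with an explicit NULL."""
    return der_tlv(0x30, algorithm_identifier(oid, True) + der_tlv(0x04, digest))

def sha256_digest_info(message):
    return digest_info(SHA256_OID, hashlib.sha256(message).digest())

if __name__ == "__main__":
    print(sha256_digest_info(b"abc")[:19].hex())           # the 19-byte SHA-256 prefix
    print(parse_algorithm_identifier(algorithm_identifier(ECDSA_SHA256_OID, False)))
```

Generators that want to interoperate with a parser known to choke on one form can pick it per algorithm through `null_params`; the parser side accepts both, which is the cheap fix whenever you control the consumer.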

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
. Because it can be used only with obsolete encryption algorithms anyway - the best one being 3DES for the encryption and SHA1 for the KDF. Tomas On Thu, 2021-01-28 at 11:08 +0100, Jakob Bohm via openssl-users wrote: If the context does not limit the use of higher level compositions, then OpenSSL

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
ntext. Anyway OpenSSL 3.0 gives you all the flexibility needed. Tomas On Thu, 2021-01-28 at 10:24 +0100, Jakob Bohm via openssl-users wrote: Does FIPS 140 or the related legal requirements limit the use of higher level compositions such as PKCS12KDF, when using only validated cryptography for the und

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
ule with legacy algorithms it only shows that the "true" FIPS mode was not as "true" as you might think. There were some crypto algorithms like the KDFs outside of the FIPS module boundary. Tomas Mraz On Thu, 2021-01-28 at 09:26 +0100, Jakob Bohm via openssl-users wrote: Does that mean

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: On Tue, 2021-01-26 at 11:45 +0000, Matt Caswell wrote: On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_pa

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Jakob Bohm via openssl-users
On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider.  It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider.  These

Re: Random and rare Seg faults at openssl library level

2021-01-08 Thread Jakob Bohm via openssl-users
On 2021-01-07 18:05, Ken Goldman wrote: On 1/7/2021 10:11 AM, Michael Wojcik wrote: $ cat /etc/redhat-release && openssl version CentOS Linux release 7.9.2009 (Core) OpenSSL 1.0.2k-fips  26 Jan 2017 Ugh. Well, OP should have made that clear in the original message. And this is one of the

Re: Regarding #def for 'SSL_R_PEER_ERROR_NO_CIPHER' and 'SSL_R_NO_CERTIFICATE_RETURNED' in openssl3.0

2020-12-07 Thread Jakob Bohm via openssl-users
On 07/12/2020 12:39, Matt Caswell wrote: On 04/12/2020 13:28, Narayana, Sunil Kumar wrote: Hi, We are trying to upgrade our application from openssl usage of 1.0.2 to openssl 3.0, during which we observe following errors. Looks like the below #def been removed from 1.1

Re: Server application hangs on SS_read, even when client disconnects

2020-11-16 Thread Jakob Bohm via openssl-users
(Top posting to match what Mr. André does): TCP without keepalive will time out the connection a few minutes after sending any data that doesn't get a response. TCP without keepalive with no outstanding send (so only a blocking recv) and nothing outstanding at the other end will probably hang

Re: How to make ocsp responder busy

2020-11-09 Thread Jakob Bohm via openssl-users
On 2020-11-09 09:58, Venkata Mallikarjunarao Kosuri via openssl-users wrote: Hi We are trying to work scenario to openssl OCSP responder busy, but we are not sure how to make OCSP responder busy could please throw some pointer to work on. Ref

Fencepost errors in certificate and OCSP validity

2020-10-28 Thread Jakob Bohm via openssl-users
Recently, the EJBCA developers publicly warned (via the Mozilla root store policy mailing list) other CA vendors that they had incorrectly implemented the handling of the "notAfter" X509 field, resulting in certificates that lasted 1 second longer than intended. Prompted by this warning, I
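
Added example, not part of the post and not EJBCA or OpenSSL code: the arithmetic behind the one-second fencepost. RFC 5280 section 4.1.2.5 defines the validity period as notBefore through notAfter inclusive, so computing notAfter as notBefore plus the intended lifetime yields a certificate accepted for one second longer than intended. The dates below are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def naive_not_after(not_before, lifetime):
    """The fencepost bug: notAfter = notBefore + lifetime.

    Because both endpoints are valid instants, the certificate is accepted
    for lifetime + 1 second."""
    return not_before + lifetime

def intended_not_after(not_before, lifetime):
    """Certificate valid for exactly `lifetime`: the last valid second is
    notBefore + lifetime - 1 second."""
    return not_before + lifetime - timedelta(seconds=1)

def in_validity_period(now, not_before, not_after):
    """The RFC 5280 check: both notBefore and notAfter themselves are valid."""
    return not_before <= now <= not_after

def validity_seconds(not_before, not_after):
    """Number of one-second instants at which the certificate is valid
    (X.509 times carry one-second resolution), counting both endpoints."""
    return int((not_after - not_before).total_seconds()) + 1

def x509_time(dt):
    """Encode a time as RFC 5280 4.1.2.5 requires: UTCTime (YYMMDDHHMMSSZ)
    for years up to 2049, GeneralizedTime (YYYYMMDDHHMMSSZ) from 2050 on;
    always UTC, seconds always present."""
    dt = dt.astimezone(UTC)
    fmt = "%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ"
    return dt.strftime(fmt)

# constructed input: a certificate meant to last 398 days, issued 2020-10-28
EXAMPLE_NOT_BEFORE = datetime(2020, 10, 28, 0, 0, 0, tzinfo=UTC)
EXAMPLE_LIFETIME = timedelta(days=398)

if __name__ == "__main__":
    for name, fn in (("naive", naive_not_after), ("intended", intended_not_after)):
        na = fn(EXAMPLE_NOT_BEFORE, EXAMPLE_LIFETIME)
        print(name, x509_time(na), validity_seconds(EXAMPLE_NOT_BEFORE, na), "seconds")
```

The same inclusive-endpoint reasoning applies to any "valid until" field a validator compares with `<=`; whoever generates the value has to subtract the one second, because the verifier cannot know what was intended.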

Re: CAPI engine seems to break server validation

2020-10-26 Thread Jakob Bohm via openssl-users
, but failing to pass that job to the CAPI engine. I was commenting on how that might be made to work. On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users <openssl-users@openssl.org> wrote: On 2020-10-23 15:45, Matt Caswell wrote: > > On 23/10/2020

Re: CAPI engine seems to break server validation

2020-10-23 Thread Jakob Bohm via openssl-users
On 2020-10-23 15:45, Matt Caswell wrote: On 23/10/2020 14:10, Brett Stahlman wrote: It seems that the CAPI engine is breaking the server verification somehow. Note that the only reason I'm using the ca-bundle.crt is that I couldn't figure out how to get CAPI to load the Windows "ROOT"

Re: OpenSSL Security Advisory

2020-09-10 Thread Jakob Bohm via openssl-users
On 2020-09-10 09:03, Tomas Mraz wrote: On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote: Wouldn't a more reasonable response for 1.0.2 users have been to force on SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher suites and telling affected people

Re: OpenSSL Security Advisory

2020-09-09 Thread Jakob Bohm via openssl-users
On 2020-09-09 14:39, OpenSSL wrote: OpenSSL Security Advisory [09 September 2020] = Raccoon Attack (CVE-2020-1968) == Severity: Low The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker

Re: Testing

2020-09-03 Thread Jakob Bohm via openssl-users
On 2020-09-03 12:25, Marc Roos wrote: Why are you defending amazon? Everyone processing significant mail and http traffic is complaining about them. They were even listed in spamhaus's top 10 abuse networks (until they started contributing to them?) Because we are sending non-spam mail from

Re: Testing

2020-09-03 Thread Jakob Bohm via openssl-users
On 2020-09-03 09:42, Marc Roos wrote: PTR record, SPF, DKIM and DMARC are also set by spammers, and sometimes even just before a spam run. It is either choosing to do amazons work or not having any work. If more and more are blocking the amazon cloud it would make their clients leave and this

Re: Cert hot-reloading

2020-09-01 Thread Jakob Bohm via openssl-users
On 2020-09-01 06:57, Viktor Dukhovni wrote: On Mon, Aug 31, 2020 at 11:00:31PM -0500, David Arnold wrote: 1. Construe symlinks to current certs in a folder (old or new / file by file) 2. Symlink that folder 3. Rename the current symlink to that new symlink atomically. This is fine, but does

Re: Cert hot-reloading

2020-09-01 Thread Jakob Bohm via openssl-users
On 2020-09-01 04:26, Viktor Dukhovni wrote: On Aug 31, 2020, at 10:57 PM, Jakob Bohm via openssl-users wrote: Given the practical imposibility of managing atomic changes to a single POSIX file of variable-length data, it will often be more practical to create a complete replacement file

Re: Cert hot-reloading

2020-08-31 Thread Jakob Bohm via openssl-users
On 2020-09-01 01:52, Viktor Dukhovni wrote: On Sun, Aug 30, 2020 at 07:54:34PM -0500, Kyle Hamilton wrote: I'm not sure I can follow the "in all cases it's important to keep the key and cert in the same file" argument, particularly in line with openat() usage on the cert file after privilege
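
Added example for the three "Cert hot-reloading" messages above; it is not code from any of the participants or from OpenSSL. It shows the replace-whole-file approach: the new key+cert bundle is written to a temporary file in the same directory, fsynced and then renamed over the old name, so a reader never sees a half-written file, and a reloader that compares the inode (not just the mtime) of the file it actually opened notices every replacement. The PEM blocks are constructed placeholders, not real key material, and POSIX rename semantics are assumed.

```python
import os
import tempfile

def atomic_replace(path, data, mode=0o600):
    """Publish a new version of `path` atomically.

    The data goes to a temp file in the same directory (so rename(2) does not
    cross filesystems), is fsynced, then renamed over the target. Readers that
    open `path` see either the complete old file or the complete new one; a
    reader that already holds an open descriptor keeps the old inode until it
    re-opens, which is exactly what makes the reload check below work."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".new-")   # mkstemp creates it 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    dfd = os.open(d, os.O_RDONLY)          # make the new directory entry durable too
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)

def is_complete_bundle(data):
    """Key and certificate live in one file so they can never be observed out of
    step; a bundle holding only one of them is refused rather than half-loaded."""
    return b"PRIVATE KEY-----" in data and b"-----BEGIN CERTIFICATE-----" in data

class PemBundle:
    """A combined key+cert PEM file re-read whenever the file on disk was replaced.

    Identity is taken with fstat() on the descriptor we are about to read from,
    so the data and the identity always belong to the same inode (no stat/open
    race). Comparing (dev, inode, size, mtime) rather than mtime alone catches
    two replacements that land inside one mtime tick: rename yields a new inode."""

    def __init__(self, path):
        self.path = path
        self._stamp = None
        self._data = None
        self.reloads = 0

    def current(self):
        with open(self.path, "rb") as f:
            st = os.fstat(f.fileno())
            ident = (st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns)
            if ident == self._stamp:
                return self._data
            data = f.read()
        if not is_complete_bundle(data):
            raise ValueError("bundle must hold both private key and certificate")
        self._data, self._stamp = data, ident
        self.reloads += 1
        return self._data

# constructed placeholder PEM blocks (not real key material)
BUNDLE_V1 = (b"-----BEGIN PRIVATE KEY-----\nKEYv1\n-----END PRIVATE KEY-----\n"
             b"-----BEGIN CERTIFICATE-----\nCERTv1\n-----END CERTIFICATE-----\n")
BUNDLE_V2 = BUNDLE_V1.replace(b"v1", b"v2")

def demo_hot_reload():
    """Run one replace cycle in a scratch directory and report what happened."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "server.pem")
    atomic_replace(path, BUNDLE_V1)
    bundle = PemBundle(path)
    first = bundle.current()
    ino1 = os.stat(path).st_ino
    bundle.current()                       # file unchanged: must not reload
    reloads_after_repeat = bundle.reloads
    atomic_replace(path, BUNDLE_V2)
    second = bundle.current()
    ino2 = os.stat(path).st_ino
    return {"first_ok": first == BUNDLE_V1, "second_ok": second == BUNDLE_V2,
            "reloads_after_repeat": reloads_after_repeat, "reloads": bundle.reloads,
            "inode_changed": ino1 != ino2,
            "leftovers": [n for n in os.listdir(d) if n != "server.pem"]}

if __name__ == "__main__":
    print(demo_hot_reload())
```

The symlink-swap variant from the thread has the same property: the symlink is replaced by one rename, and a reader following it opens a different inode afterwards, so the inode comparison catches that case as well.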

Re: Testing

2020-08-31 Thread Jakob Bohm via openssl-users
On 2020-08-31 16:28, Marc Roos wrote: Why don't you block the whole compute cloud of amazon? ec2-3-21-30-127.us-east-2.compute.amazonaws.com Please note, that at least our company hosts a secondary MX in the EC2 cloud, with the option to direct my posts to the list through that server.  However

Re: OpenSSL compliance with Linux distributions

2020-08-17 Thread Jakob Bohm via openssl-users
The key thing to do is to make those client applications not request the ssl23-method from OpenSSL 0.9.x . ssl23 explicitly requests this backward-compatibility feature while OpenSSL 3.x.x apparently deleted the ability to respond to this "historic" TLS hello format, which is also sent by some
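
Added example, not from the post and not OpenSSL code: what the "historic" hello format actually looks like on the wire next to a normal TLS ClientHello, which is what an ssl23-style server had to tell apart from the first few bytes. An SSLv2-compatible CLIENT-HELLO (RFC 5246 Appendix E.2) starts with a 2-byte length whose high bit is set, then message type 1, the highest version offered and three 2-byte lengths, with TLS cipher suites carried as 3-byte specs; a TLS ClientHello sits inside a handshake record starting 0x16. The builders produce constructed sample messages; the parser classifies a client's first bytes and extracts the offered version and suites.

```python
import struct

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS1.0",
                 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def build_sslv2_hello(version, ciphers, challenge):
    """SSLv2-compatible CLIENT-HELLO carrying TLS suites as 3-byte specs
    (0x00 || 2-byte suite id); no session id, a 16-byte challenge."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    body = (b"\x01" + struct.pack(">H", version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

def build_tls_hello(version, ciphers, random32):
    """SSLv3/TLS ClientHello inside a Handshake record (record version 3.1)."""
    assert len(random32) == 32
    suites = b"".join(struct.pack(">H", c) for c in ciphers)
    body = (struct.pack(">H", version) + random32 + b"\x00"          # empty session id
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")  # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def parse_client_hello(buf):
    """Classify the first bytes from a client. Returns
    {"format": "sslv2"|"tls", "version": int, "ciphers": [int, ...]}."""
    if len(buf) < 5:
        raise ValueError("need at least 5 bytes")
    if buf[0] & 0x80:
        # SSLv2 record header: 15-bit length, then CLIENT-HELLO (msg type 1)
        length = ((buf[0] & 0x7F) << 8) | buf[1]
        body = buf[2:2 + length]
        if len(body) != length or length < 9 or body[0] != 1:
            raise ValueError("malformed SSLv2 CLIENT-HELLO")
        version = (body[1] << 8) | body[2]
        cs_len, sid_len, ch_len = struct.unpack(">HHH", body[3:9])
        if cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
            raise ValueError("inconsistent SSLv2 lengths")
        specs = body[9:9 + cs_len]
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "sslv2", "version": version, "ciphers": ciphers}
    if buf[0] == 0x16 and buf[1] == 0x03:
        rec_len = (buf[3] << 8) | buf[4]
        hs = buf[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 1:
            raise ValueError("record does not start with a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len or hs_len < 35:
            raise ValueError("truncated ClientHello")
        version = (body[0] << 8) | body[1]
        pos = 2 + 32                              # skip client_random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = (body[pos] << 8) | body[pos + 1]
        pos += 2
        if cs_len % 2 or pos + cs_len > len(body):
            raise ValueError("bad cipher_suites vector")
        ciphers = [(body[i] << 8) | body[i + 1] for i in range(pos, pos + cs_len, 2)]
        return {"format": "tls", "version": version, "ciphers": ciphers}
    raise ValueError("not a ClientHello")

def is_client_hello(buf):
    try:
        parse_client_hello(buf)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    v2 = build_sslv2_hello(0x0301, [0x00002F, 0x000035], b"\x11" * 16)   # constructed
    v3 = build_tls_hello(0x0303, [0x002F, 0xC02F], b"\x22" * 32)         # constructed
    for msg in (v2, v3):
        info = parse_client_hello(msg)
        print(info["format"], VERSION_NAMES.get(info["version"]),
              [hex(c) for c in info["ciphers"]])
```

A server that only knows the record-layer format rejects the first message at byte 0 (0x80 is not a valid content type), which is the failure the post describes for clients still sending v2-format hellos.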

Re: Software that uses OpenSSL

2020-08-17 Thread Jakob Bohm via openssl-users
On 06/08/2020 22:17, Quanah Gibson-Mount wrote: --On Thursday, August 6, 2020 1:21 PM -0700 Dan Kegel wrote: lists 861 packages, belonging to something like 400 projects, that depend on openssl Unfortunately, due to Debian's odd take on the OpenSSL license, many projects that can

Re: Lack of documentation for OPENSSL_ia32cap_P

2020-07-28 Thread Jakob Bohm via openssl-users
On 2020-07-26 01:56, Jan Just Keijser wrote: On 23/07/20 02:35, Jakob Bohm via openssl-users wrote: The OPENSSL_ia32cap_P variable, its bitfields and the code that sets it (in assembler) seem to have no clear documentation. Thanks, I somehow missed that document as I was grepping the code

Lack of documentation for OPENSSL_ia32cap_P

2020-07-22 Thread Jakob Bohm via openssl-users
The OPENSSL_ia32cap_P variable, its bitfields and the code that sets it (in assembler) seem to have no clear documentation. Looking at x86_64cpuid.pl, I see jumps to ".Lintel" etc. being conditional on stuff other than the CPU being an Intel CPU, while the code in there is generally unreadable

Re: server key exchange signature behavior

2020-06-25 Thread Jakob Bohm via openssl-users
You may also check out the results of the popular ssllabs.com test here: https://www.ssllabs.com/ssltest/analyze.html?d=jnior.com=on Note however that in recent years they have become quite aggressive in labeling things as "weak" when they are simply "slightly less than the best that the

Re: Unusual certificates

2020-06-25 Thread Jakob Bohm via openssl-users
On 2020-06-25 13:25, Hubert Kario wrote: On Thursday, 25 June 2020 12:15:00 CEST, Angus Robertson - Magenta Systems Ltd wrote: A client is having problems reading Polish Centum issued personal certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier, mostly. Using PEM_read_bio_X509

Re: endless loop in probable_prime

2020-06-21 Thread Jakob Bohm via openssl-users
On 2020-06-18 18:13, Salz, Rich via openssl-users wrote: BN_bin2bn assumes that the size of a BN_ULONG (the type of a bn->d) is BN_BYTES. You have already told us that sizeof(*d) is 4. So BN_BYTES should also be 4. If BN_BYTES is being incorrectly set to 8 on your platform

Re: freefunc - name clash with Python.h

2020-06-21 Thread Jakob Bohm via openssl-users
On 2020-06-15 09:37, Viktor Dukhovni wrote: On Mon, Jun 15, 2020 at 06:07:20AM +, Jordan Brown wrote: Supplying names for the arguments in function prototypes makes them easier to read, but risks namespace problems. Yes, which I why, some time back, I argued unsuccessfully that we SHOULD

Re: Which 1.1.1 config options set OPENSSL_NO_TESTS ?

2020-05-12 Thread Jakob Bohm via openssl-users
On 12/05/2020 16:01, Matt Caswell wrote: On 12/05/2020 14:50, Jakob Bohm via openssl-users wrote: When running Configure in OpenSSL 1.1.1g with various options, it sometimes silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d" . Looking at the code here: https://

Which 1.1.1 config options set OPENSSL_NO_TESTS ?

2020-05-12 Thread Jakob Bohm via openssl-users
When running Configure in OpenSSL 1.1.1g with various options, it sometimes silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d" . This obviously causes "make test" to do nothing with the message "Tests are not supported with your chosen Configure options" . Unfortunately,

Re: TLSv1 on CentOS-8

2020-04-22 Thread Jakob Bohm via openssl-users
On 2020-04-22 15:22, Hubert Kario wrote: On Tuesday, 21 April 2020 21:29:58 CEST, Jakob Bohm via openssl-users wrote: That link shows whatever anyone's browser is configured to handle when clicking the link. The important thing is which browsers you need to support, like the ones on https

Re: CMS in openssl

2020-04-21 Thread Jakob Bohm via openssl-users
A few corrections: OpenSSL included CMS (RFC3369) support since 1.0.0 (see the CHANGES file), though for a long time, there was an arbitrary disconnect between functions named CMS and functions named PKCS#7 even though it should have been a continuum. The PKCS#7 and CMS standards equally

Re: opensssl 1.1.1g test failure(s)

2020-04-21 Thread Jakob Bohm via openssl-users
Summary: The OpenSSL 1.1.1g test suite contains at least two bugs: TestBug#1: Test suite fails if local network has no IPv6, error message (non-verbose) doesn't say that's the issue. [ Testing IPv6 makes sense, rejecting regression tests on inadequate machines is important to avoid

Re: TLSv1 on CentOS-8

2020-04-21 Thread Jakob Bohm via openssl-users
That link shows whatever anyone's browser is configured to handle when clicking the link. The important thing is which browsers you need to support, like the ones on https://www.ssllabs.com/ssltest/clients.html Beware that the list I just linked is woefully incomplete for those of us who

Re: certificate verification error OpenSSL 1.1.1

2020-03-03 Thread Jakob Bohm via openssl-users
On 2020-03-03 08:19, Viktor Dukhovni wrote: On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote: when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL 1.1.1 there is slight change in the

Re: Which RFC explains how the mac-then-encrypt needs to be implemented

2020-03-02 Thread Jakob Bohm via openssl-users
On 2020-03-03 07:46, Phani 2004 wrote: Hi Team, I am trying to implement mac-then-encrypt for aes_cbc_hmac_sha1 combined cipher. From the code i could understand that the first 16 bytes were being used as explicit IV while decrypting and the hmac is done for 13 byte AAD and 16 byte Fin record

Re: Support FFDHE?

2020-02-28 Thread Jakob Bohm via openssl-users
On 2020-02-28 03:37, Salz, Rich via openssl-users wrote: > Per section Supported Groups in RFC 8446 [1], FFDHE groups could be supported. I was wrong, sorry for the distraction. As others have pointed out, it will be in the next (3.0) release. Note that the group identifiers for the

Re: Static linking libssl.a and libcrypto.a on Linux x64 fails

2019-11-13 Thread Jakob Bohm via openssl-users
On 13/11/2019 15:23, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Aijaz Baig Sent: Wednesday, November 13, 2019 01:45 I am trying to statically link libssl.a and libcrypto.a into a static library of my own which I will be using in an

Re: static linking libssl and libcrypto

2019-11-06 Thread Jakob Bohm via openssl-users
Regarding #1: Using libSSL.a instead of libSSL.so should avoid using libSSL.so by definition.  Otherwise something went seriously wrong with the linking.  Same for any other library. On 05/11/2019 18:22, Aijaz Baig wrote: Thank you for the information. I will address your points here: 1. I was

Re: SHA_CTX h0, h1, h2, h3, h4

2019-10-30 Thread Jakob Bohm via openssl-users
On 30/10/2019 04:04, ratheesh kannoth wrote: Hi, 1. what are these h0h4 ? 2. How are they generated ? 3. Could you help to locate code in openssl ? typedef struct SHAstate_st { SHA_LONG h0, h1, h2, h3, h4; SHA_LONG Nl, Nh; SHA_LONG data[SHA_LBLOCK]; unsigned int num;
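
Added example, not from the thread and not OpenSSL's implementation: a pure-Python SHA-1 whose state is laid out like the SHAstate_st in the question, so the meaning of each field is visible. h0..h4 are the five 32-bit chaining variables, initialised to the FIPS 180-4 constants and updated by the compression function once per 64-byte block; Nl/Nh are the low and high halves of the message length in bits (needed for the final padding block); data/num hold the bytes of a not-yet-complete block between update calls. Results are checkable against any SHA-1 implementation.

```python
import struct

M32 = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

class SHA1State:
    """SHA-1 with the same fields as OpenSSL's SHAstate_st (added example)."""
    BLOCK = 64          # SHA_LBLOCK (16) words of 4 bytes

    def __init__(self):
        # FIPS 180-4 section 5.3.1 initial hash value (what SHA1_Init stores)
        self.h0, self.h1, self.h2, self.h3, self.h4 = (
            0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
        self.Nl = 0                 # message length in bits, low 32 bits
        self.Nh = 0                 # message length in bits, high 32 bits
        self.data = bytearray()     # buffered partial block
        self.num = 0                # bytes currently in data

    def _compress(self, block):
        """Apply the compression function to one 64-byte block, updating h0..h4."""
        w = list(struct.unpack(">16I", block))
        for t in range(16, 80):
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = self.h0, self.h1, self.h2, self.h3, self.h4
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (rotl(a, 5) + f + e + k + w[t]) & M32, a, rotl(b, 30), c, d
        self.h0 = (self.h0 + a) & M32
        self.h1 = (self.h1 + b) & M32
        self.h2 = (self.h2 + c) & M32
        self.h3 = (self.h3 + d) & M32
        self.h4 = (self.h4 + e) & M32

    def update(self, msg):
        """SHA1_Update: account for the length, compress every full block,
        keep the remainder in data/num."""
        total = ((self.Nh << 32) | self.Nl) + 8 * len(msg)
        self.Nl, self.Nh = total & M32, (total >> 32) & M32
        self.data += msg
        while len(self.data) >= self.BLOCK:
            self._compress(bytes(self.data[:self.BLOCK]))
            del self.data[:self.BLOCK]
        self.num = len(self.data)

    def final(self):
        """SHA1_Final: pad with 0x80, zeros to 56 mod 64, then the 64-bit bit
        length Nh||Nl; the padding itself is not counted in Nl/Nh."""
        bitlen = (self.Nh << 32) | self.Nl
        pad = b"\x80" + b"\x00" * ((55 - self.num) % 64) + struct.pack(">Q", bitlen)
        buf = bytes(self.data) + pad
        for i in range(0, len(buf), self.BLOCK):
            self._compress(buf[i:i + self.BLOCK])
        self.data, self.num = bytearray(), 0
        return struct.pack(">5I", self.h0, self.h1, self.h2, self.h3, self.h4)

def sha1_hex(msg, chunk=7):
    """Hash msg, feeding it in odd-sized chunks to exercise the data/num buffering."""
    st = SHA1State()
    for i in range(0, len(msg), chunk):
        st.update(msg[i:i + chunk])
    return st.final().hex()

def bit_length_after(msg):
    """(Nl, Nh) as stored after absorbing msg, before finalisation."""
    st = SHA1State()
    st.update(msg)
    return st.Nl, st.Nh

if __name__ == "__main__":
    print(sha1_hex(b"abc"))   # compare with: printf abc | openssl sha1
```

So h0..h4 are not generated from anything: they start as fixed constants and end up as the digest itself, which is why SHA1_Final just serialises them big-endian.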

Re: Questions about secure curves

2019-10-16 Thread Jakob Bohm via openssl-users
does still support P-521 but Chrome does not. Also be aware that if you set server side cipher selection and use default curves, that OpenSSL orders the curves weakest to strongest ( even with @STRENGTH) so you will end up forcing P-256. On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl

Re: Questions about secure curves

2019-10-15 Thread Jakob Bohm via openssl-users
On 15/10/2019 15:43, Stephan Seitz wrote: Hi! I was looking at the output of „openssl ecparam -list_curves” and trying to choose a curve for the web server together with letsencrypt. It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1. Then I found the site

Re: error 114

2019-10-03 Thread Jakob Bohm via openssl-users
On 03/10/2019 14:32, russellb...@gmail.com wrote: fetchmail fails when openssl reports an error 114 (I think) stat("/etc/ssl/certs/4a6481c9.0", {st_mode=S_IFREG|0644, st_size=1354, ...}) = 0 openat(AT_FDCWD, "/etc/ssl/certs/4a6481c9.0", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644,

Re: Proposed change to linux kernel about random numbers

2019-09-18 Thread Jakob Bohm via openssl-users
On 18/09/2019 20:58, Salz, Rich via openssl-users wrote: Please take a look at https://lore.kernel.org/lkml/CAHk-=wiGg-G8JFJ=r7qf0b+utqa_weouk6v+mcmfsljlrq6...@mail.gmail.com/ and consider giving your comments. TL;DR:  see the comment below. + * Hacky workaround for the fact that some

Re: Openssl-1.0.2t availability

2019-09-09 Thread Jakob Bohm via openssl-users
On 09/09/2019 20:56, Nikki D'Ambra wrote: Hello, I was wondering when the latest version openssl, version 1.0.2t will be available for public download? Announcement is 2019-09-10 between 12:00 and 16:00 UTC approximately.  That's about 17 to 21 hours after your question. Enjoy Jakob --

Re: Subject: SSL_connect returned=1 errno=0 state=error: dh key too small

2019-08-29 Thread Jakob Bohm via openssl-users
On 29/08/2019 17:05, Hubert Kario wrote: On Wednesday, 28 August 2019 23:20:49 CEST Marcelo Lauxen wrote: ... that server is willing to negotiate ECDHE_RSA ciphers, you'd be better off disabling ciphers that use DHE and RSA key exchange and using ECDHE_RSA instead of trying to make 1024 bit

Re: Acquire Entropy for embedded platform

2019-08-16 Thread Jakob Bohm via openssl-users
via openssl-users <openssl-users@openssl.org> wrote: [Top posting for consistency] More than OS dependency, this depends on the exact hardware on the platform: CPU, support chips, peripheral chips. Usually some of these can provide much more randomness than the highly predictabl

Re: Acquire Entropy for embedded platform

2019-08-16 Thread Jakob Bohm via openssl-users
[Top posting for consistency] More than OS dependency, this depends on the exact hardware on the platform: CPU, support chips, peripheral chips.   Usually some of these can provide much more randomness than the highly predictable time of day/year RTC clock.  And if none do, there are simple RNG

Re: IPv6 address encoding in commonName

2019-08-15 Thread Jakob Bohm via openssl-users
-shelf CAs is nil. Note to consumed with things in your stomach: https://tools.ietf.org/html/draft-ietf-anima-autonomic-control-plane-20#section-6.1.2 Jakob Bohm via openssl-users wrote: > As the author of a proposal in this area, could you define a notation > for IPv6 D

Re: openssl req error with DN having a / in it

2019-08-14 Thread Jakob Bohm via openssl-users
On 15/08/2019 00:33, Jordan Brown wrote: On 8/14/2019 2:11 PM, Robert Moskowitz wrote: [...]    commonName="/CN=IPv6::2001:24:28:24/64" [...] req: Hit end of string before finding the equals. problems making Certificate Request Some systems present distinguished names using slashes as

Re: IPv6 address encoding in commonName

2019-08-14 Thread Jakob Bohm via openssl-users
On 14/08/2019 04:55, Robert Moskowitz wrote: I am fiddling around with an intermediate CA signing cert that the CA's 'name' is it HIP (RFC 7401) HIT which is a valid IPv6 address. Actually a Hierarchical HIT as in draft-moskowitz-hierarchical-hip (to be revised soon). For a client cert, it

Re: Serialize/Deserialize SSL state

2019-08-10 Thread Jakob Bohm via openssl-users
On 09/08/2019 23:21, Felipe Gasper wrote: On Aug 9, 2019, at 3:42 PM, Osama Mazahir via openssl-users wrote: Is there a way to serialize and deserialize the ssl_st state (i.e. including any child objects)? Background: I would like to handoff all the SSL state (along my own managed state,

Re: OpenSSL Security Advisory

2019-07-30 Thread Jakob Bohm via openssl-users
Having reviewed the git commit for 1.1.1 I notice the following issue: The environment variables that usually point to the secure administrator directories (such as "Program Files") are not themselves secured, and not intended as a secure means of obtaining these directory locations, which are

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-08 Thread Jakob Bohm via openssl-users
On 08/07/2019 10:12, Dr Paul Dale wrote: I have to disagree with the “decision not to make a FIPS module for the current 1.1.x series” comment.  Technically, this is true.  More practically, 3.0 is intended to be source compatible with 1.1.x.  Thus far, nothing should be broken in this

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-07 Thread Jakob Bohm via openssl-users
On 06/07/2019 16:30, Salz, Rich wrote: >> They would have to get their own validation, their own lab to verify, etc., etc. That seems to contradict the other answer, which is that legally, the FIPS cannister (properly built) can be used with any software outside the

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-04 Thread Jakob Bohm via openssl-users
Is the use of OpenSSL an actual legal requirement of the certification of the FIPS object module, or just the easiest way to use it? Difference would be particularly significant in case someone created code to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature enhancements (as the

Re: openssl-fips configure parameters to force IANA cipher suite compliance

2019-07-03 Thread Jakob Bohm via openssl-users
On 02/07/2019 22:13, Larry Jordan via openssl-users wrote: I want to build an openssl-fips canister to force IANA cipher suite compliance. With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites. Not

Re: TLSv12 Client Certificate Selection Behavior !!

2019-06-11 Thread Jakob Bohm via openssl-users
On 11/06/2019 19:21, Viktor Dukhovni wrote: On Jun 11, 2019, at 1:02 PM, Michael Wojcik wrote: And, of course, there are no doubt still people out there running internal CAs that generate X.509v1 certs, which won't have any extensions at all. No KU, no EKU, no SAN, no SKID/AKID ...

Re: TLSv12 Client Certificate Selection Behavior !!

2019-06-11 Thread Jakob Bohm via openssl-users
On 11/06/2019 12:50, Hareesh D wrote: TLSv12 client is sending RSA certificate even when it dont have digitalSignature bit in keyUsage extension. But RFC5246 sectiin-7.4.6 says its MUST condition for client to send RSA certificate with digitalSignature bit set in keyUsage extension. 1.

Re: Compile EC(Elliptic Curve) crypto

2019-06-03 Thread Jakob Bohm via openssl-users
On 03/06/2019 14:35, Chitrang Srivastava wrote: Hi, I am porting Openssl 1.1.1b for an embedded platform. I see that EC folder generate some of function in assembly for e.g These functions are generated based on environment like x86-64/ppc/armv8 etc. Is there any C version of these function

Re: Reg missing rc4-ia64.pl in openssl 1.1.1

2019-05-31 Thread Jakob Bohm via openssl-users
On 30/05/2019 02:10, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of J. J. Farrell Sent: Wednesday, May 29, 2019 15:02 On 29/05/2019 18:39, ramakrushna mishra wrote: In Openssl 1.1.1, the file "rc4-ia64.pl" is missing. This cause degradation

Re: Performance Issue With OpenSSL 1.1.1c

2019-05-29 Thread Jakob Bohm via openssl-users
On 28/05/2019 23:48, Steffen Nurpmeso wrote: Jay Foster wrote in <84571f12-68b3-f7ee-7896-c891a2e25...@roadrunner.com>: |On 5/28/2019 10:39 AM, Jay Foster wrote: |> I built OpenSSL 1.1.1c from the recent release, but have noticed what |> seems like a significant performance drop compared

Re: why does RAND_add() take "randomness" as a "double"?

2019-05-22 Thread Jakob Bohm via openssl-users
On 22/05/2019 19:32, Dennis Clarke wrote: Good options inspired by other cryptographic libraries include: - Number of bits of entropy passed in call (For example, a perfectly balanced coin flipper could provide the 4 byte values "head" or "tail" with an entropy of 1 bit). Let's drop the

Re: why does RAND_add() take "randomness" as a "double"?

2019-05-22 Thread Jakob Bohm via openssl-users
On 21/05/2019 16:44, Salz, Rich via openssl-users wrote: When I overhauled the RAND mechanism, I tried to deprecate this use of floating point, in favor of just a number from 0 to 100 but was voted down. It *is* stupid. Luckily, on a modern system with system-provided randomness to seed the

Re: Build the FIPS Object Module issue on Ubuntu 18.04

2019-05-16 Thread Jakob Bohm via openssl-users
On 16/05/2019 02:11, Paul Dale wrote: Just noting that any module built in this manner is *not* FIPS compliant. The distribution must be unmodified and build exactly as per the documentation. Any change to the files or the build process renders the result invalid from a FIPS perspective.

Re: Crashes when generating certificate

2019-05-15 Thread Jakob Bohm via openssl-users
On 14/05/2019 18:39, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Karl Denninger Sent: Tuesday, May 14, 2019 09:22 On 5/14/2019 09:48, Michael Wojcik wrote: I can't think of what remnant of the old certificate would be there, except the

Re: OpenSSL 1.1.1b tests fail on Solaris - solution and possible fix

2019-05-15 Thread Jakob Bohm via openssl-users
Alternative suggestion (from my understanding of the documentation quoted below): Issue #pragma weak for a symbol only in the files that define that symbol, not in the ones that merely reference it. The hoped effect would be: 1. Object files that merely reference a symbol will contain regular

Re: openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x

2019-05-11 Thread Jakob Bohm via openssl-users
Your transcript below seems to show a successful connection to Microsoft's cloud mail, then Microsoft rejecting the password and closing the connection. You are not connecting to your own Exchange server, but to a central Microsoft service that also handles their consumer mail accounts

Re: Building OpenSSL with Emscripten

2019-05-10 Thread Jakob Bohm via openssl-users
By the way, has anyone worked on a feature or patch to use browser provided crypto functions (WebCrypto etc.) when compiled to pseudo-javascript via EmScripten or WebAssembly? On 10/05/2019 07:43, Dr Paul Dale wrote: Configure with the _no-asm_ option. It will be a **lot** slower. On 10 May
