bn_ops not being used in Android recipes

Hi Everyone, I have a custom 15-android.conf that is used with a custom setenv-android.sh. setenv-android.sh sets the environment and exports the necessary variables for a cross-compile. 15-android.conf was copied from the OpenSSL library, and then modified to avoid some problems with the one

What option is not recognized by OpenSSL 1.1.1d?

I'm trying to convert some scripts from OpenSSL 1.0.2 to OpenSSL 1.1.1d. Configure is dying: * Unsupported options: no-comp --prefix=/home/jwalton/tmp/build-test --libdir=/home/jwalton/tmp/build-test/lib According to INSTALL at https://github.com/openssl/openssl/blob/master/INSTALL, all

Re: [openssl-users] WG: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Tue, Jan 23, 2018 at 4:33 PM, Salz, Rich wrote: > On Tue, Jan 23, 2018 at 3:45 PM, Salz, Rich wrote: > > ➢ The docs have _not_ changed: > https://www.openssl.org/docs/standards.html. > > > > Nor is there any need for that page to change.

Re: [openssl-users] WG: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Tue, Jan 23, 2018 at 3:45 PM, Salz, Rich wrote: > ➢ The docs have _not_ changed: > https://www.openssl.org/docs/standards.html. > > Nor is there any need for that page to change. READ WHAT IT SAYS. I'm surprised you are arguing against clear documentation on behaviors.

Re: [openssl-users] WG: TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Tue, Jan 23, 2018 at 12:43 PM, Viktor Dukhovni wrote: > > >> On Jan 23, 2018, at 7:31 AM, Gladewitz, Robert via openssl-users >> wrote: >> >> Despite being wrong it is also absolutely irrelevant, because FreeRADIUS >> retrieves the

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Sun, Jan 21, 2018 at 6:38 PM, Salz, Rich via openssl-users wrote: > ➢ The sensible thing at this point is to publish an update to RFC5280 > that accepts reality. > > Yes, and there’s an IETF place to do that if anyone is interested; see the > LAMPS working

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Mon, Jan 22, 2018 at 10:04 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: > > >> On Jan 22, 2018, at 9:39 PM, Jeffrey Walton <noloa...@gmail.com> wrote: >> >> If OpenSSL want to change the standard so that it aligns with the >> project's

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Mon, Jan 22, 2018 at 9:27 PM, Salz, Rich wrote: > ➢ I don't see CA/Browser Forums listed, but I do see RFC 3280 listed. > > The page also says it’s “casually maintained.” Feel free to create a PR on > openssl/web repo. :) > > IETF RFC’s aren’t perfect; that’s why there are

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Mon, Jan 22, 2018 at 9:01 PM, Salz, Rich via openssl-users wrote: > > > Here's the standards OpenSSL claims to implement: > > Read the whole text. It doesn’t say anything like “claims to implement.” My bad. Here's the corrected text: This page is a partial

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Mon, Jan 22, 2018 at 2:50 PM, Viktor Dukhovni wrote: > > >> On Jan 22, 2018, at 12:07 PM, Gladewitz, Robert via openssl-users >> wrote: >> >> the problem is, that i cant change the cisco implementation :-(. > > YOU DO NOT need to change

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Mon, Jan 22, 2018 at 1:44 AM, Gladewitz, Robert via openssl-users wrote: > > Thank you all for all the answers. > The problem is that Cisco prescribes the attributes. > ... > > Unfortunately, the Cisco CUCM telephone systems do not seem to accept > certificates

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Sun, Jan 21, 2018 at 6:23 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: > > >> On Jan 21, 2018, at 6:04 PM, Jeffrey Walton <noloa...@gmail.com> wrote: >> >> Maybe OpenSSL should allow users to choose between IETF issuing >> policies and CA/Bro

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Sun, Jan 21, 2018 at 5:59 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: > > >> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <noloa...@gmail.com> wrote: >> >>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates >&g

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

On Sun, Jan 21, 2018 at 1:31 PM, Viktor Dukhovni wrote: > > ... > OpenSSL interprets the "extendedKeyUsage" extension in CA certificates > as a restriction on the allowed extended key usages of leaf certificates > that can be issued by that CA. > > You should typically

Re: [openssl-users] CMAC Authentication

On Mon, Jan 15, 2018 at 8:22 AM, Rol Phil wrote: > Hello all, > > I have been using to tag data with an example I had found. > However when it comes to authenticate/decrypt a tag with given AES key I > could not find examples. > using cmac.h or evp.h. > Can anybody help me

Re: [openssl-users] How to respond to TLS heartbeat in openssl

On Fri, Dec 22, 2017 at 1:32 AM, Keshava Krishna Bhat K wrote: > Ok, I got to know that > openssl version -a gives out the flags used while building openssl. > so the output of this was > > OpenSSL 1.0.2g 1 Mar 2016 > built on: reproducible build, date unspecified >

Re: [openssl-users] Lattice Ciphers

On Mon, Dec 18, 2017 at 1:38 AM, Colony.three via openssl-users wrote: > > G**gle's Eric Schmidt says, "If you have something that you don't want > anyone to know, maybe you shouldn't be doing it in the first place. This is > a profoundly undemocratic attitude. What

Re: [openssl-users] Generating CSR based on an x25519 public key

On Mon, Oct 23, 2017 at 6:47 PM, Kyle Hamilton wrote: > Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519? > The ones I am aware of are available in http://tools.ietf.org/html/draft-josefsson-pkix-newcurves. Jeff -- openssl-users mailing list To

Re: [openssl-users] Generating CSR based on an x25519 public key

On Sat, Oct 21, 2017 at 9:38 AM, Codarren Velvindron wrote: > https://tls13.crypto.mozilla.org is using : The connection to this site is > encrypted and authenticated using a strong protocol (TLS 1.3), a strong key > exchange (X25519), and a strong cipher (AES_128_GCM).

Re: [openssl-users] ca md too weak

On Fri, Oct 6, 2017 at 12:22 PM, Fabrice Delente wrote: > OK, I understand, thanks for your answer! I'll look into building > openvpn 2.4.3 from source. I believe you only have to set Fedora's security policy to allow MD5. That is covered in the Fedora wiki page you were

Re: [openssl-users] ca md too weak

> Until two days ago I used OpenVPN to connect to my workplace, on a > non-security sensitive tunnel (just for convenience). > > However, OpenSSL updated on my machine (Fedora 26), and now the > certificate is rejected: > > ... > routines:SSL_CTX_use_certificate:ca md too weak > Fri Oct 6

Re: [openssl-users] DH_generate_key Hangs

>> You should avoid calls to RAND_poll altogether on Windows. Do so by >> explicitly seeding the random number generator yourself. > > As a starting point, try something like this: > > - > static ENGINE *rdrand; > > void init_prng(void) { > /* Try to seed the PRNG with the Intel RDRAND

Re: [openssl-users] DH_generate_key Hangs

On Thu, Oct 5, 2017 at 3:27 PM, Jason Qian via openssl-users wrote: > Compared code of RAND_poll(void) between 1.0.1 and 1.0.2 and it seems no > change I believe it was fixed earlier than that. Also see https://rt.openssl.org/Ticket/Display.html?id=2100=guest=guest As

Re: [openssl-users] DH_generate_key Hangs

On Thu, Oct 5, 2017 at 2:55 PM, Jason Qian via openssl-users wrote: > Thanks Michael, > > I saw a lot of discussion for this issue on, > >https://mta.openssl.org/pipermail/openssl-dev/2015-July/002210.html > > Not sure if openSSL has a workaround or

Re: [openssl-users] Hardware client certificates moving to Centos 7

>> I don't know offhand which OpenSSL versions did away with MD5, but you >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) >> straight off CentOS 7 repos: > > Ugh. No need for 0.9.8e (which is from, what, the early Industrial > Revolution?). MD5 is still available in OpenSSL

Re: [openssl-users] Trusting certificates with the same subject name and overlapping validity periods

On Wed, Sep 20, 2017 at 5:48 PM, Jordan Brown wrote: > ... > The above also works with "authorityCertSerialNumber", see > >https://tools.ietf.org/html/rfc5280#section-4.2.1.1 > > If, however, the newer certificate has a different key, and the same > subject DN,

Re: [openssl-users] Problem with DER private key file into openssl ca

> openssl req -outform $format -config $cadir/openssl-root.cnf -set_serial > 0x$(openssl rand -hex $sn)\ > -inform $format -key private/ca.key.$format -subj "$DN"\ > -new -x509 -days 7300 -sha256 -extensions v3_ca -out > certs/ca.cert.$format > > unable to load Private Key >

Re: [openssl-users] Throwing in the towel on ENV for DN

> It is coming down that I would need a unique cnf for each cert type, rather > than one per signing CA. Things just don't work well without prompting or > very consistent DN content. So I am going to pull most of my. ENV. I am > leaving it in for dir and SAN. > > I feel it is a bug that if in

Re: [openssl-users] Cant get the subjectALtName inot the root cert

On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote: > I guess I am making progress. I am not getting SAN into the root cert. my > cnf has in it: > > [ req ] > # Options for the `req` tool (`man req`). > default_bits= 2048 > prompt = no >

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea <erwann.aba...@docusign.com> wrote: > >> Le 17 août 2017 à 17:26, Jeffrey Walton <noloa...@gmail.com> a écrit : >> >>>> When you see a name like "example.com" in the CN, its usually a CA >>>&g

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

>> When you see a name like "example.com" in the CN, its usually a CA >> including a domain name and not a hostname. > > That's nonsense. If a certificate is issued under CA/B policies, and CN=example.com but it _lacks_ SAN=example.com, then its a not a hostname and it should not be matched. I'm

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz wrote: > I have skimmed through a few RFCs following today's postings and a few web > sites. It would seem to me that I should: > > Remove commonName and emailAddress completely from the cnf file. They no > longer belong in

Re: [openssl-users] How to get a bye or word from BIGNUM in OpenSSL 1.1?

On Wed, Aug 2, 2017 at 12:38 AM, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 02/08/2017 04:21, Jeffrey Walton wrote: >> >> I'm trying to extract the low-order byte or word from a BIGNUM in >> OpenSSL 1.1. We were told to use BN_bn2binpad, but its not clear to me >

[openssl-users] How to get a bye or word from BIGNUM in OpenSSL 1.1?

I'm trying to extract the low-order byte or word from a BIGNUM in OpenSSL 1.1. We were told to use BN_bn2binpad, but its not clear to me how to specify the location we want to extract. For example: const char v[] = "ffeeddccbbaa99887766554433221100"; BIGNUM n = BN_new(); if

Re: [openssl-users] Is RDRAND the default engine in OpenSSL 1.1.0?

On Fri, Jul 28, 2017 at 3:53 PM, Salz, Rich wrote: >> I thought RDRAND was disabled as the default random engine since >> 1.0.1f. Has that changed in OpenSSL 1.1.0? > > No. Do "git grep ENGINE_set_default_RAND" Ack, thanks. I wonder where that's coming from for 1.1.0.

[openssl-users] Is RDRAND the default engine in OpenSSL 1.1.0?

I thought RDRAND was disabled as the default random engine since 1.0.1f. Has that changed in OpenSSL 1.1.0? Related, see: * https://stackoverflow.com/q/45370852/608639 * http://seclists.org/fulldisclosure/2013/Dec/99 *

Re: [openssl-users] Fwd: CAVP fips_rsastest.c not producing the correct signature?

On Fri, Jul 28, 2017 at 12:15 AM, Swetha Hariharan wrote: > > > I am trying test the rsa 186-2 openssl fips module 2.0.16 implementation > using the NIST Testvectors. Using the fips_rsastest.c file the > FIPS_rsa_x931_generate_key_ex(rsa, keylen, bn_e, NULL)

Re: [openssl-users] OpenSSL 1.1+: How to disable building of Manpages etc.?

On Sat, Jul 22, 2017 at 2:37 PM, Oliver Niebuhr wrote: > Hi. > > I searched the Web and checked the Configure File. Am I blind or is > there really no Parameter to disable the creation of the Documentation? > > As I also test the Qt Framework, I often recompile

[openssl-users] Configure 1.0.2 for Windows without readscreen()

Hi Everyone, Windows 10 makes CreateCompatibleBitmap (and friends) available for Desktop Apps only. For other builds, like phones and IoT gadgets, the functions are not available. My question is, is it possible to configure OpenSSL 1.0.2 to avoid the missing Windows APIs, like readscreen()? If

Re: [openssl-users] Openssl 1.1.0f support for building Openssh7.2p2 and above

On Mon, Jul 10, 2017 at 2:01 AM, Sravani Maddukuri via openssl-users wrote: > > Is there any plans in the future to get the support of OpenSSL 1.1.0 for > OpenSSH? You should ask the OpenSSH folks. Jeff -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Openssl 1.1.0f support for building Openssh7.2p2 and above

On Sun, Jul 9, 2017 at 11:31 PM, Sravani Maddukuri via openssl-users wrote: > Dear Concern, > > Can you please update me on my below query? > > Does openssl 1.1.0f version support building Openssh7.2p2 and above > versions? As far as I know, OpenSSH does not support

Re: [openssl-users] OpenSSL and RPATH's (was: Cannot find SSL_CTX_get0_param in libssl library)

> RPATHs have advantages, but they have some major issues, too. For > instance, if for whatever reason you need to move files around so that > things are stored in a different location, suddenly you'll need to > recompile everything -- because the RPATH is a hardcoded location of the > library in

Re: [openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?

On Sun, Jun 4, 2017 at 8:57 PM, Jeffrey Walton <noloa...@gmail.com> wrote: > On Sun, Jun 4, 2017 at 7:56 PM, PGNet Dev <pgnet@gmail.com> wrote: >> On 6/4/17 4:51 PM, Jeffrey Walton wrote: >>>> >>>> but the process STARTS with an apparently

Re: [openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?

On Sun, Jun 4, 2017 at 7:56 PM, PGNet Dev <pgnet@gmail.com> wrote: > On 6/4/17 4:51 PM, Jeffrey Walton wrote: >>> >>> but the process STARTS with an apparently non-fatal error ... >>> >>> Using configuration from /home/sec/newCA/openssl.c

Re: [openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?

> but the process STARTS with an apparently non-fatal error ... > > Using configuration from /home/sec/newCA/openssl.cnf > Can't open root/database.attr for reading, No such file or directory > 140013244086016:error:02001002:system >

Re: [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

On Sun, Jun 4, 2017 at 1:01 AM, Pravesh Rai wrote: > Hi, > > Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k) > & server (Java 1.8 with Tomcat), still getting following handshake error, > while executing: > > "openssl s_client -connect a.b.c.d:

[openssl-users] OpenSSL and RPATH's (was: Cannot find SSL_CTX_get0_param in libssl library)

On Sun, May 28, 2017 at 5:31 PM, Salz, Rich wrote: >> The openssl program will use the wrong libssl.so and libcrypto.so. > > Yes, got it. > > But that's small potatoes compared to everyone else finding the wrong shared > library, and just saying "use rpath" doesn't help all

Re: [openssl-users] Cannot find SSL_CTX_get0_param in libssl library

On Sun, May 28, 2017 at 5:25 PM, Salz, Rich wrote: >> We still don't know what use case is being represented by omitting the >> RPATH in the OpenSSL build. > > Because only one program, apps/openssl, presumably needs rpath. But that > doesn't solve the problem for *external

Re: [openssl-users] Build from source; library not found?

On Sun, May 28, 2017 at 5:16 PM, Hiran Chaudhuri wrote: > It seems I misread the referenced documentation the first time. > > This stuff contains the answer, it just was not clear to me that also works > on Linux. >

Re: [openssl-users] Cannot find SSL_CTX_get0_param in libssl library

On Sun, May 28, 2017 at 2:59 AM, Mohit Batra wrote: > Hello All, > > I am trying to compile / install a utility from Source on CentOS that > utilizes OpenSSL 1.1.0 (latest version) . However, I get the following > error: > > configure: WARNING: Cannot find SSL_CTX_get0_param

Re: [openssl-users] Build from source; library not found?

On Sat, May 20, 2017 at 7:10 AM, Hiran Chaudhuri wrote: > Am 19-May-2017 00:36:18 +0200 schrieb openssl-us...@dukhovni.org: > >> hiran.chaudhuri> Now this is interesting. Yes, openssl can find both the >> libraries >> hiran.chaudhuri> libssl and libcrypto. Would that

Re: [openssl-users] Dumb question about DES

On Thu, May 11, 2017 at 2:13 PM, Scott Neugroschl wrote: > OK. Are the 3DES CBC ciphers still part of DEFAULT? >From OpenSSL 1.0.1t: $ openssl ciphers "DEFAULT" ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-

Re: [openssl-users] How many SAN entries...?

On Wed, Apr 26, 2017 at 1:03 PM, Blumenthal, Uri - 0553 - MITLL wrote: > A naïve question. A certificate that contains SAN attribute(s) – is there a > limit on how many, say, RFC822 SAN attributes can a valid certificate have? > > > > It’s been my understanding that a cert can

Re: [openssl-users] EVP_CIPHER_CTX array not compiling

On Sun, Apr 23, 2017 at 9:36 AM, Salz, Rich via openssl-users wrote: >>#define OTEXT_AES_KEY_INIT(ctx, buf) { \ >>EVP_CIPHER_CTX_init(ctx); \ >>EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, buf, ZERO_IV); \ >>} > > Most of the datatypes are

Re: [openssl-users] openssl-compat patch for OpenSSL 1.0.2 and below?

On Mon, Apr 3, 2017 at 5:49 PM, Benjamin Kaduk <bka...@akamai.com> wrote: > On 04/02/2017 07:42 PM, Jeffrey Walton wrote: > > I was looking at Kurt Roeckx 's patches for OpenSSH at > https://github.com/openssh/openssh-portable/pull/48/files. See > libcrypto-compat.h a

[openssl-users] openssl-compat patch for OpenSSL 1.0.2 and below?

I was looking at Kurt Roeckx 's patches for OpenSSH at https://github.com/openssh/openssh-portable/pull/48/files. See libcrypto-compat.h and libcrypto-compat.c. Are the source files distributed by OpenSSL? If so, where is the download? If not, can the OpenSSL project consider adding them. They

[openssl-users] install libcrypto.so.1.1 -> /usr/local//usr/local/lib64/libcrypto.so.1.1 ?

I'm working with OpenSSL 1.1.0. I'm trying to set prefix=/usr/local, openssldir=/usr/local and libdir=/usr/local/lib64. The configure looks like: INSTALL_PREFIX=/usr/local INSTALL_LIBDIR=$INSTALL_PREFIX/lib64 KERNEL_BITS=64 ./config no-ssl2 no-ssl3 no-comp shared \ enable-ec_nistp_64_gcc_128

[openssl-users] speed test rdrand

Hi Everyone, Is it possible to speed test RDRAND and RDSEED generators? If so, then how do we do it? $ openssl speed -engine rdrand engine "rdrand" set. Doing md4 for 3s on 16 size blocks: 8339773 md4's in 3.00s Doing md4 for 3s on 64 size blocks: 6616610 md4's in 3.00s Doing md4 for 3s on 256

Re: [openssl-users] Compiling OpenSSL 1.1.0e with AF_ALG engine

>> Sorry, never mind. After taking a closer look at the source code I saw >> that there are further compile time and run-time kernel version >> checks in e_afalg.c. I adjusted the version number and got that to >> work now. > > Well, why does the afalg engine depend on Linux 4.1? > AF_ALG is part

Re: [openssl-users] Issues while "configuring before compiling" OpenSSL on Raspberry-Pi

On Sun, Feb 12, 2017 at 8:13 AM, Ajay Garg wrote: > Any ideas please? > Is compiling openssl even possible on Raspberry-Pi? > Try 'config' rather than 'Configure'. It looks like it does the job. I'm not sure why the same triplet produces different results. Maybe you need

Re: [openssl-users] Decrypt old openssl files

> I have two systems one with openssl 1.0.1e (debian wheezy) and the new one > with openssl 1.1.0c (debian stretch) > > The files encrypted with 1.0.1e are not decryptable via 1.1.0c > These are the investigations I have done > > on my system with 1.0.1e openssl > $ echo some text > file > $ cat

Re: [openssl-users] Issue on Windows Server 2003 Resigning Expired CA certificate

On Fri, Feb 3, 2017 at 12:37 PM, Brandon Shiers wrote: > I have a client that has a CA certificate that has expired. > > They are running Windows Server 2003 and OpenSSL 0.9.8d and FreeRadius for > authentiaction. Their certificate expired yesterday afternoon and I've

Re: [openssl-users] How to detect AES-NI compatible CPU

On Fri, Feb 3, 2017 at 1:55 PM, Chris Clark wrote: > My application links to OpenSSL 1.1.0 dynamically, and I would like to > be able to determine if the CPU supports the AES-NI instruction set. > Is there an OpenSSL API that can do this? Also note that even though the

Re: [openssl-users] FW: problem with missing STDINT.H file

> The attached text file is a snippet from attempting to install > openssl-1.1.0c on a Solaris 8 machine. As can be seen, failed when > could not be found. There is no such file anywhere on this > machine. As root, searched from the root directory for the file. Do have > in more than one

Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

On Mon, Jan 30, 2017 at 5:03 AM, Matthias Ballreich wrote: > thanks for explanation. > > But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as > serial number instead of BEED73EE (which openssl shows)? Its just a presentation detail. It

Re: [openssl-users] ECDSA_SIG_new and ECDSA_SIG_free details

> Could someone from the OpenSSL team please explain the rationale for this > decision? What is the problem with using assignments with 0 or NULL to > initialize pointers? I'm not from the team, so take it for what its worth... On some systems, NULL is _not_ 0. NULL can be anywhere in memory the

Re: [openssl-users] Build problems on Windows

> IF EXIST libcrypto-1_1-x64.dll.manifest DEL /F /Q > libcrypto-1_1-x64.dll.manifest > link /nologo /debug /dll /implib:libcrypto.lib > /out:libcrypto-1_1-x64.dll /def:libcrypto-1_1-x64.def > @C:\Users\jesaremi\AppData\Local\Temp\nm8557.tmp || (DEL /Q libcrypto.* >

Re: [openssl-users] stronger Kex

> I have two servers for testing purpose : > - debian 6, apache 2.2, openssl 1.0.1t (mutu) > - centos 7, apache 2.4.6, openssl 1.0.1e-fips (dedicated) > > Now, these 2 serveurs offers only those ciphers : > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) >

Re: [openssl-users] MinGW64 / MSYS2 and ./Configure : use of Windows style path causing failures to 'make'

On Tue, Dec 27, 2016 at 12:24 AM, Ron Gaw via openssl-users wrote: > I am using a MinGW64 / MSYS2 environment to compile OpenSSL1.1.0c, but > failing consistently after multiple attempts with a few variations each > attempt (including deleting entire source directory

Re: [openssl-users] Compile OpenSSL for Android

On Wed, Dec 21, 2016 at 6:16 PM, Salz, Rich wrote: >> checking for library containing SSL_library_init... no >> configure: error: libfko needs ssl > > The application is not prepared to build against 1.1.0 That function was > removed, and a #define for backward compatibility

Re: [openssl-users] big endian vs little endian

On Sun, Dec 18, 2016 at 5:09 PM, Viktor Dukhovni wrote: > >> On Dec 18, 2016, at 2:55 PM, Walter H. via openssl-users >> wrote: >> >> encrypt >> openssl enc -e -in file -out encryptfile -aes-256-gcm > > GCM is not supported with "openssl

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

> So what is the correct way, 1 or 2? > > 1) > > RAND_poll() > /* RAND_bytes is unnecessary */ > /* RAND_add is unnecessary */ > > 2) > > RAND_poll() > RAND_bytes(buf, 128); > /* RAND_add is unnecessary */ On Windows, you call CryptGenRandom to obtain your seed for the OpenSSL PRNG. On Linux, you

Re: [openssl-users] TLS Heartbeat

On Sat, Dec 10, 2016 at 9:25 PM, Rasool, Kaja Mohideen (Nokia - IN) wrote: > Ok, maybe, TCP is doing it. Is there any other API using which I can specify > the payload length & number of bytes for padding to send a TLS Heartbeat > request? Then, I can use that API

Re: [openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

> I'm trying to speed up the initialization of a legacy HTTP client > application. Debugging that code, I found the following functions being > called each application startup: > > initialization > SSL_library_init() > SSL_load_error_strings() > OpenSSL_add_all_algorithms() >

[openssl-users] How to use Poly1305 with EVP interfaces?

I'm working from Master. I'm having trouble locating the message digest for Poly1305, and how to use it with https://wiki.openssl.org/index.php/EVP_Message_Digests. At the moment I can only find EVP_chacha20_poly1305. It seems like if Poly1305 is going to be paired with something, it would be

[openssl-users] CONF-less OpenSSL configuration?

Is it possible to setup a CONF-less OpenSSL? If so, how? The use case is mobile apps, like Android, iOS and Windows Phone. There is no OPENSSLDIR per se; and the app's install directory will be a moving target like a UUID. I know hacks can be applied for iOS, like forgoing a macro and returning

[openssl-users] How to sort cipher list by ephemeral/non-ephemeral?

I prefer to use a cipher list like "HIGH:!aNULL:!RC4:!MD5". I prefer it because its fairly easy to parse and understand. Its also easy to teach to developers. I want the resulting ciphers sorted with the ephemeral suites at the head of the list. How does one sort the list with ephemeral suites

Re: [openssl-users] Alert number 43

> When I tested a remote server using s_client, it responded with: > > verify return:1 > > 139790582232992:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 > alert unsupported certificate:s3_pkt.c:1259:SSL alert number 43 > > 139790582232992:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl >

Re: [openssl-users] Use of openssl

> I've a free certificate from startssl for my email address. Now I would > like to create a certificate for one of my internet domain. How can I do > that? Can I use openssl? Is there a free service like cacert.org that allow > to deploy free class IV certificates that are recognized? > Sorry

[openssl-users] What define(s) does enable-ec_nistp_64_gcc_128 translate to?

I'm working on OS X and I want to audit for configure-time use of enable-ec_nistp_64_gcc_128. Grepping the sources shows 1 relevant hit, but I don't see a define: $ grep -IR 'enable-ec_nistp_64_gcc_128' * CHANGES: Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command

Re: [openssl-users] calloc vs kssl_calloc

On Sat, Oct 1, 2016 at 5:18 PM, Salz, Rich wrote: > >> However there are very many OpenSSL users (myself included) who rely on >> the legal status of OpenSSL/SSLeay as having no US origin parts. If this has >> changed, it needs a big red banner at the top of the

[openssl-users] OpenSSL and sourc'ing countries (was: calloc vs kssl_calloc)

>>> Is there something more I should do on this issue? I recall the OpenSSL >>> terms of use strongly discouraged people from the US from helping, due to US >>> export restrictions. >> >> That's kinda outdated. > > However there are very many OpenSSL users (myself included) > who rely on the

Re: [openssl-users] calloc vs kssl_calloc

On Sat, Oct 1, 2016 at 4:32 PM, Geoffrey Coram wrote: > I reported a bug, I'm not a developer > / on the developer list; will someone else take this, or is there some > bug database that I should enter an issue into? If its an OpenSSL bug, then I believe you send an email

Re: [openssl-users] Coverity Scan projects for OpenSSL?

> openssl/openssl is for current maser. > OpenSSL_release is for 1.0.2 > > Note1: we might review that now that 1.1.0 has been released. > > Note2: we recently changed our policy on Coverity access. Previously we > did not typically allow access to the defect reports. Now we allow > Defect viewer

[openssl-users] OpenSSL 1.1.0 release (was: new FIPS module)

> Work on the new FIPS module has so far taken a backseat to higher > priority topics like the 1.1 release ... OpenSSL 1.1.0 was a very strong release. The team did an awesome job. Hats off to them for a job that exceeded well done. I did not observe problems at places where you can take the

[openssl-users] Coverity Scan projects for OpenSSL?

Hi Everyone, Coverity Scan has two projects for OpenSSL (https://scan.coverity.com/dashboard) * openssl/openssl * OpenSSL_release Which should we request access to for the reports? Thanks in advance. -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Failed to install OpenSSL 1.1.0 using 'nmake install'

On Wed, Sep 21, 2016 at 8:35 AM, Jing Liu wrote: > I’ve tried all my best to solve this problem but failed. Can you help me? > > - OS: Windows 10 > > - Perl: ActivePerl 5.12.2 build 1202 > > - Development environment: MS Visual Studio 2010 SP1 > > - OpenSSL version: OpenSSL

Re: [openssl-users] OpenSSL Release Strategy and Blog

On Fri, Sep 9, 2016 at 8:26 AM, Pfluegl, Andreas wrote: > We started using OpenSSL in 2010 for Windows and Linux. We gladly followed > the release strategy suggestion, as it allowed us to deliver patches without > recompiling our code. So we still compile and link our code

Re: [openssl-users] More secure use of DSA?

> Only if you think everything has to be equally protected. That's the > assertion I am not thrilled with. Sometimes knowing who sent it is more > important -- the metadata -- and sometimes the content -- say, the value of > the check -- is more important. And its probably easier to go

Re: [openssl-users] More secure use of DSA?

On Fri, Sep 2, 2016 at 11:50 AM, Leam Hall wrote: > Thanks to Matt Caswell for helping me fix the DSA question. His solution, > based of the information I provided, was: > > openssl genpkey -genparam -algorithm DSA -pkeyopt \ > dsa_paramgen_bits:2048 -out

Re: [openssl-users] (no subject)

On Fri, Aug 26, 2016 at 6:56 PM, Juliano Souza wrote: > I just found it. > > Hope to help someone with same requirement. > > http://www.cafesoft.com/products/cams/ps/docs32/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html > There's also Origin Bound Certificates

Re: [openssl-users] Migration from AES_ctr128_encrypt to EVP

> Could you please point me on some useful documentation, piece of code or any > other source of information which would provide the guidelines for > accomplishing my task? Or maybe somebody of you already have the experience > in such migration which could be shared.

Re: [openssl-users] Load secrets to context.

>> Scenario 1 - Failing case >> >> SSL_CTX_use_certificate_file() : Loaded cert_file >> SSL_CTX_use_certificate_chain_file() : Loaded chain_file > > Doing this makes no sense. If you're loading the complete chain > file, there's no reason to first load just the certificate. > > Just use

[openssl-users] OpenSSL and Microsoft fork on GitHub

Hi Everyone, This just made my radar... Microsoft has a fork of OpenSSL at http://github.com/Microsoft/openssl . It looks like it is actively maintained. Jeff -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Getting error 'SSLv2_client_method': identifier not found

On Mon, Jun 27, 2016 at 3:49 PM, Michael Wojcik wrote: > SSLv2 is no longer supported, and neither are the SSLv2_*_method calls. (And > yes, this causes build problems when updating to newer OpenSSL builds; and > while that causes some pain, it was the Right Thing

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

On Sun, Jun 19, 2016 at 10:10 AM, Blumenthal, Uri - 0553 - MITLL wrote: > I'm also speaking out of turn, but having both ends trying to be both server > and client *on the same connection* just does not make sense, TLS or DTLS. > Yeah, I was having trouble envisioning the use

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

On Sun, Jun 19, 2016 at 9:47 AM, Test ssl wrote: > Hi Matt, > > This is a DTLSv1.0 connection, so the hosts on both sides will connect to > each other acting as both TLS client and TLS server. > > We think the dtls failure is due to cipher suites. But we are not able to >

Re: [openssl-users] Symbol(s) not found _TLSv1_2_method _BIO_test_flags

On Mon, Jun 13, 2016 at 6:32 PM, Dan S wrote: > So I had a suggestion to verify the correct linking by renaming the libssl > and libcrypto built locally to something else, and linking to them- turns > out that was the problem, apparently adding the search path in xcode does

Re: [openssl-users] regarding ssl_server test

On Thu, May 26, 2016 at 5:51 PM, Jakob Bohm wrote: > On 26/05/2016 18:33, R-D intern wrote: >> >> Hello, >> I have implemented ssl for my internal server that listens over >> a >> private ip. Can anyone suggest how can I test my ssl_server? For eg. >> Qualys >>

Re: [openssl-users] good riddance to PayPal

On Thu, May 5, 2016 at 4:41 PM, Steve Marquess wrote: > We've had a PayPal account for years, as the most convenient way for > individuals to send small donations. However, as the person who has > managed that account I can attest that PayPal has always been rather

  1   2   3   4   5   6   7   8   >