Hi Everyone,
I have a custom 15-android.conf that is used with a custom
setenv-android.sh. setenv-android.sh sets the environment and exports
the necessary variables for a cross-compile. 15-android.conf was
copied from the OpenSSL library, and then modified to avoid some
problems with the one
I'm trying to convert some scripts from OpenSSL 1.0.2 to OpenSSL 1.1.1d.
Configure is dying:
* Unsupported options: no-comp
--prefix=/home/jwalton/tmp/build-test
--libdir=/home/jwalton/tmp/build-test/lib
According to INSTALL at
https://github.com/openssl/openssl/blob/master/INSTALL, all
On Tue, Jan 23, 2018 at 4:33 PM, Salz, Rich wrote:
> On Tue, Jan 23, 2018 at 3:45 PM, Salz, Rich wrote:
> > ➢ The docs have _not_ changed:
> https://www.openssl.org/docs/standards.html.
> >
> > Nor is there any need for that page to change.
On Tue, Jan 23, 2018 at 3:45 PM, Salz, Rich wrote:
> ➢ The docs have _not_ changed:
> https://www.openssl.org/docs/standards.html.
>
> Nor is there any need for that page to change. READ WHAT IT SAYS.
I'm surprised you are arguing against clear documentation on behaviors.
On Tue, Jan 23, 2018 at 12:43 PM, Viktor Dukhovni
wrote:
>
>
>> On Jan 23, 2018, at 7:31 AM, Gladewitz, Robert via openssl-users
>> wrote:
>>
>> Despite being wrong it is also absolutely irrelevant, because FreeRADIUS
>> retrieves the
On Sun, Jan 21, 2018 at 6:38 PM, Salz, Rich via openssl-users
wrote:
> ➢ The sensible thing at this point is to publish an update to RFC5280
> that accepts reality.
>
> Yes, and there’s an IETF place to do that if anyone is interested; see the
> LAMPS working
On Mon, Jan 22, 2018 at 10:04 PM, Viktor Dukhovni
<openssl-us...@dukhovni.org> wrote:
>
>
>> On Jan 22, 2018, at 9:39 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>> If OpenSSL want to change the standard so that it aligns with the
>> project's
On Mon, Jan 22, 2018 at 9:27 PM, Salz, Rich wrote:
> ➢ I don't see CA/Browser Forums listed, but I do see RFC 3280 listed.
>
> The page also says it’s “casually maintained.” Feel free to create a PR on
> openssl/web repo. :)
>
> IETF RFC’s aren’t perfect; that’s why there are
On Mon, Jan 22, 2018 at 9:01 PM, Salz, Rich via openssl-users
wrote:
>
> > Here's the standards OpenSSL claims to implement:
>
> Read the whole text. It doesn’t say anything like “claims to implement.”
My bad. Here's the corrected text:
This page is a partial
On Mon, Jan 22, 2018 at 2:50 PM, Viktor Dukhovni
wrote:
>
>
>> On Jan 22, 2018, at 12:07 PM, Gladewitz, Robert via openssl-users
>> wrote:
>>
>> the problem is, that I can't change the cisco implementation :-(.
>
> YOU DO NOT need to change
On Mon, Jan 22, 2018 at 1:44 AM, Gladewitz, Robert via openssl-users
wrote:
>
> Thank you all for all the answers.
> The problem is that Cisco prescribes the attributes.
> ...
>
> Unfortunately, the Cisco CUCM telephone systems do not seem to accept
> certificates
On Sun, Jan 21, 2018 at 6:23 PM, Viktor Dukhovni
<openssl-us...@dukhovni.org> wrote:
>
>
>> On Jan 21, 2018, at 6:04 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>> Maybe OpenSSL should allow users to choose between IETF issuing
>> policies and CA/Bro
On Sun, Jan 21, 2018 at 5:59 PM, Viktor Dukhovni
<openssl-us...@dukhovni.org> wrote:
>
>
>> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>>
On Sun, Jan 21, 2018 at 1:31 PM, Viktor Dukhovni
wrote:
>
> ...
> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
> as a restriction on the allowed extended key usages of leaf certificates
> that can be issued by that CA.
>
> You should typically
On Mon, Jan 15, 2018 at 8:22 AM, Rol Phil wrote:
> Hello all,
>
> I have been using to tag data with an example I had found.
> However when it comes to authenticate/decrypt a tag with given AES key I
> could not find examples.
> using cmac.h or evp.h.
> Can anybody help me
On Fri, Dec 22, 2017 at 1:32 AM, Keshava Krishna Bhat K
wrote:
> Ok, I got to know that
> openssl version -a gives out the flags used while building openssl.
> so the output of this was
>
> OpenSSL 1.0.2g 1 Mar 2016
> built on: reproducible build, date unspecified
>
On Mon, Dec 18, 2017 at 1:38 AM, Colony.three via openssl-users
wrote:
>
> G**gle's Eric Schmidt says, "If you have something that you don't want
> anyone to know, maybe you shouldn't be doing it in the first place. This is
> a profoundly undemocratic attitude. What
On Mon, Oct 23, 2017 at 6:47 PM, Kyle Hamilton wrote:
> Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519?
>
The ones I am aware of are available in
http://tools.ietf.org/html/draft-josefsson-pkix-newcurves.
Jeff
--
openssl-users mailing list
To
On Sat, Oct 21, 2017 at 9:38 AM, Codarren Velvindron
wrote:
> https://tls13.crypto.mozilla.org is using : The connection to this site is
> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
> exchange (X25519), and a strong cipher (AES_128_GCM).
On Fri, Oct 6, 2017 at 12:22 PM, Fabrice Delente wrote:
> OK, I understand, thanks for your answer! I'll look into building
> openvpn 2.4.3 from source.
I believe you only have to set Fedora's security policy to allow MD5.
That is covered in the Fedora wiki page you were
> Until two days ago I used OpenVPN to connect to my workplace, on a
> non-security sensitive tunnel (just for convenience).
>
> However, OpenSSL updated on my machine (Fedora 26), and now the
> certificate is rejected:
>
> ...
> routines:SSL_CTX_use_certificate:ca md too weak
> Fri Oct 6
>> You should avoid calls to RAND_poll altogether on Windows. Do so by
>> explicitly seeding the random number generator yourself.
>
> As a starting point, try something like this:
>
> -
> static ENGINE *rdrand;
>
> void init_prng(void) {
> /* Try to seed the PRNG with the Intel RDRAND
On Thu, Oct 5, 2017 at 3:27 PM, Jason Qian via openssl-users
wrote:
> Compared code of RAND_poll(void) between 1.0.1 and 1.0.2 and it seems no
> change
I believe it was fixed earlier than that. Also see
https://rt.openssl.org/Ticket/Display.html?id=2100=guest=guest
As
On Thu, Oct 5, 2017 at 2:55 PM, Jason Qian via openssl-users
wrote:
> Thanks Michael,
>
> I saw a lot of discussion for this issue on,
>
> https://mta.openssl.org/pipermail/openssl-dev/2015-July/002210.html
>
> Not sure if openSSL has a workaround or
>> I don't know offhand which OpenSSL versions did away with MD5, but you
>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>> straight off CentOS 7 repos:
>
> Ugh. No need for 0.9.8e (which is from, what, the early Industrial
> Revolution?). MD5 is still available in OpenSSL
On Wed, Sep 20, 2017 at 5:48 PM, Jordan Brown
wrote:
> ...
> The above also works with "authorityCertSerialNumber", see
>
> https://tools.ietf.org/html/rfc5280#section-4.2.1.1
>
> If, however, the newer certificate has a different key, and the same
> subject DN,
> openssl req -outform $format -config $cadir/openssl-root.cnf -set_serial
> 0x$(openssl rand -hex $sn)\
> -inform $format -key private/ca.key.$format -subj "$DN"\
> -new -x509 -days 7300 -sha256 -extensions v3_ca -out
> certs/ca.cert.$format
>
> unable to load Private Key
>
> It is coming down that I would need a unique cnf for each cert type, rather
> than one per signing CA. Things just don't work well without prompting or
> very consistent DN content. So I am going to pull most of my. ENV. I am
> leaving it in for dir and SAN.
>
> I feel it is a bug that if in
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote:
> I guess I am making progress. I am not getting SAN into the root cert. my
> cnf has in it:
>
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits= 2048
> prompt = no
>
On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea
<erwann.aba...@docusign.com> wrote:
>
>> Le 17 août 2017 à 17:26, Jeffrey Walton <noloa...@gmail.com> a écrit :
>>
>>>> When you see a name like "example.com" in the CN, it's usually a CA
>>>>
>> When you see a name like "example.com" in the CN, it's usually a CA
>> including a domain name and not a hostname.
>
> That's nonsense.
If a certificate is issued under CA/B policies, and CN=example.com but
it _lacks_ SAN=example.com, then it's not a hostname and it should
not be matched.
I'm
On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz wrote:
> I have skimmed through a few RFCs following today's postings and a few web
> sites. It would seem to me that I should:
>
> Remove commonName and emailAddress completely from the cnf file. They no
> longer belong in
On Wed, Aug 2, 2017 at 12:38 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 02/08/2017 04:21, Jeffrey Walton wrote:
>>
>> I'm trying to extract the low-order byte or word from a BIGNUM in
>> OpenSSL 1.1. We were told to use BN_bn2binpad, but it's not clear to me
>
I'm trying to extract the low-order byte or word from a BIGNUM in
OpenSSL 1.1. We were told to use BN_bn2binpad, but it's not clear to me
how to specify the location we want to extract.
For example:
const char v[] = "ffeeddccbbaa99887766554433221100";
BIGNUM *n = BN_new();
if
On Fri, Jul 28, 2017 at 3:53 PM, Salz, Rich wrote:
>> I thought RDRAND was disabled as the default random engine since
>> 1.0.1f. Has that changed in OpenSSL 1.1.0?
>
> No. Do "git grep ENGINE_set_default_RAND"
Ack, thanks. I wonder where that's coming from for 1.1.0.
I thought RDRAND was disabled as the default random engine since
1.0.1f. Has that changed in OpenSSL 1.1.0?
Related, see:
* https://stackoverflow.com/q/45370852/608639
* http://seclists.org/fulldisclosure/2013/Dec/99
*
On Fri, Jul 28, 2017 at 12:15 AM, Swetha Hariharan
wrote:
>
>
> I am trying to test the rsa 186-2 openssl fips module 2.0.16 implementation
> using the NIST Testvectors. Using the fips_rsastest.c file the
> FIPS_rsa_x931_generate_key_ex(rsa, keylen, bn_e, NULL)
On Sat, Jul 22, 2017 at 2:37 PM, Oliver Niebuhr
wrote:
> Hi.
>
> I searched the Web and checked the Configure File. Am I blind or is
> there really no Parameter to disable the creation of the Documentation?
>
> As I also test the Qt Framework, I often recompile
Hi Everyone,
Windows 10 makes CreateCompatibleBitmap (and friends) available for
Desktop Apps only. For other builds, like phones and IoT gadgets, the
functions are not available.
My question is, is it possible to configure OpenSSL 1.0.2 to avoid the
missing Windows APIs, like readscreen()?
If
On Mon, Jul 10, 2017 at 2:01 AM, Sravani Maddukuri via openssl-users
wrote:
>
> Are there any plans in the future to get the support of OpenSSL 1.1.0 for
> OpenSSH?
You should ask the OpenSSH folks.
Jeff
On Sun, Jul 9, 2017 at 11:31 PM, Sravani Maddukuri via openssl-users
wrote:
> Dear Concern,
>
> Can you please update me on my below query?
>
> Does openssl 1.1.0f version support building Openssh7.2p2 and above
> versions?
As far as I know, OpenSSH does not support
> RPATHs have advantages, but they have some major issues, too. For
> instance, if for whatever reason you need to move files around so that
> things are stored in a different location, suddenly you'll need to
> recompile everything -- because the RPATH is a hardcoded location of the
> library in
On Sun, Jun 4, 2017 at 8:57 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> On Sun, Jun 4, 2017 at 7:56 PM, PGNet Dev <pgnet@gmail.com> wrote:
>> On 6/4/17 4:51 PM, Jeffrey Walton wrote:
>>>>
>>>> but the process STARTS with an apparently
On Sun, Jun 4, 2017 at 7:56 PM, PGNet Dev <pgnet@gmail.com> wrote:
> On 6/4/17 4:51 PM, Jeffrey Walton wrote:
>>>
>>> but the process STARTS with an apparently non-fatal error ...
>>>
>>> Using configuration from /home/sec/newCA/openssl.c
> but the process STARTS with an apparently non-fatal error ...
>
> Using configuration from /home/sec/newCA/openssl.cnf
> Can't open root/database.attr for reading, No such file or directory
> 140013244086016:error:02001002:system
>
On Sun, Jun 4, 2017 at 1:01 AM, Pravesh Rai wrote:
> Hi,
>
> Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
> & server (Java 1.8 with Tomcat), still getting following handshake error,
> while executing:
>
> "openssl s_client -connect a.b.c.d:
On Sun, May 28, 2017 at 5:31 PM, Salz, Rich wrote:
>> The openssl program will use the wrong libssl.so and libcrypto.so.
>
> Yes, got it.
>
> But that's small potatoes compared to everyone else finding the wrong shared
> library, and just saying "use rpath" doesn't help all
On Sun, May 28, 2017 at 5:25 PM, Salz, Rich wrote:
>> We still don't know what use case is being represented by omitting the
>> RPATH in the OpenSSL build.
>
> Because only one program, apps/openssl, presumably needs rpath. But that
> doesn't solve the problem for *external
On Sun, May 28, 2017 at 5:16 PM, Hiran Chaudhuri
wrote:
> It seems I misread the referenced documentation the first time.
>
> This stuff contains the answer, it just was not clear to me that it also works
> on Linux.
>
On Sun, May 28, 2017 at 2:59 AM, Mohit Batra wrote:
> Hello All,
>
> I am trying to compile / install a utility from Source on CentOS that
> utilizes OpenSSL 1.1.0 (latest version) . However, I get the following
> error:
>
> configure: WARNING: Cannot find SSL_CTX_get0_param
On Sat, May 20, 2017 at 7:10 AM, Hiran Chaudhuri
wrote:
> Am 19-May-2017 00:36:18 +0200 schrieb openssl-us...@dukhovni.org:
>
>> hiran.chaudhuri> Now this is interesting. Yes, openssl can find both the
>> libraries
>> hiran.chaudhuri> libssl and libcrypto. Would that
On Thu, May 11, 2017 at 2:13 PM, Scott Neugroschl wrote:
> OK. Are the 3DES CBC ciphers still part of DEFAULT?
From OpenSSL 1.0.1t:
$ openssl ciphers "DEFAULT"
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-
On Wed, Apr 26, 2017 at 1:03 PM, Blumenthal, Uri - 0553 - MITLL
wrote:
> A naïve question. A certificate that contains SAN attribute(s) – is there a
> limit on how many, say, RFC822 SAN attributes can a valid certificate have?
>
>
>
> It’s been my understanding that a cert can
On Sun, Apr 23, 2017 at 9:36 AM, Salz, Rich via openssl-users
wrote:
>>#define OTEXT_AES_KEY_INIT(ctx, buf) { \
>>EVP_CIPHER_CTX_init(ctx); \
>>EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, buf, ZERO_IV); \
>>}
>
> Most of the datatypes are
On Mon, Apr 3, 2017 at 5:49 PM, Benjamin Kaduk <bka...@akamai.com> wrote:
> On 04/02/2017 07:42 PM, Jeffrey Walton wrote:
>
> I was looking at Kurt Roeckx's patches for OpenSSH at
> https://github.com/openssh/openssh-portable/pull/48/files. See
> libcrypto-compat.h a
I was looking at Kurt Roeckx's patches for OpenSSH at
https://github.com/openssh/openssh-portable/pull/48/files. See
libcrypto-compat.h and libcrypto-compat.c.
Are the source files distributed by OpenSSL? If so, where is the download?
If not, can the OpenSSL project consider adding them. They
I'm working with OpenSSL 1.1.0. I'm trying to set prefix=/usr/local,
openssldir=/usr/local and libdir=/usr/local/lib64. The configure looks
like:
INSTALL_PREFIX=/usr/local
INSTALL_LIBDIR=$INSTALL_PREFIX/lib64
KERNEL_BITS=64 ./config no-ssl2 no-ssl3 no-comp shared \
enable-ec_nistp_64_gcc_128
Hi Everyone,
Is it possible to speed test RDRAND and RDSEED generators? If so, then
how do we do it?
$ openssl speed -engine rdrand
engine "rdrand" set.
Doing md4 for 3s on 16 size blocks: 8339773 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 6616610 md4's in 3.00s
Doing md4 for 3s on 256
>> Sorry, never mind. After taking a closer look at the source code I saw
>> that there are further compile time and run-time kernel version
>> checks in e_afalg.c. I adjusted the version number and got that to
>> work now.
>
> Well, why does the afalg engine depend on Linux 4.1?
> AF_ALG is part
On Sun, Feb 12, 2017 at 8:13 AM, Ajay Garg wrote:
> Any ideas please?
> Is compiling openssl even possible on Raspberry-Pi?
>
Try 'config' rather than 'Configure'. It looks like it does the job.
I'm not sure why the same triplet produces different results. Maybe
you need
> I have two systems one with openssl 1.0.1e (debian wheezy) and the new one
> with openssl 1.1.0c (debian stretch)
>
> The files encrypted with 1.0.1e are not decryptable via 1.1.0c
> These are the investigations I have done
>
> on my system with 1.0.1e openssl
> $ echo some text > file
> $ cat
On Fri, Feb 3, 2017 at 12:37 PM, Brandon Shiers
wrote:
> I have a client that has a CA certificate that has expired.
>
> They are running Windows Server 2003 and OpenSSL 0.9.8d and FreeRadius for
> authentication. Their certificate expired yesterday afternoon and I've
On Fri, Feb 3, 2017 at 1:55 PM, Chris Clark wrote:
> My application links to OpenSSL 1.1.0 dynamically, and I would like to
> be able to determine if the CPU supports the AES-NI instruction set.
> Is there an OpenSSL API that can do this?
Also note that even though the
> The attached text file is a snippet from attempting to install
> openssl-1.1.0c on a Solaris 8 machine. As can be seen, failed when
> could not be found. There is no such file anywhere on this
> machine. As root, searched from the root directory for the file. Do have
> in more than one
On Mon, Jan 30, 2017 at 5:03 AM, Matthias Ballreich
wrote:
> thanks for explanation.
>
> But why did Windows Cert Manager and Firefox Cert Manager show 00BEED73EE as
> serial number instead of BEED73EE (which openssl shows)?
It's just a presentation detail. It
> Could someone from the OpenSSL team please explain the rationale for this
> decision? What is the problem with using assignments with 0 or NULL to
> initialize pointers?
I'm not from the team, so take it for what it's worth...
On some systems, NULL is _not_ 0. NULL can be anywhere in memory the
> IF EXIST libcrypto-1_1-x64.dll.manifest DEL /F /Q
> libcrypto-1_1-x64.dll.manifest
> link /nologo /debug /dll /implib:libcrypto.lib
> /out:libcrypto-1_1-x64.dll /def:libcrypto-1_1-x64.def
> @C:\Users\jesaremi\AppData\Local\Temp\nm8557.tmp || (DEL /Q libcrypto.*
>
> I have two servers for testing purpose :
> - debian 6, apache 2.2, openssl 1.0.1t (mutu)
> - centos 7, apache 2.4.6, openssl 1.0.1e-fips (dedicated)
>
> Now, these 2 servers offer only those ciphers :
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>
On Tue, Dec 27, 2016 at 12:24 AM, Ron Gaw
via openssl-users wrote:
> I am using a MinGW64 / MSYS2 environment to compile OpenSSL1.1.0c, but
> failing consistently after multiple attempts with a few variations each
> attempt (including deleting entire source directory
On Wed, Dec 21, 2016 at 6:16 PM, Salz, Rich wrote:
>> checking for library containing SSL_library_init... no
>> configure: error: libfko needs ssl
>
> The application is not prepared to build against 1.1.0 That function was
> removed, and a #define for backward compatibility
On Sun, Dec 18, 2016 at 5:09 PM, Viktor Dukhovni
wrote:
>
>> On Dec 18, 2016, at 2:55 PM, Walter H. via openssl-users
>> wrote:
>>
>> encrypt
>> openssl enc -e -in file -out encryptfile -aes-256-gcm
>
> GCM is not supported with "openssl
> So what is the correct way, 1 or 2?
>
> 1)
>
> RAND_poll()
> /* RAND_bytes is unnecessary */
> /* RAND_add is unnecessary */
>
> 2)
>
> RAND_poll()
> RAND_bytes(buf, 128);
> /* RAND_add is unnecessary */
On Windows, you call CryptGenRandom to obtain your seed for the
OpenSSL PRNG. On Linux, you
On Sat, Dec 10, 2016 at 9:25 PM, Rasool, Kaja Mohideen (Nokia - IN)
wrote:
> Ok, maybe, TCP is doing it. Is there any other API using which I can specify
> the payload length & number of bytes for padding to send a TLS Heartbeat
> request? Then, I can use that API
> I'm trying to speed up the initialization of a legacy HTTP client
> application. Debugging that code, I found the following functions being
> called each application startup:
>
> initialization
> SSL_library_init()
> SSL_load_error_strings()
> OpenSSL_add_all_algorithms()
>
I'm working from Master. I'm having trouble locating the message
digest for Poly1305, and how to use it with
https://wiki.openssl.org/index.php/EVP_Message_Digests.
At the moment I can only find EVP_chacha20_poly1305. It seems like if
Poly1305 is going to be paired with something, it would be
Is it possible to setup a CONF-less OpenSSL? If so, how?
The use case is mobile apps, like Android, iOS and Windows Phone.
There is no OPENSSLDIR per se; and the app's install directory will be
a moving target like a UUID.
I know hacks can be applied for iOS, like forgoing a macro and
returning
I prefer to use a cipher list like "HIGH:!aNULL:!RC4:!MD5". I prefer
it because it's fairly easy to parse and understand. It's also easy to
teach to developers.
I want the resulting ciphers sorted with the ephemeral suites at the
head of the list.
How does one sort the list with ephemeral suites
> When I tested a remote server using s_client, it responded with:
>
> verify return:1
>
> 139790582232992:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3
> alert unsupported certificate:s3_pkt.c:1259:SSL alert number 43
>
> 139790582232992:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
>
> I've a free certificate from startssl for my email address. Now I would
> like to create a certificate for one of my internet domain. How can I do
> that? Can I use openssl? Is there a free service like cacert.org that allows
> to deploy free class IV certificates that are recognized?
> Sorry
I'm working on OS X and I want to audit for configure-time use of
enable-ec_nistp_64_gcc_128.
Grepping the sources shows 1 relevant hit, but I don't see a define:
$ grep -IR 'enable-ec_nistp_64_gcc_128' *
CHANGES: Specify "enable-ec_nistp_64_gcc_128" on the Configure (or
config) command
On Sat, Oct 1, 2016 at 5:18 PM, Salz, Rich wrote:
>
>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts. If this has
>> changed, it needs a big red banner at the top of the
>>> Is there something more I should do on this issue? I recall the OpenSSL
>>> terms of use strongly discouraged people from the US from helping, due to US
>>> export restrictions.
>>
>> That's kinda outdated.
>
> However there are very many OpenSSL users (myself included)
> who rely on the
On Sat, Oct 1, 2016 at 4:32 PM, Geoffrey Coram wrote:
> I reported a bug, I'm not a developer
> / on the developer list; will someone else take this, or is there some
> bug database that I should enter an issue into?
If it's an OpenSSL bug, then I believe you send an email
> openssl/openssl is for current master.
> OpenSSL_release is for 1.0.2
>
> Note1: we might review that now that 1.1.0 has been released.
>
> Note2: we recently changed our policy on Coverity access. Previously we
> did not typically allow access to the defect reports. Now we allow
> Defect viewer
> Work on the new FIPS module has so far taken a backseat to higher
> priority topics like the 1.1 release ...
OpenSSL 1.1.0 was a very strong release. The team did an awesome job.
Hats off to them for a job that exceeded well done.
I did not observe problems at places where you can take the
Hi Everyone,
Coverity Scan has two projects for OpenSSL (https://scan.coverity.com/dashboard)
* openssl/openssl
* OpenSSL_release
Which should we request access to for the reports?
Thanks in advance.
On Wed, Sep 21, 2016 at 8:35 AM, Jing Liu wrote:
> I’ve tried all my best to solve this problem but failed. Can you help me?
>
> - OS: Windows 10
>
> - Perl: ActivePerl 5.12.2 build 1202
>
> - Development environment: MS Visual Studio 2010 SP1
>
> - OpenSSL version: OpenSSL
On Fri, Sep 9, 2016 at 8:26 AM, Pfluegl, Andreas wrote:
> We started using OpenSSL in 2010 for Windows and Linux. We gladly followed
> the release strategy suggestion, as it allowed us to deliver patches without
> recompiling our code. So we still compile and link our code
> Only if you think everything has to be equally protected. That's the
> assertion I am not thrilled with. Sometimes knowing who sent it is more
> important -- the metadata -- and sometimes the content -- say, the value of
> the check -- is more important.
And its probably easier to go
On Fri, Sep 2, 2016 at 11:50 AM, Leam Hall wrote:
> Thanks to Matt Caswell for helping me fix the DSA question. His solution,
> based off the information I provided, was:
>
> openssl genpkey -genparam -algorithm DSA -pkeyopt \
> dsa_paramgen_bits:2048 -out
On Fri, Aug 26, 2016 at 6:56 PM, Juliano Souza wrote:
> I just found it.
>
> Hope to help someone with same requirement.
>
> http://www.cafesoft.com/products/cams/ps/docs32/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
>
There's also Origin Bound Certificates
> Could you please point me on some useful documentation, piece of code or any
> other source of information which would provide the guidelines for
> accomplishing my task? Or maybe somebody of you already have the experience
> in such migration which could be shared.
>> Scenario 1 - Failing case
>>
>> SSL_CTX_use_certificate_file() : Loaded cert_file
>> SSL_CTX_use_certificate_chain_file() : Loaded chain_file
>
> Doing this makes no sense. If you're loading the complete chain
> file, there's no reason to first load just the certificate.
>
> Just use
Hi Everyone,
This just made my radar... Microsoft has a fork of OpenSSL at
http://github.com/Microsoft/openssl . It looks like it is actively
maintained.
Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On Mon, Jun 27, 2016 at 3:49 PM, Michael Wojcik
wrote:
> SSLv2 is no longer supported, and neither are the SSLv2_*_method calls. (And
> yes, this causes build problems when updating to newer OpenSSL builds; and
> while that causes some pain, it was the Right Thing
On Sun, Jun 19, 2016 at 10:10 AM, Blumenthal, Uri - 0553 - MITLL
wrote:
> I'm also speaking out of turn, but having both ends trying to be both server
> and client *on the same connection* just does not make sense, TLS or DTLS.
>
Yeah, I was having trouble envisioning the use
On Sun, Jun 19, 2016 at 9:47 AM, Test ssl wrote:
> Hi Matt,
>
> This is a DTLSv1.0 connection, so the hosts on both sides will connect to
> each other acting as both TLS client and TLS server.
>
> We think the dtls failure is due to cipher suites. But we are not able to
>
On Mon, Jun 13, 2016 at 6:32 PM, Dan S wrote:
> So I had a suggestion to verify the correct linking by renaming the libssl
> and libcrypto built locally to something else, and linking to them- turns
> out that was the problem, apparently adding the search path in xcode does
On Thu, May 26, 2016 at 5:51 PM, Jakob Bohm wrote:
> On 26/05/2016 18:33, R-D intern wrote:
>>
>> Hello,
>> I have implemented ssl for my internal server that listens over
>> a
>> private ip. Can anyone suggest how can I test my ssl_server? For eg.
>> Qualys
>>
On Thu, May 5, 2016 at 4:41 PM, Steve Marquess
wrote:
> We've had a PayPal account for years, as the most convenient way for
> individuals to send small donations. However, as the person who has
> managed that account I can attest that PayPal has always been rather