, bmeeke...@buckeye-express.com
>>> <mailto:bmeeke...@buckeye-express.com> wrote:
>>>
>>> I simply wanted a clear statement so I can make an informed decision
>>> whether or not I should use OpenSSL in future projects. I now have my
>>> answer. Th
* [root@puoasvorsr07 ~]# openssl version
* OpenSSL 1.1.1 FIPS 11 Sep 2018
Is that a version you built yourself, or from RedHat? I believe it is RedHat’s
version, which did their own FIPS work.
The OpenSSL FIPS module is starting development.
--
openssl-users mailing list
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
sed using an
OpenSSL "engine" plugin, if instead you are inserting code in NGINX
to hand over the complete SSL/TLS record processing to the hardware,
then a different approach is needed.
OpenSSL Crypto Engines are not limited to SSL/TLS but can be used
for other tasks using the OpenSSL libcr
of unused bits) for a 2048bits RSA
key with 16 custom bytes.
That’s perfectly normal for OpenSSL to refuse to load that beast, and for
asn1parse to return errors (the first bytes do not represent a correct DER
encoding of anything).
Think of it as « I took a Jpeg file, replaced some bytes
On 10/12/2018 14:41, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Michael Ströder
Sent: Saturday, December 08, 2018 06:59
On 12/7/18 11:44 PM, Michael Wojcik wrote:
Homograph attacks combined with phishing would be much cheaper and
easier
On 10/12/2018 11:30, Hemant Ranvir wrote:
Dear all,
After extracting openssl-1.1.1.tar.gz, openssl can be configured
without asm by passing no-asm flag during config command.
The expanded key can be obtained like follows:
//Getting expanded key from inside openssl
//Copied from crypto
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 06/12/2018 11:48, Michael Ströder wrote:
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
On 05/12/2018 17:59, Viktor Dukhovni wrote:
IIRC Apple's Safari is ending support for EV, and some say that EV
has failed, and are not sorry to see it go.
This is very bad for security. So
On 05/12/2018 00:50, Viktor Dukhovni wrote:
On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:
Care to create a PR against the "master" branch? Something
along the lines of:
"Provided chain ends with untrusted self-signed certificate&quo
experts.
[ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ]
However Firefox code also contains lots of idiotic usability bugs,
even in the code that talks to the TLS stack. It is quite possible
that the "OCSP must be on" rule is another bad usability hangover
Hi Wim,Thank you for your quick response.1. Yes. I called EVP_PKEY_new()
before calling EVP_PKEY_assign_RSA(pEvpkey, rsa);
2. For your second quetion: no. I have not checked there is anything in the
openssl error stack.
I will check the openssl error stack.
3. (1). If it works
Hello,I am working on a small homework which requires convert pvk private key
to PKCS#8 format. The code is based on OpenSSL 1.0.2. I can get pvk private key
components (Public exponent, modulus, prime1, prime2, exponent1, exponent2,
coefficient, private exponent) properly, and convert
Thanks again Rich. If anyone else has any ideas please share.
From: "Salz, Rich"
Date: Tuesday, December 4, 2018 at 12:56 PM
To: "anipa...@cisco.com" , "openssl-users@openssl.org"
Subject: Re: [openssl-users] OCSP response signed by self-signed trusted
respond
Perhaps you can build a trust store to handle your needs. I am not sure.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
f time. Are you
saying option 2 from the RFC is not supported within OpenSSL and would require
changes? Or am I misinterpreting option 2 above.
Lastly, I assuming my understanding is correct, I was thinking
X509_check_trust() allows for communicating this ‘out of band’ trust to OpenSSL
for vali
the source to support it,
however.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
explicit trust so that it is allowed via the call to X509_check_trust() or
is there something else I’m missing here?
Thanks,
Animesh
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
releases
if any to change the text, since the change may cause issues
for some users.
Sure, this is always a concern. Maybe the change could be considered for
OpenSSL 3.0, since that's a major release.
Care to create a PR against the "master" branch? Something
along the lines of:
> >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be
> > considered f
hat would suggest to the user that the problem might be an issue
> with the trust store.
>
My .02: The message "Self-signed certificate in certificate chain"
does make it sound like OpenSSL rejected the certificate precisely
because it's self signed, and not because it's an u
:
...
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 28/11/2018 23:42, Jonathan Larmour wrote:
On 28/11/18 21:41, Daniel Kahn Gillmor wrote:
On Wed 2018-11-28 19:54:34 +, Jonathan Larmour wrote:
On 28/11/18 17:02, Matt Caswell wrote:
Please see the following blog post about OpenSSL Versioning and License:
https://www.openssl.org/blog
This was discussed around when OpenSSL first talked about the project. You
might find it worth reading the various blog entries (and comment/responses)
https://www.openssl.org/blog/blog/categories/license/ One thing to note is that
cryptography can be a patent minefield, and the patent
On Wed, Nov 28, 2018 at 08:48:10PM +, Jeremy Harris wrote:
> OpenSSL 1.1.1 FIPS 11 Sep 2018
> RHEL 8.0 beta
>
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail. It carrie
If GSCheck is just a tool to check if you remembered to build
code with the buffer overflow checks that Microsoft C can
insert, then you should just treat this as a warning that the
tool doesn't know how to check code from other compilers (in
this case the manual work of the OpenSSL team).
On 28
Hi All,
The 32bit OpenSSL 1.1.0i library 'libeay32.dll' fails for binscope GSCheck on
Windows.
E:\libeay32.dll: error BA2022: libeay32.dll was compiled with the following
modules for which a language could not be identified. Ensure these were
compiled with debug information and run BinScope
unique
numbers for fast lookup during application load.
There is a source file in OpenSSL giving the assigned numbers.
You will need to add numbers for you additional exports, and
deal with the risk that a future OpenSSL release uses that
number for something else.
Enjoy
Jakob
--
Jakob Bohm, CIO
On 26/11/2018 20:04, Viktor Dukhovni wrote:
On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users
wrote:
In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.
So I would suggest that any OpenSSL API to control that feature in
TL
Hi,
The ability of a TLS client to optionally send a list of trusted
CAs to the TLS server is not new in TLS 1.3.
In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.
So I would suggest that any OpenSSL API to control that feature in
TL
On 25/11/2018 22:30, Viktor Dukhovni wrote:
On Nov 25, 2018, at 4:23 PM, Jeremy Harris wrote:
That isn't the package name, it is text defined in openssl/opensslv.h
That happens when "OPENSSL_FIPS" is defined:
# define OPENSSL_VERSION_NUMBER 0x101000b0L
# ifdef OP
* I am unable to get the API to access bn->top value or any bn members in
openssl 1.1.1 .
Can you help me with the pointers to those APIs ?
They do not exist. This is the first time someone has asked for them. You
will need to open an issue on GitHub, and explain *why* you need acc
* BIGNUM structure also has been made opaque. How to refer the members of
BIGNUM structure like bn->top ?
You cannot. That is the definition of “opaque structure.” :) Why do you need
to access “top” ?
* And I don't see this API implementation ""lh_OPENSSL_CSTRING_new
>For example, I want the string "SSL_R_TOO_MANY_WARN_ALERTS" for an
error with that value, not just the "too many alerts" description.
You're correct, it's not done.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
n CBC mode.
On 20/11/2018 10:54, ASHIQUE CK wrote:
Hi,
Any replys ?
On Mon, Nov 19, 2018 at 11:39 AM ASHIQUE CK <mailto:ckashique...@gmail.com>> wrote:
Also I use OpenSSL 1.1.0h.
On Mon, Nov 19, 2018 at 11:36 AM ASHIQUE CK
mailto:ckashique...@gmail.com>> wrote:
N
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1a released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1a of our open
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.0j released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.0j of our open
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.0.2q released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.2q of our open
>My question: How can I make LibOpenSSL-1.0.2g to send a ServerHello to the
>Client on demand? The socket should not close, nor perform a renegotiation.
You have to shutdown and restart the TLS layer. You cannot send arbitrary
ServerHello messages, it’s a protocol violation.
--
o
Apologies for my mistake. I think I was profiling the whole CPU instead
of just my process. Please disregard.
Paulo Matos
On 16/11/2018 09:08, Paulo Matos via openssl-users wrote:
> Hi,
>
> I have a program where I am doing millions of calculations of SHA1 per
> second. This is
seeding is related to SHA1. At the same time, I can't break into it
in gdb and I can't understand where it's being called.
Could you please shed some light on why this function is called and if
there's something I can do about it?
Kind regards,
--
Paulo Matos
--
openssl-users mailing list
the kernel handles TLS, and how the keys are extracted from OpenSSL:
https://github.com/torvalds/linux/blob/master/Documentation/networking/tls.txt
https://github.com/openssl/openssl/pull/5253
--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com>
// "One if by land, two if by
You can do this by writing your own BIO (probably based on memory) that then
dribbles data out to its own internal socket.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
It was great to see you last week.
You and the entire “Russian crypto cohort” :)
From: Dmitry Belyavsky
Reply-To: openssl-users
Date: Sunday, November 11, 2018 at 6:34 AM
To: openssl-users
Subject: Re: [openssl-users] x509 manual
Hello,
https://github.com/openssl/openssl/pull/7614<ht
Hi - I created a question on Super User about questions on file permissions and
what the file permissions should be on created files. See link here:
https://superuser.com/questions/1368747/file-permissions-for-openssl-created-files-for-https-web-server-lighttpd
Could someone comment on what
On Debian systems, the standard procedure on Debian is to build your
private/different versions of openssl (or anything else) in /usr/local,
while leaving the Debain modified OpenSSL in /usr .
This should keep your own code and Debian code out of each others way.
Any programs you need to use
On 03/11/2018 10:11, Hanno Böck wrote:
On Sat, 3 Nov 2018 12:28:02 +0500
Марк Коренберг wrote:
Try openssl cms ( as newer alternative to s/mime)
cms is not newer than s/mime, it's the underlying message format of
s/mime.
According to this
https://www.openssl.org/docs/man1.0.2/apps
:1408E0F4:SSL
routines:SSL3_GET_MESSAGE:unexpected message
but
https://www.ssllabs.com/ssltest/analyze.html?d=www.3bg.at
says its ok ...
is the problem on my side or on their side?
You'll need to give us more information. I can connect to that server
using OpenSSL 1.0.2 s_client.
What version
On 05/11/2018 15:56, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of lu zhihong
Sent: Thursday, November 01, 2018 05:58
when complie openssl 1.1.1 on linux 32bit platform, i met some compile
warning,like:
crypto/ec/curve448
assumes the other test does it.
On Fri, 2 Nov 2018 at 16:53, Jakob Bohm via openssl-users
wrote:
On 02/11/2018 08:50, Thulasi Goriparthi wrote:
Hi,
I am going through the checks done by EC_KEY_check_key method. I see
the following checks in order.
1. Is point at infinity? - reject.
2. Is point
, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https
On 26/10/2018 23:08, Ken Goldman wrote:
I've been happily using the Shining Light 32-bit binaries with both
openssl 1.0 and 1.1 and mingw.
On a new machine, I tried the 64-bit binaries. However, they're
missing the openssl/lib/mingw directory where the .a files resided.
It looks like
n(1)
means that there was no cipher overlap between the client and server.
For some clients, SSL_accept() succeeds and the rest of the application
runs properly. I have not been able to sort out what the difference
is.
First, note the OpenSSL FAQ about how to turn on readable error messages.
Lack
On 10/23/2018 05:22 PM, Selva Nair wrote:
> On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
> wrote:
>> Hi!
>>
>> I'm trying to get a handle on the CAPI engine, because I need to have a
>> secure Keystore on Windows. Furthermore I need it to wo
On 23/10/2018 17:22, Selva Nair wrote:
On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
wrote:
Hi!
I'm trying to get a handle on the CAPI engine, because I need to have a
secure Keystore on Windows. Furthermore I need it to work with Qt's
QSslKey, which fortunately can
);
Trace Output is:
Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
Opening certificate store MY
capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
Called CAPI_rsa_sign()
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Ah, I guess it wanted you to also compile OpenSSL for i386 and putting
that (different!) opensslconf.h in the i386-specific directory.
That also means you should have moved opensslconf.h to the subdir, not
copied it.
On 22/10/2018 20:42, Skip Carter wrote:
Found the problem!
Thanks to Selva
>Yes the macro is there, its just not being expanded by the pre-
compiler.
That makes no sense.
Please look at your compiler manpages and figure out how to turn on verbose
compiler output. Something is strange in your environment.
--
openssl-users mailing list
To unsubscr
On 20/10/2018 15:59, Kaushal Shriyan wrote:
On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah
mailto:murugesh.pitcha...@gmail.com>>
wrote:
Hi,
You may list down what ciphers configured : "openssl ciphers"
Choose CBC ciphers and add them to the list
>DEPRECATEDIN_1_2_0(int EC_GROUP_get_curve_GF2m(const EC_GROUP *group,
That is "proof" that the pre-processor doesn’t have the right -I flags. Try
running with the -v option or something.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/lis
>And I still have the problem with those macros.
The problem is almost definitely this: the files that you are compiling (not
openssl) are picking up the wrong header files from openssl.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
You probably do not have the headers installed into the right include path.
You should do "make install" and not cp things by hand, as you'll need the
headers and the libraries, etc.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
to your real handler
and not to one added by a buffer overflow attack on your process.
For C/C++ code, the compiler uses only handlers in the C runtime,
each of which already include those directives. But for Assembler
source code (such as the optimized assembler modules in OpenSSL),
there is no way
Hello ,
I use openssl 1.1.1 and cannot find function :
lh_X509_NAME_free, lh_X509_NAME_insert, lh_X509_NAME_retrieve referenced in
function _SSL_load_client_CA_file in file ssl_cert.c
Please help me to solve this problem
Mark
--
openssl-users mailing list
To unsubscribe: https
On 16/10/2018 16:39, Dmitry wrote:
Hello!
I have a C++ programme, ECDSA key pair and some string to sign. The
programme generates signature and saves it into a file
(signature.bin). Then I check the validity of the signature via the
following command:
openssl dgst -verify ec_public.pem
with:
$ openssl s_client -requestCAfile bundle.pem -connect localhost:12345
Running this under a debugger the failure happens at certificate #143
because the client hello packet overflows its maximum allocation:
$6 = {
buf = 0x000100724200
staticbuf = 0x
curr = 16364
* I want to use fips certify crypto libs. Is it possible to use crypto lib
from Openssl-fips 2.0.16 and ssl lib from Openssl1.1.1?
No, it is not possible. The current FIPS code only works with 1.0.2. The
project is working on a new FIPS module. You can find some details at the
blog
the final size should be smaller for the current time.
The documentation on this by the backup software provider is very
simplistic and simply pipes the stream of data through openssl and
then gzip:
mariabackup --user=root --backup --stream=xbstream | gzip | openssl enc
-aes-256-cbc -k mypass
As with essentially all open source software, there is no warranty with OpenSSL.
Having said that, people use the OpenSSL applications for all sorts of things,
including what you are doing.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 10/10/2018 13:55, RudyAC wrote:
Hello,
when verifying a signed email with CMS_verify() the verification failed.
That is not the main problem.
My problem is that the out data is empty. Using the library I got following
error:
OpenSSL Error code all:<772382878d>
OpenSSL Error co
m
(b) CN=example.com
and subjectAltName = DNS:example.com, DNS:*.example.com
(c) CN=example.com
and subjectAltName = DNS:*.example.com, DNS:example.com
(d) CN=hello world
and subjectAltName = DNS:example.com, DNS:*.example.com
Thanks,
Walter
--
openssl-users mailing list
To u
hould be expected behaviour:
> * max_path_length=n (initialisation)
> * max_path_length=n-1 (first decrement)
> * max_path_length=0 (copied from root certificate constraint)
> * VERIFY(max_path_length>0) error upon preparing transition from i=1
> (Root) to i=2 (EvilCA).
>
> Open
Could that be LibreSSL? (Or some similar wrapper for OpenSSL?)
https://github.com/Ruzzz/LibreSSL
This above repo creates libraries in the named format below; to match how
Microsoft provides multiple versions of libraries.
Looks to be debug (d) and multi-thread (MT?) versions of the libraries
>This is not correct.
Thanks for the corrections, Matt.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
We disagree, and as I wrote the latest RNG code and docs, I'm biased (sic).
I'll leave on that weak pun.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 04/10/2018 17:38, Salz, Rich wrote:
What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
than not being an NSA/NIST design?
Poor locking; been known to crash.
Simple bug, not a reason to change the algorithm.
Does not reseed.
But can be reseeded if so desired
>What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
than not being an NSA/NIST design?
Poor locking; been known to crash.
Does not reseed.
Global across the process, rather than isolated for private-key generation or
per-connection.
Mixes in getpid and time to get &quo
On 04/10/2018 17:14, Salz, Rich via openssl-users wrote:
Which version of OpenSSL are you using?
1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
seeded. 1.1.1 has a good random number generator and auto-seeds.
What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG
Which version of OpenSSL are you using?
1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
seeded. 1.1.1 has a good random number generator and auto-seeds.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ion file?
>
> On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <
> openssl-users@openssl.org> wrote:
>
> >
> >- The debug logs display two "SSL-Session" blocks in a full handshake.
> >
> > Only one "SSL-Session" block is d
a client may resume with a different session, and therefore
prevent an observer from “linking” two different activities.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
To update this thread. Please follow the commentary on the
https://github.com/OpenSC/libp11/issues/249
From: "Blumenthal, Uri - 0553 - MITLL"
Date: Friday, September 21, 2018 at 5:07 AM
To: "Paras Shah (parashah)" , "openssl-users@openssl.org"
Cc: Nicola
Subjec
I opened the issue https://github.com/openssl/openssl/issues/7258
Also, opened issue https://github.com/OpenSC/libp11/issues/249
and https://github.com/opendnssec/SoftHSMv2/issues/417
Found the root cause to be the openssl version 1.1.1 that was used to compile
the engine_pkcs11 and SoftHSM
It's hard enough for the openssl team to document the basic config/build
things, let alone all the operating systems and vendor-supplied stuff.
Perhaps a wiki page, that the community could help maintain?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo
if by land, two if by sea, three if by the Internet."
On Sep 17, 2018, at 4:20 PM, Neil Craig
mailto:neil.cr...@bbc.co.uk>> wrote:
Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don¹t see an error
when running
t 1:04 PM, Viktor Dukhovni
mailto:openssl-us...@dukhovni.org>> wrote:
On Sep 16, 2018, at 11:44 AM, Murugaiyan Perumal via openssl-users
mailto:openssl-users@openssl.org>> wrote:
dso_dlfcn.c:84:12: fatal error: dlfcn.h: No such file or directory
# include
http://w
>The users who delay or block automatic updates tend to greatly overlap
with the users who actively block remote telemetry of their update
habits, thus skewing such statistics of "get almost full coverage within
a month or two".
But not downloads. :)
Shrug.
--
two, for example. Edge hasn't shipped TLS 1.3
yet. Safari encourages auto-update. That's most of the browser market.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Sure. I will open the issue.
From: Nicola
Date: Monday, September 17, 2018 at 10:05 PM
To: "Paras Shah (parashah)" , "openssl-users@openssl.org"
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys
fail.
Would it be possible for you to open this a
This is factually incorrect; the TLS values are lower than the FIPS values, for
example. And also, what “everyone in the know” has always stated isn’t really
true any more.
It would be nice to keep politics out of this list.
--
openssl-users mailing list
To unsubscribe: https
I had the same doubt. I have x-posed this question on the opensc mailing list
as well.
On 9/17/18, 3:37 PM, "openssl-users on behalf of Matt Caswell"
wrote:
Perhaps the pkcs11 engine does not support ed25519 keys?
Matt
On 17/09/18 22:05, Paras Shah (par
That is not it. It results in the same error for the EC key.
It is not the URL or the ID. Because for a RSA key in the softhsm with id =
, it works fine with url containing id=%33%33
$ openssl pkey -in
"pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b75
I get the following error when I try to access the ed25519 key stored in
SoftHSM via the openssl engine interface using engine_pkcs11.
[]:~$ openssl pkey -in
"pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%22%22;object=ed25519%2
I have softhsm-v2.5.0-rc1 which has ec keys imported in it. Now, when I try to
use these keys from openssl CLI using the pkcs11 engine, it fails.
1. SoftHSM version
[]:~$ softhsm2-util --version
2.5.0rc1
2. SoftHSM token init
[]:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.
Hi,Am trying to build the openssl source for QNX 6.5/6.6 OS. I have tried to
build after the instructions given in internet.
1. QNX 6.6 build environment variable is set. 2. Executed below command.
sh-3.1$ ./Configure QNX6 shared --prefix=./qnx660/release
--openssldir=./qnx660/release
3. make
Much work for little gain and purpose.
You can mix drafts, but mixing the draft and the official version is hard,
there's too many semantic changes (e.g., around fallback vs
no-fallback-protection).
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo
On Thu, Sep 13, 2018 at 08:13:41PM +0200, Jakob Bohm wrote:
> On 13/09/2018 09:57, Klaus Keppler wrote:
> >Hi,
> >
> >thank you for all your responses.
> >
> >I've just tested with Firefox Nightly 64.0a1, and both s_server and our
> >own app (using
our goal, as stated.--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On Wed, Sep 12, 2018 at 03:50:17PM +0200, Klaus Keppler wrote:
> Hi,
>
> when I create a TLS-1.3-only "web" server with s_server (from OpenSSL
> 1.1.1-release), Firefox/Chrome can't access it.
> According to all docs I've read so far, the TLS 1.3 implementations
On Tue, Sep 11, 2018 at 03:04:06PM -0600, The Doctor wrote:
> On Tue, Sep 11, 2018 at 02:57:09PM -0500, Benjamin Kaduk via openssl-users
> wrote:
> > On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote:
> > > On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:
801 - 900 of 1657 matches
Mail list logo