Re: [openssl-users] OpenSSL in Linux kernel

2016-04-21 Thread Salz, Rich
> Can SSL library be used in Linux kernel mode? The crypto libraries can, and are in some places, in the kernel. If you want to put the SSL/TLS protocol into the kernel, you will need to do some work, just as writing a BIO type that works in the kernel and perhaps malloc/free routines,

Re: [openssl-users] Spam

2016-04-19 Thread Salz, Rich
> the wider problem case is how non-subscribers are given two-way access to the > list that exposes so much subscriber info (name, professional affiliation, > email addr, ...) to whomever. i cannot fathom why the list does not make use > of aliases so that each subscriber can control what they

[openssl-users] API question; v3_asid/v3_addr

2016-04-14 Thread Salz, Rich
Do you use the v3_asid_xxx or v3_addr_xxx API's? Please let me know. (They are not going away, we just need to know if they're internal-only or if people are using them.) -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- openssl-users mailing list To

Re: [openssl-users] Are double-quotes valid characters in certifcates/keys?

2016-04-12 Thread Salz, Rich
> Except when you want more people (usually everybody) access to the CRT, > but few people (usually one or two trusted server > processes) access to the private KEY. > > Then using two different files will make a lot of sense. Oh yes, absolutely! Don't give out the private key :)

Re: [openssl-users] Are double-quotes valid characters in certifcates/keys?

2016-04-11 Thread Salz, Rich
You can merge the two files into one. As long as they are in PEM format, it will just work. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] CMS with Symmetric key

2016-04-04 Thread Salz, Rich
> I'm trying to use the CMS operations in libcrypto but with a symmetric key > encryption key instead of x509. We don't support this. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] Fwd: CONGRATULATION____REF#87670

2016-04-02 Thread Salz, Rich
> why is junk like this not being caught? Almost all of it is. Nothing is perfect. Thanks for your understanding and patience.

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread Salz, Rich
> Yep, and give the new ones a slightly different "full" > distinguished name (important for CRL and "ca" database). > My approach is to include the year-month as an extra OU e.g. > >  CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany >Inc,L=YourTown,C=XX Ooh, that's neat advice!

Re: [openssl-users] How to configure without OPENSSL_die?

2016-03-19 Thread Salz, Rich
> How do we configure without OPENSSL_die? You can't. You can replace the function with something that does something better for your needs. But the times you get there, a catastrophic error has happened and the library cannot proceed. It would be great to fix those things; start by picking

Re: [openssl-users] About no-ssl2

2016-03-19 Thread Salz, Rich
>The problem is the concept itself since it will require every app to have >coded into it when a given feature was removed should it attempt to support it >when present. Yes. It dates back to the very early days (when SSLeay was developed on clay tablets), when the default was "get it all"

[openssl-users] Removing some systems

2016-03-18 Thread Salz, Rich
We are planning on removing the following systems from OpenSSL 1.1: Netware OS/2 There are a few reasons for this. In no particular order they include: these platforms are no longer supported by the vendor; the configurations and builds have not been testable by the team for years and

Re: [openssl-users] SSL_CTX_new fails some times

2016-03-08 Thread Salz, Rich
> I suspect that "Freelibrary" causes openssl libraries to be unloaded from my > process's context. Yes. That's what it does.

Re: [openssl-users] DROWN (CVE-2016-0800)

2016-03-02 Thread Salz, Rich
> am [I] still vulnerable to this if my customer's server is not up to date? Yes, maybe. If you use SSL3/TLS without PFS ciphers, then someone who has captured the traffic can send SSLv2 messages to the server and decrypt your traffic.

Re: [openssl-users] DROWN (CVE-2016-0800)

2016-03-02 Thread Salz, Rich
Other implementations MAY be susceptible. It's a protocol flaw. The fix is to completely remove SSLv2. See the blog post: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/ -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz --

[openssl-users] "These are not the patches you are looking for"

2016-02-28 Thread Salz, Rich
We recently posted some patches to our public repo. Since they came out just before the announced security release, many people have been confused and thought that perhaps we posted CVE fixes prematurely. This is not the case. The commits were for fixing low-priority CVE issues, and

Re: [openssl-users] default cipher suit

2016-02-28 Thread Salz, Rich
If no cipher suite is named, then the value of DEFAULT will be used. What that is depends on which version of OpenSSL is used. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz From: John Hunter [mailto:zhjw...@gmail.com] Sent: Sunday, February 28, 2016 8:11 AM

Re: [openssl-users] Problem getting actual Client protocol version on server side

2016-02-24 Thread Salz, Rich
> How can I get actual protocol sent by client at server side...? If the handshake fails, the server doesn't send a version. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] automatic renegotiation

2016-02-24 Thread Salz, Rich
I don't believe OpenSSL actually does automatic renegotiation, but I could be wrong.

Re: [openssl-users] ECDHE PSK ciphersuites

2016-02-23 Thread Salz, Rich
It will probably work for your needs.

Re: [openssl-users] ECDHE PSK ciphersuites

2016-02-23 Thread Salz, Rich
> Please could you explain which stable code should I use to have those cipher > suites? Master, which will be 1.1. It's not done yet.

Re: [openssl-users] [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Salz, Rich
> If we integrate the support natively into OpenSSL, then PKCS#11 URIs (see > RFC7512) can be first-class citizens throughout the crypto and SSL APIs. Any > function which takes a filename for a cert or key should also accept¹ a > PKCS#11 URI. It'd be great to see a crypto/pkcs11 directory with

Re: [openssl-users] Problem in decryption using python which cipher text is encrypted in c++

2016-02-19 Thread Salz, Rich
> Then i am passing this cipher text to my another end which is using a > python(PyCrypto library) code to decrypt a cipher text using same Key and > IV. The IV, key, and ciphertext are all binary arrays of bytes. Not C (or ASCII or UTF8 or anything) strings. You will have to convert back/and

Re: [openssl-users] [openssl-dev] Ubsec and Chil engines

2016-02-19 Thread Salz, Rich
> In both cases I would like to remove these engines from 1.1.0. I'd like to > hear > from the community if there is any active use of these. One option if there is > found to be some small scale use is to spin out the engine into a separately > managed repo (as has happened recently with the

Re: [openssl-users] follow-up to: ChaCha20/Poly1305 in OpenSSL?

2016-02-17 Thread Salz, Rich
> (1) 1.0.2f + cloudflare patch > (2) 1.1.0-alpha3 Did CF update their patch to the official version and codepoints? Cool.

Re: [openssl-users] follow-up to: ChaCha20/Poly1305 in OpenSSL?

2016-02-17 Thread Salz, Rich
> What's current plan status for these ciphers? > > Not until 1.1.0 release? Or earlier? Yup, 1.1. It's a new feature so it doesn't go into current releases which only get fixes. And the code that's in master, which just released alpha-3, rocks. :)

Re: [openssl-users] ciphers

2016-02-17 Thread Salz, Rich
If all you want is TLS 1.2, then this line is enough: > >> SSLProtocol -All +TLSv1.2 > >> SSLCompression off > >> SSLInsecureRenegotiation off

Re: [openssl-users] OpenSSL version 1.1.0 pre release 3 published

2016-02-16 Thread Salz, Rich
>OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 3 has now >been made available. For details of changes and known issues see the >release notes at: Just to emphasize one important point: Our next release is planned to be Beta-1, in about a month. After that, no new

Re: [openssl-users] Errors in building 1.0.2f

2016-02-10 Thread Salz, Rich
Do an initial config to get the symlinks copied, then do your 'real' config. This will be fixed next time :)

Re: [openssl-users] OpenSSL library/development problems on OpenSUSE 13.2

2016-02-09 Thread Salz, Rich
    // Generates Garbage
    memcpy(encbuf, encbuf+100, enclen);

For overlapping copies you are supposed to use memmove.

[openssl-users] Do you use the JPAKE feature?

2016-02-08 Thread Salz, Rich
It's currently "experimental" and we're thinking of dropping it completely from the next release. If you use it, please reply here soon. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] Extra EPOLLIN event at end of SSL connection

2016-02-08 Thread Salz, Rich
Are you getting WANT_READ or WANT_WRITE? That is common for non-blocking. And also, yeah, way back when, it was common to return zero when read on a non-blocking socket had no data :) And what release are you using?

Re: [openssl-users] WARNING message "can't open config file” when running openssl command

2016-02-04 Thread Salz, Rich
> It works, thank you for your suggestions! I am just wondering is there any > other options, for example eliminate the WARNING message while building > the openssl libraries and executables? You could modify the source (e_os2.h, somewhere in that #ifdef maze sorry) to set the default to be

Re: [openssl-users] WARNING message "can't open config file” when running openssl command

2016-02-04 Thread Salz, Rich
> $ openssl x509 -in cert.pem -noout -text > $ WARNING: can't open config file: /usr/local/ssl/openssl.cnf > How can I eliminate this WARNING message even though the > “/usr/local/ssl/openssl.cnf” file does not exist? Among other options, "OPENSSL_CONF=/dev/null ; export OPENSSL_CONF"

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Salz, Rich
> Does OpenSSL FIPS modules keep all the OpenSSL APIs intact? No. For example, only the EVP interface to crypto.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Salz, Rich
>Everybody else is better off not trying to use FIPS-restricted modes and >setups. Strongly agree!!

Re: [openssl-users] [openssl-dev] Openssl 1.1 and Bind 9.6 ESV R11

2016-01-20 Thread Salz, Rich
> That's my issue. I cannot get a more recent bind version to stay to stable on > one box. Then I think that's going to be a tough issue, and you'll either have to modify that source or stay at 1.0.2

Re: [openssl-users] Getting the current key exchange algorithm mode from an SSL_CIPHER

2016-01-20 Thread Salz, Rich
The most portable, and longest-lasting, way is probably to get the name and then use that as a key to look up things in your own table of characteristics. A PR that adds API's (and doc) for extracting various things, and returning them as nid's or oid's or something, would be helpful.

Re: [openssl-users] [openssl-dev] OPenssl and dependencies such as openssh

2016-01-15 Thread Salz, Rich
> All right, can the above be committed and any other source-backwards- > compatible behaviour ? > > This will help API developers a lot. It was done and is part of the yesterday's alpha release.

Re: [openssl-users] [openssl-dev] simplifying rand_egd API

2016-01-14 Thread Salz, Rich
> truly think that saying "please keep this interface" isn't backed by no one, > whether they speak up or not today.) Yes, I know. It is however the best we can do. My issue with the other two API's is that they are really EGD functions, not OpenSSL functions. > P.S.: i like the new website; i

Re: [openssl-users] [openssl-dev] pkeyutl does not invoke hash?

2016-01-14 Thread Salz, Rich
Okay, how about this. First, remove the NOTES subhead. Add this to the end of the first paragraph: This program does not hash the input data and requires the input data to be of the proper size, and must not be greater than the size of the public key field or modulus.

Re: [openssl-users] Signing a csr with subjectAltName using x509 command

2016-01-13 Thread Salz, Rich
In your ca_default you should have a x509_extensions field that references another stanza. That other stanza needs the copy. I don’t know if copy_extensions copies everything. ☹

[openssl-users] simplifying rand_egd API

2016-01-13 Thread Salz, Rich
There are currently three functions related to the EGD: int RAND_egd(const char *path); int RAND_egd_bytes(const char *path, int bytes); int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes); I would like to just have a single function Int

Re: [openssl-users] Signing a csr with subjectAltName using x509 command

2016-01-13 Thread Salz, Rich
>But when I try to sign it using my own CA using the x509 command this data is >removed You need to make sure that subjectAltName is marked as copy in your config file.

Re: [openssl-users] [openssl-dev] Do you need EGD support?

2016-01-11 Thread Salz, Rich
>>Will you still support PRNGD?  I need PRNGD, as I’m on a platform without a >>built-in random device or cpu instructions. > PRNGD is a direct replacement for EGD, so if the interface to EGD is removed > from OpenSSL, PRNGD stops to work for it as well. Thanks. That means we should not

[openssl-users] Do you need EGD support?

2016-01-11 Thread Salz, Rich
We are considering removing EGD support in 1.1. If your platform still needs it, please reply soon. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Salz, Rich
Are you going to keep posting and posting until you get a response? :( Master branch, 1.1, is not released but will not be vulnerable (may already be fixed) 1.0.2 is not vulnerable. 1.0.1f and later are not vulnerable. 1.0.0 might be, and is end of life anyway so you should move off that. 0.9.8

Re: [openssl-users] mailing list issues? Re: CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2016-01-07 Thread Salz, Rich
> A few zombie messages today: There were some that had been held up on the queue because of things like size limits.

Re: [openssl-users] [openssl-dev] Openssl 1.1

2015-12-30 Thread Salz, Rich
> We do our best to get this informing done. > > I do not know why yet, but I had a problem with openssh. Thank you very much for your help! Happy New Year.

Re: [openssl-users] [openssl-dev] Openssl 1.1

2015-12-30 Thread Salz, Rich
> Are Openssh, DNS developers, SMTP/POP3/IMAP developers, FTP > developers, HTTPD developers and LDAP developers aware of changes > coming down the pipe? > > If not, they should be informed. We've posted about it several times. We're making explicit pre-release testing versions available.

Re: [openssl-users] openssl-101m server and openssl-101q client TLS1.2 failure

2015-12-23 Thread Salz, Rich
>But In my case replacing the client side binary built with openssl-101m this >issue > goes away. So wondering could this be a bug in openssl code ? Very very doubtful.

Re: [openssl-users] openssl-101m server and openssl-101q client TLS1.2 failure

2015-12-23 Thread Salz, Rich
Try https://groups.google.com/forum/#!topic/node-apn/H1B6iCJlZYo

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-21 Thread Salz, Rich
> Just want to confirm on this item. Are we saying that to get openssl back to > be FIPS compliance is just a paper shuffle. If so is there any expected eta > on it as our team is using openssl version for a security project and we need > a fips compliance library. No. We have answered this

Re: [openssl-users] Need to store RSA Structure in Sqlite database

2015-12-20 Thread Salz, Rich
> I am new to openssl. In my development i need to store the RSA Public and > Private keys into sqlite database. Convert to DER and then perhaps base-64 encode it.

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Salz, Rich
> What would then be the permitting conditions to pursue a new validation ? > If you don't mind me asking. I have read several notes you have on the > subject and I agree that the whole thing is of Dedalus proportions. In a > nutshell what would be these conditions ? In a nutshell: someone

[openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
I want to change the memory alloc/debug things. Right now there are several undocumented functions to allow you to swap-out the malloc/realloc/free routines, wrappers that call those routines, debug versions of those wrappers, and functions to set the set-options versions of those functions.

Re: [openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
> I don't need it so I don't object. But if anyone objects, you could write a > ... Good point! > I guess this is because that interface is not a part of a commercial grade > full > featured SSL/TLS and general purpose crypto library, it is just a means to do > quality assurance on said

Re: [openssl-users] [openssl-dev] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
> > https://github.com/openssl/openssl/pull/450 > > This seems much more sane. I'll settle for less insane :)

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Salz, Rich
> And we don't know on which client OP will have to use that pem file, thus > give advice that works on all clients, not just OpenSSL or GnuTLS or whatever. It is quite reasonable to give openssl-specific answers on the openssl-users mailing list, isn’t it?

Re: [openssl-users] Question about TLS record length limitations

2015-12-07 Thread Salz, Rich
I suggest you ask on the TLS mailing list, t...@ietf.org /r$ -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] explicitly including other ciphers.

2015-12-02 Thread Salz, Rich
> but if I do a: openssl ciphers -v "ALL:eNULL" | grep eNULL Look for NULL, not eNULL. Or "Enc=None"

Re: [openssl-users] Does openssl server always choose highest TLS version offered?

2015-11-17 Thread Salz, Rich
> I have seen rumors (nothing reliable) that the TLS WG is proposing to disable a whole lot of good cipher suites in TLS 1.3. Well, it's pretty easy to verify. Look at the IETF TLS-WG web page, and get a pointer to the current draft doc. Yes, TLS removes non-AEAD ciphers, and has only PFS key

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-16 Thread Salz, Rich
> If you are aware of a concrete use of MD2 or any of the other algorithms, please let us know! Also, note that we have an extended alpha and-beta test period, so we can add things back if mistakes are made. /r$

Re: [openssl-users] Elliptic curves approved or recommended by government

2015-11-13 Thread Salz, Rich
> Is there an up to date list of elliptic curves approved or recommended for > government use in OpenSSL? You'll have to look outside OpenSSL for advice like that. I would suggest looking at the CFRG, part of the IETF basically. Do web search for curve recommendations. Good luck. It's a

Re: [openssl-users] Does openssl server always choose highest TLS version offered?

2015-11-13 Thread Salz, Rich
> Rfc5246 basically says that the server will choose the highest version but I > wanted to confirm that that's what openssl does (just to be certain). That is what openssl does.

Re: [openssl-users] s_server (and maybe s_client) misbehaves with binary data

2015-11-02 Thread Salz, Rich
> It would thus be useful for s_server (and if applicable > s_client) to accept the "-binary" option (already provided by the cms/smime > commands), to turn off this behavior and provide a clean data pass through > to/from the other end. This is a good idea, thanks!

Re: [openssl-users] Clarification about content of folder /ocsp

2015-10-30 Thread Salz, Rich
> I could not find any API documentation about the code in /crypto/ocsp. Does > it mean that these functions are not part of the official API and therefore > should not be directly used?   No, it just means that the documentation has not been written.

Re: [openssl-users] OpenSSL public repository, bug tracker ?

2015-10-28 Thread Salz, Rich
> Is the version control repository as well as the bug tracker of public read > access ? https://www.openssl.org/source/

Re: [openssl-users] Key Deriviation Function Tests for TLS

2015-09-30 Thread Salz, Rich
>Did you miss the detail about the contribution agreement not granting any >rights to third parties until the OpenSSL Foundation has "published" the >contribution. No I didn't. They are free to post code as apache 2 and frequently rebase against master. Or whatever they want. We don't have

Re: [openssl-users] Key Deriviation Function Tests for TLS

2015-09-30 Thread Salz, Rich
> Speaking just for myself, and not my fellow team mates, I see no upside and > a lot of downsides to our hosting of "does not work" code contributions. > Especially for FIPS specific code. The originators of that code are free to > give > it to anyone else at any time; they don't need us to do

Re: [openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

2015-09-16 Thread Salz, Rich
> Is there any reliable patch for OpenSSH to support FIPS mode? Try the openssh mailing lists? From what I've seen the OpenBSD folks actively dislike FIPS, so good luck.

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread Salz, Rich
> Are these the only three error codes ? Nope. It's not standardized at all sadly

Re: [openssl-users] Question about Openssl FIPS module and Python-openssl

2015-09-14 Thread Salz, Rich
>Is there anyway to make the FIPS mode always enabled by default in the library >layer, so that there's no need to invoke the FIPS_mode_set API? No. You'd have to end up calling some explicit routine of your own which called FIPS_mode_set.

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread Salz, Rich
> The documentation does not seem too clear about what the behaviour > exactly is when OpenSSL deals with a broken OCSP responder.  For instance, > one that would send an OK without any contents.  We call openssl from an > application and would like to know what is returned in such a case, or in

Re: [openssl-users] Best way to combine ControlPersist and ProxyCommand?

2015-09-11 Thread Salz, Rich
> What's the best way to set up a persistent master connection, along with a > proxy jump host? Ideally the persistent master would speed up connections to > machines behind the proxy, not just the connection to the proxy. I think you’ve got the wrong mailing list. -- Senior Architect,

Re: [openssl-users] Cleanup and changing the malloc routines

2015-09-03 Thread Salz, Rich
1. I trust that functions to allocate specific data types (such as bignums) are not changed by this. They are not. 2. Macros that take zero arguments (such as "OPENSSL_malloc_init()") are not accepted by all compilers. In my own API designs this has forced me to give such

Re: [openssl-users] Cleanup and changing the malloc routines

2015-09-03 Thread Salz, Rich
> > Remove {OPENSSL,CRYPTO}_strdup; use BUF_strdup. Reconsidering, I did this backward. The right thing is to use OPENSSL_strdup, not BUF_strdup.

Re: [openssl-users] PEM X509 certificate with no newline

2015-09-03 Thread Salz, Rich
> PEM_read_bio_X509() fails because of the missing newlines. The underlying base64 decoder is horrible. It accepts invalid 8bit chars, and silently enforces a line-length limit. Wanna rewrite it? :)

[openssl-users] Cleanup and changing the malloc routines

2015-09-02 Thread Salz, Rich
We are considering a big cleanup to the memory-allocation API's in the next release. Please take a look at the attached documentation, which describes *ALL* of the public functions, and let us know if it will cause a problem. Thanks. -- Senior Architect, Akamai Technologies IM:

Re: [openssl-users] [openssl-dev] FW: Website changing this weekend

2015-08-25 Thread Salz, Rich
Yes, cross-refs within the manpages are still often broke. We're working on that. Thanks to the generous help of Phil Pearl, the links within the manpages are fixed!

Re: [openssl-users] [openssl-dev] FW: Website changing this weekend

2015-08-24 Thread Salz, Rich
From the https://www.openssl.org/docs/manmaster/crypto/crypto.html page - the links to x509v3, asn1, stack and txt_db are broken. Yes, cross-refs within the manpages are still often broke. We're working on that. - it's unclear what INTERNAL FUNCTIONS means. UTILITY is a better word,

Re: [openssl-users] [openssl-announce] Website changing this weekend

2015-08-23 Thread Salz, Rich
It seems to be that when a new branch was released then none of the subsequent changes for older branches are available. So almost all the recent 0.9.8 changelogs, and 1.0.0 changelogs are missing. Well, yeah, kinda. I updated the page to explain this a bit. And I also put all the branch

Re: [openssl-users] Privacy considerations - identity hiding from eavesdropping in (D)TLS

2015-08-21 Thread Salz, Rich
Are there any recommended ways to avoid certificates being sent in cleartext? That is, to first establish an anonymous encrypted channel, and then to authenticate within the encrypted channel. Not without breaking the protocol. I am also aware of some of the work in progress on TLS 1.3. It

Re: [openssl-users] [openssl-announce] Website changing this weekend

2015-08-21 Thread Salz, Rich
It seems to be that when a new branch was released then none of the subsequent changes for older branches are available. So almost all the recent 0.9.8 changelogs, and 1.0.0 changelogs are missing. Yeah, we need to figure out how to fix that. I'll make sure the team sees it.

Re: [openssl-users] [openssl-announce] Website changing this weekend

2015-08-20 Thread Salz, Rich
Many of the changelogs have disappeared - for example try finding the changelog between 0.9.8n and 0.9.8o on https://www.openssl.org/news/changelog.html. This applies to lots of other releases too. Thanks. It seems that the 0.9.8n - 0.9.8o changes are only in the 0.9.8 branch. We pull the

Re: [openssl-users] FW: Website changing this weekend

2015-08-20 Thread Salz, Rich
I'm curious why the new download page lists version 1.01p before version 1.02d? Is it suggesting that users download the 1.01 branch instead of the later one? They're listed in time-order, not alpha order. Should perhaps fix that.

Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-19 Thread Salz, Rich
What about 3DES with appropriate IV, downgrade and replay countermeasures, what exactly is wrong with those ciphers that is beyond salvage? (By salvage I mean significantly better than plain text when talking to clients that don't support anything more modern, such as certain Microsoft

Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-19 Thread Salz, Rich
Try this as a starting point: https://security.ias.edu/poodle-and-beast-isnt-love-story-sslv3-cipher-vulnerability

[openssl-users] The manpages are on the website now

2015-08-19 Thread Salz, Rich
As a new feature, all releases are now online, including master. There are still some links broken. We could use some Perl hacking help. If you know how to add -podpath searching into Pod::XHTML, please get in touch. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter:

Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-18 Thread Salz, Rich
Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that OpenSSL is BEAST-proof since some time regarding its use of TLS 1.0 and SSL 3.0 ? No.

Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-18 Thread Salz, Rich
There are *no* secure SSLv3 ciphers. If you need to support it (for legacy clients), then best you can do is use the poodle patch, the SCSV indicator which will at least prevent clients that are capable of more from being downgraded.

Re: [openssl-users] Online manuals no longer accessible

2015-08-16 Thread Salz, Rich
I noticed this weekend that the man pages are no longer available from the OpenSSL.org site. The site is beautiful, but the man pages are really needed. For example: try openssl.org/docs/ssl/ or openssl.org/docs/apps/ Please see the blog. We're working on it. Might be a couple of days.

[openssl-users] FW: Website changing this weekend

2015-08-14 Thread Salz, Rich
From: Salz, Rich [mailto:rs...@akamai.com] Sent: Friday, August 14, 2015 4:20 PM To: openssl-annou...@openssl.org Subject: [openssl-announce] Website changing this weekend We're bringing up a new website this weekend. Please be patient if you have problems. If you notice any broken links, let

Re: [openssl-users] X509_STORE manipulations and thread-safety

2015-08-12 Thread Salz, Rich
Is it safe to have a thread reload trusted certificates and crls into a SSL_CTX's X509_STORE while connections are running in other threads, especially when considering renegotiations? As a general rule, multi-thread simultaneous access doesn't work and will often make things go ka-boom.

Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Salz, Rich
How do I teach OpenSSL the format of the value for a custom extension without writing code? You can't. The closest you can do is encode a binary string into the config file. But something has to write that string :)

Re: [openssl-users] [openssl-1.0.2d] default SSL handshake fails

2015-08-10 Thread Salz, Rich
Specifically, a number of decisions have the feel of a project that has been co-opted or taken over by someone eager to make sweeping changes for little apparent reason, someone with lots of idle lawyers on hand, like Microsoft, various corporate partners, the CII, and/or the SFLC (using a

[openssl-users] We're working on license changes

2015-07-31 Thread Salz, Rich
Please see https://www.openssl.org/blog/blog/2015/08/01/cla/ for some more details. Summary: Moving to Apache 2, CLA's coming, it will take time. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
What you want is application-specific, not part of the TLS protocol. So you have to use SSL_read/SSL_write and pull the data out as needed.

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
But is there a way to send text files through SSL_write()? No.

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
But there is a way in which the server sends a test (for example a random number) and the client signs it with his private key right? It's called mutual (or client-side) authentication and is part of the TLS protocol. The client must have an X.509-style certificate.

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
Actually that isn't quite right.  A properly configured and tuned RBAC  policy, when combined with PaX, can very effectively limit all userspace activity (including root access!).  How do you know that the module is installed and actually doing things? How do you know what kernel is
