RE: Value of DEFAULT cipher suite

2014-09-09 Thread Salz, Rich
We disagree. I've got two IETF WG's coming to the same conclusion so making post-1.0.2 follow IETF practices seems pretty inarguable. > The IETF is sadly also prone to knee-jerk reactions. True. Some would put perpass in that category. -- Principal Security Engineer Akamai Technologies, Camb

RE: Value of DEFAULT cipher suite

2014-09-09 Thread Salz, Rich
> Far more productive than disabling RC4 would be ensuring that it is not the > preferred cipher suite when better options are enabled. I am not disabling RC4. I am saying that applications that want to use it will, after the post-1.0.2 release is adopted, need to take pro-active action. This

RE: Value of DEFAULT cipher suite

2014-09-09 Thread Salz, Rich
> For what it's worth, I'm with Victor on this. RC4 as cipher of last resort in > the > default set is better than not having it there at all. Take it up with the IETF which has two working groups advocating against it. UTA (use of TLS in applications) and the TLS group itself: https://tools.i

RE: Value of DEFAULT cipher suite

2014-09-09 Thread Salz, Rich
> Master has "security levels", which still need some work, but are a less crude > mechanism for such tweaks. Disabling RC4 at security level 2 or some such, is > better than incompatibly reclassifying it as "LOW". We can discuss the > details > later. That should probably also be done. But th

RE: Value of DEFAULT cipher suite

2014-09-09 Thread Salz, Rich
> Moving RC4 to "LOW" is also premature. It is already at the bottom of the > medium cipherlist, that should be enough. I am planning on doing it for master, not 1.0.2 That means it won't be in an official release until... what, at least six months.

RE: On 2K keys and SHA-256

2014-09-09 Thread Salz, Rich
> May I suggest 4096 bit with SHA-256. I think the next step after 2K-RSA is ECC, and that 4K RSA isn't going to see much deployment because of the computational cost. At least, that's how we see things at my employer. > And Chrome+Firefox still happily uses MD5 to sign SPKAC after offering yo

RE: Value of DEFAULT cipher suite

2014-09-09 Thread Salz, Rich
> Please consider also adding !SSLv3 and !RC4 to this list. My plan is to move RC4 and MD5 to LOW; see RT3518. As for SSLv3, the issue is that you really mean the protocol, not the ciphers (there's overlap with SSL and TLS), which is configured separately, and only via code. So I think I have

RE: On 2K keys and SHA-256

2014-09-08 Thread Salz, Rich
> > No complaints from me for 1K or 2K, but... Oh, sorry, this would be 1.0.2 and HEAD only. Not 1.0.1 or earlier. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

Updating roadmap objectives: RT backlog

2014-09-08 Thread Salz, Rich
We've updated the roadmap, https://www.openssl.org/about/roadmap.html with information about our progress on the RT backlog: Update (8th September 2014): we have made a great deal of progress on the backlog. A graph of ticket activity[1] is available, as is the raw data[2] for every bug

Value of DEFAULT cipher suite

2014-09-08 Thread Salz, Rich
We are considering removing weak cryptography from the value of DEFAULT. That is, append ":!LOW:!EXPORT" It is currently defined as this in include/openssl/ssl.h: #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" Please let us know if you have strong objections to this. -

On 2K keys and SHA-256

2014-09-08 Thread Salz, Rich
We are considering changing the default keysize (RSA, DSA, DH) from 1K to 2K, and changing the default signing digest from SHA-1 to SHA-256. We've already committed this to HEAD/master. We would like to make this change in the upcoming 1.0.2 release as well. Several downstream distributions, su

RE: Why does OpenSSL own all the prefixes in the world?

2014-09-08 Thread Salz, Rich
The extern "C" makes it difficult to put things into a namespace. You'd either have to write class declarations that used NO public openssl header files in their public declaration, or we'd have to change the extern "C" wrappers to be something like #if defined(__cplusplus) && !defined(

RE: Why does OpenSSL own all the prefixes in the world?

2014-09-08 Thread Salz, Rich
> My suggestion is indeed that openssl lib switch to C++, at least for > namespace usage. That would be nice to have. But C++ classes are like opinions -- everyone has one, nobody wants to use anyone else's. :) I'd be surprised if OpenSSL started work on this, but I'd encourage interested folk

RE: The no-stdio and NO_FP_API options

2014-09-06 Thread Salz, Rich
It would be easiest if you attached them to RT 2279. If that’s a hassle, post them or email me. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Certificate pass phrase brute force...

2014-09-05 Thread Salz, Rich
There is nothing special about cracking a certificate password versus any other password. There is a lot of literature out there; a web search will easily give you enough information to be depressed. I think your biggest faulty assumption is that your users will pick truly random 10char passwor

RE: The no-stdio and NO_FP_API options

2014-09-05 Thread Salz, Rich
Thanks. There is no big rush, knowing you're working on it, and this is for after 1.0.2. Perhaps by January/Feb? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can I use ASN1_INTEGER_free directly?

2014-09-04 Thread Salz, Rich
> Can I use ASN1_INTEGER_free directly to free the memory allocated by > ASN1_INTEGER_dup ? Yes, absolutely. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: The no-stdio and NO_FP_API options

2014-09-04 Thread Salz, Rich
> So please tell me *exactly* what you require to get the NO_FP_API support > into a state that it is still acceptable for you. And please tell how and on > which > platform I can reproduce the problems you are seeing. Any Linux platform. "./config no-stdio -DNO_FP_API" should build clean. --

RE: The no-stdio and NO_FP_API options

2014-09-03 Thread Salz, Rich
I am sorry that I was not clear. I am saying that if there are people who depend on and want no-stdio and NO_FP_API to be kept in the OpenSSL source, then they need to feed their patches, just to make those things work, back to OpenSSL. My mind is not made up. I am asking for people who want us t

RE: The no-stdio and NO_FP_API options

2014-09-03 Thread Salz, Rich
> +1 for keeping the features (I use AmiSSL ;) ) It doesn’t build. Unless that is addressed, it is highly likely that I will remove it from the tree after 1.0.2 -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: The no-stdio and NO_FP_API options

2014-09-03 Thread Salz, Rich
What config flags do you use? What changes have you made? It doesn't build for me. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

The no-stdio and NO_FP_API options

2014-09-03 Thread Salz, Rich
These configuration options do not build. I started to try and fix them, but after fixing the first few problems, things got really sticky. We hear that OpenSSL on embedded devices is important. Is anyone using this, willing to share their fixes, and help maintain it? If not, it will be removed

RE: Renegotiation workaround for TLS 1.2, 1.1 patch doesn't work (Check-in [22565])

2014-09-02 Thread Salz, Rich
Is this the F5 BigIP needs padding bug? Tried to follow all the discussion threads and got lost. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Client Key Exchange Message

2014-08-31 Thread Salz, Rich
There is no tutorial or walk-through of the OpenSSL code. You should start by reading the TLS RFC and make sure you really understand it; then you can figure out what the code is sending. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me

RE: SSL_MODE_ENABLE_PARTIAL_WRITE does not work in DTLS

2014-08-31 Thread Salz, Rich
The website isn't great, and it's not immediately obvious where to email bug reports. It's one of the things we're working on. I don't know if you can do partial writes over UDP. You might look at section 4.1 of this original paper: https://crypto.stanford.edu/~nagendra/papers/dtls.pdf

RE: Platform query

2014-08-30 Thread Salz, Rich
Thanks for the note. Seems like there's enough support to keep it around :) -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: certificate issue

2014-08-27 Thread Salz, Rich
> I need help. If I have a certificate in X509 structure, how can I > convert it into unsigned int format? This is too important for me. Thanks for > your help. You mean an array of bytes (unsigned char)? This is called the DER form, and there are functions and command-line ways to do this

RE: SSL APIs which does not need certificates/keys stored in filesystem

2014-08-21 Thread Salz, Rich
> Currently we are storing certificates/keys in filesystem and using the SSL > apis like SSL_CTX_use_certificate_chain_file and SSL_CTX_load_verify_locations > to load the certificate chain from file system for server and client purpose. > We want to avoid storing in filesystem, but read the certif

RE: Platform query

2014-08-20 Thread Salz, Rich
I'm not sure what WINDOWS means. And I'm not sure MSFT knows either :) Less flippantly, the goal is that OPENSSL_SYS_WINDOWS means any Windows platform, and then there are subtypes within that. We'll figure it out as we go along. It's gonna take a while to clean up the #ifdef world without b

RE: Platform query

2014-08-20 Thread Salz, Rich
> Minor clarification is appropriate. MSDOS is supported in single "stance", > namely DJGPP, which is 32-bit environment. Good point. So the idea is that MSDOS gets turned into DJGPP. BEOS and OS/2 are removed in HEAD (i.e., after 1.0.2), and Microsoft means WINDOWS of various flavors. If this

RE: Working cert rejection after reboot

2014-08-19 Thread Salz, Rich
I'm a bit stumped. Is this openssl s_client/s_server, or stunnel that's failing? And are you sure it is using the certs that you think it is? Have you run, for example, s_client with -debug and -msg flags? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me

Platform query

2014-08-19 Thread Salz, Rich
Does anyone want to speak up for the requirement that we continue to support BEOS (apparently B/1 and R5?), OS/2, or pre-Windows MSDOS? Unless there is strong interest and commitment, we will drop these after 1.0.2 /r$ -- Principal Security Engineer Akamai Technologies, Cambridg

RE: Working cert rejection after reboot

2014-08-19 Thread Salz, Rich
> After a recent reboot, a previously working cert is now being rejected with > "NO X509_NAME". I can't set the log level higher on the AIX side to get more > detail. What are the most likely causes of the "NO X509_NAME" error? Something changed in addition to the system rebooting. New softwa

RE: Case-sensitive cipher names are a bad idea

2014-08-15 Thread Salz, Rich
> Well, one problem is that "strcasecmp" is not in the Standard C Library, and > in > fact is illegal, because external identifiers beginning with "str" are > reserved to > the implementation. Openssl already handles that, thanks. > That said, I agree that case-insensitive comparison would be a

RE: Case-sensitive cipher names are a bad idea

2014-08-15 Thread Salz, Rich
> The case makes some things more clear: I never said it didn't. > There are lots of other ways to typo the input string. Yup, but saying TLSV1 won't work while TLSv1 does work is silly. > Perhaps there are currently no collisions, and case folding is likely safe, > but I > don't really see m

RE: Error Handling in a Multithreaded Environment, Failures effecting non-associated connections

2014-08-15 Thread Salz, Rich
> Just so I make sure I understand, I just need to do something like: > while ((err = ERR_get_error())); > When I switch work and everything will be ok? Simpler to just call ERR_clear_error() -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

Case-sensitive cipher names are a bad idea

2014-08-15 Thread Salz, Rich
Does ANYONE think that case-sensitive cipher names are a good idea? Someone who types TLSV1:RC4-MD5 will find things working, but is likely to be surprised by how weakly-protected they are. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me

RE: Error Handling in a Multithreaded Environment, Failures effecting non-associated connections

2014-08-14 Thread Salz, Rich
> I don't know whether it's documented anywhere, but I'd say yes, it's probably good to drain the error queue each time a thread picks up a new piece of work. This hadn't occurred to me before your note - I'll have to investigate whether any of my code needs to do this as well. Yes, suboptimal

Netware support?

2014-08-13 Thread Salz, Rich
Is anyone willing to step up and maintain the Netware port? If not, then we will probably remove it after the next release. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Forcing client to send Certificate record

2014-08-12 Thread Salz, Rich
> There is no need for an API for a non-interoperable feature that would > violate the TLS protocol: > > https://tools.ietf.org/html/rfc5246#section-7.4.6 Perhaps more usefully, see http://datatracker.ietf.org/doc/draft-thomson-tls-care/ This will almost definitely be part of TLS 1.3. Note

RE: Print SSL errors

2014-08-11 Thread Salz, Rich
Try printing "r2" in your original code. SSL_get_error isn't doing what you think it does; see the docs. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Print SSL errors

2014-08-11 Thread Salz, Rich
What's the value of err ("%ul")? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Print SSL errors

2014-08-11 Thread Salz, Rich
> every time I have an SSL error I try to log useful data using > ERR_error_string_n. Can you post the code with the call? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Query on X509 certificate validation- EVP_VerifyUpdate & EVP_VerifyFinal

2014-08-04 Thread Salz, Rich
Start by isolating the steps. The username is in the formdata? Can you run the openssl command-line program, for example, to encrypt the username you get? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Question on EVP_DecryptFinal_ex

2014-08-01 Thread Salz, Rich
Just wanted to say that Thulasi’s explanations and advice are exactly correct; thanks! -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Query on X509 certificate validation- EVP_VerifyUpdate & EVP_VerifyFinal

2014-08-01 Thread Salz, Rich
You have to look at the character string type of the DN. For example, in printableString the exclamation point is an illegal character. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: emailAddress in DN

2014-07-31 Thread Salz, Rich
The X509 output routines have a variety of options, but the x509 program doesn't let you choose them. This is text output, so you won't find it covered by any RFC. Look at the -nameopt flag in x509 app -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
Yes, but "as far as I'm aware" doesn't go very far into that part of the code. See what happens when other devs (in timezones closer to GMT) reply. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
No, I was confused; when you said "append to the root cert" I thought you meant copying it into the local directory. You meant literally appending it to the cert. I suppose you could create a new file with a "similar" name... -- Principal Security Engineer Akamai Technologies, Cambridge MA IM:

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
No, I'm saying that putting the CRL's into the local directory is okay, and OpenSSL will parse them. How you get them there is your issue :) -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
> However, I do have a question. Is there any way around this requirement? The > requirement of appending the root certificate and CRL files on the client > machine in /etc/ssl/crls? It totally depends on the client program that you are using. So, which client? The validation code won't, on

RE: TPS performance with TLS1.0 and TLS1.2

2014-07-24 Thread Salz, Rich
It is hard to imagine that a few random bytes makes a measurable difference, but I suppose it’s possible. You’ve checked, for example, that you’re using the same cipher suite in both cases? And what’s a transaction – connect, then shutdown with no application-level traffic to get in the way?

RE: Program to convert private key from pem to der format

2014-07-24 Thread Salz, Rich
Just do base64 decode. -- Principal Security Engineer, Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: DTLS aborts

2014-07-22 Thread Salz, Rich
> My guess (and it's purely speculation) is the report is being held because of > security considerations. I don't believe so; there's no filter on email sent to rt. Interestingly, there are a few bugs created a day ago, and then a few created four days ago. Looks like mail got lost or is in-tra

RE: DTLS aborts

2014-07-21 Thread Salz, Rich
> Is the development team aware of this? Should we open an RT? Please open an RT. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: Password prompt for encrypted EC keys?

2014-07-20 Thread Salz, Rich
Do you have to enter the password? Whatever, I guess. Sure sounds like some kind of platform issue. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: Password prompt for encrypted EC keys?

2014-07-20 Thread Salz, Rich
I don't think I understand. Are you saying that this command line: openssl ec -in ec-enc-priv.pem -passin pass:test -text -noout >/dev/null works when typed at the shell, but not if put into a script? Can you cut and paste the output? -- Principal Security Engineer Akamai Technologies,

RE: SSL passphare expiration

2014-07-06 Thread Salz, Rich
> I am encrypting a file using open SSL, but the password which is created > should be expired after 1 year or 2 year whatever we configure. Is there > anything password expiry concept in openssl? Ah, licensing? :) No, password expiration is not supported. You could sign the file with a certifi

RE: OpenSSL roadmap

2014-07-03 Thread Salz, Rich
> Would the project consider moving to C99 Yes, we are. We're trying to figure out platform and toolchain issues. (Platform is the operating system and hardware, and toolchain is like gcc or clang, for those who don't know.) I think moving to c99 is an obvious thing to do :) /r$ --

RE: BIO apis - bind to local ip address.

2014-06-30 Thread Salz, Rich
> Using BIO apis is there a way to specify the local ip address on which an application can bind to. No, you will have to open and bind the socket yourself and then create a BIO around that descriptor. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: r

RE: Using single EVP_PKEY instance across multiple connections

2014-06-29 Thread Salz, Rich
> To expand on this question a little more, is it safe to just create one > SSL_CTX* > at initialization of my server that will be used each time a new client > connects > when i do SSL_new(ctx)? Yes. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitt

RE: CVE-2014-0198: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

2014-06-18 Thread Salz, Rich
That is the value for the flag, it does not say whether or not it is enabled. To enable it you need to call something like SSL_CTX_set_options() with that flag passed in. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: Rich

RE: openssl-0.9.8za violates RFC 6066 problem

2014-06-18 Thread Salz, Rich
> That's the code I saw. Should OpenSSL do Apache a favour and not send a > warning alert anyway, when the extension callback is the SNI callback? NO!!! -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: Authority Key ID Extension

2014-06-13 Thread Salz, Rich
Yes, it's definitely optional. The most common keyIdentifier's that I have seen are based, well, on the key :) /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

2014-06-11 Thread Salz, Rich
AARGH. You *cannot* just set or clear them all... -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))

2014-06-11 Thread Salz, Rich
The subtle issue is that some option settings *enable* behavior, and some option settings *disable* behavior. You can just set/clear them all and really expect something good to happen. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter

RE: CVE-2014-0195

2014-06-05 Thread Salz, Rich
> Does that mean this RCE is a heap based overflow? I/O buffers in openssl are generally (always?) from the heap, not on the stack. So yes in general, and yes in this specific case. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: Ri

RE: CVE-2014-0224

2014-06-05 Thread Salz, Rich
> Can anyone explain the vulnerability? A handful of links Here's the timeline, a public document: https://plus.google.com/u/0/+MarkJCox/posts/L8i6PSsKJKs And this blog entry from the guy who found the bug. BTW, it's 16 years old. http://ccsinjection.lepidum.co.jp/blog/2014-06-

RE: SSL Renogotation failure

2014-06-05 Thread Salz, Rich
It must therefore be that the *other side* is trying to do unsafe renegotiation. Someone posted a note about PostGres issues, IIRC. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: suspending and continuing handshake

2014-06-04 Thread Salz, Rich
It supports both, yet lots of complicated work to create a full event system. Well, okay :) As opposed to having the SNI callback block on a mutex while some other thread wakes up and does whatever work is needed. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA I

RE: suspending and continuing handshake

2014-06-04 Thread Salz, Rich
> You could try the OpenSSL RT. I would suspect that such a feature would be > relatively low on the priority list. Especially because OpenSSL's programming model is to use threads, not events. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me;

RE: SSL Renogotation failure

2014-06-04 Thread Salz, Rich
> Can you please elaborate? One side of your connection, and it could be either the client or the server, is doing the old-style (OpenSSL calls it LEGACY) renegotiation and the other side is rejecting it. One use for renegotiation is to get a client cert, for example. For information about

RE: SSL Renogotation failure

2014-06-03 Thread Salz, Rich
> 2014-06-03 07:12:05 EDT LOG: SSL error: unsafe legacy renegotiation disabled Somebody has an outdated implementation that doesn't do secure renegotiation. Google search. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me

RE: Platinum Sponsorship by Huawei

2014-05-29 Thread Salz, Rich
Frans, I apologize. My posting was a mistake. (I meant to cancel my posting, but instead my fingers hit control-return rather than escape.) I am sorry that, on the basis of one posting, I called you a troll, or implied that you had anything other than concern and interest in seeing the best p

RE: Platinum Sponsorship by Huawei

2014-05-28 Thread Salz, Rich
Please don't feed the troll -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: ECC Certificate with certificate chain in RSA format

2014-05-28 Thread Salz, Rich
> So the "same key type" rule only applies to TLS <=1.1. I'm not aware of any > implementation that actually enforce this rule though. Thanks for posting the references! /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz ___

RE: ECC Certificate with certificate chain in RSA format

2014-05-28 Thread Salz, Rich
> The signature on a certificate is made using the key of its parent CA. So > that means that the parent CA uses an RSA key and not an ECDSA key. I thought the spec says the cert should be signed with the same key type. Not sure which spec, sadly. :( And that consensus was that this is a mista

RE: PEM to DER changes SubjectAltName

2014-05-25 Thread Salz, Rich
It just looks like the windows cert viewer displays field names differently. No big deal. Or am I missing something? /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: backward compatibility for tls 1.2

2014-05-13 Thread Salz, Rich
> I am planning to upgrade my tls connection from 1.0 to 1.2. I have made changes from the client side and am able to see the client hello with tls version 1.2. The server supports only 1.0 and the client is not falling back to 1.0 and giving me a fatal that Protocol version alert. You have t

RE: How to check if certificate is a EV-SSL certificate?

2014-05-12 Thread Salz, Rich
> X509_get_ext_d2i(certificateX509, NID_certificate_policies, NULL, NULL) > which returns some data depending on the NID provided. Since it is a void-pointer, I don't know which data type it returns. According to x509v3/pcy_cache.c, it returns a pointer to CERTIFICATEPOLICIES. According to

RE: whichever certificate loading first wins

2014-05-02 Thread Salz, Rich
Nothing jumps out at me, sorry. Hopefully others will find something. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: whichever certificate loading first wins

2014-05-02 Thread Salz, Rich
> We have a webserver with an SSL self-signed certificate that uses our company > CA cert in its chain I can't parse that -- either it's self-signed (usually only done by root CA's), or it's using an internal company CA. Can you post "x509 -text" for both certs? /r$ -- Principal Se

RE: Increment certificate serial numbers randomly

2014-04-28 Thread Salz, Rich
If you are comfortable with the key existing (online?) in multiple places, make the serial number be a UUID treated as a BIGNUM. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

Improving structure and governance

2014-04-25 Thread Salz, Rich
While we're still waiting to hear from the core team about changes, I might as well add to the noise and throw this out there. Perhaps openssl should become an Apache project? Keep the foundation for financial reasons, but use their infrastructure and such. Or perhaps consider adopting a large

RE: Secure storage of private (RSA) keys

2014-04-15 Thread Salz, Rich
In our haste to help, the secure memory allocation patch we posted last week had two issues. First, it wasn’t easy to use. We knew that, and tried to set expectations accordingly. Second, it wasn’t really secure enough. We didn’t know that, and we thank everyone who brought it to our attention.

RE: Do I have to regenerate my own CA certificate because of Heartbleed???

2014-04-11 Thread Salz, Rich
> do I have to regenerate my CA certificate created with the former openssl version because of the Heartbleed vulnerability ??? There should never be any reason for your web server to read the private key of the CA. So, no. -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Secure storage of private (RSA) keys

2014-04-11 Thread Salz, Rich
> Have you thought about mprotecting the guard pages with > mprotect(PROT_NONE) so the application crashes in case of a stray memory > access? Yes, rats. My message implied that we do that. And I then posted the wrong version of the code. :( Here's the right version of cmm_init. /r$

Secure storage of private (RSA) keys

2014-04-11 Thread Salz, Rich
Akamai Technologies is pleased to offer the following patch to OpenSSL. It adds a "secure arena" that is used to store RSA private keys. This arena is mmap'd, with guard pages before and after so pointer over- and under-runs won't wander into it. It's also locked into memory so it doesn't appea

RE: OpenSSL Security Advisory

2014-04-09 Thread Salz, Rich
> Can you please post a "good" and a "bad" server example. I have tested a lot > of servers, including 'akamai.com', and they all show HEARTBEATING at the end: Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest. My example tests only for

RE: OpenSSL Security Advisory

2014-04-09 Thread Salz, Rich
> I get the heartbeating message on both unpatched and patched servers. Should that make me worry about the patched machines? Not necessarily. If they updated to the 'g' release, then they are doing buffer-overrun checking and you're safe. You can probably find out by connecting to your serv

RE: OpenSSL Security Advisory

2014-04-09 Thread Salz, Rich
> How do I determine whether or not the web servers I run are affected? Here's a simple way: echo B | openssl s_client -connect $HOST:$PORT if you see "heartbeating" at the end, then $HOST is vulnerable. How can you tell if private keys have been taken? You can't, really. You ca

RE: Question regarding offloading fundamental ECC operations on a hardware

2014-04-04 Thread Salz, Rich
> So if i go on and change the openssl code to offload ECC operations, will i > be breaking any license? If you are buying off-the-shelf hardware, then the vendor probably has the necessary licenses. If you are building your own hardware, purely for your exploration and discovery, then it is

RE: Passing packets (vs file descriptor) to OpenSSL...

2014-04-03 Thread Salz, Rich
> Is there a good way to pass the packets to/from openssl instead of using a FD for handshakes/etc? BIO is the openssl IO abstraction; see SSL_set_bio, for example. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

What if I don't call SSL_{CTX}_set_cipher_list?

2014-02-24 Thread Salz, Rich
What happens if I never set the cipher list (in either SSL or SSL_CTX). Do I get the value of DEFAULT? Or a zero list and failure? Thanks. -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Regarding certificate type

2014-02-05 Thread Salz, Rich
Those aren't certificate types, they are encodings. (You can almost think of them like character sets; Unicode UTF-8 and UTF-16, for example). I'm not aware of any tests in openssl, but I could be wrong. If the file is ascii, or has a line that starts with five "-" characters, or the filename ends

RE: DH_generate_key() segmentation fault

2014-01-24 Thread Salz, Rich
> These built-in functions do not return the size of the binary data, so how can I get the length of the binary data? BN_num_bytes() which you already used in your initial posting? -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: DH_generate_key() segmentation fault

2014-01-21 Thread Salz, Rich
As two other people have already said, you cannot use strlen() on binary data. > >BN_bin2bn(parmp,strlen(parmp), dhPar2->p); > >BN_bin2bn(parmg,strlen(parmg), dhPar2->g); /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Verification of a x509 certificate signature

2013-11-27 Thread Salz, Rich
The point of posting PEM is that people can cut and paste from a mail message and decode it to get the DER or whatever. (That's why PEM format was invented, to survive intact through email:) You are generating a certificate, self-signing it, and your recipient cannot verify it. Right? Please

RE: Verification of a x509 certificate signature

2013-11-27 Thread Salz, Rich
NID is an internal openssl implementation detail; X509 data structures have OID's. Post the PEM of the cert. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Problem with specifying the CIPHER list

2013-11-26 Thread Salz, Rich
> Server side at least it would be theoretically possible: i.e. only choose a > ciphersuite if TLS v1.2 is negotiated. OpenSSL doesn't support this though. I didn't think so, thanks. One possibility is to add a construct like proto?cipher to the colon-separated list. Any interest in a p
