In 1.1.0 and later, the flag takes a single parameter in name=value. Yes
that’s strange, but it means that in the common case you don’t need to do any
quoting:
-header Host=ocsp.example.com
In 1.0.2 it takes two parameters
-header Host ocsp.example.com
--
opens
>Well what I was alluding to is this the correct use of the RAND_add
> function
to seed the Key generation. Its a bit confusing certainly.
You are calling the API correctly. That should have been clear from the
manpage.
You still did not tell us what version of OpenSSL you are using.
What version of OpenSSL are you using?
Using the time to seed the RNG is horrible; DO NOT DO THAT.
Not trying to be insulting, but if you think time is a good source, then you
really don't know what you're doing for RNG's. Consider looking at the master
branch, with its highly-improve seeding
There are TLS control messages which could flow in either direction,
spontaneously. Renegotiation (pre TLS 1.3), tickets (TLS 1.3), and so on.
I cannot comment on if your proposal would work or not, sorry.
From: Alex H
Date: Saturday, May 19, 2018 at 5:03 AM
To: Rich Salz , openssl-users
Subj
TLS is a bidirectional protocol. You can’t throttle only one side.
From: Alex H
Reply-To: openssl-users
Date: Friday, May 18, 2018 at 7:21 PM
To: openssl-users
Subject: [openssl-users] Receive throttling on SSL sockets
How do you properly implement receive throttling on SSL sockets without
h
=31919==by 0xB355537: asn1_do_lock (tasn_utl.c:79)
==31919==by 0xB352767: asn1_item_embed_free (tasn_fre.c:88)
==31919==by 0xB3528D4: ASN1_item_free (tasn_fre.c:20)
Regards,
Raghavendra
On Fri, May 11, 2018 at 3:40 PM, Salz, Rich via openssl-users
mailto:openssl-users@openssl.org>> wro
(tasn_fre.c:88)
==31919==by 0xB3528D4: ASN1_item_free (tasn_fre.c:20)
Regards,
Raghavendra
On Fri, May 11, 2018 at 3:40 PM, Salz, Rich via openssl-users
mailto:openssl-users@openssl.org>> wrote:
The print routine does not free anything.
From: Raghavendra a mailto:raghua...@gmail.com&g
The print routine does not free anything.
From: Raghavendra a
Reply-To: openssl-users
Date: Friday, May 11, 2018 at 5:53 AM
To: openssl-users
Subject: [openssl-users] freeing of X509_CRL object
Hi All,
In my program,
converting X509_CRL object to string format using X509_CRL_print and
BIO_get
>After the generation of SignedCertificate.pem. I would like to write
function to verify the SignedCertificate.pem, whether it is signed or not.
That is still not an accurate description. By definition, a certificate is
*signed data.* It appears as a bitstring in the X509 data structu
On 5/3/18, 4:24 AM, "morthalan" wrote:
No, technically not. I am just searching for a simple method just to check a
certificate is signed by CA or not.
Because. Something like signing check, I am not quite sure, I do not have
proper knowledge on Openssl.
If you have a ce
>Interoperability issues with middle-boxes or existing software written for
> TLS 1.2.
Facebook, Google, and Mozilla did lots of testing with TLS 1.3 and middleboxes.
If something was missed, the whole Internet will have problems. Existing
software is the question we are trying to answer
>The issue is most likely that no one "in the wild" has done any testing
of significance.
I thought the Akamai numbers were significant.
I can certainly see tls1.2 exchange but there is nothing for tls1.3 and
so I am working on getting a site up pronto ( in the wild ) to test
Sorry, typo. We've had hundreds of millions of connections, with megabytes of
data exchanged."
On 4/30/18, 11:52 AM, "Salz, Rich" wrote:
Akamai has had millions of connections with megabytes of data exchanged.
This is with partial deployment on our network, and requiring customers to opt
Akamai has had millions of connections with megabytes of data exchanged. This
is with partial deployment on our network, and requiring customers to opt in to
enable beta-testing. We have found no issues. We don't do 0RTT. We are using
our own server.
I was surprised by how many connections an
* I have posted my question into the forum. Please kindly approve it as
soon as possible.
Which forum?
The fact that you were able to post to the openssl-users mailing list means you
should just post your question, well, to the openssl-users mailing list. ☺
--
openssl-users mailing list
To
Yeah, you're probably right. I was distracted, should have looked closer.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Your key starts with EF... Since that has the high-bit on, it should be
encoded with a leading zero.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py
When I try this:
; ./apps/openssl s_client -connect bootstrap.pypa.io:443 -tls1_1
It fails. When I leave off the last flag, it connects via TLS 1.2
So that website does not support anything older than TLS 1.2, appare
>But I know someone is going to ask: Can you apply all of the newer
security fixes to 0.9.8zh? So I'll ask...can I?
The project stopped supporting 0.9.8 2+ years ago, and announced its plans 3+
years ago. Backporting fixes from 1.0.2 should be possible, but won't always
be easy.
It m
>I have an application that runs on an old OS that currently has
OpenSSL 0.9.8a
So you should be able to compile and install the last 0.9.8 release,
https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zc.tar.gz Note that this
is more than two years old. Many fixes have happened since
You didn't answer the question that was asked.
Which host?
On 4/16/18, 4:23 PM, "Rob Marshall" wrote:
Hi,
I built and installed OpenSSL 1.0.2n and I'm still seeing the problem.
I originally tried to build/install 1.1.0h but my goal was to
build/install an updated OpenSSH (
OpenSSL 1.1.0 *does not* go through the locking callbacks. They will never be
called.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* Does this mean I can safely remove all usages of the above functions from
my application code? I'd appreciate if someone could explain the above comment
in a little more detail or confirm what I'm saying. Or has anyone else been in
the same situation?
Yes. Do not use the locking callba
You need to change your server config (however it is done), so that it gets
@SECLEVEL=0 into the cipher string. See the ciphers manpage for description of
security levels.
You can also edit openssl source and rebuild/relink, but that shouldn’t be
necessary.
--
openssl-users mailing list
To u
>openssl ciphers -v list the NULL ciphers, but when I try to use NULL or
>NULL-MD5 I get the same result: No ciphers available.
You have to configure with a cipher string that has “@SECLEVEL=0” in it.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl
* Need some help with RFC5077 ticket construction. I’d like to implement a
type of Needham-Schroeder protocol where:
That’s not what TLS tickets are for. It is for having session state, where the
client holds all the state and the server (having only the decryption key) can
resume the con
* So, Is OpenSSL community is thinking on having the inbuilt PKCS#11
support or will continue working with third party modules(libp11) ?
Things have never gotten past this kind of discussion phase.
Interested parties will have to discuss on email list and create one or more
pull requests.
For RSA it's the ASN1 sequence of the key. For Ed25519 it's just the 40 bytes
of the raw key.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>I might, but people using envelope-from
are not very contactable :(
Did you try? That address works.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
The API cannot do it. The encoding requires that numbers with the high-bit on
have a leading zero to avoid being interpreted as negative numbers as you
noticed. You could maybe generate our own RSA numbers with the high-bit off –
i.e., make your own RSA_new kind of API. The BN code can have f
>Is there a way yet to get the raw public-key out,
documented or not? As you may guess, this is for DKIM.
Ask Murray; he's had some off-list discussions :)
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Did you specify the -md flag on either/both?
https://www.openssl.org/docs/faq.html#USER3
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
How big is the file? Could it be bigger than 32 vs 64 bit platforms?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Please look at https://github.com/openssl/openssl/pull/5704 and see if it fixes
the issues.
On 3/20/18, 8:52 PM, "RTT" wrote:
Hello,
Building the shared libraries (version 1.1.1 pre 3) for Windows with
Visual Studio, targets VC-WIN32 or VC-WIN64A, result in DLLs with
ver
* As of now, what is the latest version of openssl supporting FIPS, then?
1.0.2
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* Did you mean if an application uses the low level crypto algorithm
functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then they won't work
under FIPS mode (and hence may cause unpredictable issues)?
Yes.
It’s not unpredictable issues, but rather that your application cannot claim t
>I believe you're out of luck. I believe that OpenSSL does not support
> migration
of live connections between address spaces.
Yeah, the closest you can come is using TLS sessions or tickets.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/opens
Yes, you will have to create the BIO object at run-time and use the settor
methods.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
This is very useful! Can you post an udate to the wiki?
https://wiki.openssl.org/index.php/Binaries
On 2/21/18, 8:57 AM, "Angus Robertson - Magenta Systems Ltd"
wrote:
Windows developers may be interested in our Win32 build of OpenSSL
1.1.1-pre1 (alpha), the binaries are digitally
https://github.com/openssl/openssl/pull/5423
On 2/20/18, 2:10 PM, "Salz, Rich via openssl-users"
wrote:
I agree, let's just use malloc for the reasons you said. PR later today.
On 2/20/18, 2:08 PM, "Viktor Dukhovni" wrote:
I agree, let's just use malloc for the reasons you said. PR later today.
On 2/20/18, 2:08 PM, "Viktor Dukhovni" wrote:
> On Feb 20, 2018, at 11:36 AM, Norm Green
wrote:
>
> Your patch tests clean, however there is an easier way which avoids
malloc:
Great, so
> So ... this will be fun.
:)
Thanks for poking at this, folks. Please take a look at the INSTALL and README
files which do cover some of this prerequisites. And then once you've "fixed"
it, let us know what we need to change!!
--
openssl-users mailing list
To unsubscribe: https:/
Would making buf a union also avoid the problem?
union { unsigned long dummy[2]; char buf[DATA_BUF_SIZE]; } d
and then replace 'buf' with 'd.buf' in the code?
On 2/20/18, 12:00 AM, "Viktor Dukhovni" wrote:
On Mon, Feb 19, 2018 at 01:45:26PM -0800, Norm Green wrote:
> # AS
* Which version on 1.0.2x is the same as 1.1.0g(bug fixing branch)?
None. 1.1.0 is substantially different (most structures are now opaque).
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
FYI, FIPS does not work for 1.1.x.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
You are probably having errors because you have old build results still in your
tree. It might be easiest to wipe things out and start over. You can run the
whole build and test without being root. I do it multiple times a day. And
then, if needed run the ‘make install’ step as root.
From:
For the failing test, try this
make TESTS=test_rehash V=1 tests
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* If your program uses threads, then you *have* to set the thread
functions. Glad you got it fixed.
> Why can't OpenSSL do this automatically? Yes, some applications will need to
> supply specialty functions, but it could supply defaults.
It does in 1.1.0 and later.
--
openssl-users mai
If your program uses threads, then you *have* to set the thread functions.
Glad you got it fixed.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
FIPS is not supported in 1.1.0. We will be starting a FIPS project soon,
targeted for the next release after 1.1.1
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
The usual cause for this is a stray or incorrect pointer, corrupting malloc
structures. Have you run your code under a valgrind or similar?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* What is OpenSSL's current status regarding this?
I don’t recall it being raised before, and I don’t think anyone one the team
has expressed interest in this. It would probably have to start by someone
contributing a pull request.
--
openssl-users mailing list
To unsubscribe: https://mta.o
Yes, if there’s something that was made impossible to do because of things
being made opaque, adding the missing API’s would be a bugfix and go into 1.1.0
and beyond. It woud be great if you could create a PR.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listi
It appears to be a memory leak in the DNS libraries.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
➢ Question: Is there a way to set IV for CTX after its initialization for
FIPS
version of OpenSSL?
No, sorry.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
The OpenSSL FIPS Validation #1747 is affected by the key wrapping transition
and will therefore be moved to Historical at some point.
As we’ve said, FIPS will be the focus of our next feature release after 1.1.1
(TLS 1.3).
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/m
The TLS protocol puts limits on how much application data can appear in a
single record. Without knowing all the details, that seems like a very silly
requirement. There is no security reason for it.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl
Sorry, then, I’ve exhausted my knowledge-base. Hopefully others will have more.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Doesn’t shutdown close the socket?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Two SSL objects sharing the same socket? That doesn’t work. Or did you mean
something else?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
And also the last paragraph of our most recent blog entry, which says this:
We also decided that the primary focus of the next feature release after 1.1.1
will be FIPS. We know that FIPS is very important to some, not all, members of
our community and we are committed to addressing this. We don’
The current FIPS only supports dynamic libraries.
You should try to get the email disclaimer removed when you post to a public
email list.
From: Emre BAYRAM
Reply-To: openssl-users
Date: Thursday, January 25, 2018 at 1:30 AM
To: openssl-users
Subject: [openssl-users] Building/Running fips en
>> You seem to be very very VERY upset by how OpenSSL implements one
> particular part of RFC 5280. Viktor has shown that it’s not just us, it’s
> other code as well. The original poster was able to live with OpenSSL’s
> implementation. You don’t like that code. So be it.
> If tha
On Tue, Jan 23, 2018 at 3:45 PM, Salz, Rich wrote:
> ➢ The docs have _not_ changed:
https://www.openssl.org/docs/standards.html.
>
> Nor is there any need for that page to change. READ WHAT IT SAYS.
➢ I'm surprised you are arguing against clear documentation on behaviors
➢ The docs have _not_ changed: https://www.openssl.org/docs/standards.html.
Nor is there any need for that page to change. READ WHAT IT SAYS.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
➢ this feature sends notifications about _all_ conversations happening.
For me, I get the actual comments that are posted. Don’t you? On the mailing
list, you have to explicitly mark/junk conversation threads in your mail
program. You would still have to do that here.
I don’t understand
You should be able to just watch the openssl repo (the eyeball/watch notice in
the upper-right side)
On 1/23/18, 7:00 AM, "Hubert Kario" wrote:
On Friday, 19 January 2018 18:34:57 CET Salz, Rich via openssl-dev wrote:
> There’s a new blog post at
> https://www.openssl.org/blog/
I think this discussion is getting a little hot and bothered.
Have a good night.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
➢ I don't see CA/Browser Forums listed, but I do see RFC 3280 listed.
The page also says it’s “casually maintained.” Feel free to create a PR on
openssl/web repo. :)
IETF RFC’s aren’t perfect; that’s why there are errata. Dragging this all the
way to “we’re ignoring the words” is not nor
> Here's the standards OpenSSL claims to implement:
Read the whole text. It doesn’t say anything like “claims to implement.”
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Perhaps ask what other FreeRadius users do, on one of their support forums? I
doubt you are the first to run into this.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
➢ The sensible thing at this point is to publish an update to RFC5280
that accepts reality.
Yes, and there’s an IETF place to do that if anyone is interested; see the
LAMPS working group.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-user
There’s a new blog post at
https://www.openssl.org/blog/blog/2018/01/18/f2f-london/
It contains some important policy changes we decided at our meeting last month.
This includes:
- Closing the openssl-dev mailing list; use GitHub for issues
- New mailing list openssl-project for pro
We have had some discussions within the team about LTS, and there’s nothing to
say yet.
From: Saul Dickinson
Reply-To: "sauldickin...@gmail.com" , openssl-users
Date: Tuesday, January 16, 2018 at 9:39 AM
To: openssl-users
Subject: [openssl-users] Next LTS version
Hi,
Is there any more recent
For CBC the encrypted text will be a multiple of the cipher size. So your use
of CBC is wrong. The quoted post uses aes256; you were using aes-cbc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
The combination of (issuer,serial#) is the only way to get a unique identifier
for a certificate. Lots of software depends on certs being uniquely
identifiable. What happens if that assertion is not true? Some things will
break. What? Well, it depends on the software, and which certs are
“
> 4 - In general, is there a way of making the Signature/Encryptions in
> OpenSSL be deterministic for debugging/testing purposes? >
You can define your own RAND method that implements a known sequence. Look at
test/ecdsatest.c in master, for example.
--
openssl-users mailing list
To unsubscrib
The difference is “auto private key” versus “RSA private key.”
> -BEGIN PRIVATE KEY-
This is a private key wrapped in a PKCS8 container with a key-type identifier.
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # openssl rsa -inform pem -in
test.key -outform der -out key.der
writing RSA key
It is hard to follow this thread with all the indenting.
> If I take a PEM-encoded RSA private key file and convert it to binary (using
> b64decode) what I get is not the same thing as I get from "openssl rsa
> -inform pem -in key -outform der -out key.der".
How do you convert it? Did you str
,
Great news!
Does it work for certificates too?
On Thu, Dec 28, 2017 at 11:51 PM, Salz, Rich via openssl-users
mailto:openssl-users@openssl.org>> wrote:
Having wrestled with this in the past, I want to point out that with commit
https://github.com/openssl/openssl/
Having wrestled with this in the past, I want to point out that with commit
https://github.com/openssl/openssl/commit/bfa470a4f64313651a35571883e235d3335054eb
in master, it’s now possible to put a SAN field (or any extension) in a cert
request via the command line; no special custom config or fa
> Hence, if at all, verification requirements must have been lowered in the new
> OpenSSL version.
No, it is also the case that the new version now more correctly accepts some
chains as valid that because of bugs, the old version did not.
--
openssl-users mailing list
To unsubscribe: https://
So if you put locks around the SSL_CTX object when it’s used, then you can use
the set private key call to update the key; and then all SSL_new objects
afterwards will use the new credentials. Does that meet your need?
> "is there a decent way to convert a PEM or DER private key file into ASN.1
Yes, the certificate validation was fixed, and improved, in 1.1.0.
You should not use 1.0.1 if you can at all avoid it. It has many bugs,
probably security issues, and missing features. Like, for example, cert
validation.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.or
➢So it's guaranteed for 1.1, mostly guaranteed for recent 1.0.2, but not
guaranteed for older 1.0.2.
yes.
➢ I also think it would be good to backport all to 1.0.2
Yes. I believe I did that, but I am not absolutely 100% positive.
--
openssl-users mailing list
To unsubscribe: h
➢ I think we fixed all such cases in 1.1.0, all *_free() functions
should handle NULL. I don't think we backported to changes to 1.0.2.
Yes, and we fixed the documentation. I backported all/most of them to 1.0.2 to
make cherry-picking easier. I don’t know if I changed the docs.
--
> if (ptr!= NULL) free(ptr);
That shouldn’t be necessary for OpenSSL. If you find places where it is,
please open an issue.
➢ BTW, "can handle" should explicitly say what happens. Perhaps use the C
library text, which says:
If ptr is NULL, no operation is performed.
Our intent is that all FREE functions can handle NULL. If you find things
missing or undocumented, please open an issue on GitHub. Thanks!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* My target can’t support native build environment, so I must use cross.
* Is there any way to fix those errors?
If you make any changes to the FIPS build procedure, then the result is not
FIPS validated. I think the build procedure does not support cross-compiling
very well, because it
Okay, FF does ECDHE not DHE/EDH. The whole industry does that, and most are
using X25519 which was developed by Dan Bernstein.
The Guardian article you referenced didn’t even have the word curve in it. My
question – do you have a reference that shows Schneier says not to use elliptic
curve –
* I find that Firefox refuses to do any ephemeral ciphers whatsoever. What
the heck? Why am I surprised. Somebody paid them.
I don’t know what server you are testing against, but FF does ECDHE all the
time with no problems.
* If you follow Schnieder, elliptic curve is not an option
The s_server program is not multi-threaded, it does one connection at a time.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
➢ The OP claimed the file was only in the FIPS tarballs, and not in the
OpenSSL tarballs. My questions were based on that.
So the OP is wrong.
➢ Saying "in the distribution and website" is also quite vague and
thus another example of a non-answer.
No it’s not. The OpenSSL dist
README.ECC has never been part of 1.0.2 and is always part of the the 1.1.0
tarballs; do you have evidence otherwise?
I don’t think the team is going to answer any questions beyond what is already
in the distrubtuion and website except to say that the license is NOT limited
to the FIPS releases
➢Or at least that used to be the case. TLSv1.3 got rid of renegotiation, so
if you have a TLSv1.3 connection, it will never renegotiate.
But it could ask for a certificate, which would trigger SSL_WANT_WRITE
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/
You can re-use the keys, but then you get no forward secrecy, and sessions
generated with one connection are vulnerable to another.
Why are you using DH? Unless you have compelling reasons (interop with
legacy), you really should use ECDHE.
--
openssl-users mailing list
To unsubscribe: https:
* When I see SSL certificates, their serial number is like this :
0A:8D:9A:4Q:8X:1A:0B:88:18:1Z
Serial numbers are displayed as hex values, so my guess is you just typed that
“as an example” since Q X Z aren’t valid hex characters. Or perhaps it was an
extension (like device serial) that is
>My personal priority list for OpenSSL is bug fixes and code cleanup
> (static and dynamic analysis of the 1.1.x codebase would be good, and one of
> these days I'll get around to doing it myself),
We do run coverity weekly, and anyone can sign up to see the results BTW
--
openssl-users m
> My number one complaint is that it seems like the defaults are generally set
> up to do the wrong things, and the application has to either explicitly set
> "yes, you should be secure" options or do stuff on its own. This seems to
> have been getting better - gaining hostname validation, for
➢ It probably wouldn't hurt to post something to the lists when there's a blog
post with news like this - items that subscribers would likely feel is
important. Blog posts like the recent "OpenSSL in China" series probably don't
need to be mentioned on the lists. But it's subjective, and I woul
201 - 300 of 456 matches
Mail list logo