Re: [openssl-users] CSR with multiple subject names?

2017-06-01 Thread Salz, Rich via openssl-users
By default, TLS only does server-side verification. If you are using client certificates, you will have to write some code for your application. -- Senior Architect, Akamai Technologies Member, OpenSSL Dev Team IM: richs...@jabber.at Twitter: RichSalz -- openssl-users mailing list To unsubscrib

Re: [openssl-users] OpenSSL version 1.0.2l published

2017-06-01 Thread Salz, Rich via openssl-users
> So the CHANGES file isn't really "changes". The full list of everything that has changed can be found via git logs. As Matt said, we only put particularly significant items in the CHANGES file.

Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread Salz, Rich via openssl-users
> Then I've misunderstood the presence of the "-DSHA256_ASM" flag. > > What's it specifically used for? To remind me to double-check my answers? :( Sorry, they are present. The difference is that the help message in 1.0.2 isn't complete. Did you try the commands directly?

Re: [openssl-users] sha256 digest support in v102l build missing; present in v110f. missing build flag?

2017-05-30 Thread Salz, Rich via openssl-users
> The results are both functional, but the v102l build is missing > sha{224|256|384|512} digests Right; those digests are not in 1.0.2 -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Cannot find SSL_CTX_get0_param in libssl library

2017-05-28 Thread Salz, Rich via openssl-users
> The openssl program will use the wrong libssl.so and libcrypto.so. Yes, got it. But that's small potatoes compared to everyone else finding the wrong shared library, and just saying "use rpath" doesn't help all those others.

Re: [openssl-users] Cannot find SSL_CTX_get0_param in libssl library

2017-05-28 Thread Salz, Rich via openssl-users
> We still don't know what use case is being represented by omitting the > RPATH in the OpenSSL build. Because only one program, apps/openssl, presumably needs rpath. But that doesn't solve the problem for *external applications* that need to find OpenSSL in a different place, does it?

Re: [openssl-users] Cannot find SSL_CTX_get0_param in libssl library

2017-05-28 Thread Salz, Rich via openssl-users
> I am trying to compile / install a utility from Source on CentOS that > utilizes OpenSSL 1.1.0 (latest version) . However, I get the following error: > configure: WARNING: Cannot find SSL_CTX_get0_param in libssl library. TLS > hostname verification will not be available. Most likely, the uti

Re: [openssl-users] certificate renewal without restarting processes

2017-05-25 Thread Salz, Rich via openssl-users
> It uses SSL_CTX_use_certificate_chain_file in some places and in other places > it uses PEM_read_bio_X509 > > When these APIs are used, can the OpenSSL stack detect updated files on > disk and reload them without any intervention from the application? No, it's a load and use the current content

Re: [openssl-users] automating my CA

2017-05-19 Thread Salz, Rich via openssl-users
> A lot of Online certificate providers have some kind of REST API. > > Is there such an API available as OSS or do I have to write one myself You might want to look at the IETF ACME protocol. There are many clients around. And the LetsEncrypt code is open source.

Re: [openssl-users] SSL_CTX_set_tmp_ecdh_callback() - version 1.0.2k

2017-05-14 Thread Salz, Rich via openssl-users
> 2) Why isn't it listed in the manpages? Many functions aren't documented. We're all working on it.

Re: [openssl-users] Regarding pkcs_9_at_signingDescription(1.2.840.113549.1.9.13)

2017-05-10 Thread Salz, Rich via openssl-users
Doesn’t seem to be supported in openssl. What’s the equivalent of pkcs_9_at_signingDescription

Re: [openssl-users] C++ How to parse Subject Directory Attributes Extension?

2017-05-09 Thread Salz, Rich via openssl-users
That attribute is not currently supported. Someone would have to write ASN1 parsing code. There are examples all over the place within OpenSSL; see the various d2i_XXX and i2d_XXX functions. There are macro/define’s available to make the job easier. But, it is not really documented. Maybe t

Re: [openssl-users] forking server question

2017-05-07 Thread Salz, Rich via openssl-users
> Make that N processes, and understand why this should be a FAQ. Have no problem with adding to the FAQ. It's likely to be our next code-health target :)

Re: [openssl-users] forking server question

2017-05-06 Thread Salz, Rich via openssl-users
> Please excuse what is a simple question: what is the proper way to clean up > in the parent and child when writing a forking server using OpenSSL? It's not simple. Can you have the parent just do socket stuff, and then accept/fork and have the child do all the OpenSSL calls? Having two proces

Re: [openssl-users] Documentation for Integrating New Cipher Creation Request

2017-05-01 Thread Salz, Rich via openssl-users
> While the process is still fresh in my head, I was wondering if the community > would benefit in having some documentation on the process to follow and > issues that may arise? Possibly add this into the OpenSSL wiki? This would be a great idea.

Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Salz, Rich via openssl-users
I can point you to https://github.com/richsalz/pki-webpage But it is *not official* and may not work for what you want.

Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Salz, Rich via openssl-users
> I am looking for a CA makefile to use with a openvpn tutorial I am writing > https://github.com/Oflameo/openvpn_ws. Is there one officially endorsed > by the openssl project? If there were, it would be in the source distribution.

Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

2017-04-28 Thread Salz, Rich via openssl-users
I unsubscribed Ryan; he’ll have to rejoin.

Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init properly? How to free correctly?

2017-04-28 Thread Salz, Rich via openssl-users
Once you "turn over" the MD to the MD_CTX, it's now owned by it and cleanup will happen with MD_CTX_free

Re: [openssl-users] AES-256 Do I need random IV?

2017-04-27 Thread Salz, Rich via openssl-users
> For AES-256 encryption, should IV be random? I am already using a random > salt, so I was wondering if IV should be random too. It should be non-repeating. It can just be a counter. (Yes, I know OP didn't ask about AESGCM. But if they're coming here for advice ... )

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Salz, Rich via openssl-users
> Does openssl  provide any way to set MSG_NOSIGNAL on sendmsg (Underlying > TCP/IP socket layer) ? No. You will have to modify the code yourself.

Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Salz, Rich via openssl-users
> A naïve question. A certificate that contains SAN attribute(s) – is there a > limit on how many, say, RFC822 SAN attributes can a valid certificate have? No. > It’s been my understanding that a cert can contain as many SAN attributes as > needed, but it appears that Apple believes it has to

Re: [openssl-users] Which protocols should my client support?

2017-04-24 Thread Salz, Rich via openssl-users
> My client is a custom application and as such only needs to communicate with > specific servers for specific purposes.  I think it makes sense for my client > to only support the specific protocol that my server will use, > ECDHE-RSA-AES128-GCM-SHA256.  Does this sound reasonable or should I a

Re: [openssl-users] EVP_CIPHER_CTX array not compiling

2017-04-23 Thread Salz, Rich via openssl-users
>#define OTEXT_AES_KEY_INIT(ctx, buf) { \ >        EVP_CIPHER_CTX_init(ctx); \ >        EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, buf, ZERO_IV); \ >        } Most of the datatypes are now opaque. This means you can't have an EVP_CIPHER_CTX object, but instead a pointer to it. Don't call

[openssl-users] Code health delayed a week

2017-04-22 Thread Salz, Rich via openssl-users
We are still reviewing several PR's from the previous code health, which was about converting tests to use the new test framework. With this extended time period, we'll have ended up converting almost all the tests, which is great. We'll announce the next project toward the end of the week. Th

Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Salz, Rich via openssl-users
You are asking two different questions. The certificates that the *client* sends are specified by the various “use certificate” API’s. No chain is built. See doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain file” API. As for what the *server* does, it tries to use

Re: [openssl-users] How do I connect to this server

2017-04-21 Thread Salz, Rich via openssl-users
> https://username:passw...@server.com > How do I specify this username and password when using SSL_connect()? You don't. That stuff is at the protocol level about TLS/SSL.

Re: [openssl-users] Certificate chain validation

2017-04-21 Thread Salz, Rich via openssl-users
No, you must have a chain up to a local trust anchor. You can install the intermediate in your trust store. From: Lei Kong [mailto:leik...@msn.com] Sent: Thursday, April 20, 2017 9:38 PM To

Re: [openssl-users] SSL_shutdown return error when close in init

2017-04-19 Thread Salz, Rich via openssl-users
> The OpenSSL documentation makes it clear > that you must keep calling the same asynchronous function with the same > parameters until the async job has completed. Is there a way we can (relatively cheaply) check for that type of programming error and return an "in progress on another op" error

Re: [openssl-users] EVP Functions

2017-04-12 Thread Salz, Rich via openssl-users
You need to learn what CBC mode is. Block ‘n’ feeds into block ‘n+1’ The behavior you describe is not wrong. Blocks are padded, so only read outlen bytes.

Re: [openssl-users] Escaped Issuer/Subject

2017-04-12 Thread Salz, Rich via openssl-users
> I thought about escaping regarding DN itself (LDAP DN). Look up the -nameopt flag in, say, x509.pod Then if you need C code, trace through what apps/x509.c does.

Re: [openssl-users] ssl_method_st not defined

2017-04-11 Thread Salz, Rich via openssl-users
>>In my case, I need to initialize the SSL, and set parameters the same as client and server (depending on direction) and call OpenSSL to decrypt the data. >>Before OpenSSL 1.1.0, as all member variables could be set, it was an easy task, >> now I do face issues with ssl_session

Re: [openssl-users] ssl_method_st not defined

2017-04-10 Thread Salz, Rich via openssl-users
No, the functions you want aren’t provided right now. What are you trying to do? Why are you modifying the session, outside of the TLS protocol?

Re: [openssl-users] TLS leak for openssl 1.1.0b with libcurl 7.50.3

2017-03-25 Thread Salz, Rich via openssl-users
Those are curl functions, not openssl From: ghanashyam satpathy [mailto:ghanashyam.satpa...@gmail.com] Sent: Saturday, March 25, 2017 10:05 AM To: openssl-users@openssl.org Subject: [openssl

Re: [openssl-users] One question about RSA decrypt with private key

2017-03-23 Thread Salz, Rich via openssl-users
> For encrypting user data such as user's password, could I use PKCS#1 or OAEP > padding mode? If you do not know what you are doing, use the defaults.

Re: [openssl-users] One question about RSA decrypt with private key

2017-03-23 Thread Salz, Rich via openssl-users
> After commenting out the line "EVP_PKEY_CTX_set_rsa_padding(ctx, > RSA_NO_PADDING)", it worked well. You need to do some reading about basic RSA cryptography. Signatures are padded out to the keysize.

Re: [openssl-users] Is crypto library thread-safe?

2017-03-21 Thread Salz, Rich via openssl-users
> However, is crypto library thread-safe? Check out this blog entry: https://www.openssl.org/blog/blog/2017/02/21/threads/

Re: [openssl-users] EDDSA certificates

2017-03-16 Thread Salz, Rich via openssl-users
> Does any version of OpenSSL provide support for EDDSA, particularly creating > and displaying the content of them? Not yet. EDDSA for 25519 and 448 would be great to have in the next release, tho.

Re: [openssl-users] Generating dh parameters multithreaded?

2017-03-15 Thread Salz, Rich via openssl-users
> Are you suggesting that I should modify openssl myself to expose that > functionality or are suggesting that there is a way to do that given the > already > exposed functionality? If it is the latter could you point me in the right > direction? OpenSSL code does not do what you want. You'll ha

Re: [openssl-users] Generating dh parameters multithreaded?

2017-03-15 Thread Salz, Rich via openssl-users
> It takes a long time. Is there some way to have it use all available cores > instead of just the one? You'll have to write the code to do that parallelism yourself.

Re: [openssl-users] PKCS#7

2017-03-15 Thread Salz, Rich via openssl-users
> Say someone would be able to gather several clear text AES keys and their > respective asymmetrically encrypted RSA blocks. Would it weakens the security > of the RSA key pair ? I mean could it be easier for someone using that > information to brute force an RSA key pair ? No

Re: [openssl-users] PKCS#7

2017-03-14 Thread Salz, Rich via openssl-users
> If so, would it be possible in principle to decrypt an encrypted PKCS#7 > envelope only knowing which AES key was used ? Yes. But maybe not with the openssl api's :)

Re: [openssl-users] Extracting Handshake Information

2017-03-13 Thread Salz, Rich via openssl-users
> Is there a way in openssl we can extract the protocol(TLS/DTLS ) handshake > information, like in clienthello,  the protocol version, ciphersuites > offered, Random,  session id etc. Look at the code in apps/s_client and apps/s_server and see what it prints in various debug modes.

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Salz, Rich via openssl-users
Yes there are easier ways to do this. Set up a conf file and use it (via the -conf flag). You can use env vars, set default values, and so on. Look at the config manpages, https://www.openssl.org/docs/manmaster/man5/ For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz PS -- fi

Re: [openssl-users] [openssl-dev] Openssl 1.0.2 stable SNAP 20170309 issue

2017-03-09 Thread Salz, Rich via openssl-users
Already fixed.

Re: [openssl-users] [AES-GCM] TLS packet nonce_explicit overflow

2017-03-09 Thread Salz, Rich via openssl-users
No, it does not do this automatically. If the nonce_explicit overflows or overlaps, then does openssl code handle it (at least by initiating renegotiation)?

Re: [openssl-users] error making Private RSA

2017-03-07 Thread Salz, Rich via openssl-users
> > My source can be viewed at: mt-umunhum-wireless.net/Sources/rsa/rsa.c Gives a 403. > > My main guess is that your allocation for the PEM buffer is too small > > -- is key/key_len pointing to a static buffer? > > It points to a char string Not sure what that means. Please post your code he

Re: [openssl-users] error making Private RSA

2017-03-02 Thread Salz, Rich via openssl-users
What version of openssl? I'm guessing 1.0.2. Put this line in your code ERR_load_ERR_strings(); And you'll get a more informative message. My main guess is that your allocation for the PEM buffer is too small -- is key/key_len pointing to a static buffer?

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-08 Thread Salz, Rich via openssl-users
> Licensing issues are indeed thorny. Why can't openssl perform a dynamic link? > The soversion should handle any ABI issues introduced in later versions of > GMP. Anything is possible; it is just code. I don't think this is a priority for the team. A pull request ...

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-07 Thread Salz, Rich via openssl-users
> Have you considered using GMP as a big integer backed for openssl?  It has > support for several arm variants using handwritten assembly code and the > developers go to great lengths to find optimize runtime on all supported > platforms. It might be interesting if we could figure out how to h

Re: [openssl-users] FW: problem with missing STDINT.H file

2017-02-07 Thread Salz, Rich via openssl-users
> It's cargo-cult programming, most often by people who can't be bothered to > learn the language they're using. There are also sometimes portability issues, vendors get things wrong. But at any rate, for this project, OpenSSL style says parens after sizeof and says nothing at all about pre-proc

Re: [openssl-users] Why do we try out all possible combinations of top bits in OpenSSL timing attack?

2017-02-06 Thread Salz, Rich via openssl-users
Michael was kind to post some replies. I think a better forum to discuss this is one of the following, which has more focus on cryptographic science and less on “how do I use the CLI” http://www.metzdowd.com/mailman/listinfo/cryptography https://www.irtf.org/mailman/listinfo/cfrg

Re: [openssl-users] How to detect AES-NI compatible CPU

2017-02-03 Thread Salz, Rich via openssl-users
> My application links to OpenSSL 1.1.0 dynamically, and I would like to be able > to determine if the CPU supports the AES-NI instruction set. > Is there an OpenSSL API that can do this? Look at man3/OPENSSL_ia32cap.pod ?

[openssl-users] Heads up -- RT tickets moving to GH issues

2017-02-02 Thread Salz, Rich via openssl-users
Just to let you know, we found a tool to migrate RT to GitHub issues and will be doing that shortly. This will just about double the number of open issues we have and, unfortunately, push the existing (active ones) down a few pages.

Re: [openssl-users] Openssl 1.0.2k compilation issues

2017-02-01 Thread Salz, Rich via openssl-users
>Am trying to upgrade openssl 1.0.1p to 1.0.2k and the compilation breaks with >the below error and am using Ubuntu 10.04.1 >In file included from req.c:84: >comp.h:28: error: redefinition of typedef 'COMP_METHOD' >../../Build/target/usr/include/openssl/ossl_typ.h:181: error: previous >declaratio

Re: [openssl-users] Does CVE-2016-7055 only impact x86_64 platform ?

2017-01-31 Thread Salz, Rich via openssl-users
The text says Broadwell-specific So it only affects *some* x86_64 platforms. From: Sandeep Umesh [mailto:sanum...@in.ibm.com] Sent: Monday, January 30, 2017 2:14 AM To: openssl-users@openssl
