> configuration is identical between the systems/combinations of
> > OpenSSL that work and those that don't.
>
> Do you know that for certain? There's no openssl.cnf from some other
> source being picked up on the non-working system?
I'm pretty certain, but I'll get the customer to double-check.
Cheers!
-- David --
the time to look into this for me Richard.
Cheers!
-- David --
nation of factors rang any bells with anyone before I started digging much
deeper; it's altogether possible that I might just have to write this one off
to experience and tell the user to use a 1.1.1g build of OpenSSL (which I build
exactly the same way, and which works correctly in the same setup).
Thanks for the help - appreciated.
Cheers!
-- David --
answered
elsewhere - I *did* spend some time in Google but couldn't find anything that
seemed relevant.
Thanks in advance for any advice.
Cheers!
-- David --
Background, earlier versions of my project were using OpenSSL 1.n.n, the output
stayed within its checkout directory, and the .DLLs deployed to wherever the
project was deployed.
Now trying to implement OpenSSL 3, after compiling it seems to keep
referring to the directories it was config
cker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cmp-algorithms
Cheers,
David
.
David
On Mon, 2022-10-03 at 19:48 +, Blumenthal, Uri - 0553 - MITLL wrote:
David,
Thank you! That’s a great answer. It looks like OpenSSL does support CRMF?
Would you or somebody else have an example of how to work with CRMF (to create
it, and to process/sign it)?
Do you happen to
returned by the CA in
encrypted form (using the new public key) to the EE,
and the EE will only be able to make use of the cert if it is able to decrypt
it, which proves possession of the private key.
David
On Mon, 2022-10-03 at 15:11 +, Blumenthal, Uri - 0553 - MITLL wrote:
> TLDR;
> N
xtra option: "subjectKeyIdentifier=hash"
req: Use -help for summary.
and this will be available with OpenSSL 3.1.
BTW, if you want a validity period of exactly 100 years, you need to take into
account 24 leap days/years,
so better use "-days 36524" than "-days 36500".
Hi, I'm not an expert on this topic, but this looks like it is of interest here:
https://stackoverflow.com/questions/58488774/configure-tomcat-hibernate-to-have-a-cryptographic-provider-supporting-1-2-840-1
23 Aug 2022 10:34:51 李周华 :
> Hi , guys
>
>
> I have use the follow openssl commands to c
represents the trust anchor for the chain.
Some information on the OpenSSL view on trusted/untrusted certs can be
found at
https://beta.openssl.org/docs/manmaster/man1/openssl-verification-options.html
David
On Fri, 2022-07-15 at 22:38 +0200, Kamil Jońca wrote:
>
> I have freeradius server conf
Yes, the TLS diagnostics can be confusing:
it reports "wrong version" also when there is no TLS (version) being
used by the peer at all.
David
On Mon, 2022-07-11 at 00:16 -0400, Viktor Dukhovni wrote:
> On Sun, Jul 10, 2022 at 02:41:23PM +, loic nicolas wrote:
>
> >
Hi again Beni,
On Wed, 2022-06-22 at 08:29 +0200, Benedikt Hallinger wrote:
> Hi David and thank you for your advice and example.
my pleasure.
I was about to send a slightly improved version of my example code
regarding the use of proxies and the expected content type - see
attached
and
12 command does not have an -
outform option.
And for those having it such as openssl x509, it is not needed because
PEM is the default.
Regards,
David
>
> From: openssl-users On Behalf Of
> Beilharz, Michael
> Sent: Wednesday, May 25, 2022 3:10 AM
> To: 'openssl-users@o
ey -subj "/CN=test" -addext
"subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt
HTH,
David
On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote:
>
> Henning Svane wrote:
> > I am using OpenSSL 1.1.1f Is there a way to make a SAN
> certificate
Hi Philip,
I just had a look at the commit you referenced.
Indeed this bug got fixed there, apparently without this fact being mentioned
there. This commit was part of OpenSSL_1_1_0-pre1, so presumably it was
released with 1.1.0.
15 May 2022 06:14:
their security(?) experts did not get my point and
refused support.
David
On 22.12.21 22:13, Jordan Brown wrote:
On 12/22/2021 1:08 PM, Philip Prindeville wrote:
I see there being limited application (utility) of self-signed certs, since
they're pretty much useless from a security
but so
far the project members have not
found time for this. Later I re-phrased the issue as a major FR:
https://github.com/openssl/openssl/issues/13440
<https://github.com/openssl/openssl/issues/13440>
Regards,
David
On 22.12.21 19:58, Kyle Hamilton wrote:
From a conceptual pe
3.0 was supported on
Solaris, but no releases after that are? Or something else?
Thanks,
David
options, which also
holds for apps/req.c .
You can follow there the code sections starting with the call to
X509_REQ_new_ex().
Sometimes interesting code snippets may be found also in test/ , but not
for CSR generation.
David
-threading, but
very likely not.
David
On 31.08.21 03:19, 青木寛 / AOKI,HIROSHI wrote:
> I would like some advice as to why I am getting NULLs returned as a result of
> calling SSL_CTX_new.
>
> The library I'm using is OpenSSL 1.1.1k.
> The argument to SSL_CTX_new is TLS_
t CRLs are not trusted by themselves.
So the above sentence is in fact a bit misleading
and should better be re-phrased to: "Untrusted certificates should
not be added in this way."
Regards,
David
On 28.08.21 03:52, bl4ck ness wrote:
>
> Hello,
>
> I'm t
* We have a server that has around 2025 clients connected at any instant.
* Our application creates a Server /Listener socket that then is converted
into a Secure socket using OpenSSL library. This is compiled and built in a
Windows x64 environment. We also built the OpenSSL for the Win
if canmulti
* and characters may be escaped by \
*/
X509_NAME *parse_name(const char *cp, int chtype, int canmulti, const
char *desc)
Would be good to have such a function as part of the X.509 API.
David
On 23.07.21 07:49, Viktor Dukhovni wrote:
>> On 22 Jul 2021, at 9:29 pm,
org.openssl.engine:pkcs11:
should work, rather than
-engine pkcs11 -keyform engine
because the latter pertains to all key options used, including -key,
which is not what you want.
HTH,
David
On 25.03.21 18:56, mbalembo wrote:
>
> Hello all,
>
>
> I'm trying to do a CMP request using op
sages.
Kind regards,
David
On 08.07.21 13:17, Petr Gotthard wrote:
>
> Hello,
>
>
>
> I am trying to renew a certificate via CMP and authenticate the
> request using the same cert.
>
>
>
> I start the mock server:
>
> openssl cmp -port 8080 -srv_trusted
ider interface will likely
lift the limitation regarding RSA-PSS support, which lacks just due to
the engine interface.
Cheers,
David
On 01.07.21 19:49, Reinier Torenbeek wrote:
> Hi,
>
> For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1,
> you may want to check out this
to-the-point
hint if an unsuitable one is used.
> I do not have access to nmake.exe.
Everyone who uses a VC-* configuration should have access to cl.exe and
nmake.exe.
David
On 01.07.21 16:55, Joe Carroll wrote:
> Thanks Matt. That clears it up.
>
>
>
> -Origina
.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
-
On Tue, 29 June 2021 at 18:06, Jan Just Keijser wrote:
> On 29/06/21 11:58, david raingeard wrote:
>
Hello,
Technically, what prevents openssl 1.1.1g from compiling correctly on some
operating systems like Solaris 2.6, CentOS 7.8,... ?
thank you !
hello
Is it possible to have some kind of debug server which will always use the
same data, so I can debug the code?
I mean I have openssl working with tls 1.3 and ssl3 on Ubuntu, which I
could compare the logs with the ones on the sparc, so i can find out where
it goes wrong ?
thank you
Hello,
I compiled it using sun compiler, with some modifications to the source
code.
However :)
openssl s_client -connect google.com:443 -tls1_2
works fine !
But
openssl s_client -connect google.com:443 -tls1_3
fails on CRYPTO_memcmp.
For easy debugging, I have made a copy of CRYPTO_memc
(m|$/|s) {
> print STDERR "## $ARGV ##\n";
> system "echo '$_' | openssl x509 -noout -text";
> }
> }
which unfortunately does not work with "TRUSTED CERTIFICATE".
I think the x509 command should be extended to
this provides in the error queue not only
the error code and string, but also the cert for which the error occurred
as well as the set of untrusted certs and the set of trust anchor certs
that were available for chain building in the current X509_STORE_CTX.
Regards,
David
On 31.03.21 07
tly discussing how to handle version
compatibility issues
with the upcoming version 3.0 at
https://github.com/openssl/openssl/issues/14628.
Can you give some concrete typical examples which exact issues you are
facing?
David
On 25.03.21 13:58, Floodeenjr, Thomas wrote:
> If your problem
This question may be considered off-topic, since is not directly about
using the OpenSSL library. Let me know if you want me to delete this
posting.
I have a question about uploading a file (text.txt) securely in PHP
using the SFTP protocol and a public/private key pair. I have posted
this qu
ongly ASN.1 entangled
libcrypto code)
to build OpenSSL without any ASN.1 support, which should reduce code
size drastically.
I suggest opening a feature request at
https://github.com/openssl/openssl/issues
Regards,
David
On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote:
> On 1/20/2
On 01.01.21 08:07, 定平袁 wrote:
> @David von Oheimb <mailto:d...@ddvo.net>
> Thank you so much for your deep investigation!
My pleasure!
> With subjectKeyIdentifier and authorityKeyIdentifier extensions, it
> works like a charm!
Good to hear.
I've meanwhile submitted a pull
On 25.12.20 00:35, 定平袁 wrote:
> @David von Oheimb <mailto:d...@ddvo.net> I will update to a new version
> and try again.
Good. Ideally try also a current 3.0.0 alpha release because there have
been some changes to cert chain building and verification recently.
> To append cert
g it,
or even better, remove the old (non-matching) certificate from that file.
Hope this helps,
David
P.S.: I will be unavailable for several days, too.
On 23.12.20 04:15, 定平袁 wrote:
> @David Thanks for your help!
> This is my openssl version, and the self compiled curl backend
>
> On Mon, Aug 31, 2020 at 11:00:31PM -0500, David Arnold wrote:
>
> > 1. Construe symlinks to current certs in a folder (old or new / file by
> file)
> > 2. Symlink that folder
> > 3. Rename the current symlink to that new symlink atomically.
>
> This is fine, but
1. Construe symlinks to current certs in a folder (old or new / file by
file)
2. Symlink that folder
3. Rename the current symlink to that new symlink atomically.
On OpenSSL side statd would have to follow through on symlinks - if it
shouldn't do so.
This is +- how kubernetes atomically provisions
bad thing, under the least-privilege
principle.
-Kyle H
On Sun, Aug 30, 2020, 18:36 Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
On Sun, Aug 30, 2020 at 05:45:41PM -0500, David Arnold wrote:
> If you prefer this mailing list over github issues, I still want
to ask
ur comments!
BR, David A
'll keep using no-asm, and hope that it's not going to get more deprecated
than it apparently is at present (based on the comments in INSTALL).
If anyone on the list has a NASM account or knows any of the maintainers,
could they pass this on? They really should be aware of it.
Cheers!
-- David --
he static versions, the code is a little bigger, but there's no
redistributable installation required and I never run into rights issues.
Again, thank you for the assistance, Matt - I appreciate it.
Cheers!
-- David --
res, but
I can't continue doing that any longer as TLS3 starts coming on stream.
Anyone have any insights into what I'm doing wrong, or what I can do about
this? I'm very reluctant to use the software in production if it can't pass
its own self-test regime, even if it appears to work normally otherwise.
Comments most welcome.
Cheers!
-- David --
it directly from configure ?
Thanks all !
--
*Have a nice day David Barishev.*
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 15-Sep-2017 06:24, Richard Olsen wrote:
> When i click on advanced i see
>
> "host.local.com uses an invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certificates. An addistio
Back on 13 May 2016 I had proposed by email to a couple of people
including Rich Salz
a third library level (on top of crypto and ssl) with more high-level,
application-oriented code.
His response was:
> That is a really interesting idea. Please bring this up on openssl-dev
> mailing list.
Then
pps
and help application developers?
Maybe other OpenSSL users have specific experience on error and timeout
handling for BIO_do_connect() etc.
and can comment in more detail on the (approximate) solution,
bio_connect(), that I gave below?
On 28.08.2017 13:46, David von Oheimb wrote:
>
gure options or is there
some other problem?
Thanks,
David
Hi Jeff,
I am not sure I can post the entire cert here. Is there any part in
particular that would be useful to debug the Alert Number 43 problem?
David
On Tue, Nov 1, 2016 at 8:07 PM, Jeffrey Walton wrote:
>> When I tested a remote server using s_client, it responded with:
>>
>
failure:s3_pkt.c:598:
I found the following URL about this:
http://stackoverflow.com/questions/14435839/ssl-alert-43-when-doing-client-authentication-in-ssl?answertab=oldest#tab-top
My question: Does this indicate something wrong with server side
certificate like the URL said?
Thanks.
David
penssl.org/source/. Is there such a document? For instance, is the
list of tags in Github appropriately reliable?
If not, could such a document be created?
Many thanks,
--
David Turner
Principal Developer
Operations & Planning Systems Division
Tracsis
Tracsis Operations and Planning Sy
At 09:25 AM 9/5/2016, you wrote:
david wrote:
> On the client:
> openssl enc -salt -a -A -aes128 -pass pass:123
>
> On the server:
> openssl enc -d -salt -a -A -aes128 -pass pass:123
>
> When the ENCRYPTING software is 1_0_2h and the
> decrypting software is 1_0_1e on Li
_0, or
both 1_0_2(e..h), the decryption succeeded. If the versions were
different, it failed.
Is this a feature or a bug? Is there some setting I should have different?
Thanks in advance
David
On 02/09/2016 16:39, Dr. Stephen Henson wrote:
> On Tue, Aug 30, 2016, David wrote:
>> How can I obtain the length of the overall sequence which contains PKCS7
>> signed data? This is important because the length I already have may be
>> longer than the actual PKCS7 data.
>
ned data? This is important because the length I already have may be
longer than the actual PKCS7 data.
David
Hi,
What configuration parameters (NO-XXX) should be passed for the
openssl library to be built to support standard TLS/SSL required for
sending emails through the public smtp servers but at the least amount
of code needed. I have it working (only calls a few BIO_ and/or
SSL_ functions) but add
Apparently it is OpenSSL bug/ticket number 2288.
Hopefully fixed sometime...
Regards,
David
On 12 February 2016 at 18:09, David Balažic wrote:
> Hi!
>
> Tomcat released version 8.0.32 which bundles OpenSSL 1.0.2e (see below)
> The issue remains (with the change that now IE can no
):
Loaded APR based Apache Tomcat Native library 1.2.4 using APR version 1.5.1.
OpenSSL successfully initialized (OpenSSL 1.0.2e 3 Dec 2015)
Regards,
David
On 8 January 2016 at 17:02, David Balažic wrote:
> Hi!
>
> I encounter this issue when using Firefox to access tomcat (that i
est tested configuration:
tomcat 8.0.30, using OpenSSL 1.0.1m 19 Mar 2015
Firefox 43.0.4
OS: Windows 7 Pro SP1 64bit
The tomcat bug with much details:
https://bz.apache.org/bugzilla/show_bug.cgi?id=58244
Firefox bug report (not much details):
https://bugzilla.mozilla.org/show_bug.cgi?id=1231406
Rega
v1.1.0-pre1 on linux
(1) Compiling with "no-threads " gives error on lines 173 and 379 in async.c.
possible cause: async_fibre_makecontext() function
async_posix.h @ line 57: #if defined(OPENSSL_SYS_UNIX) &&
defined(OPENSSL_THREADS)
seems threads is required?
(2) Compiling with no-psk and
25 11:23 GMT+01:00 Viktor Dukhovni :
> On Wed, Nov 25, 2015 at 11:14:48AM +0100, David García wrote:
>
> > Viktor, you pointed me to the right way. I was missing the -nopad flag in
> > the openssl command.
>
> Not using padding is fragile and can lead to subtle data corrup
25 10:39 GMT+01:00 Viktor Dukhovni :
> On Wed, Nov 25, 2015 at 09:18:15AM +0100, David García wrote:
>
> > H6cr2yN8oWV6AUY/JlknQw==
>
> Decrypting in ECB mode you get:
>
> $ echo H6cr2yN8oWV6AUY/JlknQw== |
> openssl base64
ould be expected. If
> it is indeed the newline that is making the difference, you could try using
> the echo command with the '-n' option to suppress it.
>
> Jay
>
>
> On 11/24/2015 9:12 AM, David García wrote:
>
> Sorry, still not getting the same result, n
BTW I get the same result if the text in the echo is between '' or is read
from a text file.
2015-11-24 18:07 GMT+01:00 David García :
> You are right Viktor, that was my problem.
>
> Thank you very much for your help Viktor and Michael.
>
> 2015-11-24 18:00 GMT+01:00 Vi
You are right Viktor, that was my problem.
Thank you very much for your help Viktor and Michael.
2015-11-24 18:00 GMT+01:00 Viktor Dukhovni :
> On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote:
>
> > openssl enc -e -des-ede3-cbc -in m
Perhaps you
> mean to use -K (uppercase K, with an actual hexadecimal argument)?
>
>
> --
> Michael Wojcik
> Technology Specialist, Micro Focus
>
ng to get it multiple of 8
byte[] ciphertext = desCipher.doFinal(cleartext);
new String(Base64.encodeBase64(ciphertext), "UTF-8");
Could anyone point me to what I am doing wrong in this command line call?
Thanks in advance.
--
David
PrivateKey format:@"cannot
decode RSA private key"];
NS_DURING {
switch (n = RSA_check_key(r)) {
case 1: // ok
break;
default:
[NSException raise:X509CertificateExcInvalidPrivateKey
format:@"RSA_check_key() returned %d&
the attached cert is not
readable by d2i_RSAPrivateKey? I'm running these tests on a Mac, but the same
thing happens on Ubuntu Linux.
Thank you,
David
Printout of the attached cert, which fails to parse with d2i_RSAPrivateKey:
MacBook-Air:self_signed dlobron$ openssl x509 -in cert.10
e internal[1234]
controlmaster connections seemed to keep working.
Thanks,
David
Hi Jakob,
The computer has been up running for quite a while. I wonder if it
really needs NTP to take that long to sync up.
David
On Thu, Sep 10, 2015 at 7:20 PM, Jakob Bohm wrote:
> On 11/09/2015 02:13, David Li wrote:
>>
>> Hi,
>>
>> I am using "openssl
hen I waited 10 min and reran the same cmd and got "OK".
I am puzzled by this. Is this some timing issue?
My openssl version is:
OpenSSL 1.0.1e-fips 11 Feb 2013
David
e great if you can put me
on the way.
Thank you,
Best regards,
On Mon, Aug 24, 2015 at 10:34 PM, Wim Lewis wrote:
> On Aug 24, 2015, at 11:33 AM, David Luengo López wrote:
> > 439 #define DUMMY_SEED "" /* at least
> MD_DIGEST_LENGTH */
> > 440
is it used? And for some extra points, why that RAND_poll for
vxworks...
I'll keep investigating in all this.
Thank you in advance,
Best regards,
--
*David Luengo López*
> From: openssl-users On Behalf Of Salz, Rich
> Sent: Sunday, July 05, 2015 11:56
[in response to message about 'ca']
> > > the question: where does the serial number for this certificate come
> from?
> > > is it random by default when nothing is said about it?
>
> It will be random if (a) the seri
> From: openssl-users On Behalf Of Dr. Roger Cuypers
> Sent: Monday, July 06, 2015 10:43
> Follow up:
>
> For some reason, the X509_NAME_hash function calculates a very different
> hash for the server certificate:
>
> 5ad8a5d6
>
> Renaming the certificate to 5ad8a5d6.0 causes it to be found, but I
> From: openssl-users On Behalf Of Ben Humpert
> Sent: Sunday, July 05, 2015 07:58
> Take a look in your openssl.cnf and you should see the option "serial"
> with a path / file specified. The serial number is taken from that
> file. If the file doesn't exists or is empty when the very first
> cert
> From: openssl-users On Behalf Of Walter H.
> Sent: Sunday, July 05, 2015 06:49
> openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump
> CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem
> -out ./squidCA.pem
>
> the question: where does the serial number for this certifi
From: openssl-users On Behalf Of Dr. Roger Cuypers
Sent: Friday, July 03, 2015 11:01
> I'm trying to do peer client verification using the
> SSL_CTX_load_verify_locations function
> However, setting only CAPath will not:
> This will result in a X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.
Ben,
I think you are right. My verify test is okay now if I match the
subjectAltName to the nameConstraints defined by the subCA.
Thanks.
David
On Mon, Jun 29, 2015 at 6:23 PM, Ben Humpert wrote:
> Yes, because nameConstraints are inherited.
>
> I don't know exactly where the
, Ben Humpert wrote:
> Do you use nameConstraints or have specified IP in subjectAltName?
> Because OpenSSL can't handle that correctly.
>
> 2015-06-29 22:51 GMT+02:00 David Li :
>> Hi,
>>
>> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
. This is what I did:
cat rootCA.crt subCA.crt > caChain.crt
openssl -verbose -verify -CAflie caChain.crt clientCert.crt
openssl verify -CAfile caChain.crt client/clientCert.crt
client/clientCert.crt: C = US, ST = California, O = David's company,
CN = David's client cert, emailAd
Can anyone shed light on why these APIs are disabled in FIPS mode? They
involve operations that must be implemented within the boundary of the FIPS
crypto module? It seems like disabling them is intended to prevent mistakes
from developers trying to write their own AES mode implementations?
Thank
Dukhovni
Sent: Tuesday, April 07, 2015 8:32 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous
"DES-CBC3-SHA"
On Tue, Apr 07, 2015 at 08:09:31AM -0700, David Rueter wrote:
> >> You're confusing SSLv3 the protocol, with SSLv3
these.
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jakob Bohm
Sent: Tuesday, April 07, 2015 9:57 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous
"DES-CBC3-SHA"
On 07/04/2015 17:09, David Ruete
rom: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Monday, April 06, 2015 7:44 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous
"DES-CBC3-SHA"
On Mon, Apr 06, 2015 at 05:11:22PM -0700, Da
in this situation I am able to call SSL_CTX_set_options.
I guess I might be stuck if I can’t use the cipher list to disable SSL3 while
leaving TLS1 enabled. Not the end of the world, but not ideal.
Sincerely,
David Rueter
From: openssl-users [mailto:openssl-users-boun
I would like to disable SSL3 (to prevent POODLE attacks), but I would like
to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and
AES256-SHA).
However disabling SSL3 with !SSLv3 disables TLSv1 also. Furthermore,
disabling SSL3 with -SSLv3 then adding in individual ciphers such as
+DE
Great, that works, thank you. Is this the default behavior when using the C
API?
Thanks,
David
On Sunday, April 5, 2015, Matt Caswell wrote:
>
>
> On 05/04/15 23:42, Matt Caswell wrote:
> >
> >
> > On 05/04/15 22:04, David Rufino wrote:
> >> Hello,
tion would
fail with p224 ? my understanding is that openssl supports all the nist
curves.
Regards,
David
I am trying to build Openssh 6.7p1 on a Red Hat 5.6 x86_64 system
with Red Hat openssl-0.9.8e-31, which is the latest Red Hat openssl
version. The Openssh build checks openssl versions and requires 0.9.8f.
Is there a work around for this?
Thanks.
David Flatley
On Fri, Oct 24, 2014 at 1:28 PM, Richard Könning <
richard.koenn...@ts.fujitsu.com> wrote:
> On 24.10.2014 20:47, David Li wrote:
>
>>
>>
>> On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning
>> > <mailto:richard.koenn...@ts.fujitsu.com>> wrot
On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning <
richard.koenn...@ts.fujitsu.com> wrote:
> At 24.10.2014 19:03, David Li wrote:
>
>> I am still a little unclear by what exactly TLS_FALLBACK_SCSV option
>> would do.
>>
>> What if the server only supports SSL