plan is to just point to the ISO FIPS-equivalent spec.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi OpenSSL team,
I am Srivalli Kuppa. I have a couple of questions regarding support of CHACHA
and Poly1305 cipher suites with OpenSSL.
1. Do we have a stable OpenSSL patch that can be applied to OpenSSL 1.0.2
version to support CHACHA cipher both as a server/client?
2. Can CHACHA
work.
--
Without commenting on whether or not your understanding is correct (the client
gets the params and can see how big the key is, no?), I will point out that the
way DHE works is defined by the IETF RFC’s, and they have not changed.
--
The connection is open for a very long time (>24h), so I thought that
the peer may force a renegotiation due to the session timeout. Or
have I got something wrong and a renegotiation is not necessary for
long-running sessions?
--
>The code above does what I want - except for renegotiations!
Do you absolutely, positively, HAVE TO support renegotiation?
--
fd until that
condition is met. Then repeat calling SSL_read(). So I'm repeatedly
calling SSL_read() until it reports SSL_ERROR_NONE. With this I
satisfy the requirement of the OpenSSL-API to repeat an incomplete
call until it completes. Although I did not read that exactly in
I don’t recall the details of 1.0.2, sorry. Maybe someone else on this list
knows the best place to insert your checks.
From: Sandeep Deshpande
Date: Thursday, May 31, 2018 at 6:08 PM
To: Rich Salz , openssl-users
Subject: Re: [openssl-users] Fwd: basic constraints check
Hi Rich.. Thanks
be used, or how long the cert chain may be. OpenSSL
is doing the right thing.
If you want to add them, and you cannot upgrade, then read about the openssl
config file syntax. Good luck.
--
Hello Walter,
I did not find file ca.pem (root certificate) for testing.
Thanks
Mark
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Walter H.
Sent: Wednesday, May 30, 2018 11:17 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Test SSL connection
On
Hello,
I use OpenSSL version openssl-1.1.0h (Windows) and
I run following command from apps directory
openssl s_server -accept 443 -www
The server in this case uses certificate "server.pem"
On client computer I run command
openssl s_client -connect 10.65.48.108:443
On client compu
in, then
you should wait. If you don’t, you run the risk that your random numbers
(session keys, RSA or other long-term keys, etc) could be guessed by an
attacker.
--
>This didn't show up in my RSS client. Is the RSS feed not working, or is
> it just my client?
It probably sat in draft form for too long, and went out with the old date.
Oops.
--
, I'm
> currently explicitly disabling TLS 1.3 support with OpenSSL by default
> in these application due to these issues and the expected
> interoperability issues and as such, the OpenSSL 1.1.1 release default
> behavior regarding TLS 1.3 support should not have impact for these
>
We just posted a new blog entry on long-term support, the different phases, and
so on. It’s here:
https://www.openssl.org/blog/blog/2018/05/18/new-lts/
TL;DR is that the upcoming 1.1.1 will be our next LTS release.
--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1 pre release 7 (beta)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 7 has now
ance with the FOI
Act.
-->
FooCrypt is currently finalising a submission as per the request to stake
holders containing a number of high level case studies regarding
'FooCrypt,0.0.1,Core | FooCrypt, A Tale Of Cynical Cyclical
Encryption.'.
This is an informal request to the openssl
>In 1.1.0 and later it is documented:
And in 1.0.2 it was documented in January, 2017.
--
>Well what I was alluding to is this the correct use of the RAND_add
> function
to seed the Key generation. Its a bit confusing certainly.
You are calling the API correctly. That should have been clear from the
manpage.
You still did not tell us what version of OpenSSL you are
What version of OpenSSL are you using?
Using the time to seed the RNG is horrible; DO NOT DO THAT.
Not trying to be insulting, but if you think time is a good source, then you
really don't know what you're doing for RNG's. Consider looking at the master
branch, with its highly-
There are TLS control messages which could flow in either direction,
spontaneously. Renegotiation (pre TLS 1.3), tickets (TLS 1.3), and so on.
I cannot comment on if your proposal would work or not, sorry.
From: Alex H
Date: Saturday, May 19, 2018 at 5:03 AM
To: Rich Salz , openssl-users
TLS is a bidirectional protocol. You can’t throttle only one side.
From: Alex H
Reply-To: openssl-users
Date: Friday, May 18, 2018 at 7:21 PM
To: openssl-users
Subject: [openssl-users] Receive throttling on SSL sockets
How do you properly implement receive throttling on SSL sockets without
Based on the information you provided, I don’t have any other advice. The
print routine does not free the CRL. You must be free’ing it twice. Perhaps
run under a debugger with a breakpoint
From: Raghavendra a
Date: Tuesday, May 15, 2018 at 2:58 AM
To: Rich Salz
Cc: openssl-users
Subject
Something else is going wrong. Is that the only valgrind error? Are you sure
you didn’t free the object in your code?
From: Raghavendra a
Date: Friday, May 11, 2018 at 6:22 AM
To: Rich Salz , openssl-users
Subject: Re: [openssl-users] freeing of X509_CRL object
Hi Rich,
Thanks for
The print routine does not free anything.
From: Raghavendra a
Reply-To: openssl-users
Date: Friday, May 11, 2018 at 5:53 AM
To: openssl-users
Subject: [openssl-users] freeing of X509_CRL object
Hi All,
In my program,
converting X509_CRL object to string format using X509_CRL_print and
y object, but start
with that first manpage and follow the references.
--
On 5/3/18, 4:24 AM, "morthalan" wrote:
No, technically not. I am just searching for a simple method just to check a
certificate is signed by CA or not.
Because. Something like signing check, I am not quite sure, I do not have
proper knowledge on Openssl.
If
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1 pre release 6 (beta)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 6 has now
ing to answer.
--
the wild ) to test.
I am sorry if it wasn't clear, but I was referring to *Akamai* not *OpenSSL.*
Let me repost the whole message edited a bit.
AKAMAI has partially deployed TLS 1.3 on one of its networks using its own
server. Customer can opt-in to beta-test. AKAMAI has already seen hundre
efault if at all possible.
--
tions and how much data we are already
seeing. I think that makes a very strong argument that TLS 1.3 should be
enabled by default if at all possible.
--
* I have posted my question into the forum. Please kindly approve it as
soon as possible.
Which forum?
The fact that you were able to post to the openssl-users mailing list means you
should just post your question, well, to the openssl-users mailing list. ☺
--
Yeah, you're probably right. I was distracted, should have looked closer.
--
Your key starts with EF... Since that has the high-bit on, it should be
encoded with a leading zero.
--
>wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py
When I try this:
; ./apps/openssl s_client -connect bootstrap.pypa.io:443 -tls1_1
It fails. When I leave off the last flag, it connects via TLS 1.2
So that website does not support anything older than TLS
be easy.
It might be worth contacting your vendor.
--
>I have an application that runs on an old OS that currently has
OpenSSL 0.9.8a
So you should be able to compile and install the last 0.9.8 release,
https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zc.tar.gz Note that this
is more than two years old. Many fixes have happe
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1 pre release 5 (beta)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 5 has now
You didn't answer the question that was asked.
Which host?
On 4/16/18, 4:23 PM, "Rob Marshall" wrote:
Hi,
I built and installed OpenSSL 1.0.2n and I'm still seeing the problem.
I originally tried to build/install 1.1.0h but my goal was to
build/instal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [16 Apr 2018]
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Severity: Low
The OpenSSL RSA Key
OpenSSL 1.1.0 *does not* go through the locking callbacks. They will never be
called.
--
he locking callbacks. OpenSSL uses system-native threads and
locks now.
--
Thanks
On 4/5/18, 2:35 PM, "openssl-users on behalf of Viktor Dukhovni"
wrote:
> On Apr 5, 2018, at 2:29 PM, Henderson, Karl via openssl-users
wrote:
>
>> TLS 1.3 unifies session tickets with (external) PSKs, perhaps you should
recast your app
Thanks,
> TLS 1.3 unifies session tickets with (external) PSKs, perhaps you should
> recast your approach in terms of PSKs rather than session tickets.
Is there a good implementation example of this?
On 4/5/18, 2:19 PM, "openssl-users on behalf of Viktor Dukhovn
mean without modification to the server C.
Thanks,
Karl
--
You need to change your server config (however it is done), so that it gets
@SECLEVEL=0 into the cipher string. See the ciphers manpage for description of
security levels.
You can also edit openssl source and rebuild/relink, but that shouldn’t be
necessary.
--
Thanks for the response - yes, I do understand I'm re-purposing this mechanism
in a creative way. At this time, it's just for experimental purposes.
On 4/3/18, 5:34 PM, "Viktor Dukhovni" wrote:
> On Apr 3, 2018, at 11:00 AM, Henderson, Karl vi
--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1 pre release 4 (beta)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 4 has now
>openssl ciphers -v list the NULL ciphers, but when I try to use NULL or
>NULL-MD5 I get the same result: No ciphers available.
You have to configure with a cipher string that has “@SECLEVEL=0” in it.
--
Viktor Dukhovni" wrote:
issuing client certs
--
this now but I can’t get it working.
From: openssl-users on behalf of Michael
Sierchio
Reply-To: "openssl-users@openssl.org"
Date: Wednesday, March 28, 2018 at 12:45 PM
To: "openssl-users@openssl.org"
Subject: [EXTERNAL] Re: [openssl-users] RFC5077 ticket construction hel
connection.
You might want to look at OAUTH and the “TLS exporter” documents.
--
?
The problem I think I’m having the most difficulty with is understanding what I
need to put into the encrypted_state portion of the session ticket.
Thanks,
Karl
--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [27 Mar 2018]
Constructed ASN.1 types with a recursive definition could exceed the stack
(CVE-2018-0739
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.0h released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.0h of our open
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.0.2o released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.2o of our open
* So, is the OpenSSL community thinking of having inbuilt PKCS#11
support, or will it continue working with third-party modules (libp11)?
Things have never gotten past this kind of discussion phase.
Interested parties will have to discuss on email list and create one or more
pull requests
For RSA it's the ASN1 sequence of the key. For Ed25519 it's just the 40 bytes
of the raw key.
--
>I might, but people using envelope-from
are not very contactable :(
Did you try? That address works.
--
flags to not
require the high bit on.
--
>Is there a way yet to get the raw public-key out,
documented or not? As you may guess, this is for DKIM.
Ask Murray; he's had some off-list discussions :)
--
Did you specify the -md flag on either/both?
https://www.openssl.org/docs/faq.html#USER3
--
How big is the file? Could it be bigger than 32 vs 64 bit platforms?
--
Please look at https://github.com/openssl/openssl/pull/5704 and see if it fixes
the issues.
On 3/20/18, 8:52 PM, "RTT" wrote:
Hello,
Building the shared libraries (version 1.1.1 pre 3) for Windows with
Visual Studio, targets VC-WIN32 or VC-WIN64A, result in
* As of now, what is the latest version of openssl supporting FIPS, then?
1.0.2
--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1 pre release 3 (beta)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 3 has now
Hi All,
My ultimate goal is to generate an RSA-PSS key that will have the PSS
parameters in the subjectPublicKey section of the TBSCertificate. In order
to do that the first need is a paramfile. Here's the command being used to
to generate the parameter file:
OpenSSL> genpkey -
Kumar
On Thursday, March 8, 2018, 7:12:31 PM GMT+5:30, Wouter Verhelst wrote:
This type of error message is shown when the error strings haven't been loaded.
You can fix that by way of the ERR_load_crypto_strings() call.
On 08-03-18 14:14, binod kumar via openssl-users
Hello openssl users,
Need your help understanding the openssl error
"error:140760FC:lib(20):func(118):reason(252)". I am using SSL server on
Windows machine and am successfully able to connect and make requests to this
server from other Windows machine. But when requests are being
claim to
be FIPS validated.
--
>I believe you're out of luck. I believe that OpenSSL does not support
> migration
of live connections between address spaces.
Yeah, the closest you can come is using TLS sessions or tickets.
--
Yes, you will have to create the BIO object at run-time and use the setter
methods.
--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1 pre release 2 (alpha)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 2 has now
Morning Dennis, et al
This may be off thread topic, but one thing I have noticed with the x86
openssl builds shipped by Oracle and Blastwave in the releases I have
been testing FooCrypt against ( 10u11 through 11.3 ) is that openssl
seems to ‘HANG’ when inputting a string greater than 262
On 02/21/2018 10:16 AM, Robert Watson wrote:
> I'm trying to update a crypto library for crtmpserver to work with
> openssl 1.1.0. The software is no longer actively maintained and my
> c++ skills are somewhat rudimentary but I keep getting a compilation
> error for something t
This is very useful! Can you post an update to the wiki?
https://wiki.openssl.org/index.php/Binaries
On 2/21/18, 8:57 AM, "Angus Robertson - Magenta Systems Ltd"
wrote:
Windows developers may be interested in our Win32 build of OpenSSL
1.1.1-pre1 (alpha), the binaries are
https://github.com/openssl/openssl/pull/5423
On 2/20/18, 2:10 PM, "Salz, Rich via openssl-users"
wrote:
I agree, let's just use malloc for the reasons you said. PR later today.
On 2/20/18, 2:08 PM, "Viktor Dukhovni" wrote:
ng" is likely good enough, but could prove more fragile
as the code evolves.
--
Viktor.
--
> So ... this will be fun.
:)
Thanks for poking at this, folks. Please take a look at the INSTALL and README
files which do cover some of these prerequisites. And then once you've "fixed"
it, let us know what we need to change!!
--
== NULL)
+return 0;
+
+(void)RAND_bytes((unsigned char *)o,
+ (int)package->encode_expectations_elem_size);
ret = ASN1_item_print(bio_err, o, 0, i, NULL);
+OPENSSL_free(o);
return ret;
}
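Review bot: the RAND_bytes() result is discarded by the (void) cast, so if the RNG fails, ASN1_item_print() runs over whatever the buffer o happens to contain. Consider checking the return value and calling OPENSSL_free(o) before returning 0 on failure. The (int) cast of package->encode_expectations_elem_size also narrows silently; a check that the size fits in an int would document that assumption.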
--
Viktor.
-
for target '_tests' failed
I do not think it is expected. Could you capture the output of 'make
V=1 TESTS="test_asn1_encode test_secmem"' and make it available?
(Probably via posting it on the web and linking; the output may be long.)
-Ben
--
* Which version on 1.0.2x is the same as 1.1.0g(bug fixing branch)?
None. 1.1.0 is substantially different (most structures are now opaque).
--
FYI, FIPS does not work for 1.1.x.
--
: "Sakuma, Koshiro"
Date: Thursday, February 15, 2018 at 5:43 AM
To: Rich Salz
Cc: openssl-users
Subject: Re: [openssl-users] error (openssl-1.1.0g)
Hi,
Please let me know how I can compile the source with normal user account
instead of root? The error I got was like "
For the failing test, try this
make TESTS=test_rehash V=1 tests
--
* If your program uses threads, then you *have* to set the thread
functions. Glad you got it fixed.
> Why can't OpenSSL do this automatically? Yes, some applications will need to
> supply specialty functions, but it could supply defaults.
It does in 1.1.0 and later.
--
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1 pre release 1 (alpha)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 1 has now
If your program uses threads, then you *have* to set the thread functions.
Glad you got it fixed.
--
criminalization of cryptology in
Australia.
Documentation and high level specifications available via :
The FooKey Method
http://www.foocrypt.net/the-fookey-method.html
OpenSSL is the DEFAULT cypher engine for use with all
FooCrypt,0.0.1,Core releases.
A quick break down :
Operating System
FIPS is not supported in 1.1.0. We will be starting a FIPS project soon,
targeted for the next release after 1.1.1
--
The usual cause for this is a stray or incorrect pointer, corrupting malloc
structures. Have you run your code under a valgrind or similar?
--
* What is OpenSSL's current status regarding this?
I don’t recall it being raised before, and I don’t think anyone on the team
has expressed interest in this. It would probably have to start by someone
contributing a pull request.
--
Hi All,
I used a mutex lock to prevent the SSL_accept() method being called by multiple
threads concurrently since it may get coredump if there is no lock on
SSL_accept() method. I am just wondering if the lock is still needed for
openssl 1.0.2e version?
mutex.lock();
int rt
Yes, if there’s something that was made impossible to do because of things
being made opaque, adding the missing API’s would be a bugfix and go into 1.1.0
and beyond. It would be great if you could create a PR.
--
It appears to be a memory leak in the DNS libraries.
--
➢ Question: Is there a way to set IV for CTX after its initialization for
FIPS
version of OpenSSL?
No, sorry.
--
changes of IV and I can't find a way to set it other than
EVP_CipherInit. Initialization, however, is a relatively time-consuming
operation.
Question: Is there a way to set IV for CTX after its initialization for FIPS
version of OpenSSL?
--
Best regards,
Alex Dankow