[openssl-users] Issue with openssl 1.0.2 20150713 SNAP

Script started on Mon Jul 13 09:31:31 2015 doctor.nl2k.ab.ca//usr/source/openssl-1.0.2-stable-SNAP-20150713$ make test testing... (cd ..; make build_libcrypto) making all in crypto... ar r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o

[openssl-users] openssl fips package for openssl-0.9.8zg

Hi All, Please let me know what is the compatible openssl-fips package for the 0.9.8zg version. When i try with with openssl-1_2_4, I am getting the below error bash 3.2:90gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m32 -DL_ENDIAN

Re: [openssl-users] CVE-2015-1793 only on cert-based client auth?

On Mon, Jul 13, 2015 at 01:03:09PM -0400, Colin Edwards wrote: I've been reading/hearing different opinions on the recent vulnerability for cert chain forging that was patched (CVE-2015-1793). Some people are saying the vulnerability only exists if a system is using certificate-based client

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

On 13/07/2015 12:22, Victor Wagner wrote: On Mon, 13 Jul 2015 12:25:40 +0530 Nayna Jain naynj...@in.ibm.com wrote: Hi all, I am programmatically generating the self signed certificate and need to specify the Not Before and Not After date, Wanted to understand what all formats are acceptable

Re: [openssl-users] CVE-2015-1793 only on cert-based client auth?

On Tue, Jul 14, 2015 at 01:23:52PM -0400, Colin Edwards wrote: Thank you, Kurt. The information I was getting (from some sources) was that the vulnerability was only present in configurations where the server was authenticating a client certificate. The fact is, the vulnerability applies to

Re: [openssl-users] beginner needs advice on data signature/verification

(continuing top posting to keep thread consistent) Note that the point of using an X.509 signature at file creation time and/or client approval time was to reuse the internal file structure that is already designed to hold that particular signature format (specifically, the internal file

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

This is important when creating root certs with expiry dates after 2038 Not an issue for openssl. As long as you use ASN1_TIME values, it's okay. Might be an issue if converting to time_t on 32-bit platforms. ___ openssl-users mailing list To

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

if ASN1_TINE_set_string() avoids that limitation, despite Victor's suggestion to never use it. It does avoid the limitation, using only |struct tm| to hold parsed fields, and not building a |time_t| from it. Not sure why Viktor doesn't like it. It seems to me it's the only portable thing to

Re: [openssl-users] Has the support for SPARC architecture crypto extensions been Implemented?

I am doing some tests using OpenSSL command line utility 'openssl'. My tests show regarding to the performance of executable ‘openssl’ there is no difference between 1.0.1p and 1.0.2d. Here is the test results. ksol1% ./1.0.1p/shared64bit/openssl/bin/openssl speed -evp aes-128-cbc WARNING:

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

On 14/07/2015 21:50, Salz, Rich wrote: This is important when creating root certs with expiry dates after 2038 Not an issue for openssl. As long as you use ASN1_TIME values, it's okay. Might be an issue if converting to time_t on 32-bit platforms. Victor suggested to use only ASN1_TIME_set()

[openssl-users] Disable SSL3 for Windows 32 Distros?

Hello, I¹ve made several attempts to compile various versions of OpenSSL, the latest being 1.0.2d for Win32. Although many attempts to compile have been successful and the dlls (and .exe) usable, I have not been able to successfully disable SSLv3. I attempted on a Windows 7 box using VC 2010, I

Re: [openssl-users] Has the support for SPARC architecture crypto extensions been Implemented?

Some additional information here. When testing the default openssl installed in /usr/bin/ on Solaris 11, I saw a much better result below. Hence I believe OpenSSL utility 'openssl' built by me does not use the hardware crypto accelerators at all. Anyone knows the reason? Thanks, Aaron ksol1%

Re: [openssl-users] openssl fips package for openssl-0.9.8zg

Hi Jacob, I have used openssl-fips-1_2_4 with openssl 0.9.8zf and not found any issue. For my environment, just I upgraded my openssl version from 0.9.8zf to zg. Thanks, Gayathri On Wed, Jul 15, 2015 at 12:36 AM, Jakob Bohm jb-open...@wisemo.com wrote: On 14/07/2015 12:35, Gayathri Manoj

[openssl-users] How to let OpenSSL applications/utilities use SunSPARC crypto accelerators?

Hello OpenSSL folks, I noticed that the OpenSSL command line utility 'openssl' built in Solaris 11.1 does not use SunSPARC crypto accelerators. From the change log of OpenSSL 1.0.2, I saw the following description. Changes between 1.0.1l and 1.0.2 [22 Jan 2015] ... *) Support for SPARC

Re: [openssl-users] openssl fips package for openssl-0.9.8zg

On 14/07/2015 12:35, Gayathri Manoj wrote: Hi All, Please let me know what is the compatible openssl-fips package for the 0.9.8zg version. As far as I know you need to use the file http://www.openssl.org/source/openssl-fips-1.2.4.tar.gz with the specific HMAC checksum specified in the

Re: [openssl-users] CVE-2015-1793 only on cert-based client auth?

Thank you, Kurt. The information I was getting (from some sources) was that the vulnerability was only present in configurations where the server was authenticating a client certificate. The fact is, the vulnerability applies to certificate validation regardless of if it's on the client or