Re: [openssl-users] Delay of email delivery for the list

2015-03-10 Thread Kurt Roeckx
On Tue, Mar 10, 2015 at 10:23:41PM +0300, Serj Rakitov wrote: > Hello, > > I see some delay about 30-40 min for my emails. They arrive and I see them in > the incoming messages in the list only after 30-40 min. And one email was > delivered for 2 hours. Is it normal for the openssl-users@openss

Re: [openssl-users] FIPS_module_version_text()

2015-03-10 Thread Jason Schultz
Hmm. I am pretty sure I was linking against the FIPS capable OpenSSL but I will double check tomorrow to make sure I did it right. Thanks. > On Mar 10, 2015, at 7:28 PM, Dr. Stephen Henson wrote: > >> On Tue, Mar 10, 2015, Jason Schultz wrote: >> >> Is this function available to call in O

Re: [openssl-users] FIPS_module_version_text()

2015-03-10 Thread Dr. Stephen Henson
On Tue, Mar 10, 2015, Jason Schultz wrote: > Is this function available to call in OpenSSL 1.0.1? I'm trying to call it > from my application running a FIPS capable version of OpenSSL (everything > else works, turning FIPS on, etc), but I include fips.h but I get a compile > error saying the fu

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread Dr. Stephen Henson
On Tue, Mar 10, 2015, jonetsu wrote: > > > > From: "Dr. Stephen Henson" > > Date: 03/10/15 10:21 > > > Although you cannot modify the FIPS module itself without voiding the > > validation you *can* change the FIPS capable OpenSSL. > > > You might (for example) change FIPS_mode_set() to alwa

Re: [openssl-users] Delay of email delivery for the list

2015-03-10 Thread Salz, Rich
> I see some delay about 30-40 min for my emails. They arrive and I see them > in the incoming messages in the list only after 30-40 min. And one email was > delivered for 2 hours. Is it normal for the openssl-users@openssl.org? It happens sometimes. > Some time ago I see an email with message:

Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE

2015-03-10 Thread Serj Rakitov
Hi, Jakob. Thanks for reply. Now I have seen OpenSSL code and something clear for me. WANT_READ/WANT_WRITE it's just an implementation for "WOULDBLOCK": not fatal error for non-blocking IO. So, for example for socket and Windows it's just WSAEWOULDBLOCK returns by WSAGetLastError. Peforms by

[openssl-users] Delay of email delivery for the list

2015-03-10 Thread Serj Rakitov
Hello, I see some delay about 30-40 min for my emails. They arrive and I see them in the incoming messages in the list only after 30-40 min. And one email was delivered for 2 hours. Is it normal for the openssl-users@openssl.org? Some time ago I see an email with message: Welcome to the opens

Re: [openssl-users] How to disable all EXPORT Ciphers?

2015-03-10 Thread Dave Thompson
> From: openssl-users On Behalf Of Viktor Dukhovni > Sent: Monday, March 09, 2015 12:47 > On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote: > > "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH" > > with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 > and 1024? > You only

Re: [openssl-users] FIPS_module_version_text()

2015-03-10 Thread Jason Schultz
I guess I didn't have the correct fips.h file in my include path when I couldn't get it to compile. But I don't think it will work for my purposes since if I install my application on another system, that entry point is not defined in libcrypto.so or libssl.so. Does anyone know if it's really g

Re: [openssl-users] How to make a rehandshake(renegotiation)?

2015-03-10 Thread Salz, Rich
> Does OpenSSL support renegotiation? Yes. You probably need more than that. :) Take a look at the apps/s_client and look for the 'R' constant to see how to do client-initiated reneg. ___ openssl-users mailing list To unsubscribe: https://mta.openssl

Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE

2015-03-10 Thread Serj Rakitov
Nobody knows? 09.03.2015, 15:30, "Serj Rakitov" : >  I have to open discussion again. > >  I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ. > But I can't do this. SSL_read never wants write and SSL_write never wants > read! > >  I don't know how to catch these situat

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu
> From: "Dr. Stephen Henson" > Date: 03/10/15 10:21 > Although you cannot modify the FIPS module itself without voiding the > validation you *can* change the FIPS capable OpenSSL. > You might (for example) change FIPS_mode_set() to always add a callback > which logs any errors. I see.  So t

Re: [openssl-users] How to make a rehandshake(renegotiation)?

2015-03-10 Thread Serj Rakitov
Nobody knows? Does OpenSSL support renegotiation? I will be very grateful for answers because there is no any info about this in the net. 09.03.2015, 00:36, "Serj Rakitov" : > Hello > > I want to test SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. > I have client and server. Server is sending data

Re: [openssl-users] Getting info on the ciphers supported by a client

2015-03-10 Thread Jakob Bohm
On 09/03/2015 14:13, Waldin wrote: Am 08.03.2015 um 09:14 schrieb Waldin: Now, I also want to check ciphers enabled in (mobile) mail clients. I've tried to make OpenSSL listen on port 110 (for POP with TLS) and redirected the client to the OpenSSL server. But when trying to pull mail I can't s

Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE

2015-03-10 Thread Jakob Bohm
On 09/03/2015 13:21, Serj Rakitov wrote: I have to open discussion again. I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ. But I can't do this. SSL_read never wants write and SSL_write never wants read! I don't know how to catch these situations. I don't know how to

Re: [openssl-users] How to disable all EXPORT Ciphers?

2015-03-10 Thread Michael Wojcik
Viktor's description agrees with Matthew Green's explanation.[1] The FREAK attack can work against non-patched OpenSSL clients even if they disable export-grade ciphers; in fact, that's precisely the problem. The attack works like this: 1. Client sends ClientHello with a suite list that include

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread Dr. Stephen Henson
On Tue, Mar 10, 2015, jonetsu wrote: > Hello, > >   Is there a method that is always in the path of execution when a crypto > error occurs ?  The reason for asking is that I would like to very slightly > modify the OpenSSL FIPS version so that it will write a file in tmpfs when > an error occurs.

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu
> From: "Steve Marquess" > Date: 03/10/15 08:56 Hello,   Thanks for your reply. > You're talking about a Level 2 validation (or higher)? You most > definitely do *not* want to include the OS or applications in the > "cryptographic module boundary" for Level 1. It's a level 2.  The behaviou

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu
> Is there a method that is always in the path of execution when a crypto error > occurs ?  It looks like fips_set_selftest_fail() would be a likely candidate where to create an empty file on a tmpfs in order to let the OS know about the error. Comments and suggestions welcomed.  Based on yo

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread Steve Marquess
On 03/10/2015 08:20 AM, jonetsu wrote: > ... > Steve has replied that indeed the validation will be lost - I wonder > if that would have any impact on the total validation costs for a > whole unit, OS and apps ? You're talking about a Level 2 validation (or higher)? You most definitely do *not* w

[openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu
Hello,   Is there a method that is always in the path of execution when a crypto error occurs ?  The reason for asking is that I would like to very slightly modify the OpenSSL FIPS version so that it will write a file in tmpfs when an error occurs.  That place will be observed by another app us

Re: [openssl-users] How to disable all EXPORT Ciphers?

2015-03-10 Thread Viktor Dukhovni
On Tue, Mar 10, 2015 at 08:44:57AM +, Christian Georg wrote: > I understand that the downgrading of the ciphersuites is a bug in the > library that should be patched. Doing this can however be dificult when > talking about mobile apps that use OS Libraries. From my understanding > the bug onl

Re: [openssl-users] How to disable all EXPORT Ciphers?

2015-03-10 Thread Christian Georg
Hi Viktor, please help me to understand your sentence: "Note that doing so does not address the FREAK CVE in SSL clients. Even with EXPORT ciphers disabled they are still vulnerable, unless patched!" I understand that the downgrading of the ciphersuites is a bug in the library that sh