[openssl-users] compared performances on Mac OS X 10.6.8
Hello,

I've compiled OpenSSL 1.0.2a on Mac OS X 10.6.8, and used `openssl speed` to compare performances with stock OpenSSL (0.9.8). In many tests, 1.0.2a is a bit faster, or as fast as 0.9.8y, but on the 6 AES tests, the old one is almost twice as fast as the new one:

OpenSSL 1.0.2a 19 Mar 2015
built on: reproducible build, date unspecified
options:bn(64,32) rc4(8x,mmx) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: cc -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
../..
aes-128 cbc      93494.07k   102637.16k   104677.80k   105762.76k   106145.31k
aes-192 cbc      78912.98k    84939.17k    86991.87k    88263.00k    88350.72k
aes-256 cbc      68691.56k    73564.65k    74554.37k    75421.01k    75803.31k
../..
aes-128 ige      89849.59k    94381.10k    97713.32k    98399.23k    97045.16k
aes-192 ige      76133.38k    80632.62k    81332.31k    82033.66k    81988.27k
aes-256 ige      66744.15k    69558.66k    70501.12k    70079.15k    70041.60k
../..

OpenSSL 0.9.8y 5 Feb 2013
built on: Jun 27 2013
options:bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) blowfish(ptr2)
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
../..
aes-128 cbc     149709.21k   157970.02k   159079.54k   160057.16k   159908.25k
aes-192 cbc     132826.18k   138516.09k   139301.84k   139847.86k   139845.95k
aes-256 cbc     119058.45k   123144.42k   123989.61k   124192.42k   124275.21k
../..
aes-128 ige     157970.54k   168814.05k   171997.82k   171239.04k   172713.37k
aes-192 ige     139152.02k   145860.99k   148705.55k   148606.98k   150433.13k
aes-256 ige     124678.17k   130624.07k   132307.43k   131849.37k   132539.38k

Is it a compilation issue? (I've tested both -arch on 1.0.2a with same results).

thanks,
patpro

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] compared performances on Mac OS X 10.6.8
On Mon, May 11, 2015 at 07:24:10AM +0200, Patrick Proniewski wrote:

> I've compiled OpenSSL 1.0.2a on Mac OS X 10.6.8, and used `openssl speed` to compare performances with stock OpenSSL (0.9.8). In many tests, 1.0.2a is a bit faster, or as fast as 0.9.8y, but on the 6 AES tests, the old one is almost twice as fast as the new one:

Use openssl speed -evp. Then if your hardware has AES-NI, it will be faster in 1.0.2.

Otherwise, the slowdown is expected. The software-only AES in 1.0.x is constant-time, and avoids timing side-channel attacks. The 0.9.8 version is not constant time (faster, but less secure).

--
Viktor.
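As an added illustration of the constant-time point in the reply above (not code from the post or from OpenSSL): a secret-indexed AES S-box lookup, whose memory access pattern depends on the secret byte, beside a lookup that reads every entry and selects with a mask. The full-table scan is a simple stand-in chosen for this example, not the method OpenSSL 1.0.x uses, and all function names are hypothetical.

```c
#include <stdint.h>

static uint8_t sbox[256];

/* Multiply in GF(2^8) modulo the AES polynomial (0x11b). Public inputs only. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (; b; b >>= 1) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
    }
    return r;
}

static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }

/* Build the AES S-box: multiplicative inverse followed by the affine transform. */
void sbox_init(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;  /* 0 has no inverse and maps to 0 */
        for (int y = 1; y < 256 && x != 0; y++)
            if (gf_mul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        sbox[x] = inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63;
    }
}

/* Table lookup: the address read (and so the cache line) depends on the secret. */
uint8_t sbox_lookup_table(uint8_t secret) { return sbox[secret]; }

/* Constant-time lookup: reads all 256 entries in a fixed order; the secret
 * only shapes a mask, never an address or a branch condition. */
uint8_t sbox_lookup_ct(uint8_t secret) {
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++) {
        /* mask is 0xff when i == secret, 0x00 otherwise, computed without branching */
        uint8_t mask = (uint8_t)(((i ^ secret) - 1u) >> 8);
        out |= sbox[i] & mask;
    }
    return out;
}

/* Number of inputs on which the two lookups disagree (0 when both are correct). */
int count_mismatches(void) {
    int bad = 0;
    sbox_init();
    for (int s = 0; s < 256; s++)
        bad += sbox_lookup_table((uint8_t)s) != sbox_lookup_ct((uint8_t)s);
    return bad;
}
int main(void) { return count_mismatches() != 0; }
```

Each constant-time lookup touches all 256 entries, which shows why constant-time software lookups cost more than a direct table read. A C compiler makes no constant-time guarantee, so production code should verify the generated machine code.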
[openssl-users] upgrade system's OpenSSL and libs on Mac OS X 10.6.8
Hi,

Disclaimer: I'm not a developer.

I would like to upgrade openssl, libssl and libcrypto on my Mac OS X 10.6.8 system. The purpose is to allow system and software to use the new libs (for example ssh, sshd, Mail...). Do you think it's possible?

I can already install openssl and libs somewhere else (/usr/local), but if possible I would like to replace those provided by the system.

Any help greatly appreciated.

patpro
Re: [openssl-users] upgrade system's OpenSSL and libs on Mac OS X 10.6.8
On Mon, May 11, 2015 at 07:07:13AM +0200, Patrick Proniewski wrote:

> I would like to upgrade openssl, libssl and libcrypto on my Mac OS X 10.6.8 system. The purpose is to allow system and softwares to use the new libs (for example ssh, sshd, Mail...). Do you think it's possible?

You can install OpenSSL from MacPorts or Homebrew, choose whichever you prefer.

> I can already install openssl and libs somewhere else (/usr/local), but if possible I would like to replace those provided by the system.

That would be a mistake. It is best to not replace system libraries with incompatible upstream versions.

--
Viktor.
[openssl-users] a question on SSL_MAX_BUF_FREELIST_LEN_DEFAULT
Hi All,

We are using OpenSSL on a multihome device. Device has 4 interfaces. Each network interface creates one SSL context (SSL_CTX) and supports 16 connections.

As per OpenSSL implementation, each SSL context can maintain a free buffer list of 32. And this is retained till SSL context (SSL_CTX) is deleted.

I wanted to know is there any reason behind defining #define SSL_MAX_BUF_FREELIST_LEN_DEFAULT 32. Can I reduce it to say 4 or some smaller value?

Also can I use OpenSSL_malloc/OpenSSL_free instead of freelist_extract/freelist_insert in ssl3_setup_read_buffer/ssl3_setup_write_buffer? Are there any side effects?

Any help is appreciated. Thanks in advance.

Regards
Jayalakshmi
Re: [openssl-users] Stand alone AES-CTR module
The task of implementing AES should not be undertaken by a novice programmer. Please save the world another heartbleed and pick something more in line with your skill level.

On May 10, 2015 11:48 AM, konstantinos Alexiou konstantinako...@gmail.com wrote:

> Dear Sirs,
>
> I am new to C programming and I am trying to create an independent to libraries source code for demonstration purposes for AES-CTR mode. Could I have some help on doing that using the source code contained under crypto/aes.
>
> Thank you very much in advance.
[openssl-users] openssl 1.0.2 and openssl 1.1.0 Snapshots
What is happening lately?

openssl 1.0.2 snapshots have not materialised properly in the last 2 days and now openssl 1.1.0 is flopping.

Please fix.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism UK! Vote LDem on 7 May 2015!!
Re: [openssl-users] minor documentation errors
2015-05-09 21:47 GMT+02:00 Salz, Rich rs...@akamai.com:

After getting into building and especially configuring my own CA again I'm nearly at the end and I've noticed some errors in the documentation I want to report.

I like the again :)

Yeah, once upon a time I had done a comprehensive configuration with a Root CA and two Signing CAs and wrote down the command lines I need to use but then I didn't even touch it for over four years so I only had few memories. A good PKI tutorial and my files helped me getting into it again quickly.

1) On https://www.openssl.org/docs/apps/ca.html for the -md option not all possible values (sha256, sha384, etc.) are listed but just md5, sha1 and mdc2
2) On https://www.openssl.org/docs/apps/req.html for the -[digest] option not all possible values are listed
4) On https://www.openssl.org/docs/apps/req.html for the default_md option not all possible values are listed (shouldn't this reference the -[digest] option)
5) On https://www.openssl.org/docs/apps/x509.html not all available options are listed in -md2|-md5|-sha1|-mdc2

Getting this correct is incredibly painful, as it depends on the configuration options chosen when building openssl, and right now the manpages are not affected by the config. Our plan for this is to say any supported digest. That will be updated in a couple of days, and then pushed to the website an hour or so later.

I see. I thought about mentioning get a list of supported (message) digests by using the command openssl list-message-digest-commands in the doc but after I tried that command I just got md4, md5, rmd160, sha, sha1 but since I was able to create a sha-256 with the -sha256 command option I guess it's just the wrong command to get a list of supported digests?

I also tried openssl list-message-digest-algorithms and that shows SHA512, SHA256, whirlpool (I like that one) and more. However I don't think that it shows the correct names of supported options (case-sensitive?). Additionally some options are listed twice like DSA, DSA-SHA, MD4, MD5. Is that a bug too?

While being on it I also issued openssl list-cipher-algorithms and here all entries are listed twice. The output gives a list which consists of list (B) appended to list (A). List (A) has 93 unique entries and shows aliases uppercase (eg. CAMELLIA256 = CAMELLIA-256-CBC). List (B) has 100 entries, 97 of them are unique. Aliases are shown lowercase (camellia256 = CAMELLIA-256-CBC). The additional entries are id-aes128-GCM, id-aes192-GCM, id-aes256-GCM and blowfish = BF-CBC while the three aes ones are listed twice (once correctly between AES-xxx-ECB and AES-xxx-OFB once incorrectly between DESX-CBC and rc2 = RC2-CBC).

I also would like to ask if there's a newer version (or subtree) of openssl that is cleaned up.

I don't know what you mean by this.

Well I just asked because if that would've been planned I would've liked to participate in that process. What I meant was a version that's cleaned up of superseded / deprecated commands and has a more logical structure or command names, eg. no CA command and not three different ways of getting the same result. It's simple enough for doing simple stuff like quickly getting a self-signed certificate and just gets a little bit more complicated than it has to be when you begin with complex stuff. But I don't have a problem with how it's done now :)

Currently there are many ways of creating a CSR, signing a certificate, etc. I think this is confusing everybody.

The CA script is a wrapper around the various commands, and is reasonable. But we're not planning on removing any of the current mechanisms. Ivan Ristic has a really great, free, OpenSSL cookbook that might be useful: https://www.feistyduck.com/books/openssl-cookbook/

Thanks for that link. I'll definitely cook some delicious meals with that ;)
[openssl-users] DSA_generate_key() or DSA_print_fp() with passphrase protection
Hi all,

The openssl gendsa command supports passphrase protected generation of dsa keys.

I'm doing the dsa parameter and key generation, using the C API, using DSA_generate_parameters(), DSA_generate_key() and DSA_print_fp().

Now, I'd like to write, store the dsa keys and/or parameters in a passphrase protected fashion like the openssl gendsa command provides. I could not find any information in the docs about how to handle that. Have I been overlooking the obvious?

I'd be very grateful for directions about how to handle such passphrase protection with the C interface.

Thanks in advance,
Erik Leunissen.
--
Re: [openssl-users] DSA_generate_key() or DSA_print_fp() with passphrase protection
On 10/05/15 17:37, Erik Leunissen wrote:

> Hi all,
>
> The openssl gendsa command supports passphrase protected generation of dsa keys.
>
> I'm doing the dsa parameter and key generation, using the C API, using DSA_generate_parameters(), DSA_generate_key() and DSA_print_fp()
>
> Now, I'd like to write, store the dsa keys and/or parameters in a passphrase protected fashion like the openssl gendsa command provides. I could not find any information in the docs about how to handle that. Have I been overlooking the obvious?

In the meantime, a search separate from the openssl online documentation for the above C APIs, made me find:

https://www.openssl.org/docs/crypto/pem.html

where I found: PEM_write_DSAPrivateKey() which seems to be what I want.

In order to make that page findable from the manual pages for the C APIs DSA_generate_parameters(), DSA_generate_key() and DSA_print_fp(), I'd suggest to include a link in the respective SEE ALSO sections.

Sincerely,
Erik Leunissen
--

> I'd be very grateful for directions about how to handle such passphrase protection with the C interface.
>
> Thanks in advance,
> Erik Leunissen.
> --
[openssl-users] Stand alone AES-CTR module
Dear Sirs,

I am new to C programming and I am trying to create an independent to libraries source code for demonstration purposes for AES-CTR mode. Could I have some help on doing that using the source code contained under crypto/aes.

Thank you very much in advance.