Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Jakob Bohm
On 12/07/2017 07:23, Viktor Dukhovni wrote: On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote: I don't think a state is really needed for this, if the callback simply checks if the certificate is in the loaded trust collection, and/or if it is self-signed (depending on the application'

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Viktor Dukhovni
On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote: > I don't think a state is really needed for this, if the callback > simply checks if the certificate is in the loaded trust collection, > and/or if it is self-signed (depending on the application's chosen > root CA trust model). Yes, th

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Jakob Bohm
On 10/07/2017 18:52, Viktor Dukhovni wrote: On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote: What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}? Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire over the next year or two. Wh

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-11 Thread Salz, Rich via openssl-users
> It's very well worth the effort, otherwise there's a security issue, because > certificates can be forged. No they cannot. What *has* been done is a document was created with "weak spots" and another document was created that changed those weak spots, but the digest was the same. This is a

[openssl-users] Issue with TLS1.3 and s_time

2017-07-11 Thread Raj Jain
I'm having an issue with s_time and s_server using the latest OpenSSL (1.1.1-dev) and tls1_3. When I use tls1_2 connections are established and data is transferred. However, when I use tls1_3 data is not transferred (connections are established). Below are the commands I use for s_time and s_

Re: [openssl-users] OpenSSL 1.1.0 providing new OIDs to source code

2017-07-11 Thread Matthias Ballreich
yes i can do this. I do it as github issue then. I hope i find time this evening to do this otherwise tomorrow. Von: openssl-users im Auftrag von Richard Levitte Gesendet: Dienstag, 11. Juli 2017 09:19:04 An: openssl-users@openssl.org Betreff: Re: [openssl-user

Re: [openssl-users] OpenSSL 1.1.0 providing new OIDs to source code

2017-07-11 Thread Richard Levitte
This all sounds a bit mysterious... would you mind sharing a test program that shows the problem, with detailed step by step instructions (among others what libraries you're running against each time)? Preferably as a github issue, but here is fine as well... Cheers, Richard In message on Mo