A TLSv1 Kx=ECDH Au=RSA
Enc=AES(128) Mac=SHA1
There isn't a cipherlist property that
specifically selects CBC, so to
get *only* CBC, you need to exclude AESGCM
(and perhaps also AESCCM).
Enjoy
Jakob
--
ming code) for when a FIPS module for 1.1.x is provided,
while leaving the blocking of accidental miscompilation in a clear
location having no other effects.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 1
S 1.3 also affects the matching TLS < 1.3 functionality, and is
separated from the APIs that control the TLS server sending a list
of client certificate CAs to clients.
This aspect was somehow missed in a recent discussion of this TLS 1.3
behavior (which I cannot find right now).
Enjoy
Jakob
unique
numbers for fast lookup during application load.
There is a source file in OpenSSL giving the assigned numbers.
You will need to add numbers for you additional exports, and
deal with the risk that a future OpenSSL release uses that
number for something else.
Enjoy
Jakob
--
Jakob Bohm, CIO
'libssl32.dll', GSCheck passes for both
32bit and 64bit.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service
On 26/11/2018 20:04, Viktor Dukhovni wrote:
On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users
wrote:
In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.
So I would suggest that any OpenSSL API to control that feature in
TL
of income is to spy on the world population for profit.
Regarding Corey's original note: SSL/TLS does not have a "username" concept
because it would be redundant or inconsistent. A certificate is a peer identifier; it
takes the place of a username.
Enjoy
Jakob
--
Jakob Bohm, CI
ith -ignoreeof and no stdin actually fails
earlier than with stdin == /dev/null
- If this is triggered by a code bug.
P.S.
On some Debian systems, cron runs scripts with stdout and stderr piped
(directly or indirectly) to a mail program that times out if a cron job
runs for a long time.
Enjo
r 1988,
p. 1195 (a_aux_rand_weak()). This is the code:
Note that since that ancient article, ARC4 was not only
invented,
but also found too insecure for modern use.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 286
On 07/01/2019 22:26, Jordan Brown wrote:
[ Off topic for OpenSSL... ]
On 1/7/2019 8:06 AM, Jakob Bohm via openssl-users wrote:
A chroot with no other reason to open /dev/null should not contain that
file name, even on unix-like platforms (least privilege chroot design).
There's always
On 07/01/2019 22:31, Steffen Nurpmeso wrote:
> Good evening.
>
> Jakob Bohm via openssl-users wrote in <95bceb59-b299-015a-f9c2-e2487a699\
> 8...@wisemo.com>:
> |Small corrections below:
> | ...
Note that I do not represent the project at all, I am just another
On 03/01/2019 12:52, Neil Craig wrote:
Thanks for the quick reply Matt. I tried -ign_eof but it had no effect,
sadly.
If anyone has any further suggestions, I¹d appreciate it very much as this
is in aid of our automated released testing for TLS1.3 on our production
traffic management service.
On 02/01/2019 11:18, Dennis Clarke wrote:
On 1/2/19 5:14 AM, Jakob Bohm via openssl-users wrote:
On 02/01/2019 10:41, Matt Caswell wrote:
On 27/12/2018 08:37, Dmitry Belyavsky wrote:
Hello,
Am I right supposing that local variables tmp1, tmp2, iv1, and iv2
are unused in
this function
.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing
stdin if -ignoreeof is set.
In particular, this avoids dealing with OS specific names of /dev/null,
as well as chroot jails without that character device.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
r has
been authenticated. Some SSH libraries may even be able to
do things like BREAK via standard SSH mechanisms.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-bindi
onstraints and extensions).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones an
know if an older PKCS#1 document (before 1.5) actually specified
this
format, only that is was present in the wild.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non
own version 1.1.1
libraries.
If so, try testing withthe command
LD_LIBRARY_PATH=/home/your/openssl-1.1.1-build-dir/somewhere openssl version
to force use of your not-yet-installed OpenSSL 1.1.1 libraries.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej
firewalls.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
as having Sender and From with different domains). Because
the plugins may not have been tested for that.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and m
ks, the document wording made it look like the OpenSSL 3 FIPS RNG would
only accept the system entropy source.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding a
that the connection is ended as soon as
allowed by the risk of creating an attack side channel.
Other OpenSSL callbacks represent the one place to do certain
complex tasks, such as choosing among different certificates,
checking against outside (networked!) revocation systems etc.
Enjoy
Jako
omehow tie themselves to the
exact shared library versions used, e.g. by linking to
versioned .so file names (such as libssl.so.3.0.2), however
this does not protect recompiling and/or debugging with an
unchanged .so name.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.
On 27/02/2019 22:18, Richard Levitte wrote:
On Wed, 27 Feb 2019 21:55:29 +0100,
Jakob Bohm via openssl-users wrote:
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL
validated modules.
A hypothetical US gov example would be using a certificate on a FIPS
validated FIPS 201 PIV ID card.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message
idate"
commands) to warn when a certificate is outside the
standards for public certificates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain err
is why using the reference count already kept by the OS
loader is such a nice solution.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors
About 25 years ago I struggled with another library that did
the same kind of unload-blocking that OpenSSL 1.1.x does. It
was sad to see a big project like OpenSSL repeat that mistake.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmar
from
updating GLIBC.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
ly unusual.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
, perhaps
on the same, perhaps on another machine.
P.S.
I don't known if the Solaris loader lets LD_LIBRARY_PATH override
RUNPATH as
presumed by the above answer.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13
te a custom BIO
that buffers the socket data and lets you look at it before passing
it to the SSL/TLS layer or directly to your code according to the
contents. This way you don't depend on the ability to make the OS
socket API do this for you.
I don't know if this ability is also in OpenSSL 1.1.x.
Enjoy
On 13/02/2019 20:12, Matt Caswell wrote:
On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
On 13/02/2019 12:26, Matt Caswell wrote:
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
Given this announcement
with all the API changes from OpenSSL 1.0.x to OpenSSL
3.0.x . OS distributions will also need some time to roll out the
resulting feature updates to end users.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
-From (etc.) pointing to that domain to only be used with
at least one of DKIM and SPF passing for header-From. Rule 5
applies, but so does rule C.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
T
On 15/02/2019 12:23, Matt Caswell wrote:
On 15/02/2019 03:55, Jakob Bohm via openssl-users wrote:
These comments are on the version of the specification released on
Monday 2019-02-11 at https://www.openssl.org/docs/OpenSSL300Design.html
General notes on this release:
- The release
gorithms should
be available in addition to the fixed sets of well-known
group parameters. In FIPS 800-56A rev 3, these are the
DH primes specified using a SEED value. Other versions of
SP 800-56A, and/or supplemental NIST documents may allow
other such group parameters.
- If permitted by th
key breach, but that's no different
from the basic RSA suites.
Public CAs no longer issue DH certificates, so these will not be
found in public services that rely on the browser/mail/OS
certificate trusts, but they may still exist in private trust
contexts not constrained by browser politics.
Enjoy
Jako
hich parts
of the documentation someone read, they could get told to use the old
interface, the new interface or not get told either way.
Personally, I just gave up and didn't use that part of OpenSSL.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søbor
A product existed, but
until then, disciplined use of the OpenSSL ca "sample" command seems to be
the best there is.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is
01-test_abort.t ok
../test/recipes/01-test_sanity.t ... Dubious, test
returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16
assembler
optimizations enabled is especially advantageous on such systems.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remo
ore likely
successor for low cost low power router hardware.
(OK, somewhere someone probably has one of the other AIX variants running -
AIX/390 might be the last non-POWER AIX to die, if I had to bet. But probably
not AIX IA64.)
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.
removed such a widely used
interface, can you point out when that was removed from the Linux
kernel?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may conta
with only one certificate available, the OpenSSL sends the
(untrusted, and in this case inappropriate) certificate, just in
case the server was somehow configured to make a special exception
for this particular case.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
smartcard) is
"away from terminal".
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
t;/etc/pki/tls"
engines: dynamic
Please let me know if you need any further details from my end.
Thanks, in advance.
Chandu
--
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its inte
On Linux x86, test programs that avoid all floating
point can be checked via the PF_USED_MATH flag or its
upcoming Linux 5.x replacement. This may be useful
in the test suite.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Di
mbedded and portable applications most likely to lack floating point
support.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remot
wondering if there is any version of OpenSSL that
does not require compiling assembly code.
Or, if there is anyone who experienced the similar problem, please
share your experience.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg
to OpenSSL 1.0.x . 1.1.x will not have FIPS
support, and 4.y.x may lack this agility.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain erro
s somewhat limited these days
since it is
not relevant for TLSv1.3 and does not get used if encrypt-then-mac
is negotiated
(which recent versions of OpenSSL will try to negotiate by default).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 S
the needed dependencies anyway.
Also, Borland C/C++ used to stick to the old OMF object file format,
not the COFF format used by Microsoft tools.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public
defined in RFC
5289 [0xc030] ECDHE-RSA-AES256-GCM-SHA384
How would I configure openssl-fips to force this precise compliance,
eliminating all other cipher suites?
Thank you.
--Larry
C++ Developer
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transforme
Is the use of OpenSSL an actual legal requirement of the certification of
the FIPS object module, or just the easiest way to use it?
Difference would be particularly significant in case someone created code
to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
enhancements (as the
.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
s).
I’d also be interested to know what is wrong with the policy page?
Only that it states the policy of stopping 1.0.2 support at end of
2019, which would be fine if a FIPS-capable replacement had been
ready by now (as is fortunately the case for non-FIPS).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partn
more easily find them).
3. If your system generates/maintains a big file with all the
trusted certs concatenated, concatenate your extra cert to the
end of that file.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct
CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
-D"OPENSSL_USE_APPLINK" -D"NDEBUG" -c
/Foapps\libapps-lib-app_rand.obj "apps\app_rand.c"*
*app_rand.c*
*C:\Users\hello\_DEV\3di\openssl\e_os.h(129): fatal error C1083:
Cannot open include file
, they are essentially black boxes and could
contain anything. It is extremely difficult, if not impossible, to
tell if the hardware RNG is good or not. This doesn’t mean that they
should not be used, it just means that using them involves another
risk assessment.
On 16 Aug 2019, at 8:42 pm, Jakob Bohm
embedded platforms?
Thanks,
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PC
/64 in an end cert.
P.S. 2001:db8::/32 is the official prefix for use in examples.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wi
-shelf CAs is nil.
Note to consumed with things in your stomach:
https://tools.ietf.org/html/draft-ietf-anima-autonomic-control-plane-20#section-6.1.2
Jakob Bohm via openssl-users wrote:
> As the author of a proposal in this area, could you define a
notation
> for IPv6 D
application data.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
tes certificates for
devices as they are manufactured.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
ers
have to ignore that extension and use heuristic guesses to choose the
DH strength.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain erro
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
ile a tool to set up initial private keys at first
boot would need to wait for the stronger entropy source (which may
in fact get initial randomness over such an encrypted early
connection!).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29,
=
Windows builds with insecure path defaults (CVE-2019-1552)
======
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-bindin
t; between you code and
the ssl dynamic library. In the second case, even if you
properly statically link with this lib, you will still need
the dll to execute your program.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søbor
;
} SHA_CTX;
Thanks,,
Read the specification of the SHA-1 algorithm (either in the FIPS 180-1
standard or in a textbook).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message
command "ADDLIB" inside
the provided MRI-style linker script. For more details see the
"ar scripts" part of the full GNU BinUtils TexInfo manual.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13
, so no trusted CA can
support it.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones
does still support P-521 but Chrome does not.
Also be aware that if you set server side cipher selection and use
default curves, that OpenSSL orders the curves weakest to strongest (
even with @STRENGTH) so you will end up forcing P-256.
On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl
characters
are "fetchmail: OpenSSL reported: err", the remaining 81 are not
shown above.
The hashed name ending in ".1" is OpenSSL looking to see if you
have more than one cert with the hash value 4a6481c9, which does
happen for some users. If you had such a second cert, OpenS
1.2 inadvisable.
With the removal of general FFDH from TLS 1.3, it has now become
advisable to implement for TLS 1.3 session but ignore for TLS 1.2
and below sessions, as if not implemented for those, at least as a
default-on compatibility option.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo
in finish message.
Which RFC/section explains this in detail?
For TLS 1.2, this is RFC5246 Section 6.2.3.2
Note that each version of TLS makes arbitrary changes to the record
encryption.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
specifically because the certificate is not issued by an
already trusted issuer.
is this an expected behavior in OpenSSL 1.1.1?
Yes.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion me
Non-zero exit status: 1
Files=1, Tests=6, 12 wallclock secs ( 0.04 usr 0.06 sys + 1.77 cusr 9.78
csys = 11.65 CPU)
Result: FAIL
*** Error 1 in . (Makefile:217 '_tests')
*** Error 1 in /home/ca/pd/security/openssl-1.1.1g (Makefile:205 'tests')
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, Wis
people cargo-culting poorly thought cipher lists
from
> some random HOWTO. Over optimising your cipherlist is subject to
> rapid bitrot, resist the temptation...
Yeah, I should have probably suggested just: CipherString = DEFAULT
There is not much point in being as close to
n PKCS7 mode until you receive a CMS message from the
peer, and then upgrade to CMS. But this winds up in a bid-down attack if
both parties run this algorithm, so you'd want to insert some extension that
said: "I can do CMS" into your PKCS7 messages.
Enjoy
Jakob
--
Jakob Bohm, CIO, Part
On 2020-04-22 15:22, Hubert Kario wrote:
On Tuesday, 21 April 2020 21:29:58 CEST, Jakob Bohm via openssl-users
wrote:
That link shows whatever anyone's browser is configured to handle
when clicking
the link.
The important thing is which browsers you need to support, like the
ones on
https
figure options (other
than endless trial and error)?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
On 12/05/2020 16:01, Matt Caswell wrote:
On 12/05/2020 14:50, Jakob Bohm via openssl-users wrote:
When running Configure in OpenSSL 1.1.1g with various options, it sometimes
silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d" .
Looking at the code here:
https://
places, and
here's just no way to know that it won't be used indefinitely.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wis
On 2020-09-01 04:26, Viktor Dukhovni wrote:
On Aug 31, 2020, at 10:57 PM, Jakob Bohm via openssl-users
wrote:
Given the practical imposibility of managing atomic changes to a single
POSIX file of variable-length data, it will often be more practical to
create a complete replacement file
) and Australia (25 Dec 2019 to 9 Jan 2020):
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-END EMAIL SIGNATURE-
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
ileges and/or enters a chroot jail, as will already be the case
for hashed certificate/crl directories.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may co
ssifications please see:
https://www.openssl.org/policies/secpolicy.html
Wouldn't a more reasonable response for 1.0.2 users have been to force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher
suites
and telling affected people to recompile with the fix off?
Enjoy
Jakob
--
an AWS hosted server, and
would be seriously inconvenienced if they got generally banned by mail
recipients.
And we did check that they were not in bad standing at spamhaus.org
before choosing them to host that server. Some of their competitors
failed those checks.
Enjoy
Jakob
--
Jakob Bohm
(21 Mar 2017), in Taiwan (5 Aug
2019) and Australia (25 Dec 2019 to 9 Jan 2020):
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-END EMAIL SIGNATURE-
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo
On 2020-09-10 09:03, Tomas Mraz wrote:
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
Wouldn't a more reasonable response for 1.0.2 users have been to
force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
cipher
suites
and telling affected people
compliant with all Linux Debian
distribution ?
Thank you in advance for your answer.
Best Regards,
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and m
ttp://www.symas.com>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
use a compatible stronger CAPI "provider" (their engines) to do
stronger hashes etc.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain er
exclusive, but the notBefore field is inclusive.
PKIX (RFC5280) says that both timestamps are inclusive, X.509 (10/2012)
says
nothing about this aspect of the interpretation of the validity structure.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformerve
, but failing to
pass that job to the CAPI engine. I was commenting on how that might be
made to work.
On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users
mailto:openssl-users@openssl.org>> wrote:
On 2020-10-23 15:45, Matt Caswell wrote:
>
> On 23/10/2020
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
* without __COUNTER__ */
/* If assertion fails, compiler will complain about invalid array size */
/* If assertion is not a const expression, compiler will complain
about that */
typedef char OSSL_const_assert_##fudge##__LINE__##_##__COUNTER__[
(BN_BYTES <= sizeof(BN_ULONG))
1001 - 1100 of 1144 matches
Mail list logo