OpenSSL not accepting a certificate, whilst curl does.

2020-09-28 Thread John Robson via openssl-users
update-ca-trust extract`). After this curl no longer complains about the certificate from the web server (expected). However OpenSSL still does (unexpected), and I presume that for the same reason(s) urllib in Python also doesn't accept the certificate. If I manually feed `openssl verify`

Re: OpenSSL not accepting a certificate, whilst curl does.

2020-09-30 Thread John Robson via openssl-users
tl;dr: Found an issue with update-ca-trust extract OpenSSL doing what it should, but update-ca-trust is only pushing the cert into some of the trust stores. Thanks Tomas On Tue, 29 Sep 2020 at 07:06, Tomas Mraz wrote: > > On Mon, 2020-09-28 at 22:35 +0100, John Robson via openssl-users

stunnel 5.57 released

2020-10-11 Thread Michał Trojnara via openssl-users
yChain = yes" (thx to Rob Hoes).   - OpenSSL DLLs updated to version 1.1.1h. * New features   - New securityLevel configuration file option.   - FIPS support for RHEL-based distributions.   - Support for modern PostgreSQL clients (thx to Bram Geron).   - Windows tooltip texts updated to

OpenSSL support for MacOS Big Sur(Cross compilation for ARM architecture/Apple silicon)?

2020-10-18 Thread Vinay Kumar via openssl-users
Hi All, As Apple is moving from Intel to ARM architecture, does OpenSSL support cross-compiling (using Xcode 12.2) on MacOS Big Sur for Apple silicon (ARM architecture)? If not, any expected date? Thanks, Vinay

Re: CAPI engine seems to break server validation

2020-10-23 Thread Jakob Bohm via openssl-users
er one. This is probably the following issue: https://github.com/openssl/openssl/issues/8872 Matt Looking at the brutal wontfixing of that bug, maybe reconsider if the existing engine interface can do PSS by simply having the CAPI/CAPIng engine export the generic PKEY type for PSS-capable RSA keys

Re: CAPI engine seems to break server validation

2020-10-26 Thread Jakob Bohm via openssl-users
the capi engine handle only the client authentication. As you understand it, would the problem breaking server verification also preclude client authentication with the capi engine? From the content of your mails, I inferred that whatever you tried to do caused OpenSSL to attempt to generate

Fencepost errors in certificate and OCSP validity

2020-10-28 Thread Jakob Bohm via openssl-users
warning, I checked what the OpenSSL code does, and it seems to be a bit more buggy: x509_vfy.c seems to be a bit ambivalent if certificate validity should be inclusive or exclusive of the time values in the certificate. apps.c seems to convert the validity duration in days as if the notAfter field is

How is the TLS Record Layer Version Selected?

2020-10-28 Thread Thomas Antonio via openssl-users
Hello, how does openSSL determine the Record Layer Version used to initiate a ClientHello message to the server? I believe the determination is made at this level. When testing using multiple implementations (Python Requests on a Debian machine and `cURL --tlsv1.2 --tls-max 1.2` from macOS) I

Re: How to make ocsp responder busy

2020-11-09 Thread Jakob Bohm via openssl-users
On 2020-11-09 09:58, Venkata Mallikarjunarao Kosuri via openssl-users wrote: Hi We are trying to work scenario to openssl OCSP responder busy, but we are not sure how to make OCSP responder busy could please throw some pointer to work on. Ref https://www.openssl.org/docs/man1.0.2/man1

RSA_METHOD.rsa_sign not called in FIPS mode

2020-11-09 Thread Paul O'Keefe via openssl-users
I'm using an OpenSSL engine that uses the RSA_FLAG_SIGN_VER flag and implements RSA_METHOD.rsa_sign() instead of rsa_priv_enc(). This is mainly because of the requirement that it work with Windows CryptoAPI which does not support low-level RSA signing (see CAPI engine). Everything works

Re: Server application hangs on SS_read, even when client disconnects

2020-11-16 Thread Jakob Bohm via openssl-users
3 nov. 2020 à 15:43, Michael Wojcik mailto:michael.woj...@microfocus.com>> a écrit : > From: openssl-users mailto:openssl-users-boun...@openssl.org>> On Behalf Of Brice André > Sent: Friday, 13 November, 2020 05:06 > ... it seems that in some rare execution cases, the server performs a

TLS with Client Authentication using private key from Windows store

2020-11-23 Thread Ferenc Gerlits via openssl-users
Hi, I am trying to use openssl to implement a client-side TLS connection with Client Authentication on Windows, using a non-exportable private key stored in the Windows Certificate Store. Currently, our code can use a private key stored in a local file, and if the key in the Windows store was

Re: Regarding #def for 'SSL_R_PEER_ERROR_NO_CIPHER' and 'SSL_R_NO_CERTIFICATE_RETURNED' in openssl3.0

2020-12-07 Thread Jakob Bohm via openssl-users
On 07/12/2020 12:39, Matt Caswell wrote: On 04/12/2020 13:28, Narayana, Sunil Kumar wrote: Hi,     We are trying to upgrade our application from openssl usage of 1.0.2 to openssl 3.0, during which we observe following errors. Looks like the below #def been removed from 1.1

RE: DH_generate_key

2020-12-08 Thread Sands, Daniel via openssl-users
Dear openssl team, While migrating from 1.0.2 to 3.0, we found that DH_generate_key() has been deprecated. And as per the man page, it is advised to use EVP_PKEY_derive_init<https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_init.html> & EVP_PKEY_de

Re: Help with SSL 8152 SEC_ERROR_INVALID_KEY Intermittent Error (first post please be kind!)

2020-12-09 Thread Benjamin Kaduk via openssl-users
rd party and same connection type > but not reported this issue. > > Has anyone got any clue as to what might be causing this type of > intermittent connection issue ? As was already noted, this is not an error generated by OpenSSL. More concretely, RFC 8152 is for CBOR Object Signing

RE: DH_compute_key () - replacement in 3.0

2020-12-14 Thread Sands, Daniel via openssl-users
to exactly replace this we are generating “pubparam_key/priparam_key” using bn_publicKey/dh->priv_key as below OSSL_PARAM_BLD *pubparamsbld = NULL, priparamsbld = NULL; OSSL_PARAM *pubparams = NULL, priparams = NULL; EVP_PKEY *pubparam_key = NULL, *priparam_key = NULL; EVP_PKEY_CTX *pubctx =

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-15 Thread Sands, Daniel via openssl-users
We have generated the key using EVP_PKEY_gen as suggested in earlier emails, but since this was a non-ephemeral and we wanted to store the key in "raw" octet bytes, so we extracted the whole DH priv/pub key pair out from the key generated via EVP_PKEY_gen (using as suggested… EVP_PKEY

p12 bundle for Android (WiFi EAP-TLS)

2020-12-16 Thread Kostya Berger via openssl-users
Hello, everyone! I'm creating a p12 bundled certificate (I used it for Android phone). Used both easyrsa command and, alternatively, openssl command as shown in many manuals, like this: openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "name" -out cli

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-16 Thread Sands, Daniel via openssl-users
version. Note that the inputs are same in both scenario. The generated key should be random. So unless you seed your PRNG with a constant value, you should always generate a different public/private keypair. Between OpenSSL versions, the PRNG may have changed, so I would not depend on them to

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-17 Thread Sands, Daniel via openssl-users
From: Narayana, Sunil Kumar Sent: Thursday, December 17, 2020 8:17 AM To: Sands, Daniel ; openssl-users@openssl.org Subject: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0 Hi, For the equivalent replacement of DH_compute_key in 3.0, we tried to perform the steps

BIO_s_file() and files that are larger than int - how is overflow handled?

2020-12-24 Thread Graham Leggett via openssl-users
Hi all, According to the manpage at https://www.openssl.org/docs/man1.1.0/man3/BIO_s_file.html the macro BIO_tell() casts to int: /opt/local/include//openssl/bio.h:# define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) What happens if the file being parsed is larger than can fit in

Failing unit tests after adding public key check to pkey_ec_derive()

2020-12-29 Thread Patrick Jakubowski via openssl-users
Hi all, I've been tasked with making some modifications to OpenSSL 1.1.1 in order to bring it into compliance with FIPS 140-2. One of the items on the to-do list was to implement the required key agreement scheme assurances specified in NIST SP.800-56Ar3 Section 9. This involves performing

Re: Failing unit tests after adding public key check to pkey_ec_derive()

2020-12-31 Thread Patrick Jakubowski via openssl-users
KEY public/private keypair and then overrides it with the server public key, so the generation was a waste anyway. Instead, it should create a parameters-only EVP_PKEY. (This is a consequence of OpenSSL using the same type for empty key, empty key with key type, empty key with key type + parameters,

Re: Random and rare Seg faults at openssl library level

2021-01-08 Thread Jakob Bohm via openssl-users
On 2021-01-07 18:05, Ken Goldman wrote: On 1/7/2021 10:11 AM, Michael Wojcik wrote: $ cat /etc/redhat-release && openssl version CentOS Linux release 7.9.2009 (Core) OpenSSL 1.0.2k-fips  26 Jan 2017 Ugh. Well, OP should have made that clear in the original message. And this is on

Re: Fwd: channel binding

2021-01-11 Thread Benjamin Kaduk via openssl-users
On Sun, Jan 10, 2021 at 02:44:38PM +, Jeremy Harris wrote: > Hi, > > What is the status of SSL_get_finished() / SSL_get_peer_finished() ? > > I do not find them documented at > > https://www.openssl.org/docs/manmaster/man3/

Re: Fwd: channel binding

2021-01-11 Thread Benjamin Kaduk via openssl-users
On Mon, Jan 11, 2021 at 09:26:30PM +, Jeremy Harris wrote: > On 11/01/2021 08:20, Benjamin Kaduk wrote: > > Current recommendations are not to use the finished message as the channel > > binding but instead to define key exporter label for the given usage > > (see > > https://urldefense.com/v3

Re: Fwd: channel binding

2021-01-11 Thread Benjamin Kaduk via openssl-users
ck with the Finished-based channel bindings; the exporter > > interface is a new protocol mechanism and the whole protocol/ecosystem has > > to be expecting to use it. > > Right. So we have implementations out there using it; will the OpenSSL > project consider promoting it to suppor

Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Kaduk, Ben via openssl-users
No. OpenSSL does not include any CBOR protocol support. I'm also not sure what you mean by "CBOR-encoded certificate"; I don't know of any such thing other than https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/ which is very much still a wor

Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Benjamin Kaduk via openssl-users
X.509-conformant certificates). > > Thanks > > Regards, > Uri > > > On Jan 20, 2021, at 19:26, Kaduk, Ben wrote: > > > > No. OpenSSL does not include any CBOR protocol support. > > I'm also not sure what you mean by "CBOR-encoded certificate"

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Jakob Bohm via openssl-users
On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider.  It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider.  These

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
Does that mean that OpenSSL 3.0 will not have a true "FIPS mode" where all the non-FIPS algorithms are disabled, but the FIPS-independent schemes/protocols in the "default" provider remains available? Remember that in other software systems, such as OpenSSL 1.0.x and MS

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
ode can be easily achieved with OpenSSL 3.0 - either by loading just the fips and base provider, or by loading both default and fips providers but using the "fips=yes" default property (without the "?"). The PKCS12KDF does not work because it is not an FIPS approved KDF algorithm s

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
If the context does not limit the use of higher level compositions, then OpenSSL 3.0 provides no way to satisfy the usual requirement that a product can be set into "FIPS mode" and not invoke the non-validated lower level algorithms in the "default" provider. The usual contex

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
If that is a hypothetical context, what context is the official design goal of the OpenSSL Foundation for their validation effort? On 2021-01-28 11:26, Tomas Mraz wrote: This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
wrote: I am trying to provide a test certificate generated by openssl-3.0.0-alpha10 to a third party certificate parser/manager. This software expects AlgorithmIdentifier to either have parameters or to have null encoded (05 00) parameters which seems to be missing in the certificate. Cer

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
: *openssl-users-bounce on behalf of openssl-users *Organization: *WiseMo A/S *Reply-To: *Jakob Bohm *Date: *Thursday, January 28, 2021 at 21:10 *To: *openssl-users *Subject: *Re: Encoding of AlgorithmIdentifier with NULL parameters Also note that the official ASN.1 declaration for

stunnel 5.58 released

2021-02-20 Thread Michał Trojnara via openssl-users
(thx to Martin Stein).   - Fixed a double free with OpenSSL older than 1.1.0 (thx to     Petr Strukov).   - OpenSSL DLLs updated to version 1.1.1j. * New features   - New 'protocolHeader' service-level option to insert custom     'connect' protocol negotiation headers.  This feat

ASN.1 encoding error

2021-02-25 Thread John Robson via openssl-users
', 'illegal padding'), ('asn1 encoding routines', > 'asn1_template_noexp_d2i', 'nested asn1 error'), ('asn1 encoding routines', > 'asn1_template_noexp_d2i', 'nested asn1 error'), ('SSL routines', > 'tls_proce

Re: ASN.1 encoding error

2021-02-25 Thread Benjamin Kaduk via openssl-users
That sounds like the certificate is encoded using ASN.1 BER rules, that openssl accepts, but the python library is insisting on DER encoding (per the spec). -Ben On Thu, Feb 25, 2021 at 05:19:32PM +, John Robson via openssl-users wrote: > Hi all, > > I'm encountering an error

Re: ASN.1 encoding error

2021-02-25 Thread John Robson via openssl-users
hat I am seeing. Thanks, John On Thu, 25 Feb 2021 at 17:29, Benjamin Kaduk wrote: > That sounds like the certificate is encoded using ASN.1 BER rules, that > openssl > accepts, but the python library is insisting on DER encoding (per the > spec). > > -Ben > > On Thu, Feb 25

Re: PEM file line size

2021-02-25 Thread Benjamin Kaduk via openssl-users
On Thu, Feb 25, 2021 at 03:30:43PM -0800, Frank Liu wrote: > Looking at test cases > https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/test/recipes/04-test_pem.t > >

Re: Query on SSL Mutual Authentication on Server

2021-03-02 Thread Jakob Bohm via openssl-users
if (calist == NULL) { /* log error loading client CA names */ } SSL_CTX_set_client_CA_list(server_ctx, calist); If yes, Is it expected to do the IP or hostname validation? Neither, authorization of the client is up to you. OpenSSL will check the dates, validity of the signa

Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string

2021-03-07 Thread Benjamin Kaduk via openssl-users
Hi Stephen :) The API you'll want to use is EVP_PKEY_fromdata(); there's a stubbed out example of using it to make an EVP_PKEY with EC group parameters at https://github.com/openssl/openssl/issues/14258#issuecomment-783351031 but the translation to also specify OSSL_PKEY_PARAM_PRI

Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string

2021-03-08 Thread Benjamin Kaduk via openssl-users
make an EVP_PKEY with > > EC group parameters at > > https://github.com/openssl/openssl/issues/14258#issuecomment-783351031 > > but the translation to also specify OSSL_PKEY_PARAM_PRIV_KEY > > (and possibly OSSL_PKEY_PARAM_PUB_KEY; I forget if you need > > to pass bot

OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-03-23 Thread Bala Duvvuri via openssl-users
Hi All, In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation. Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for entropy and nonce generation. How can this be achieved with EVP_RAND implementation i.e. does it allow entropy to b

libcrypto.a and FIPs module in OpenSSL 3.0

2021-03-26 Thread Bala Duvvuri via openssl-users
Hi All, We build the "crypto" code in OpenSSL to generate "libcrypto.a" for MIPs platform. Our application links statically with "libcrypto.a" and uses the OpenSSL crypto API's accordingly. With this compilation model, will it be feasible to integrate with

FIPs algorithm code vs default implementation

2021-03-28 Thread Bala Duvvuri via openssl-users
Hi All, This is a basic question regarding FIPs algorithm code in OpenSSL 3.0, can you kindly let me know: 1> Can you please help to understand the differences in the FIPs algorithm implementation code vs default? Are there additional validations performed in FIPs code? Can

Unable to load the FIPs config file OpenSSL 3.0

2021-03-30 Thread Bala Duvvuri via openssl-users
ail:crypto/provider_core.c:557:name=fips 00FFF2406000:error:076D:configuration file routines:(unknown function):module initialization error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect retcode=-1 Version: OpenSSL 3.0.0-alpha13 11 Mar 2021 ~ # ls -lrt providers/ -rwxrwxrwx

Porting to version 1.1.1 with old Linux kernel 3.0.8

2021-04-05 Thread Boris Shpoungin via openssl-users
Hello, Is there minimal requirements for Linux kernel for usage of openssl library version 1.1.1? I have old application based on Linux kernel 3.0.8 which uses openssl version 1.0.2. My question is whether it is possible to port this application to use openssl version 1.1.1 in Linux 3.0.8

Re: Porting to version 1.1.1 with old Linux kernel 3.0.8

2021-04-05 Thread Boris Shpoungin via openssl-users
er it describes ALL required modification? On Monday, April 5, 2021, 03:57:36 PM EDT, Viktor Dukhovni wrote: > On Apr 5, 2021, at 11:16 AM, Boris Shpoungin via openssl-users > wrote: > > Is there minimal requirements for Linux kernel for usage of openssl library > versio

stunnel 5.59 released

2021-04-05 Thread Michał Trojnara via openssl-users
Dear Users, I have released version 5.59 of stunnel. ### Version 5.59, 2021.04.05, urgency: HIGH * Security bugfixes   - OpenSSL DLLs updated to version 1.1.1k. * New features   - Client-side "protocol = ldap" support (thx to Bart     Dopheide and Seth Grover). * Bugfixes   - The

Using SSL_CTX_set_min_proto_version

2021-04-06 Thread Tamara Kogan via openssl-users
Hello, In our client application we are trying to set TLS 1.2 in ClientHello message. The OpenSSL version is 1.1.1h We use the function SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION); If I test the version right after setting it does return 1.2 SSL_CTX_get_proto_version(ssl->

Re: Using SSL_CTX_set_min_proto_version

2021-04-07 Thread Tamara Kogan via openssl-users
> From: Matt Caswell > Subject: Re: Using SSL_CTX_set_min_proto_version > Date: April 6, 2021 at 2:13:02 PM EDT > To: openssl-users@openssl.org > > > On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote: >> Hello, >> In our client application we are try

Compilation issue with 1.1.1k version

2021-04-07 Thread Boris Shpoungin via openssl-users
Hello, I am using cross compiler toolchain (arm-hisiv200-linux-gnueabi) to compile openssl library for arm based custom board. I had no problems to compile version 1.1.1a, however I am having troubles to compile versions 1.1.1i and 1.1.1k: ${LDCMD:-arm-hisiv200-linux-gnueabi-gcc} -pthread -Wa

Symbols X509_set_notAfter and X509_set_notBefore are missing

2021-04-09 Thread Robert Smith via openssl-users
Hello, I am porting application from openSSL version 1.0.2u to 1.1.1k and linker complains that symbols X509_set_notAfter and X509_set_notBefore are missing. I've checked both versions 1.0.2u and 1.1.1k and I see that these symbols really are not present in 1.1.1k.  user@ubuntu_dev_vm:~/

Re: Symbols X509_set_notAfter and X509_set_notBefore are missing

2021-04-09 Thread Benjamin Kaduk via openssl-users
They are macros now. You should still be able to build code that uses them. -Ben On Fri, Apr 09, 2021 at 08:03:28PM +, Robert Smith via openssl-users wrote: > Hello, > I am porting application from openSSL version 1.0.2u to 1.1.1k and linker > complains that symbols X509_set_not

Re: Symbols X509_set_notAfter and X509_set_notBefore are missing

2021-04-09 Thread Robert Smith via openssl-users
te.cpp:202: undefined reference to `X509_set_notAfter' Any idea? On Friday, April 9, 2021, 04:13:32 PM EDT, Benjamin Kaduk wrote: They are macros now.  You should still be able to build code that uses them. -Ben On Fri, Apr 09, 2021 at 08:03:28PM +, Robert Smith via openssl-users wrot

Strange warnings while linking to openssl version 1.1.1k

2021-04-12 Thread Robert Smith via openssl-users
Hi, I am getting the following warning while linking my app to openssl version 1.1.1k. Could you advise what can cause these warnings and how to resolve them? Thanks ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `ASYNC_is_capable': async_posix.c:(.text

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-14 Thread Bala Duvvuri via openssl-users
s invoked for the entropy/nonce consumption (any specific callbacks set)? Can you please explain the steps or example of the usage? 2> Also, we need set DRBG for CAVS test (Input: EntropyInput, Nonce, PersonalizationString, AdditionalInput, EntropyInputPR, AdditionalInput, EntropyInputPR),

Re: PKCS7_decrypt vs RSA OAEP padding

2021-04-15 Thread Jakob Bohm via openssl-users
On 2021-04-15 12:57, Michal Moravec wrote: Follow-up on my previous email: I modified my proof-of-problem program to load PKCS7 file into PKCS7 and convert it to CMS_ContentInfo using the BIO (See convert.c in the attachment). It is similar to this: handle_encrypted_content(SCEP *handle, SC

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-16 Thread Bala Duvvuri via openssl-users
/implementations/rands/test_rng.c and the code to run NIST test. Still finding it a bit difficult to wrap around these new APIs In the old implementation using OpenSSL 1.1.1, to generate random numbers: a> we have set the callback for custom entropy (using RAND_DRBG_set_callbacks) for

req command with -multivalue-rdn set

2021-04-19 Thread Alberto Martin via openssl-users
I'm trying to create a certificate request with a multivalue RDN which involves CN+UID. I achieved the encoded multi-value RDN, but I want the UID being encoded first and then the CN. I always get the CN first, no matter what I put in the -subj "/CN=value+UID=value" or "/UID=value+CN=value". Changi

Linker failure after compilation with "enable-crypto-mdebug"

2021-04-26 Thread Robert Smith via openssl-users
Hello everyone. I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:    Creating library apps\openssl.lib and object apps\openssl.expopenssl.obj : error LNK2019: unresolved ext

Re: Linker failure after compilation with "enable-crypto-mdebug"

2021-04-28 Thread Robert Smith via openssl-users
M EDT, Jan Just Keijser wrote: Hi, On 26/04/21 20:29, Robert Smith via openssl-users wrote: Hello everyone. I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:

Switch hangs for significant amount of time when using RAND_write_file API with openssl version 1.1.1h and above.

2021-05-06 Thread Sravani Maddukuri via openssl-users
Hi, I have updated the openssl version running on the switch from 1.1.1g to 1.1.1h and eventually to 1.1.1k. Starting 1.1.1h, I am observing that the switch hangs for a significant amount of time (> 3 minutes) when the call RAND_write_file is invoked from the switch software. The same c

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
On 2021-05-19 19:56, Michael McKenney wrote: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f.   Usually Ubuntu upgrades don’t break it. OpenSSL 1.1.1f  31 Mar 2020 (Library: OpenSSL 1.1.1k  25 Mar 2021) built on: Thu Apr 29 14:11:04 2021 UTC

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
of the following diagnostic commands (after Ubuntu apparently undid your upgrade). $ dpkg --status libssl1.1 $ dpkg --status libssl-dev $ dpkg --status openssl $ type openssl $ openssl version -a $ ls -alF /usr/lib/x86_64-linux-gnu/libssl* $ ls -alF /usr/locallib/libssl* Oops, my bad, should have

Support for ECDH One-pass in "openssl cms enc"

2021-05-23 Thread Henning Krause via openssl-users
Hi, I'm trying to encrypt an email using the ECDH One-Pass algorithm. I've first created an X509 certificate with an EDSA key based on the curve prime256v1. Then, I ran this command: openssl cms -encrypt -in Unencrypted.eml -binary -recip ecc.cer -aes256 -keyopt ecdh_kdf_md:sha2

Re: Support for ECDH One-pass in "openssl cms enc"

2021-05-24 Thread Henning Krause via openssl-users
Hi, after studying the different key generator functions more closely I came to the conclusion that, since the Prime256 curve has a cofactor of 1, both KDF should produce the same value and so everything has cleared up. Kind regards, Henning From: openssl-users

X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-05-28 Thread Graham Leggett via openssl-users
b.com/openssl/openssl/blob/master/crypto/x509/x509_trs.c#L72 int X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; int idx; /* We get this as a default value */ if (id == X509_TRUST_DEFAULT) return obj_trust(NID_anyExtendedKeyUsage, x,

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
My wordpress servers are under constant attack. My Fortinet 60E firewall logs are filled. Openssl is constantly reported on The Hacker News and other sites. So I don't need to worry about upgrading OpenSSL in the future to 1.1.1k or above? I can just use what the distro has to off

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
Keijser ; openssl-users@openssl.org Subject: Re: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux? If you use a supported distro (i.e., one that is not out of life) then the distro is expected to supply CVE issue fixes in form of updates. They us

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
cryptology. The OpenSSL bugs state to upgrade beyond 1.1.1f. -Original Message- From: openssl-users On Behalf Of Mauricio Tavares Sent: Monday, May 31, 2021 7:45 AM To: openssl-users@openssl.org Subject: Re: Why can't we get a proper installation method to keep OpenSSL at the l

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
I have never had a break in. The Fortinet 60E firewall does an amazing job. I will just leave it up to Ubuntu to provide the best OpenSSL solutions. Many people complain Ubuntu LTS is never on the latest kernel and lacks other things the 9 month distros like 21.04 and 21.10 give you. I

Re: FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-06-01 Thread Jakob Bohm via openssl-users
h "default" X509_VERIFY_PARAM From: openssl-users On Behalf Of Graham Leggett via openssl-users Sent: Friday, 28 May, 2021 06:30 I am lost - I can fully understand what the code is doing, but I can’t see why openssl only trusts certs with “anyExtendedKeyUsage”. Interesting. I wondered if thi

Checking a single signature from several in S/MIME

2021-06-08 Thread Laurent Blume via openssl-users
er, not all of them? // Signing openssl smime -binary -sign -nodetach -in file -out file.signed -inkey key1.pem -signer cert1.pem -inkey key2.pem -signer cert2.pem // this command fails with signer certificate not found" openssl smime -binary -verify -nointern -noverify -certfile cert

Best practice for distributions that freeze OpenSSL versions and backports

2021-06-08 Thread Jakob Bohm via openssl-users
Dear team, It would be nice if there was a user- and security-friendly best practice document for distributions (such as Linux distributions) that freeze on an OpenSSL release version (such as 1.1.1z) and then backport any important fixes. Perhaps something like the following: 1. The

enforce ALPN overlap?

2021-06-09 Thread Jan Schaumann via openssl-users
Hello, Based on https://alpaca-attack.com/, I was looking at how a TLS connection with ALPN set to e.g., "banana" by the client to a server that has ALPN set to "h2" would behave. For example: $ openssl s_server -www -accept 443 -alpn h2 \ -key /tmp/key.pem -cer

Re: enforce ALPN overlap?

2021-06-09 Thread Jan Schaumann via openssl-users
Jan Schaumann via openssl-users wrote: > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Same for TLS 1.2, btw. (I accidentally copied the default output when writing the email.) -Jan

using the DSA signature algorithm of OpenSSL

2021-06-14 Thread Elmar Stellnberger via openssl-users
I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very short RFC). As far as I could try it out (see my attachment) there are two ways to sign and verify with OpenSSL/DSA: via the EVP interface and via

Re: using the DSA signature algorithm of OpenSSL

2021-06-14 Thread Elmar Stellnberger via openssl-users
Oops, forgot to sha1; now it works. Am 14.06.21 um 11:20 schrieb Elmar Stellnberger via openssl-users:   I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very short RFC).   As far as I could try it out

Re: openssl verify question

2021-06-17 Thread Jakob Bohm via openssl-users
On 2021-06-17 15:49, Viktor Dukhovni wrote: On Sat, Jun 12, 2021 at 10:20:22PM +0200, Gaardiolor wrote: When I compare those, they are exactly the same. But that's the thing, I think server.sig.decrypted should be prepended with a sha256 designator 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 0

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 06:38, sami0l via openssl-users wrote: I'm curious how exactly an SSL client verifies an SSL server's certificate which is signed by a CA. So, during the SSL handshake, when the server sends its certificate, will the SSL client first check the `Issuer`'s `CN` fiel

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 16:23, Michael Wojcik wrote: From: openssl-users On Behalf Of Jakob Bohm via openssl-users Sent: Friday, 18 June, 2021 07:10 To: openssl-users@openssl.org Subject: Re: reg: question about SSL server cert verification On 2021-06-18 06:38, sami0l via openssl-users wrote: I

Re: reg: question about SSL server cert verification

2021-06-19 Thread Jakob Bohm via openssl-users
On 2021-06-18 17:07, Viktor Dukhovni wrote: On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote: Now the client simply works backwards through that list, checking if each certificate signed the next one or claims to be signed by a certificate in /etc/certs.  This

Re: 3.0 beta1 feedback about (shared) library names

2021-06-21 Thread Benjamin Kaduk via openssl-users
dpkg -S /usr/lib/x86_64-linux-gnu/libssl3.so > libnss3:amd64: /usr/lib/x86_64-linux-gnu/libssl3.so > something up there that should be concerning, because maybe it will cause > confusion. NSS is the mozilla TLS stack, used by firefox/etc. > My newly installed openssl 3 has: > > %ls

Re: Can OpenSSL handle multiple authentication mechanisms on the same SSL context?

2021-06-21 Thread Benjamin Kaduk via openssl-users
On Tue, Jun 22, 2021 at 04:18:25AM +, Revestual, Raffy [AUTOSOL/PSS/MNL] wrote: > Also asked this question in stackoverflow.com > > https://urldefense.com/v3/__https://stackoverflow.com/questions/68077419/can-openssl-handle-multiple-authentication-mechanisms-on-the-same-ssl-

Hi

2021-06-29 Thread Jean Sweeny via openssl-users

openssl 1.1.1k: missing d2i_X509 function prototype

2021-06-30 Thread Konstantin Boyandin via openssl-users
Hello, OpenSSL version: 1.1.1k. I noticed that X509 *d2i_X509(X509 **px, const unsigned char **in, long len); function is no longer defined in openssl/x509.h available in 1.0.x versions, the only one available is now X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length); Do I

Re: openssl 1.1.1k: missing d2i_X509 function prototype

2021-06-30 Thread Konstantin Boyandin via openssl-users
On 01.07.2021 08:04, Viktor Dukhovni wrote: > On Thu, Jul 01, 2021 at 12:36:10AM +, Konstantin Boyandin via openssl-users wrote: > >> OpenSSL version: 1.1.1k. >> >> I noticed that >> >> X509 *d2i_X509(X509 **px, const unsigned char **in, long len);

Re: email notice [was: Not getting some macros for FIPS]

2021-07-01 Thread Jakob Bohm via openssl-users
orporate filter that automagically adds those. And oh boy! openssl-users having almost 3000 subscribers, that's quite a lot of people to chase down and ensure they have destroyed all copies, I tell ya! "Good luck" is probably an appropriate response ;-) Which is why I have set

Time for OpenSSL 1.1.1l?

2021-07-07 Thread Short, Todd via openssl-users
The cadence of 1.1.1 release is supposed to be quarterly (I seem to recall reading that somewhere, but I can't find it)? It has been almost 4 months since 1.1.1k (25-March-2021) was released. Are there any plans for 1.1.1l (ell)? -- -Todd Short // tsh...@akamai.com // “One if by land, two if by

Re: query on key usage OIDs

2021-07-16 Thread Jakob Bohm via openssl-users
Question was how to retrieve those lists for any given certificate, using currently supported OpenSSL APIs. The lists of usage bits and extusage OIDs in any given certificate are finite, even if the list of values that could be in other certificates is infinite. On 2021-07-16 06:44, Kyle

OpenSSL 3.0.0 beta1 link issues on Solaris 10

2021-07-25 Thread Dennis Clarke via openssl-users
and the library search path however that resulted in a pile of undefined symbols. So then I went and deleted my previous 1.1.1k libs and the openssl binary and tried the manual link once again with success. Not sure if anyone else runs into this but I would hope that the previous libs would not be

OpenSSL 3.0.0 beta1 with a vast number of failures

2021-07-25 Thread Dennis Clarke via openssl-users
After some work to clean out previous versions of OpenSSL 1.1.1x for some x I was able to get 3.0.0 beta1 to build. However it looks like some horrific perl problem in the test harness : # -- # Failed test '

Re: OpenSSL 3.0.0 beta1 link issues on Solaris 10

2021-07-25 Thread Dennis Clarke via openssl-users
oblem but > we still require help testing. Not a problem. I do understand. This is not exactly a common platform anymore but the things just keep on running. And running. > This would best be raised as an issue on GitHub > [https://github.com/openssl/openssl/issues/new?assignees=&

OpenSSL 3.0.0 beta1 test results on Sun/Oracle Solaris SPARC64 ( Fujitsu )

2021-07-26 Thread Dennis Clarke via openssl-users
ing modes_internal_test # -- # Failed test 'running modes_internal_test' # at /opt/bw/build/openssl-3.0.0-beta1_sunos5.10_sparcv9.002/util/perl/OpenSSL/Test/Simple.pm line 77. # Looks like you failed 1 test of 1.03-test_internal_modes.t ... Dubious, test returned 1 (wstat 2

Re: Wrong signature type error trying to connect to gibs.earthdata.nasa.gov on Ubuntu 20.04

2021-07-28 Thread Andrea Giudiceandrea via openssl-users
Hi Tomáš and openssl users, finally the server at gibs.earthdata.nasa.gov was upgraded in order to support SHA256 (instead of SHA1) as peer signing digest algorithm. So, it is now possible to properly connect to it on Ubuntu 20.04 without the need to lower the default SECURITY LEVEL from 2

Accessing bignums of a RSA key with OpenSSL 3.0?

2021-07-30 Thread Olivier Mascia via openssl-users
Dear all, Testing migration to OpenSSL 3.0. Got to update some code building a JWK (in relation to ACME LetsEncrypt protocols). Having an EVP_PKEY which happens to be a RSA key, I proceeded this way (1.1.1) to extract the bignums needed for inclusion into the JWK: // Access the

Re: Accessing bignums of a RSA key with OpenSSL 3.0?

2021-07-30 Thread Olivier Mascia via openssl-users
AM_RSA_N, n2); EVP_PKEY_set_bn_param(mKey, OSSL_PKEY_PARAM_RSA_E, e2); EVP_PKEY_set_bn_param(mKey, OSSL_PKEY_PARAM_RSA_D, d2); But how to get the proper int type to pass to EVP_PKEY_set_type()? Thanks all for support switching to OpenSSL 3.0. __ Best Regards, Meilleures salu
