Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-18 Thread Salz, Rich
There are *no* secure SSLv3 ciphers. If you need to support it (for legacy clients), then the best you can do is use the poodle patch, the SCSV indicator which will at least prevent clients that are capable of more from being downgraded.

[openssl-users] The manpages are on the website now

2015-08-19 Thread Salz, Rich
As a new feature, all releases are now online, including master. There are still some links broken. We could use some Perl hacking help. If you know how to add -podpath searching into Pod::XHTML, please get in touch. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter:

Re: [openssl-users] Privacy considerations - identity hiding from eavesdropping in (D)TLS

2015-08-21 Thread Salz, Rich
Are there any recommended ways to avoid certificates being sent in cleartext? That is, to first establish an anonymous encrypted channel, and then to authenticate within the encrypted channel. Not without breaking the protocol. I am also aware of some of the work in progress on TLS 1.3. It

Re: [openssl-users] [openssl-announce] Website changing this weekend

2015-08-21 Thread Salz, Rich
It seems to be that when a new branch was released then none of the subsequent changes for older branches are available. So almost all the recent 0.9.8 changelogs, and 1.0.0 changelogs are missing. Yeah, we need to figure out how to fix that. I'll make sure the team sees it.

Re: [openssl-users] [openssl-announce] Website changing this weekend

2015-08-20 Thread Salz, Rich
Many of the changelogs have disappeared - for example try finding the changelog between 0.9.8n and 0.9.8o on https://www.openssl.org/news/changelog.html. This applies to lots of other releases too. Thanks. It seems that the 0.9.8n - 0.9.8o changes are only in the 0.9.8 branch. We pull the

Re: [openssl-users] Online manuals no longer accessible

2015-08-16 Thread Salz, Rich
I noticed this weekend that the man pages are no longer available from the OpenSSL.org site. The site is beautiful, but the man pages are really needed. For example: try openssl.org/docs/ssl/ or openssl.org/docs/apps/ Please see the blog. We're working on it. Might be a couple of days.

Re: [openssl-users] [openssl-announce] Website changing this weekend

2015-08-23 Thread Salz, Rich
It seems to be that when a new branch was released then none of the subsequent changes for older branches are available. So almost all the recent 0.9.8 changelogs, and 1.0.0 changelogs are missing. Well, yeah, kinda. I updated the page to explain this a bit. And I also put all the branch

Re: [openssl-users] FW: Website changing this weekend

2015-08-20 Thread Salz, Rich
I'm curious why the new download page lists version 1.01p before version 1.02d? Is it suggesting that users download the 1.01 branch instead of the later one? They're listed in time-order, not alpha order. Should perhaps fix that.

[openssl-users] We're working on license changes

2015-07-31 Thread Salz, Rich
Please see https://www.openssl.org/blog/blog/2015/08/01/cla/ for some more details. Summary: Moving to Apache 2, CLA's coming, it will take time. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] [openssl-1.0.2d] default SSL handshake fails

2015-08-10 Thread Salz, Rich
Specifically, a number of decisions have the feel of a project that has been co-opted or taken over by someone eager to make sweeping changes for little apparent reason, someone with lots of idle lawyers on hand, like Microsoft, various corporate partners, the CII, and/or the SFLC (using a

[openssl-users] FW: Website changing this weekend

2015-08-14 Thread Salz, Rich
From: Salz, Rich [mailto:rs...@akamai.com] Sent: Friday, August 14, 2015 4:20 PM To: openssl-annou...@openssl.org Subject: [openssl-announce] Website changing this weekend We're bringing up a new website this weekend. Please be patient if you have problems. If you notice any broken links, let

Re: [openssl-users] X509_STORE manipulations and thread-safety

2015-08-12 Thread Salz, Rich
Is it safe to have a thread reload trusted certificates and crls into a SSL_CTX's X509_STORE while connections are running in other threads, especially when considering renegotiations? As a general rule, multi-thread simultaneous access doesn't work and will often make things go ka-boom.

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
Actually that isn't quite right.  A properly configured and tuned RBAC  policy, when combined with PaX, can very effectively limit all userspace activity (including root access!).  How do you know that the module is installed and actually doing things? How do you know what kernel is

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
What you want is application-specific, not part of the TLS protocol. So you have to use SSL_read/SSL_write and pull the data out as needed. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
But is there a way to send text files through SSL_write()? No.

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
But there is a way in which the server sends a test( for example a random number) and the client signs it with his private key right? It's called mutual (or client-side) authentication and is part of the TLS protocol. The client must have an X.509-style certificate.

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Salz, Rich
If it's a simple matter of adding =0 in the declaration, we should just fix the darn thing.

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Salz, Rich
For the stragglers, I don't think it's a stretch to ask C99 in 2015. We agreed to support Netware; does it have C99? Anyone know?

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

2015-07-14 Thread Salz, Rich
This is important when creating root certs with expiry dates after 2038 Not an issue for openssl. As long as you use ASN1_TIME values, it's okay. Might be an issue if converting to time_t on 32-bit platforms.

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

2015-07-14 Thread Salz, Rich
if ASN1_TIME_set_string() avoids that limitation, despite Viktor's suggestion to never use it. It does avoid the limitation, using only |struct tm| to hold parsed fields, and not building a |time_t| from it. Not sure why Viktor doesn't like it. It seems to me it's the only portable thing to

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
If someone builds their own openssl and adds a few lines to print the keys during encrypt and decrypt and puts the library in the LD_LIBRARY_PATH, it may result in compromising the security of the keys. Can anyone other than root do this? You have to trust root. They could just cat your

Re: [openssl-users] [openssl-dev] FW: Website changing this weekend

2015-08-24 Thread Salz, Rich
From the https://www.openssl.org/docs/manmaster/crypto/crypto.html page - the links to x509v3, asn1, stack and txt_db are broken. Yes, cross-refs within the manpages are still often broke. We're working on that. - it's unclear what INTERNAL FUNCTIONS means. UTILITY is a better word,

Re: [openssl-users] OpenSSL public repository, bug tracker ?

2015-10-28 Thread Salz, Rich
> Is the version control repository as well as the bug tracker of public read > access ? https://www.openssl.org/source/

Re: [openssl-users] Elliptic curves approved or recommended by government

2015-11-13 Thread Salz, Rich
> Is there an up-to-date list of elliptic curves approved or recommended for > government use in OpenSSL? You'll have to look outside OpenSSL for advice like that. I would suggest looking at the CFRG, part of the IETF basically. Do a web search for curve recommendations. Good luck. It's a

Re: [openssl-users] Does openssl server always choose highest TLS version offered?

2015-11-13 Thread Salz, Rich
> Rfc5246 basically says that the server will choose the highest version but I > wanted to confirm that that's what openssl does (just to be certain). That is what openssl does.

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-16 Thread Salz, Rich
> If you are aware of a concrete use of MD2 or any of the other algorithms, please let us know! Also, note that we have an extended alpha and-beta test period, so we can add things back if mistakes are made. /r$

Re: [openssl-users] s_server (and maybe s_client) misbehaves with binary data

2015-11-02 Thread Salz, Rich
> It would thus be useful for s_server (and if applicable > s_client) to accept the "-binary" option (already provided by the cms/smime > commands), to turn off this behavior and provide a clean data pass through > to/from the other end. This is a good idea, thanks!

Re: [openssl-users] Clarification about content of folder /ocsp

2015-10-30 Thread Salz, Rich
> I could not find any API documentation about the code in /crypto/ocsp. Does > it mean that these functions are not part of the official API and therefore > should not be directly used?   No, it just means that the documentation has not been written.

Re: [openssl-users] Old RSA_NET key format

2015-07-08 Thread Salz, Rich
1. Is there any good reason to remove this code? Yes. If it's not tested, reviewed, or in general use, then it's more likely to be harmful (source of bugs) than useful. 2. Is this the OpenSSL name for the private key format used by older Microsoft Authenticate tools (and thus

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Salz, Rich
How deep does the certificate chain have to be? It does not matter. If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the problem? Also, is it a condition of the bug that both CA certificates have to have the same subject names and

Re: [openssl-users] Vulnerability Disclosures

2015-07-11 Thread Salz, Rich
I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be. I'd be concerned about doing that. While this one seemed pretty rare -- only folks running a release less than

Re: [openssl-users] SSL_CTX_load_verify_locations only with CAPath

2015-07-07 Thread Salz, Rich
I thought, as the doc has (always? long?) said, that CApath must have each cert (or CRL) in a separate file. But on checking I see that by_dir.c actually calls X509_load_{cert,crl}_file from by_file.c, which for PEM loads all certs (or crls) in a file to the working context. Thus a

Re: [openssl-users] Old RSA_NET key format

2015-07-08 Thread Salz, Rich
That's an overly general criteria, and may be the source of your mysterious marauding of the APIs. Well there was no intent to be mysterious although I like the alliteration. We did mention it in the roadmap (https://openssl.org/about/roadmap.html). Things are evaluated on a case-by-case

Re: [openssl-users] [openssl-dev] OpenSSL Security Advisory

2015-07-09 Thread Salz, Rich
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. In other words, if you are not using those specific releases -- i.e., the ones that came out less than 30 days ago -- you do not need to upgrade.

Re: [openssl-users] -Wconversion

2015-07-10 Thread Salz, Rich
Is it planned to tackle the warnings, for example by checking the involved code lines and (carefully) replace them by explicit casting to achieve clean compiles when using stricter warnings? Yes. Timetable TBD.

Re: [openssl-users] Old RSA_NET key format

2015-07-09 Thread Salz, Rich
OpenSSL is a critical part of security in too many places for us to take on any unnecessary technical debt. This is a somewhat empty argument as long as no one bothers to properly determine if a piece of code is a debt or an asset. I claim that we are being careful and doing the proper

Re: [openssl-users] Old RSA_NET key format

2015-07-09 Thread Salz, Rich
Because both methods confirm your prior decisions, you therefore conclude that you were always right in the first place. Provably wrong. I wanted to get rid of Netware support as the first example that comes to mind. As the second, I want to move all uses of RC4 and MD5 to LOW strength

Re: [openssl-users] Does openssl server always choose highest TLS version offered?

2015-11-17 Thread Salz, Rich
> I have seen rumors (nothing reliable) that the TLS WG is proposing to disable a whole lot of good cipher suites in TLS 1.3. Well, it's pretty easy to verify. Look at the IETF TLS-WG web page, and get a pointer to the current draft doc. Yes, TLS removes non-AEAD ciphers, and has only PFS key

Re: [openssl-users] Cleanup and changing the malloc routines

2015-09-03 Thread Salz, Rich
1. I trust that functions to allocate specific data   types (such as bignums) are not changed by this. They are not. 2. Macros that take zero arguments (such as   "OPENSSL_malloc_init()") are not accepted by all   compilers.  In my own API designs this has forced   me to give such

Re: [openssl-users] Cleanup and changing the malloc routines

2015-09-03 Thread Salz, Rich
> > Remove {OPENSSL,CRYPTO}_strdup; use BUF_strdup. Reconsidering, I did this backward. The right thing is to use OPENSSL_strdup, not BUF_strdup.

Re: [openssl-users] PEM X509 certificate with no newline

2015-09-03 Thread Salz, Rich
> PEM_read_bio_X509() fails because of the missing newlines. The underlying base64 decoder is horrible. It accepts invalid 8bit chars, and silently enforces a line-length limit. Wanna rewrite it? :)

[openssl-users] Cleanup and changing the malloc routines

2015-09-02 Thread Salz, Rich
We are considering a big cleanup to the memory-allocation API's in the next release. Please take a look at the attached documentation, which describes *ALL* of the public functions, and let us know if it will cause a problem. Thanks.

Re: [openssl-users] [openssl-dev] FW: Website changing this weekend

2015-08-25 Thread Salz, Rich
Yes, cross-refs within the manpages are still often broke. We're working on that. Thanks to the generous help of Phil Pearl, the links within the manpages are fixed!

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread Salz, Rich
> Are these the only three error codes ? Nope. It's not standardized at all sadly

Re: [openssl-users] Question about Openssl FIPS module and Python-openssl

2015-09-14 Thread Salz, Rich
>Is there any way to make the FIPS mode always enabled by default in the library >layer, so that there's no need to invoke the FIPS_mode_set API? No. You'd have to end up calling some explicit routine of your own which called FIPS_mode_set.

Re: [openssl-users] Best way to combine ControlPersist and ProxyCommand?

2015-09-11 Thread Salz, Rich
> What's the best way to set up a persistent master connection, along with a > proxy jump host? Ideally the persistent master would speed up connections to > machines behind the proxy, not just the connection to the proxy. I think you’ve got the wrong mailing list.

Re: [openssl-users] Is there any patch for OpenSSH for it to work with OpenSSL FIPS?

2015-09-16 Thread Salz, Rich
> Is there any reliable patch for OpenSSH to support FIPS mode? Try the openssh mailing lists? From what I've seen the OpenBSD folks actively dislike FIPS, so good luck.

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread Salz, Rich
> The documentation does not seem too clear about what the behaviour > exactly is when OpenSSL deals with a broken OCSP responder.  For instance, > one that would send an OK without any contents.  We call openssl from an > application and would like to know what is returned in such a case, or in

Re: [openssl-users] Key Deriviation Function Tests for TLS

2015-09-30 Thread Salz, Rich
>Did you miss the detail about the contribution agreement not granting any >rights to third parties until the OpenSSL Foundation has "published" the >contribution. No I didn't. They are free to post code as apache 2 and frequently rebase against master. Or whatever they want. We don't have

Re: [openssl-users] Key Deriviation Function Tests for TLS

2015-09-30 Thread Salz, Rich
> Speaking just for myself, and not my fellow team mates, I see no upside and > a lot of downsides to our hosting of "does not work" code contributions. > Especially for FIPS specific code. The originators of that code are free to > give > it to anyone else at any time; they don't need us to do

Re: [openssl-users] explicitly including other ciphers.

2015-12-02 Thread Salz, Rich
> but if I do a: openssl ciphers -v "ALL:eNULL" | grep eNULL Look for NULL, not eNULL. Or "Enc=None"

Re: [openssl-users] Question about TLS record length limitations

2015-12-07 Thread Salz, Rich
I suggest you ask on the TLS mailing list, t...@ietf.org /r$

[openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
I want to change the memory alloc/debug things. Right now there are several undocumented functions to allow you to swap-out the malloc/realloc/free routines, wrappers that call those routines, debug versions of those wrappers, and functions to set the set-options versions of those functions.

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Salz, Rich
> And we don't know on which client OP will have to use that pem file, thus > give advice that works on all clients, not just OpenSSL or GnuTLS or whatever. It is quite reasonable to give openssl-specific answers on the openssl-users mailing list, isn’t it?

Re: [openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
> I don't need it so I don't object. But if anyone objects, you could write a > ... Good point! > I guess this is because that interface is not a part of a commercial grade > full > featured SSL/TLS and general purpose crypto library, it is just a means to do > quality assurance on said

Re: [openssl-users] [openssl-dev] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
> > https://github.com/openssl/openssl/pull/450 > > This seems much more sane. I'll settle for less insane :)

Re: [openssl-users] [openssl-dev] Openssl 1.1

2015-12-30 Thread Salz, Rich
> We do our best to get this informing done. > > I do not know why yet, but I had a problem with openssh. Thank you very much for your help! Happy New Year.

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Salz, Rich
Are you going to keep posting and posting until you get a response? :( Master branch, 1.1, is not released but will not be vulnerable (may already be fixed) 1.0.2 is not vulnerable. 1.0.1f and later are not vulnerable. 1.0.0 might be, and is end of life anyway so you should move off that. 0.9.8

Re: [openssl-users] [openssl-dev] Openssl 1.1

2015-12-30 Thread Salz, Rich
> Are Openssh, DNS developers, SMTP/POP3/IMAP developers, FTP > developers, HTTPD developers and LDAP developers aware of changes > coming down the pipe? > > If not, they should be informed. We've posted about it several times. We're making explicit pre-release testing versions available.

Re: [openssl-users] mailing list issues? Re: CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2016-01-07 Thread Salz, Rich
> A few zombie messages today: There were some that had been held up on the queue because of things like size limits.

Re: [openssl-users] openssl-101m server and openssl-101q client TLS1.2 failure

2015-12-23 Thread Salz, Rich
>But In my case replacing the client side binary built with openssl-101m this >issue > goes away. So wondering could this be a bug in openssl code ? Very very doubtful.

Re: [openssl-users] openssl-101m server and openssl-101q client TLS1.2 failure

2015-12-23 Thread Salz, Rich
Try https://groups.google.com/forum/#!topic/node-apn/H1B6iCJlZYo

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Salz, Rich
> What would then be the permitting conditions to pursue a new validation ? > If you don't mind me asking. I have read several notes you have on the > subject and I agree that the whole thing is of Dedalus proportions. In a > nutshell what would be these conditions ? In a nutshell: someone

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-21 Thread Salz, Rich
> Just want to confirm on this item. Are we saying that to get openssl back to > be FIPS compliance is just a paper shuffle. If so is there any expected eta > on it as our team is using openssl version for a security project and we need > a fips compliance library. No. We have answered this

Re: [openssl-users] Need to store RSA Structure in Sqlite database

2015-12-20 Thread Salz, Rich
> I am new to openssl. In my development i need to store the RSA Public and > Private keys into sqlite database. Convert to DER and then perhaps base-64 encode it.

Re: [openssl-users] [openssl-dev] Do you need EGD support?

2016-01-11 Thread Salz, Rich
>>Will you still support PRNGD?  I need PRNGD, as I’m on a platform without a >>built-in random device or cpu instructions. > PRNGD is a direct replacement for EGD, so if the interface to EGD is removed > from OpenSSL, PRNGD stops to work for it as well. Thanks. That means we should not

Re: [openssl-users] Signing a csr with subjectAltName using x509 command

2016-01-13 Thread Salz, Rich
In your ca_default you should have a x509_extensions field that references another stanza. That other stanza needs the copy. I don’t know if copy_extensions copies everything. ☹

Re: [openssl-users] Diffie-Hellman Questions

2016-05-25 Thread Salz, Rich
> NO, Rich is making a mistake, ADH is ephemeral of necessity, since without > long-term keys in certificates it is impossible to use long-term keys whose > disclosure might later compromise confidentiality. Except that your code can always use the same keypair if it screws up the callback.

Re: [openssl-users] OpenSSL responder as a CGI

2016-06-17 Thread Salz, Rich
> Does any of this sound like a particularly awful idea? On the contrary, it sounds like a good idea.

Re: [openssl-users] openssl shared libs

2016-06-23 Thread Salz, Rich
> Now my company is (T) and we don't want to leak (V)'s session key. > You may assume that our binary is protected state of the art against debugger > attacks and stuff. > So the only question is if the shared openssl library makes the tool more > vulnerable? You cannot prevent someone from

[openssl-users] Do you need EGD support?

2016-01-11 Thread Salz, Rich
We are considering removing EGD support in 1.1. If your platform still needs it, please reply soon.

Re: [openssl-users] [openssl-dev] OPenssl and dependencies such as openssh

2016-01-15 Thread Salz, Rich
> All right, can the above be committed and any other source-backwards- > compatible behaviour ? > > This will help API developers a lot. It was done and is part of yesterday's alpha release.

[openssl-users] simplifying rand_egd API

2016-01-13 Thread Salz, Rich
There are currently three functions related to the EGD: int RAND_egd(const char *path); int RAND_egd_bytes(const char *path, int bytes); int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes); I would like to just have a single function Int

Re: [openssl-users] [openssl-dev] simplifying rand_egd API

2016-01-14 Thread Salz, Rich
> truly think that saying "please keep this interface" isn't backed by no one, > whether they speak up or not today.) Yes, I know. It is however the best we can do. My issue with the other two API's is that they are really EGD functions, not OpenSSL functions. > P.S.: i like the new website; i

Re: [openssl-users] Signing a csr with subjectAltName using x509 command

2016-01-13 Thread Salz, Rich
>But when I try to sign it using my own CA using the x509 command this data is >removed You need to make sure that subjectAltName is marked as copy in your config file.

Re: [openssl-users] [openssl-dev] pkeyutl does not invoke hash?

2016-01-14 Thread Salz, Rich
Okay, how about this. First, remove the NOTES subhead. Add this to the end of the first paragraph: This program does not hash the input data and requires the input data to be of the proper size, and must not be greater than the size of the public key field or modulus.

Re: [openssl-users] Getting error 'SSLv2_client_method': identifier not found

2016-06-27 Thread Salz, Rich
Do not use SSLv2.

Re: [openssl-users] OpenSSL library/development problems on OpenSUSE 13.2

2016-02-09 Thread Salz, Rich
   // Generates Garbage    memcpy(encbuf, encbuf+100, enclen); For overlapping copies you are supposed to use memmove. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Do you use the JPAKE feature?

2016-02-08 Thread Salz, Rich
It's currently "experimental" and we're thinking of dropping it completely from the next release. If you use it, please reply here soon.

Re: [openssl-users] Extra EPOLLIN event at end of SSL connection

2016-02-08 Thread Salz, Rich
Are you getting WANT_READ or WANT_WRITE? That is common for non-blocking. And also, yeah, way back when, it was common to return zero when read on a non-blocking socket had no data :) And what release are you using?

Re: [openssl-users] WARNING message "can't open config file” when running openssl command

2016-02-04 Thread Salz, Rich
> It works, thank you for your suggestions! I am just wondering is there any > other options, for example eliminate the WARNING message while building > the openssl libraries and executables? You could modify the source (e_os2.h, somewhere in that #ifdef maze sorry) to set the default to be

Re: [openssl-users] WARNING message "can't open config file” when running openssl command

2016-02-04 Thread Salz, Rich
> $ openssl x509 -in cert.pem -noout -text > $ WARNING: can't open config file: /usr/local/ssl/openssl.cnf > How can I eliminate this WARNING message even though the > “/usr/local/ssl/openssl.cnf” file does not exist? Among other options, "OPENSSL_CONF=/dev/null ; export OPENSSL_CONF"

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Salz, Rich
> Does OpenSSL FIPS modules keep all the OpenSSL APIs intact? No. For example, only the EVP interface to crypto.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Salz, Rich
>Everybody else is better off not trying to use FIPS-restricted modes and >setups. Strongly agree!!

Re: [openssl-users] automatic renegotiation

2016-02-24 Thread Salz, Rich
I don't believe OpenSSL actually does automatic renegotiation, but I could be wrong.

Re: [openssl-users] Problem getting actual Client protocol version on server side

2016-02-24 Thread Salz, Rich
> How can I get actual protocol sent by client at server side...? If the handshake fails, the server doesn't send a version.

Re: [openssl-users] [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Salz, Rich
> If we integrate the support natively into OpenSSL, then PKCS#11 URIs (see > RFC7512) can be first-class citizens throughout the crypto and SSL APIs. Any > function which takes a filename for a cert or key should also accept¹ a > PKCS#11 URI. It'd be great to see a crypto/pkcs11 directory with

Re: [openssl-users] ECDHE PSK ciphersuites

2016-02-23 Thread Salz, Rich
> Please could you explain which stable code should I use to have those cipher > suites? Master, which will be 1.1. It's not done yet.

Re: [openssl-users] ECDHE PSK ciphersuites

2016-02-23 Thread Salz, Rich
It will probably work for your needs.

Re: [openssl-users] default cipher suit

2016-02-28 Thread Salz, Rich
If no cipher suite is named, then the value of DEFAULT will be used. What that is depends on which version of OpenSSL is used. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz From: John Hunter [mailto:zhjw...@gmail.com] Sent: Sunday, February 28, 2016 8:11 AM

[openssl-users] "These are not the patches you are looking for"

2016-02-28 Thread Salz, Rich
We recently posted some patches to our public repo. Since they came out just before the announced security release, many people have been confused and thought that perhaps we posted CVE fixes prematurely. This is not the case. The commits were for fixing low-priority CVE issues, and

Re: [openssl-users] [openssl-dev] Openssl 1.1 and Bind 9.6 ESV R11

2016-01-20 Thread Salz, Rich
> That's my issue. I cannot get a more recent bind version to stay to stable on > one box. Then I think that's going to be a tough issue, and you'll either have to modify that source or stay at 1.0.2

Re: [openssl-users] Getting the current key exchange algorithm mode from an SSL_CIPHER

2016-01-20 Thread Salz, Rich
The most portable, and longest-lasting, way is probably to get the name and then use that as a key to look up things in your own table of characteristics. A PR that adds API's (and doc) for extracting various things, and returning them as nid's or oid's or something, would be helpful.

Re: [openssl-users] OpenSSL version 1.1.0 pre release 3 published

2016-02-16 Thread Salz, Rich
>OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 3 has now >been made available. For details of changes and known issues see the >release notes at: Just to emphasize one important point: Our next release is planned to be Beta-1, in about a month. After that, no new

Re: [openssl-users] ciphers

2016-02-17 Thread Salz, Rich
If all you want is TLS 1.2, then this line is enough: > >> SSLProtocol -All +TLSv1.2 > >> SSLCompression off > >> SSLInsecureRenegotiation off

Re: [openssl-users] follow-up to: ChaCha20/Poly1305 in OpenSSL?

2016-02-17 Thread Salz, Rich
> What's current plan status for these ciphers? > > Not until 1.1.0 release? Or earlier? Yup, 1.1. It's a new feature so it doesn't go into current releases which only get fixes. And the code that's in master, which just released alpha-3, rocks. :)

Re: [openssl-users] follow-up to: ChaCha20/Poly1305 in OpenSSL?

2016-02-17 Thread Salz, Rich
> (1) 1.0.2f + cloudflare patch > (2) 1.1.0-alpha3 Did CF update their patch to the official version and codepoints? Cool.

Re: [openssl-users] [openssl-dev] Ubsec and Chil engines

2016-02-19 Thread Salz, Rich
> In both cases I would like to remove these engines from 1.1.0. I'd like to > hear > from the community if there is any active use of these. One option if there is > found to be some small scale use is to spin out the engine into a separately > managed repo (as has happened recently with the

Re: [openssl-users] Problem in decryption using python which cipher text is encrypted in c++

2016-02-19 Thread Salz, Rich
> Then i am passing this cipher text to my another end which is using a > python(PyCrypto library) code to decrypt a cipher text using same Key and > IV. The IV, key, and ciphertext are all binary arrays of bytes. Not C (or ASCII or UTF8 or anything) strings. You will have to convert back/and

Re: [openssl-users] Errors in building 1.0.2f

2016-02-10 Thread Salz, Rich
Do an initial config to get the symlinks copied, then do your 'real' config. This will be fixed next time :)
