On Wed, 2018-05-30 at 13:12 -0400, Viktor Dukhovni wrote:
> > On May 30, 2018, at 12:54 PM, Michał Trojnara > nel.org> wrote:
> >
> > > I am rather puzzled as to why you chose to eliminate
> > > not just fixed DH, but also the ephemeral finite-field
> > > DH key exchange. What's wrong with the
On Mon, 2018-06-04 at 18:51 +0200, Stefan via openssl-users wrote:
> Hi everybody!
>
> I am working on a program where each peer may write at any time, so
> the other side has to be able to read incoming data when it gets
> available. If the peer sent nothing my program must be able to call
>
On Wed, 2018-05-02 at 08:19 -0400, Edward Diener wrote:
> The latest documentation for OPENSSL_VERSION_NUMBER at
> https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_VERSION_NUMBER.h
> tml
> says that it is 9 hex digits, with the last nibble being a status
> identifier, while every use I have
On Fri, 2018-07-27 at 09:44 -0400, Robert Moskowitz wrote:
> Here we go again with figuring out what to put in the command
> lines.
> Dr. Google is not giving up enough answers.
>
> For ecdsa I started with:
>
> openssl genpkey -aes256 -algorithm ec\
> -pkeyopt ec_paramgen_curve:prime256v1\
On Thu, 2018-07-26 at 10:10 -0400, Robert Moskowitz wrote:
>
> On 07/26/2018 10:07 AM, Viktor Dukhovni wrote:
> >
> > > On Jul 26, 2018, at 9:01 AM, Robert Moskowitz > > m> wrote:
> > >
> > > My Fedora 28 shipped with:
> > >
> > > OpenSSL 1.1.0h-fips 27 Mar 2018
> > >
> > > Does that have
On Thu, 2018-07-26 at 10:33 -0400, Robert Moskowitz wrote:
>
> On 07/26/2018 10:19 AM, Tomas Mraz wrote:
> > On Thu, 2018-07-26 at 10:10 -0400, Robert Moskowitz wrote:
> > > On 07/26/2018 10:07 AM, Viktor Dukhovni wrote:
> > > > > On Jul 26, 2018, at 9:0
On Fri, 2018-07-27 at 12:49 -0400, Robert Moskowitz wrote:
>
> On 07/27/2018 12:35 PM, Viktor Dukhovni wrote:
> >
> > > On Jul 27, 2018, at 11:25 AM, Robert Moskowitz > > om> wrote:
> > >
> > > 3064446992:error:2006D080:BIO routines:BIO_new_file:no such
> > > file:crypto/bio/bss_file.c:79:
> >
On Wed, 2018-08-22 at 20:08 -0400, Robert Moskowitz wrote:
>
> On 08/22/2018 11:48 AM, Matt Caswell wrote:
> >
> > On 22/08/18 00:53, Robert Moskowitz wrote:
> > >
> > > On 08/21/2018 06:31 PM, Matt Caswell wrote:
> > > > On 21/08/18 16:24, Robert Moskowitz wrote:
> > > > > Thanks!
> > > > >
>
of contexts.
>
> Someone should perhaps open an issue to track whether anything needs
> to change here beyond advice to users, and if so what.
I've opened it:
https://github.com/openssl/openssl/issues/7411
Tomas Mraz
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On Tue, 2019-03-05 at 14:16 +0100, Yann Ylavic wrote:
> On Tue, Mar 5, 2019 at 12:51 PM Matt Caswell
> wrote:
> >
> > 2) The no-pinshared option does not appear in 1.1.1 or 1.1.1a. It
> > first appears
> > in 1.1.1b. Backporting the option was considered ok. But changing
> > the default
> >
On Tue, 2019-03-05 at 16:00 +0100, Yann Ylavic wrote:
> On Tue, Mar 5, 2019 at 2:47 PM Tomas Mraz wrote:
> >
> Why? Distros know better than the applications they run?
They actually do, because applications cannot really know whats deep in
the chain of loaded shared libraries -
On Fri, 2019-02-15 at 11:23 +, Matt Caswell wrote:
>
> On 15/02/2019 03:55, Jakob Bohm via openssl-users wrote:
> > yout - but this is useful input.
>
> >
> > FIPS-specific issues:
> >
> > - The checksum of the FIPS DLL should be compiled into the FIPS-
> > capable OpenSSL library, since
On Mon, 2019-04-15 at 10:39 +0300, Dmitry Belyavsky wrote:
> Hello,
>
> Could you please explain how blinding works in OpenSSL?
>
> EC_KEY structure seems to have an unblinded private key structure and
> blinded X, Y, Z- coordinates of the public key when blinding is in
> use. But if I
On Tue, 2019-05-28 at 10:39 -0700, Jay Foster wrote:
> I built OpenSSL 1.1.1c from the recent release, but have noticed
> what
> seems like a significant performance drop compared with 1.1.1b. I
> notice this when starting lighttpd. With 1.1.1b, lighttpd starts in
> a
> few seconds, but with
On Sun, 2019-06-16 at 12:11 +0200, Tobias Wolf wrote:
> I`d like to understand how a memory bio can be reseted with the
> internal read counter back to zero for further reusage.
>
> e.g.
> I want to try to read first der and then pem
>
> d2i_X509
>
> and then:
>
> PEM_read_X509
>
> Then
Hi OpenSSL developers,
when is the 1.1.1c expected to be released? There were plenty of bug
fixes committed to the 1.1.1 branch since the 1.1.1b release. Is the
1.1.1c release imminent?
Regards,
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
hanks Tomas,
> >
> > I will try that.
> >
> > On Tue, Nov 12, 2019 at 3:14 AM Tomas Mraz
> > wrote:
> > > On Mon, 2019-11-04 at 17:34 -0500, Jason Qian via openssl-users
> > > wrote:
> > > > Hi
> > > >
> > > >
On Mon, 2019-11-04 at 17:34 -0500, Jason Qian via openssl-users wrote:
> Hi
>
>We have an application that does the Diffie Hellman key exchange
> (OpenSSL/1.1.0f).
>It works fine, but under heavy loaded conditions, sometimes an
> invalide secret been generated and other side couldn't
On Tue, 2019-10-15 at 15:43 +0200, Stephan Seitz wrote:
> Hi!
>
> I was looking at the output of „openssl ecparam -list_curves” and
> trying
> to choose a curve for the web server together with letsencrypt.
>
> It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1.
>
> Then I
On Thu, 2019-10-10 at 08:40 -0700, Neptune wrote:
> Hi all,
> I am in the process of making required changes to migrate our code to
> the
> 1.1.x branch. We are currently using the FIPS Object Module 2.0 and
> eagerly
> await word on the new 3.0 FIPS Object Module, but in the meantime
> there is
>
On Wed, 2019-10-09 at 11:37 +0100, tim.j.culh...@gmail.com wrote:
> Hi,
>
> I've built OpenSSL 1.1.1c locally on my 64 bit CentOS 7 server.
>
> My application links with the libraries contained in this build.
>
> When running tests for my application under valgrind I'm seeing lots
> of
>
On Fri, 2020-04-17 at 13:03 -0400, Viktor Dukhovni wrote:
> On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
>
> > Or you could modify the /etc/pki/tls/openssl.cnf:
> > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> > line in it a
com> wrote:
> > Thanks a lot; It really helped
> >
> >
> > Regards,
> > Junaid
> >
> >
> > On Wed, Apr 15, 2020 at 5:04 PM Tomas Mraz
> > wrote:
> > > On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:
On Thu, 2020-04-16 at 17:32 +0200, Harald Koch wrote:
> > Am 16.04.2020 um 17:07 schrieb Tomas Mraz :
> >
> > On Thu, 2020-04-16 at 15:42 +0200, Harald Koch wrote:
> > > Hello list,
> > >
> > > I have a TLS server which is started on demand in a multi
On Thu, 2020-04-16 at 15:42 +0200, Harald Koch wrote:
> Hello list,
>
> I have a TLS server which is started on demand in a multithreaded
> (pthread) application. The TLS server is one thread which is being
> started and stopped. At first start, the TLS server initialized with
> SSL_CTX_new with
On Thu, 2020-04-23 at 16:05 -0700, Sam Roberts wrote:
> Fwiw, took a quick run at building and testing Node.js against the
> 3.x beta.
>
> It was API compatible enough to build. The DH_, ECDH_, HMAC_, etc.
> deprecations make sense, will look at those.
>
> My assumption is that EVP versions of
On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:
> Hi Team
>
> I am trying to enable TLSv1 on CentOS-8. We don't have the ability to
> upgrade the server unfortunately so we need to enable TLSv1 with
> weak-ciphers on OpenSSL.
>
> I have tried to build the OpenSSL version manually using
On Mon, 2020-05-11 at 13:37 -0700, Benjamin Kaduk via openssl-users
wrote:
> On Tue, May 12, 2020 at 05:22:29AM +0900, NAKANO Takuho wrote:
> > 2020年5月12日(火) 0:31 Benjamin Kaduk :
> >
> > > OS-vendor customization
> >
> > Thank you. That's very helpful. I get how to configure (but don't
> > know
On Tue, 2020-09-08 at 17:39 +, Yury Mazin via openssl-users wrote:
> Hello,
>
> I have a question based on the response provided to me:
>
> My question is why following openssl commands (version 1.1.1f)
> return those TLSv1.3 ciphers as offering no authentication and no
> encryption?
What
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
> Wouldn't a more reasonable response for 1.0.2 users have been to
> force on
> SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
> cipher
> suites
> and telling affected people to recompile with the fix off?
On Tue, 2020-09-01 at 15:46 +, CODERE Carl-Eric wrote:
> > -Original Message-
> > From: Matt Caswell [mailto:m...@openssl.org]
> > Sent: mardi 1 septembre 2020 18:57
> > To: CODERE Carl-Eric ; openssl-
> > us...@openssl.org
> > Subject: Re: OpenSSL 3.0.0 security concerns using dynamic
On Tue, 2020-09-01 at 18:13 +0200, Tomas Mraz wrote:
> On Tue, 2020-09-01 at 15:46 +, CODERE Carl-Eric wrote:
> > > -Original Message-
> > > From: Matt Caswell [mailto:m...@openssl.org]
> > > Sent: mardi 1 septembre 2020 18:57
> > > T
Hello,
there is no way to do that. The CentOS OpenSSL build does not allow using the
upstream Fips object module.
In theory you could replace the CentOS openssl library with upstream 1.0.2
library built in way that it allows using the fipscanister.o however it would
require non-trivial patching
On Thu, 2020-09-24 at 07:01 +, Dr. Matthias St. Pierre wrote:
> > On 22/09/2020 15:03, Michael Wojcik wrote:
> > > changelog.html hasn't been updated since 1.1.1e.
> > >
> > > https://www.openssl.org/news/changelog.html#openssl-111 shows:
> >
> > That's the master Changelog. Confusing I
On Mon, 2020-09-28 at 22:35 +0100, John Robson via openssl-users wrote:
> Hi,
>
> I'm really struggling to get my head around a specific scenario that
> isn't behaving as I expect. Hopefully someone with more
> experience/knowledge can set me on the right path.
>
> Note - my attempts to
On Mon, 2020-05-25 at 13:20 +0200, Emmanuel Deloget wrote:
> Hello everybody,
>
> I'm pretty sure this has already been discussed somewhere but
> grepping
> through the whole openssl-user list does not gave me the answer I'm
> searching for, so here am I.
>
> In my development I'm using a idiom
On Fri, 2020-10-23 at 14:39 +0530, shiva kumar wrote:
> Hi,
>
> Compared to OpenSSL 1.0.2 and 1.1.0 and above, in struct
> x509_st , char *name field has been removed, what is the alternative
> for it and what is the impact? can anyone please answer the query?
Hi,
although the name field was
It is not a bug in OpenSSL and it is not a misconfiguration or non-compliance
on the server side either. Basically to enhance security the default seclevel
on Debian and Ubuntu was raised to 2 which doesn't allow SHA1 signatures which
are weak. The server apparently doesn't support them which
On Sun, 2020-06-28 at 15:12 +1200, David Harris wrote:
> I normally compile OpenSSL with "no-asm", but this time I thought I'd
> try
> installing NASM and seeing what difference, if any, it actually made.
>
> I downloaded NASM from the official site (which I believe to be
> http://www.nasm.us)
On Wed, 2020-06-17 at 23:02 +0200, Kurt Roeckx wrote:
> On Wed, Jun 17, 2020 at 03:50:05AM -0700, Hal Murray wrote:
> > levi...@openssl.org said:
> > > What does surprise me, though, is that direct EVP_MAC calls would
> > > be slower
> > > than going through the PKEY bridge. I would very much
Hi,
curl on RHEL-7 and Centos 7 uses NSS and not OpenSSL as the TLS
backend. So this is unfortunately a wrong mailing list to ask.
Tomas Mraz
On Wed, 2020-12-09 at 20:35 +0900, Craig Henry wrote:
> Hi,
>
> This is my first post to this list so please be kind!
>
> Environment
On Thu, 2020-12-10 at 10:39 +0100, Andreas Tengicki wrote:
> The solution was to choice a EVP by signing the certificate
>
> i = X509_sign(x, CApkey, EVP_sha256());
I do not really think this was the problem. In the code below you do
not set the notBefore time which is actually indicated by the
On Thu, 2020-12-17 at 15:16 +0530, prudvi raj wrote:
> Hi,
>
> I need to set custom accelerated functions for bn_mod_exp methods in
> openssl 1.1.1, while upgrading for openssl 1.0.2. Here's the code
> snippet () :
> --
> static DH_METHOD Intoto_DH_Method;
> static RSA_METHOD
On Tue, 2020-11-03 at 15:13 +, Matt Caswell wrote:
>
> The reasons are a little complicated (see below) but the TL;DR
> summary
> is that there is an error in your config file. The ".include" line
> should specify a config file relative to OPENSSLDIR (or
> OPENSSL_CONF_INCLUDE if it is set).
Hi,
yes, this is a known regression in 1.1.1i that is fixed in the git repo
already with commit c2fc1115eac53d2043e09bfa43ac5407f87fe417
Tomas
On Thu, 2021-02-04 at 13:08 +0100, we...@infotech.de wrote:
> Dear OpenSSL users,
>
> we just bumped into a case we assume as a bug in version 1.1.1i.
On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote:
>
> On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote:
> > On 2021-01-25 17:53, Zeke Evans wrote:
> > > Hi,
> > >
> > >
> > >
> > > Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse,
> > > PKCS12_verify_mac) do not work in
vation, they should work.
That in 1.0.x the PKCS12 worked with the FIPS module with legacy
algorithms it only shows that the "true" FIPS mode was not as "true" as
you might think. There were some crypto algorithms like the KDFs
outside of the FIPS module boundary.
Tomas Mraz
On Thu, 2
t; lower level algorithms in the "default" provider.
>
> The usual context is to "sell" (give) products to the US Government
> or
> its contractors that have a "FIPS" box-checking procurement
> requirement.
>
> On 2021-01-28 10:46, Tomas Mraz wrote:
>
nts limit the use of
> higher
> level compositions such as PKCS12KDF, when using only validated
> cryptography for the underlying operations?
>
> On 2021-01-28 09:36, Tomas Mraz wrote:
> > I do not get how you came to this conclusion. The "true" FIPS mode
> > can
On Wed, 2021-06-09 at 12:32 -0400, Jan Schaumann via openssl-users
wrote:
> Hello,
>
> Based on https://alpaca-attack.com/, I was looking at
> how a TLS connection with ALPN set to e.g., "banana"
> by the client to a server that has ALPN set to "h2"
> would behave. For example:
>
> $ openssl
On Thu, 2021-06-17 at 17:12 +0200, Steffen Nurpmeso wrote:
>
> P.P.S.: Tomáš Mráz: aren't you part of PAM project too? Off-topic
> here, but i had written a somewhat primitive yet i think nicely
> working
Yes. I am.
> pam_xdg.so is a PAM module that manages creation of the
>
On Wed, 2021-06-23 at 08:12 +, Kumar Mishra, Sanjeev wrote:
> Hi,
>
> I am upgrading the code of OpenSSL 1.0 to 3.0. I am not getting some
> macros for FIPS example -
>
> FIPS_TEST_INTEGRITY
> FIPS_R_PAIRWISE_TEST_FAILED
> FIPS_R_DRBG_STUCK etc.
It is unclear what you're doing with those
On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote:
> Hi,
>
> with OpenSSL 3 defaulting to TLS security level 1, applications
> trying
> to make a TLSv1/1.1 connection will fail.
>
> I wonder if there is a proper way to detect current security level.
>
> I.e. how about test suites
Hi,
you must be using some custom patched OpenSSL build. There is
no BIO_CTRL_GET_PKT_COUNT in OpenSSL 1.0.x releases as released by the
OpenSSL project.
Tomas Mraz
On Mon, 2021-06-14 at 07:33 +, Kumar Mishra, Sanjeev wrote:
> Hi,
>
> I am upgrading the code of OpenSSL 1.0 to
G_INFO("SSL_free ref %d ", ssl->references);
For the SSL_CTX_set_tlsext_status_cb() you can use
SSL_get_SSL_CTX() to obtain the ctx.
There is no way to get the ssl->references value as that is an internal
value. As you apparently need it just for debug logging you should be
able to avoid that.
Tomas Mraz
If you use a supported distro (i.e., one that is not out of life) then
the distro is expected to supply CVE issue fixes in form of updates.
They usually do not upgrade the version to the upstream one but just
backport the security fixes and that's the reason why the version does
not change.
Tomas
Hello,
is this a regression when comparing with OpenSSL-1.1.1?
If so, it might be a good idea to report this as an issue to the
project in GitHub.
Tomas
On Fri, 2021-05-28 at 13:30 +0200, Graham Leggett via openssl-users
wrote:
> Hi all,
>
> While running code that calls X509_verify_cert(),
On Fri, 2021-07-02 at 07:53 -0600, The Doctor wrote:
> So far working better with openssh 8.6 .
>
> Ruby 2.7 and rust is of concern.
Language bindings are expected to require some minor changes to be able
to properly work with OpenSSL 3.0. Hopefully the maintainers of these
language bindings
On Sun, 2021-03-28 at 09:41 +, Jesús Molina Roldán wrote:
> I would like to know if there is a way to calculate the time spend in
> generate a key pair and in compute the shared secret for the ecdh
> algorithm.
>
> "openssl speed ecdh" only calculate the number of operations in 10s.
It is
works, but not for NIST curves. So I
> have an ok workaround, even if the fault's not mine, which
> it of course probably is:-)
Not sure if there are any other issues, but the public key parameter
should be "encoded-pub-key" AFAIK.
Tomas Mraz
On Mon, 2021-04-12 at 05:48 -0700, Hal Murray wrote:
> > Did you attempt to pass NULL for the key and zero for it's length
> > to the
> > EVP_MAC_init() call?
>
> Yes.
>
> We can do better. If we have to use dup/free, we can move the
> EVP_MAC_init()
> to before the dup, out of the timing
On Tue, 2021-04-20 at 10:45 +, Kumar Mishra, Sanjeev wrote:
> Hi,
> I am not getting different functions in OpenSSL 3.0 for accessing
> different fields of typedef struct evp_pkey_st EVP_PKEY. For Example
> - code is like this -
> EVP_PKEY * privKey;
> -
> -
> if (
On Thu, 2021-08-26 at 16:27 -0500, William Roberts wrote:
> On Thu, Aug 26, 2021 at 3:01 AM Tomas Mraz wrote:
> >
> > On Wed, 2021-08-25 at 13:20 -0500, William Roberts wrote:
> > > Hello,
> > >
> > > I am trying to ve
On Wed, 2021-08-25 at 13:20 -0500, William Roberts wrote:
> Hello,
>
> I am trying to verify an HMAC signature with the code below and the
> EVP_DigestVerifyInit()
> routine is failing with "error:0608F096:digital envelope
> routines:EVP_PKEY_verify_init:operation not supported for this
>
Hello,
your analysis is right. It does only pairwise consistency test as the
KAT is impossible to do for regular DSA and ECDSA due to random nonce
being input of the signature algorithm and thus the signature always
changes.
Tomas
On Fri, 2021-08-27 at 22:47 +0530, Nagarjun J wrote:
> Hi,
>
>
the RNG to feed the expected nonce, so it can check vs a
> KAT.
>
> Cheers,
>
> BBB
>
> On Mon, Aug 30, 2021 at 12:40 PM Tomas Mraz
> wrote:
> >
> > Hello,
> >
> > your analysis is right. It does only pairwise consistency test as
> > the
> >
Thank you for the report.
This is already fixed on both 1.1.1 and master branches with:
https://github.com/openssl/openssl/pull/16409
Tomas Mraz
On Fri, 2021-08-27 at 13:34 -0400, Scott Lasley via openssl-users
wrote:
> Building openssl-1.1.1l with Xcode 10.1 under macOS 10.13.6 fa
t; providers
>
> Thanks,
> shiva kumar
> From: Tomas Mraz
> Sent: Wednesday, September 8, 2021 7:00 PM
> To: Shivakumar Poojari ;
> openssl-users@openssl.org
> Cc: Paramashivaiah, Sunil ;
> Bhattacharjee, Debapriyo (c)
> Subject: [EXTERNAL] Re: ENGINE API rep
On Mon, 2021-09-13 at 16:13 -0700, Kory Hamzeh wrote:
> I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything
> seems to be working fine, except for the fact that I cannot get
> OpenSSL to load the legacy module when I configure /ssl/openssl.cnf
> as such. I can, however, load the
I've written a blog post to explain the situation with the old Let's
Encrypt root certificate expiration which will happen on 2021-09-30 and
the behavior of OpenSSL 1.0.2 with that root certificate.
Please read, if interested:
On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:
> Conceptually, how are these different?
>
> When do I use one vs the other?
The EVP_PKEY is an object holding data (well, rather a reference, but
that is fairly irrelevant) of a private key, public key, or domain
parameters for asymetric
Hello,
there is no direct replacement. The ENGINEs as a pluggable crypto
modules concept is replaced with the providers concept which is much
more sophisticated and capable.
Please look at
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
ENGINEs support is not removed from OpenSSL
can investigate this further.
Tomas Mraz
On Fri, 2021-09-17 at 11:55 -0700, Kory Hamzeh wrote:
>
>
> > On Sep 14, 2021, at 12:03 AM, Tomas Mraz wrote:
> >
> > On Mon, 2021-09-13 at 16:13 -0700, Kory Hamzeh wrote:
> > > I have cross-compiled Op
As this requires support for Attribute Certificates which is not
currently present in OpenSSL neither RFC 5755 is supported.
Regards,
Tomas
On Sat, 2021-09-18 at 11:34 +0800, 215104920 via openssl-users wrote:
> Hi. There
> Could you give me some help?
> Thanks a lot.
>
>
> BRs
> Mystic
On Tue, 2021-09-14 at 14:42 -0400, Ken Goldman wrote:
> On 9/14/2021 11:40 AM, Tomas Mraz wrote:
> > On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:
> > > Conceptually, how are these different?
> > >
> > > When do I use one vs the other?
> >
> &
On Tue, 2021-09-14 at 21:46 -0700, Kory Hamzeh wrote:
> I have written a custom provider which I need to include (link) with
> my Application at link time rather than load it at run-time. The init
> function is defined like this:
>
> OSSL_provider_init_fn sck_provider_init;
>
> int
On Fri, 2021-08-06 at 18:06 -0400, Ken Goldman wrote:
> On 8/6/2021 1:11 PM, Ken Goldman wrote:
> > I have an application where I have to create a partial x509
> > certificate. It gets sent to an HSM, which fills in the public key
> > and signs it.
> >
> > I was calling
> >
> > X509_new
>
On Mon, 2021-08-09 at 09:48 -0400, Ken Goldman wrote:
> On 8/9/2021 3:50 AM, Tomas Mraz wrote:
> > On Fri, 2021-08-06 at 18:06 -0400, Ken Goldman wrote:
> > > On 8/6/2021 1:11 PM, Ken Goldman wrote:
> > > > I have an application where I have to create a partial x509
On Thu, 2021-10-14 at 17:36 -0400, Ken Goldman wrote:
> On 10/14/2021 6:39 AM, Matt Caswell wrote:
> >
> > "priv" (OSSL_PKEY_PARAM_PRIV_KEY)
> >
> > The private key value.
> >
> > Since its an integer using EVP_PKEY_get_bn_param() would be
> > appropriate here, but not
On Mon, 2021-09-27 at 15:15 -0400, Ken Goldman wrote:
> Does it make sense to initialize the context once and then use it
> multiple times, or is cleaner to create a new one from the raw key
> byte string each time?
It is not necessary. The reinitialization is supported to avoid
recreating key
On Thu, 2021-09-30 at 21:28 -0400, Felipe Gasper wrote:
> Hello,
>
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> ^^ This document indicates that, by enabling trusted-first mode, I
> should be able to work around the LE expiration problem.
>
> I’m
You would have to implement a STORE provider that handles your special
url scheme and then the keys would be referenced by the
yourscheme://any-identifier-you-have. Of course the application (i.e.,
the openssl application which already does this) would have to use the
OSSL_STORE API to load the
wrong then in saying that dgst and possibly other apps are not
> ready to be used with providers rather than engines in the case you
> need keyform=ENGINE ?
>
>
> On Mon, 4 Oct 2021, 14:13 Tomas Mraz, wrote:
> > You would have to implement a STORE provider that handles your
On Mon, 2021-09-27 at 08:24 -0700, Jay Foster wrote:
> On 9/27/21 7:33 AM, Michael Richardson wrote:
> > Jay Foster wrote:
> > > While migrating some applications from OpenSSL 1.0.2 (and
> > 1.1.1) to
> > > 3.0.0, I have noticed that the
> > SSL_CTX_set_default_verify_paths()
> > >
to rename the test , as
> it is misleading and can cause problems in FIPS certification ?
>
> Thanks,
> Nagarjun
>
> On Mon, Aug 30, 2021 at 3:51 PM Tomas Mraz wrote:
> > The question was about the fips module POST (power on self test)
> > and
> > there what
On Sat, 2021-10-23 at 11:04 +0700, Alex Dankow wrote:
> Hi OpenSSL users and its glorious developers,
>
> Thank you very much for OpenSSL 3!
>
> My question is about writing a provider. I decided to start from a
> Windows certificate storage provider. It already works with "openssl
> storeutl"
On Tue, 2022-01-04 at 14:17 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> Now I became interested. ;-)
>
> Theoretically, shouldn’t
>
> EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned
> int)order)
>
> work? I verified that it does not seem to work, at least in the
> obvious
On Tue, 2022-01-04 at 16:46 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> On 1/4/22, 11:23, "Tomas Mraz" wrote:
>
> > > Theoretically, shouldn’t
> > >
> > > EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned
> > int)order)
On Tue, 2022-01-04 at 17:02 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> > > In other words, the man page says it's unsigned int, but in fact
> > it's
> > > BIGNUM? Because the pointer I gave was to "unsigned int", like
> > in the
> > > OP's code.
> >
> > The param is too big to fit into
On Tue, 2022-01-04 at 19:25 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> > > But, considering that the man pages describe C API, wouldn't it
> > be
> > > nice to mention (even though it may be obvious that a number of
> > order
> > > 2^384 might not fit into 32 or even 64 bits) that the
On Mon, 2022-01-03 at 01:51 +0100, Wolf wrote:
> Greetings,
>
> I'm trying to port my program to openssl 3.0 and in the process I
> need
> to replace EC_GROUP_get_degree(EC_KEY_get0_group(ec)) with something
> that is not deprecated. I'm trying to use EVP_PKEY_get_int_param with
>
On Tue, 2022-01-04 at 02:33 +0100, Wolf wrote:
> Thank you for the answer!
>
> On 2022-01-03 10:11:19 +0100, Tomas Mraz wrote:
> > You're using the secp384r1 curve which is a prime field curve. The
> > OSSL_PKEY_PARAM_EC_CHAR2_M parameter can be obtained only for
> &
On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> On 11/9/21, 22:23, "Dr Paul Dale" wrote:
>
> > Currently I've no idea and can't reproduce locally :(
>
> Maybe you'd know how to force the "-engine rdrand" path through
> "openssl.cnf"?
>
> > A rogue configuration
On Tue, 2021-11-02 at 11:42 +0700, Alex Dankow wrote:
> Matt,
>
> Thank you very much for your response. I understand that the FIPS
> certified OpenSSL module is long awaited and the team was quite
> limited in time to complete all features.
> I tried Windows certificates +Openssl because it
On Fri, 2021-11-05 at 13:04 +, Jason Schultz wrote:
> I know I've been raising a lot of issues this week, because of
> varying reasons, but I've hit another one that seems like either an
> OpenSSL problem, or something new/different I need to do with OpenSSL
> 3.0 in connection establishment.
On Fri, 2021-11-05 at 13:48 +, Jason Schultz wrote:
> For setting up the trusted store, when the application starts, it
> calls:
>
> ssl_trusted_certs = X509_STORE_new()
>
> ...and then reads all of the certificates in /etc/ssl/certs/ calling
> X509_STORE_add_cert(trusted_store,cert);
>
On Wed, 2021-11-03 at 20:32 +, Jason Schultz wrote:
> 00B741558E7F:error:0308010C:digital envelope routines:(unknown
> function):unsupported:crypto/evp/evp_fetch.c:346:Global default
> library
> context, Algorithm (SHA1 : 96), Properties ()
The "Global default library context" hints at
On Sun, 2021-12-12 at 00:39 +0200, Graham Leggett via openssl-users
wrote:
> Hi all,
>
> The ENGINE API is deprecated in favour of the new Provider API.
>
> What is the provider equivalent function that replaces
> ENGINE_load_private_key()?
One option would be for a provider to provide
On Wed, 2022-01-12 at 09:41 +0100, Milan Kaše wrote:
> By further comparing the scenario with the built-in file provider and
> my external provider I found that this has something to do with
> library contexts.
>
> When x509_pubkey_ex_d2i_ex tries to decode the certificate's public
> key it
On Tue, 2022-01-11 at 10:15 +, Kumar Mishra, Sanjeev wrote:
> Hi,
> I am getting following linking Error for APIs "bn_get_words()" and
> "bn_get_top()" while compiling with OpenSSL 3.0. Although crypto/bn.h
> is included in file.
> Please help to resolve it.
> Regards,
> Sanjeev
These symbols
1 - 100 of 172 matches
Mail list logo