Goodbye

2020-07-03 Thread Salz, Rich via openssl-users
* topic: Change some words by accepting PR#12089 * * 4 against, 3 for, no absensions I am at a loss for words. I can’t contribute to a project that feels this way. The OMC (list at [1], a picture of some of them at [2] although it includes non-OMC members) is, in my view, on the wr

Re: Monolith compile verify.c

2020-06-24 Thread Salz, Rich via openssl-users
C mandates that any “missing” initializers are as if 0/null were present. {NULL, -1, 'Q', "unused end of list"} this is the change I’d like to offer Turn off the warning.

Re: endless loop in probable_prime

2020-06-18 Thread Salz, Rich via openssl-users
>BN_bin2bn assumes that the size of a BN_ULONG (the type of a bn->d) is BN_BYTES. You have already told us that sizeof(*d) is 4. So BN_BYTES should also be 4. If BN_BYTES is being incorrectly set to 8 on your platform then that would explain the discrepancy. Can you check? This see

Re: freefunc - name clash with Python.h

2020-06-13 Thread Salz, Rich via openssl-users
I dlon't lnow about Python's freefunc, no idea what it is, but the OpenSSL line is defining a function with a local parameter named freefunc. Those names shouldn't clash; what compiler and flags? It should be possible to rename the one in safestack.h to be "freefuncarg" or something. Can you s

Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

2020-05-28 Thread Salz, Rich via openssl-users
* >FIPS ciphers are a subset of the ciphers that OpenSSL supports. * Is this true of both OpenSSL 2.0 FIPS version and OpenSSL 3.0 FIPS version. (I suppose yes). But still your confirmation will be helpful. Yes it is true for both. * Also, current version is considered outdated, ev

Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

2020-05-28 Thread Salz, Rich via openssl-users
Are you asking about the current (outdated) 2.0 module or the 3.0 module that is still being developed? In 2.0, once you enter FIPS mode you cannot leave it. In 3.0 you can switch among FIPS and non-FIPS as you need to. See https://www.openssl.org/docs/OpenSSL300Design.html for a description o

Re: distributed secret key

2020-05-24 Thread Salz, Rich via openssl-users
* In any case, I am unaware of any existing system which meets your requirement 3. Admittedly, I haven't specifically searched for such. CertCo (now defunct, don’t know who has the intellectual property) had a patent that did ALL of the things. RSA keygen, split the key, each key signs the

Re: How to get all certs into a .der file.

2020-05-22 Thread Salz, Rich via openssl-users
* application/pkix-pkipath * Defined in RFC4366 (section 8) and RFC6066 (section 10.1) I doubt that it is worth doing this. First, because OpenSSL doesn’t support it now, then CURL (what the original poster was talking about) can’t use it when using OpenSSL. Instead, as others have po

Re: How to debug a TLSv1.3 protocol problem?

2020-05-20 Thread Salz, Rich via openssl-users
>Speaking of which, I've recently discovered (a documented interface landmine) that: status = SSL_read(ssl, ...); err = SSL_get_error(ssl, status); >is an anti-pattern, because the "correct" usage is: It's not unlike checking errno without knowing if the syscall actua

Re: Export regulation / EAR 742.15

2020-05-03 Thread Salz, Rich via openssl-users
You might find https://github.com/openssl/openssl/issues/10923 to have some useful information. OpenSSL is publically available.

Re: liblegacy.a does not work unless compiled with -static

2020-05-01 Thread Salz, Rich via openssl-users
Hm, so DSO support is a requirement for legacy crypto now? That probably needs to be made explicit, and see if the project gets pushback.

Re: 04/26/2020 openssl smime question...

2020-04-26 Thread Salz, Rich via openssl-users
* I have seen scripts that have the openssl smime option of -inform, or -outform set to DEM. That’s an error. PEM or DER. Interesting mixup. :)

Re: OpenSSL key agent available?

2020-04-26 Thread Salz, Rich via openssl-users
It has been done. For example, we leverage the ASYNC interface to make the private-key operations remote. There was also an RT ticket that had an implementation for a version years ago. (I can't find the RT but I know it was there.) The PKCS#11 stuff might also be appropriate.

Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Salz, Rich via openssl-users
>Yes, nice, why not reduce compile time and save prescious compiler memory by getting rid of all-inline one-liners. And link-time collapsing the identical code. I think this is an issue on some Solaris, for example. > Sorry for coming over sarcastic, i am listening to "This monkeys

Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Salz, Rich via openssl-users
>I do not understand one thing at the moment. If i use no-deprecated then the stack handling is not available: If you use no-deprecated you have to use DEFINE_STACK_OF in exactly one file. And use DECLARE_STACK in your common header file. Let me know if this works, or not, for you.

Re: How to disable renegation before compiling openssl

2020-04-21 Thread Salz, Rich via openssl-users
* Sorry for being unclear, the goal would be to just not send the SCSV value in the ClientHello. Why?

Re: TLS 1.3 migration: SSL_set_cipher_list vs SSL_set_ciphersuites and "aliases" of families of cipher like TLSv1.3

2020-04-01 Thread Salz, Rich via openssl-users
>- Do you think any use for supporting some kind of alias for families of > cipher in SSL_set_ciphersuites, like for example "TLSv1.3" Suppose someone finds out that chacha/poly is insecure and the IETF issues a new RFC that says "TLS 1.3 MUST NOT use" that cipher. Should the openssl alias

Re: Program works with older libssl, but not with newer

2020-03-31 Thread Salz, Rich via openssl-users
Isn't this the SSL EOF thing?

Re: 1.OU or OU.1 ?

2020-03-30 Thread Salz, Rich via openssl-users
Just to close the loop: I decided better documentation is the only answer for now: https://github.com/openssl/openssl/pull/11431 I'll copy the info below into a new issue. On 3/21/20, 9:47 AM, "Salz, Rich via openssl-users" wrote: Argh. Thanks for the detailed explanati

Re: Handshake failure: TLSv1.3 early data?

2020-03-24 Thread Salz, Rich via openssl-users
>It seems some browsers open three to five sockets at the same time and then don't complete SSL negotiation on all of them, just closing them in various states. Yes, this is exactly what they do.

Re: 3.0 FIPS related questions

2020-03-24 Thread Salz, Rich via openssl-users
>> The second question is somewhat related. Has there been a decision yet > whether the FOM 3.0 will go through a 140-2 or a 140-3 validation? >We are going through 140-2. Has the list of validated platforms been made public yet? For people using a different platform, will they

Re: Handshake failure: TLSv1.3 early data?

2020-03-23 Thread Salz, Rich via openssl-users
Is it possible the browsers are trying to send early data?

Re: 1.OU or OU.1 ?

2020-03-21 Thread Salz, Rich via openssl-users
ls are correct. Unfortunately... Cheers, Richard On Fri, 20 Mar 2020 22:12:08 +0100, Salz, Rich via openssl-users wrote: > > > The doc/man5/config.pod file says to use > > 1.OU = “My first OU” > >

1.OU or OU.1 ?

2020-03-20 Thread Salz, Rich via openssl-users
The doc/man5/config.pod file says to use 1.OU = “My first OU” 2.OU = “My second OU” But doc/man5/x509v3_config.pod says to append the numeric, as in email.1 = steve@here email.2 = steve@there I believe the second form is correct. Ca

Re: TLS 1.3 protocol question

2020-03-14 Thread Salz, Rich via openssl-users
The TLS RFC describes the “bytes on the wire” – the syntax for how client and server communicate, and the semantics of those exchanges. Is it a specification or standard? Yup both. Is OpenSSL implementation of the spec? Yup. What language used in the spec? It’s described in the RFC; see “pre

Re: TLS version 1.3 in Production servers.

2020-03-14 Thread Salz, Rich via openssl-users
> Please suggest me books or tutorials to understand OpenSSL and TLS > cryptographic protocol in detail. I look forward to hearing from you. Thanks > in advance. Start with the RFC’s, then look for crypto basics – there are free books online.

Re: TLS version 1.3 in Production servers.

2020-03-14 Thread Salz, Rich via openssl-users
* I am reading this article https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3

Re: Problems porting Openssl 1.1.1d to zos.

2020-03-04 Thread Salz, Rich via openssl-users
Perhaps someone should writeup and submit a "NOTES.zos" file to add?

Re: Support FFDHE?

2020-02-27 Thread Salz, Rich via openssl-users
>Per section Supported Groups in RFC 8446 [1], FFDHE groups could be supported. I was wrong, sorry for the distraction. As others have pointed out, it will be in the next (3.0) release.

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
None of those choices address what happens in the 1.0.2 module goes to historic on Sept 1. See https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules for details.

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
* That's fair. So the only option is to use another module? Extended 1.0.2 support does not resolve this either, correct? I do not think that is the only option. For example, you might be able to use 3.0 and say it’s “in evaluation.” There might be other options, that was all I could think

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
* The OpenSSL FIPS Object Module will be moved to the CMVP historical list as of 9/1/2020. Since there is no OpenSSL 3.0 until Q4 2020, and a FIPS Module will be after that sometime, where does this leave 1.0.2 users who need a FIPS validated object module past that date? Without their free

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
>It would probably be a good idea for us to pull together a "Getting Started" guide on the Wiki with some basic information on how to get things going, with some links to the various man pages etc where more detailed information is required. This needs to be real user documentat

Re: Support FFDHE?

2020-02-27 Thread Salz, Rich via openssl-users
* Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port TLS 1.3 doesn’t have those groups.

Re: OpenSSL 3.0

2020-02-26 Thread Salz, Rich via openssl-users
> That's 5 weeks from now, I'd thought the basic structure might be present > now. It is. You probably have to look at the tests to see how to use things.

Re: OpenSSL 3.0

2020-02-26 Thread Salz, Rich via openssl-users
6, 2020 at 8:36 AM Salz, Rich wrote: > > >I'd like to give this a spin, to get an idea what's going to be > involved in porting from FIPS2.0 to 3.0, any pointers on where to > start? > > Per the blog post, "most

Re: OpenSSL 3.0

2020-02-26 Thread Salz, Rich via openssl-users
>I'd like to give this a spin, to get an idea what's going to be involved in porting from FIPS2.0 to 3.0, any pointers on where to start? Per the blog post, "most applications should just need to be recompiled." :) Get the source via instructions here: https://www.openssl.org/source

Re: CRYPTO_secure_malloc_init() fails without error message

2020-02-20 Thread Salz, Rich via openssl-users
Are you running as root? If not, that's likely to be the problem.

Re: Questions about using Elliptic Curve ciphers in OpenSSL

2020-02-11 Thread Salz, Rich via openssl-users
I believe you just load your ECDSA cert and the other stuff – Dhparams!! – is not needed.

Re: Questions about using Elliptic Curve ciphers in OpenSSL

2020-02-11 Thread Salz, Rich via openssl-users
The first thing I would suggest is to separate ECDH, the session key exchange, from ECDSA, the signature. Try to make ECDH with RSA work. Then just load your ECDSA cert; you can load one cert of each type (RSA DSA) and the runtime will figure out what to do, depending on what the client offers

Re: Problems adding specific extensions to signed certificates

2020-02-07 Thread Salz, Rich via openssl-users
I think the mismatch is that CSR extensions are not carried over; they have to be added at signing time. See https://github.com/openssl/openssl/issues/10458

QUIC support

2020-02-06 Thread Salz, Rich via openssl-users
A month ago Tim said[2] that PR 8797[1] requires on OMC decision on “whether or not QUIC in this manner of approach should be added into OpenSSL at this time.” To save you a click, this PR adds API’s to OpenSSL so that Google’s open source QUIC implementation can be built on top of OpenSSL. For

Re: Openssl 3.0 fips usage

2020-02-04 Thread Salz, Rich via openssl-users
* If both default and fips provider are loaded and application generate Rsa key pair(2048 bits) from fips provider and try to use default provider to sign with sha1, is this allowed? The application will have to explicitly “export” the key from the FIPS provider and “import” it into the

Re: writev over OpenSSL

2020-02-02 Thread Salz, Rich via openssl-users
TLS/TLS will take your data and wrap it inside it’s own record structure. It has to, that’s the nature of the protocol. Thinking that a single writev() is “encrypt buffers and then do analogous syscall” is wrong.

Poll on manpages

2020-01-28 Thread Salz, Rich via openssl-users
The next release of OpenSSL splits the “help” for commands into sections, like this: ; ./apps/openssl rehash --help Usage: rehash [options] [directory...] General options: -helpDisplay this summary -h Display this summary -compat Create both new- and old-style hash links -

Re: intermittent Apache/OpenSSL error hangs server

2020-01-09 Thread Salz, Rich via openssl-users
>Once we get that error, every time we try to serve a request in Apache using >that pid, it errors out. So, it seems like something randomly corrupts that >PID. Can someone provide some information about FIPS_CHECK_EC: pairwise test >failed. Once FIPS detects an error, it will stay stuck in e

Re: X25519 Unlisted by -list_curves and Any Trusted Python Code for X, Y Coordinates

2019-12-25 Thread Salz, Rich via openssl-users
* I want to us ECDSA for my Web server's SSL certificate via an ACME client to Let's Encrypt and maybe later BuyPass. That’s fine. * I thought that EC is better than RSA, but now I don't think so. The answer seems to be: it depends. There are trade-offs. The biggest one is that EC gi

Reviewer statistics

2019-11-20 Thread Salz, Rich via openssl-users
The attached script summarizes git log data and generates CSV lines for each commit. For example, ; git log -2 | ~/reviews.pl 8984, 2019-05-23, levi...@openssl.org, O, paul.d...@oracle.com, O 9624, 2019-08-18, bernd.edlin...@hotmail.de, C, levi...@openssl.org, O It ignores log entries that don’t

Re: Help on Diffie Hellman key exchange

2019-11-13 Thread Salz, Rich via openssl-users
>For using 1.1.0, we only need to call RAND_bytes() ? Yes. But do check the return value of RAND_bytes.

Re: Help on Diffie Hellman key exchange

2019-11-13 Thread Salz, Rich via openssl-users
>RAND_seed(seed, ::strlen(seed)); >RAND_bytes(buf, keySize / 8); I don’t know where you are getting the seed, but it is typically binary data, not a C string. If you are using 1.1.0 or later, you do not need to seed things.

Re: dsaparam error OpenSSL 1.1.1d

2019-11-11 Thread Salz, Rich via openssl-users
The question about -rand option is valid, but Viktor’s post is right and the rest of my post is wrong :( From: openssl-users Reply-To: Rich Salz Date: Monday, November 11, 2019 at 8:10 AM To: shiva kumar , openssl-users Subject: Re: dsaparam error OpenSSL 1.1.1d * openssl dsaparam 128 -

Re: dsaparam error OpenSSL 1.1.1d

2019-11-11 Thread Salz, Rich via openssl-users
* openssl dsaparam 128 -rand file Why are you using the -rand option? Unless this is a special platform, don’t do that. * is taking long time processing the command and not producing any output. What is your hardware and software? Can you run it under a debugger, and interrupt it som

Re: Force the use of engine in config file

2019-11-02 Thread Salz, Rich via openssl-users
If you are changing openssl, why not just change the init function to load your engine and abort/exit/fail if it doesn’t load?

Re: Remove All Software Generators

2019-10-31 Thread Salz, Rich via openssl-users
Why not just change things so that if your module fails to load, the library exits? Don't change the RAND code, change the INIT code.

Re: Retrieve CA for client cert from SSL*

2019-10-25 Thread Salz, Rich via openssl-users
Is looking at the IssuerDN good enough?

Re: Preferred way of passing user context void* inside SSL*

2019-10-23 Thread Salz, Rich via openssl-users
>Is there a way for me to piggyback a void* inside the SSL structure so that I can access it from within the callback? Yes, you can use SSL_set_app_data and SSL_get_app_data which are documented in https://github.com/openssl/openssl/pull/10216 (and due to be merged to master soon)

Re: openssl 1.0.2 with TLS 1.2

2019-10-22 Thread Salz, Rich via openssl-users
* I can’t find documentation on how to tell TLS where to look. Not sure about 1.0.2, but “openssl version -a” should show you the CERT directory. BTW, that’s an old release, you should upgrade if possible.

Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

2019-10-21 Thread Salz, Rich via openssl-users
* Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 till the new FIPS module/OpenSSL 3.0 becomes available? This question gets asked a great deal. Why? The OpenSSL project has not done any 1.0.2-FIPS work for years. This means that if there are any CVE-level bugs in 1.

Need a .gitignore fix on master

2019-10-18 Thread Salz, Rich via openssl-users
>; git status >On branch master >Your branch is up-to-date with 'origin/master'. >Untracked files: > (use "git add ..." to include in what will be committed) > >include/openssl/opensslv.h > >nothing added to commit but untracked files present (u

Re: Questions about secure curves

2019-10-15 Thread Salz, Rich via openssl-users
There is nothing known to be wrong with NIST P256. If you don't have a known reason to use 384, then don't use it.

Re: building OpenSSL 1.1.1 with -DPURIFY

2019-10-09 Thread Salz, Rich via openssl-users
Emilia's work removed the need to add -DPURIFY; you never need to add it. Note that the BN code is clever, it doesn't bother to zero everything when it knows which bits within a word it is using.

Re: OpenSSL compilation errors in Windows

2019-10-01 Thread Salz, Rich via openssl-users
Several people have told you the following: That is an *internal* openssl header file; do not use it. Remove the include statement from your code. Your code is wrong. That file is a C file, not compatible with C++ Why do you not listen?

Re: Regarding using OpenSSL along with optee

2019-09-30 Thread Salz, Rich via openssl-users
>Greetings. I was checking for the support for Trusted > Execution Environment (TEE) in OpenSSL. I’m curious – what do you think would be required?

Proposed change to linux kernel about random numbers

2019-09-18 Thread Salz, Rich via openssl-users
Please take a look at https://lore.kernel.org/lkml/CAHk-=wiGg-G8JFJ=r7qf0b+utqa_weouk6v+mcmfsljlrq6...@mail.gmail.com/ and consider giving your comments. TL;DR: see the comment below. + * Hacky workaround for the fact that some processes + * ask for truly secure random numbers and absolutely wa

Re: DH group cipher suites getting rejected

2019-09-18 Thread Salz, Rich via openssl-users
* However if I try ECDHE, it works fine. Is DHE only cipher suites less common now ? * I believe its responsibility of server to generate DHparam of large enough size. Yes, DHE has dropped because it is hard to get right, and it takes more CPU cycles than ECDHE.

Re: 1.1.1d LD_LIBRARY_PATH

2019-09-14 Thread Salz, Rich via openssl-users
On restart on my host with version 1.1.1d , I have this problem: I hope you are not replacing your system OpenSSL with one you built. Don't do that.

Re: MD2 or RC5?

2019-09-13 Thread Salz, Rich via openssl-users
* I'd still like to know if it's possible to enable to both. If it's not, though, then which one is best to enable? MD2 or RC5? Thanks in advantage for the reply and sorry for the new email thread. They do different things; MD2 is a digest (“hash”) function, and RC5 is a block (encrypt/de

Re: CSR with only public key

2019-09-12 Thread Salz, Rich via openssl-users
>I used CX509CertificateRequestCertificate class to create CSR with only public key. Those functions/classes/names/whatever are not part of OpenSSL. The OpenSSL "req" command cannot process as CSR unless it is signed by the private key. If you have a requirement to sign a CSR w

Re: Compiling OpenSSL 1.1 - certs directory is empty, how to obtain?

2019-09-09 Thread Salz, Rich via openssl-users
Another great source is https://github.com/nabla-c0d3/trust_stores_observatory One-stop shopping for all of apple, Android, Windows, NSS, OpenJDK, Oracle Java.

Re: Subject: SSL_connect returned=1 errno=0 state=error: dh key too small

2019-08-29 Thread Salz, Rich via openssl-users
* I've another question, based on your suggestion Salz Rich, this config @SECLEVEL can be set per host/domain, or is it impossible? It totally depends on which webserver you are running and what it’s configuration allows. I’m not able to answer webserver config questions BTW.

Re: Format and standard for CSR

2019-08-29 Thread Salz, Rich
A CSR is most commonly a PKCS#10 object and therefore defined in ASN.1 and encoded in DER. https://github.com/openssl/openssl/blob/master/crypto/include/internal/x509_int.h#L53

Re: Subject: SSL_connect returned=1 errno=0 state=error: dh key too small

2019-08-29 Thread Salz, Rich
* We haven't control of the server who are using DH key size of 1048 bits. In order to work with this kind of server (terribly poor security characteristics), you need to add “@SECLEVEL=0” to your OpenSSL configuration.

Re: client certs with no subjectName only SAN

2019-08-16 Thread Salz, Rich via openssl-users
>In the same paragraph, the sentence before the one you're quoting says "If > the subject field contains an empty sequence, then the issuing CA MUST > include a subjectAltName extension that is marked as critical." >It's not possible to have a missing subject name in a certificate, t

Re: Acquire Entropy for embedded platform

2019-08-16 Thread Salz, Rich via openssl-users
* Honestly, I’d like to add CPU Jitter to OpenSSL as one of its default entropy sources. * I dread the effort that this would entail. Open an issue and maybe someone with an older platform will work on doing it. I don’t think the project has any need to support such things. (Members of

Re: client certs with no subjectName only SAN

2019-08-15 Thread Salz, Rich via openssl-users
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark subjectAltName as non-critical" I can believe that OpenSSL doesn't support empty subjectName's. An empty one, with no relative disintuished name components, is not the same as not present.

Re: IPv6 address encoding in commonName

2019-08-14 Thread Salz, Rich via openssl-users
RFC 8002 (with a null subjectName), but a CA cert MUST have a non-empty subjectName. Non-empty subjectName or non-empty commonName within the subject name? Shrug. Doesn't matter, I guess. Just populate it with the string version of the HIT name, something like CN=IP Address 20

Re: 1.0.2 to 1.1 migration problem with verify_callback()

2019-08-08 Thread Salz, Rich via openssl-users
> (why doesn't it use SSL_get_ex_data_X509_STORE_CTX_idx() instead of 0?). History; OpenSSL reserved some exdata indices for itself.

Re: OPENSSL_thread_stop() equivalent

2019-08-06 Thread Salz, Rich via openssl-users
* Had to downgrade the OpenSSL used in an application from 1.1.0k to 1.0.2s. That’s too bad, given 1.0.2 is going to become unsupported at year-end. Was it because the application wasn’t ready to handle opaque structures? >Due to this I have to remove the usage of OPENSSL_thread_stop(), wan

Re: openssl hash value - how to generate ?

2019-07-30 Thread Salz, Rich via openssl-users
>At the bottom of the man page for x509 it states the following: The hash algorithm used in the -subject_hash and -issuer_hash options before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a

Re: Openssl binary with statically linked libssl and libcrypto

2019-07-25 Thread Salz, Rich via openssl-users
>Sadly, I can not make use of the "no-shared" option as I still need the shared libraries to be built. Statically linking against files built for shared libraries is possible on many platforms (link against the .a even though .so exists), but not all platforms. You can always build twi

Re: help - building OpenSSL fips for 64 bit Android

2019-07-22 Thread Salz, Rich via openssl-users
>that the setenv-android.sh script doesn't account for 64 bit architectures. Correct. The current FIPS module has not been modified for quite some time, and your platform is not supported. If you cannot follow the steps *exactly* you cannot claim FIPS validation. The OpenSSL project is wo

Re: How to use openssl smine sign the email body only

2019-07-12 Thread Salz, Rich
>Maybe I posted too many stuff. What my problem is "openssl smime" command signed everything fed to it. For example, I wanted to sign the following email body. Yes, it signs whatever you give it. You will have to feed it just the message body and set the headers yourself.

Re: looks like the support for Heart beat extension is removed from openssl

2019-07-12 Thread Salz, Rich
* would the below method be advisable to handle the "failure to close" conditions Sorry, no comment. Maybe others will.

What's up with ectest?

2019-07-11 Thread Salz, Rich via openssl-users
Ectest has been broken for quite some time. What are the plans to get it fixed?

Re: looks like the support for Heart beat extension is removed from openssl

2019-07-11 Thread Salz, Rich via openssl-users
* Why the support for Heart beat extension is removed from openssl. It’s intended use was to check MTU along the path. That is not very useful any more. * How to handle abnormal disconnection in DTLS? You should be able to detect time-outs and “failure to close” in your application.

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-08 Thread Salz, Rich via openssl-users
> It seems to me that the easiest thing to do is maintain that release of OpenSSL by themselves. >Which would be another variation of such unofficial work. You could look at things like that. I consider it to be more like "your free FIPS ride is done, time to pay up" >That p

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-06 Thread Salz, Rich via openssl-users
>> They would have to get their own validation, their own lab to verify, etc., etc. >That seems to contradict the other answer, which is that legally, the >FIPS cannister (properly built) can be used with any software outside >the cryptographic boundary, the soon-to-be-deprecated

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-04 Thread Salz, Rich via openssl-users
>Is the use of OpenSSL an actual legal requirement of the certification of the FIPS object module, or just the easiest way to use it? I'm not sure who you are asking this. The exiting FIPS validations for OpenSSL only cover the 1.0.2 based source code. >Difference would be partic

Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

2019-07-03 Thread Salz, Rich via openssl-users
Didn’t you just ask this question? :) If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes. If you made changes to the process, then no.

Re: Building a DER sequence

2019-07-01 Thread Salz, Rich via openssl-users
>I see those macros, but ... is there any documentation? No.

Re: error: dereferencing pointer to incomplete type DH {aka struct dh_st}

2019-06-28 Thread Salz, Rich via openssl-users
>I'm attempting to build our RHEL 7 based product on RHEL 8 and running > into a lot of changes from openssl 1.0.2k-fips (RHEL 7) to 1.1.1 FIPS (RHEL > 8). I haven't found a good guide to adapting the sources to these changes. Web search for "openssl opaque accessors" turns up many hits; th

Re: Building a DER sequence

2019-06-26 Thread Salz, Rich via openssl-users
Do I construct a sequence and add items to it - top down? No, because then you have to go back and patch the sequence length and perhaps slide everything up or down a copule of bytes. I would look at an existing simple sequence and start writing your own based on that; look for ASN1_SEQUENC

Re: Proposal to remove some platforms

2019-06-23 Thread Salz, Rich via openssl-users
>Yes NetBSD cares about PARISC... We still build and run on it. Thanks. The targets removed in that PR were for hpux-parisc.

Proposal to remove some platforms

2019-06-21 Thread Salz, Rich
I created a handful of PR’s to remove support for some platforms. The project would like to hear from people about this. The pull requests are as follows: Remove HP PARISC support https://github.com/openssl/openssl/pull/9210 Remove HP/MPE and Tru64 Unix support https://github.com/openssl/opens

Re: Issues establising SSL connection after a wget command

2019-06-18 Thread Salz, Rich via openssl-users
You posted on Monday about a problem, got one suggestion, and then you posted on Tuesday; not much patience. :) My suggestion: use a current release, at least something in the 1.1.x line.

Re: Make file removed in openssl 1.1.1

2019-06-17 Thread Salz, Rich via openssl-users
>It depends on what you want to achieve. The top level template Makefile is > in Configureations/unix-Makefile.tmpl. Each individual directory contains a build.info file which allows you to make per-directory changes to things like the sources to be compiled, etc. And also impo

Re: failing in reproducing .so files

2019-06-14 Thread Salz, Rich via openssl-users
If you are adding new functions to the library, you need to 1A Make sure there is a prototype in one of the existing OpenSSL header files; OR 1B If your prototype is in a new header file, you will have to edit Configurations/unix-Makefile.tmpl to pick up that f

Re: building openssl for windows - missing do_win64a from ms directory.

2019-06-11 Thread Salz, Rich via openssl-users
* The issue I have is that I don’t see ‘do_win64a’ within the ‘ms’ directory (I’m following build instructions here: http://eran.geek.co.il/wp/archives/3897

Re: debugging a make/dependency issue

2019-06-07 Thread Salz, Rich via openssl-users
Thanks. I had a trailing backslash on a source list, and it gobbled up the next line which was an INCLUDE directive.

debugging a make/dependency issue

2019-06-04 Thread Salz, Rich via openssl-users
I am importing some code into openssl and getting a strange build error: make[1]: *** No rule to make target 'crypto/bn/crypto/include.o', needed by 'libcrypto.a'. Stop. Any common ideas on what to look for (e.g., missing header file, wrong INCLUDE settings in build.info, etc) ?

  1   2   3   4   5   6   7   8   9   10   >