On Mon, 2022-12-05 at 16:14 -0800, Benjamin Kaduk via openssl-users
wrote:
> On Mon, Dec 05, 2022 at 11:31:18AM -0800, Thomas Dwyer III wrote:
> > Why does EVP_get_digestbyname("md4") return non-NULL if the legacy
> > provider
> > isn't loaded? Similarly, why does it return non-NULL for "md5"
> >
Hi,
there is an error in your code - see my comment below.
On Mon, 2022-12-05 at 08:45 +, Zhongyan Wang wrote:
...
> md = EVP_get_digestbyname(dgst);
> if (!md) {
> printf("Error EVP_get_digestbyname %s\n", dgst);
> goto err_exit;
> }
>
> in =
That is the master branch CHANGES.md. It will be synced later.
For the 3.1 changes please look at the CHANGES.md in the openssl-3.1
branch and/or inside the alpha tarball.
Tomas
On Thu, 2022-12-01 at 15:15 +, Kenneth Goldman wrote:
> The changes show a jump from 3.0 to 3.2
>
>
Hmm, good point.
Though when migrating from 1.1.1 the 3.0 guide still applies and
migration from 3.0 to 3.1 should be just seamless.
Tomas
On Thu, 2022-12-01 at 09:40 -0500, Felipe Gasper wrote:
> AFAICT, the migration guide doesn’t actually seem to mention upgrades
> to 3.1.
>
> -FG
>
>
>
On Fri, 2022-11-11 at 16:01 +0100, Jakob Bohm via openssl-users wrote:
> On 2022-11-06 23:14, raf via openssl-users wrote:
> > On Sat, Nov 05, 2022 at 02:22:55PM +, Michael Wojcik
> > wrote:
> >
> > > > From: openssl-users On
> > > > Behalf Of raf via
> > > > openssl-users
> > > > Sent:
Red Hat backports security fixes to older versions so if you keep your
RHEL installation up-to-date with 'yum update' you should not need to
install newer upstream releases on the system.
Regards,
Tomas Mraz
On Tue, 2022-11-08 at 08:51 +0100, Matthias Apitz wrote:
> On Tuesday, November
-8.6?
Tomas Mraz, OpenSSL
On Tue, 2022-11-08 at 07:17 +0100, Matthias Apitz wrote:
>
> Hello,
>
> We compile openssl 1.1.1l from the sources and run on RedHat 8.6 into
> the
> problem that the system shared lib /usr/lib64/libk5crypto.so.3 misses
> a
> symbol from openssl:
In general unless you've built and installed your own build of OpenSSL
you need to refer to the vendor of your operating system for patches.
In particular the openssl packages in CentOS 7.9 are not affected given
they are 1.0.2 version and not 3.0.x version.
Tomas Mraz, OpenSSL
On Wed, 2022-11
No, long long and unsigned long long are required, and they have been
required for quite some time. The code is mostly C90 but not strictly.
I suppose on platforms with 64bit long type we could make it work
without long long though. Pull requests are welcome.
Tomas Mraz, OpenSSL
On Tue, 2022-11-01 at 22
Hi Mike,
the signing key is a sub key of the key listed on this web site:
https://www.openssl.org/community/otc.html
The primary key fingerprint is also mentioned at
https://github.com/openssl/openssl/blob/master/doc/fingerprints.txt
Regards,
Tomas Mraz, OpenSSL
On Tue, 2022-11-01 at 18:14
The SHA3 low level implementation is used at various places. For
example there is also the SHAKE XOF hash function implementation which
uses the low level SHA3 routines. There is also an implementation of
the original Keccak algorithm in the master branch.
Tomas Mraz, OpenSSL
On Fri, 2022-10-21 at 11:33
is in the object database.
Tomas Mraz
On Sun, 2022-10-23 at 13:46 -0400, Martin via openssl-users wrote:
> Hi,
>
> How can I get the nid from the curve name for a EC key in OpenSSL 3?
> I’m porting code from OpenSSL 1.0.2.
>
> I’m converting this:
>
> ecc_curve_type =
openssl-3.0 and openssl-1.1.1 in your
system.
Tomas Mraz
On Thu, 2022-10-20 at 05:26 +, Gahlot, Ashish Kumar wrote:
> Hi everyone,
>
> I'm trying to enable fips provider in openssl3 by writing the
> following lines into openssl.cnf file:
>
> openssl_conf = openssl_
releases as the existing SRP API continues to be
supported there.
Tomas Mraz, OpenSSL
On Mon, 2022-10-17 at 21:13 -0700, Norm Green wrote:
> I'm also interested in the answer to these questions regarding SRP
> in OpenSSL v3.
>
> Our project still uses OpenSSL v1.1.1 with plans to mov
Thank you for your time and help.
>
> -Fernando Elena Benavente.
>
> -Original Message-
> From: Tomas Mraz
> Sent: Wednesday, October 12, 2022 11:15 AM
> To: Fernando Elena Benavente ;
> openssl-users@openssl.org
> Cc: Jorge Juan Tejero Fernández ;
> Alberto Sendino Aragoné
On Wed, 2022-10-12 at 11:02 +0200, Tomas Mraz wrote:
> On Tue, 2022-10-11 at 10:50 +, Fernando Elena Benavente wrote:
> > Hi guys, I'm trying to use the EVP_MAC OpenSSL API with the
> > CMAC_AES256, I have been using some testing vectors I found on
> > github, but se
On Tue, 2022-10-11 at 10:50 +, Fernando Elena Benavente wrote:
> Hi guys, I'm trying to use the EVP_MAC OpenSSL API with the
> CMAC_AES256, I have been using some testing vectors I found on
> github, but it seems they don't work on the CMAC of OpenSSL, as the
> expected output of the test
k you
> Setsuo Imazu
>
> On 2022/10/05 15:36, Tomas Mraz wrote:
> > Hello,
> > most probably the key is stored in the OpenSSH private key format.
> > You'll need to use ssh-keygen -p -m PKCS8 to convert the key into a
> > format that OpenSSL can read.
> >
Hello,
most probably the key is stored in the OpenSSH private key format.
You'll need to use ssh-keygen -p -m PKCS8 to convert the key into a
format that OpenSSL can read.
Tomas Mraz, OpenSSL
On Wed, 2022-10-05 at 15:00 +0900, Imazu Setsuo wrote:
> Hello.
>
> When I read the RSA pr
their refcount
dropped and they will be properly freed.
Tomas Mraz, OpenSSL
On Mon, 2022-10-03 at 09:35 -0700, Jay Foster wrote:
> Your response makes sense. I am a bit puzzled by the BIO reference
> counting. For example
>
> BIO_new() (or BIO_new_socket() which calls BIO_new
As I wrote before, there is no such function. There is only the
EVP_PKEY_get_size() which gives you the maximum length the encrypted
data can have for a given key.
If you do not know the length of the ciphertext for the
EVP_PKEY_decrypt() call, you can use the EVP_PKEY_get_size() value,
compare
I am glad to hear that.
Regards,
Tomas Mraz, OpenSSL
On Fri, 2022-09-30 at 17:18 +, GonzalezVillalobos, Diego wrote:
> [AMD Official Use Only - General]
>
> Hello Tomas,
>
> There was a logic error in my code, I did not realize that the first
> iteration of the verific
There is EVP_PKEY_get_size() function which will give you the maximum
length the encrypted data can have. Unfortunately it cannot give you
the exact length which might be smaller in some cases.
Tomas Mraz
On Thu, 2022-09-29 at 21:49 +, ANUJ SHARMA wrote:
> Hi,
> I am working on this fu
);
The SSL BIO should always have a next BIO if properly initialized.
Tomas Mraz, OpenSSL
On Thu, 2022-09-29 at 13:02 -0700, Jay Foster wrote:
> I have an application that constructs a chain of BIOs. Sometimes
> this
> chain also includes an SSL BIO. Years ago, I ran into
t; << endl;
> break;
> }
>
> int ret = EVP_DigestVerifyFinal(verify_md_ctx,
> der_sig, der_sig_len);
> if (ret == 0) {
> cout << "EC Verify digest fails" <<
Hi,
comments below.
On Wed, 2022-09-28 at 22:12 +, GonzalezVillalobos, Diego wrote:
> [AMD Official Use Only - General]
>
> Hello Tomas,
>
> I generated the key as you suggested, and I am no longer getting an
> error message! Thank you for that. Here is how I'm generating the key
> now:
>
if (EVP_DigestVerifyUpdate(verify_md_ctx, child_cert,
> pub_key_offset) <= 0){ // Calls SHA256_UPDATE
> cout << "updating digest fails" << endl;
> break;
> }
>
> int ret = EVP_DigestVerifyFinal(verify_md_ctx,
> signature, sig_len);
> cout << ret << endl;
On Thu, 2022-09-08 at 16:10 +, GonzalezVillalobos, Diego via
openssl-users wrote:
> [AMD Official Use Only - General]
>
> Hello everyone,
>
> I am currently working on updating a signature verification function
> in C++ and I am a bit stuck. I am trying to replace the deprecated
> 1.1.1
On Tue, 2022-08-23 at 12:09 +, Jonathan Wernberg wrote:
> TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to
> read in an EC private key from raw format into an EVP_PKEY object
> ready to be used? What is the easiest way to convert an RSA public
> key from raw modulus and
Hi,
there is no way to do that with OpenSSL 1.1.0 and newer. The thing is
that with recent versions of OpenSSL the later operations with the
EVP_MD_CTX can fail for other reasons than memory allocation failure
such as algorithm unavailability from a provider. So you would need to
check anyway.
be to use
PEM_read_bio_Parameters().
Tomas Mraz
On Wed, 2022-07-13 at 16:35 +0200, Dirk Stöcker wrote:
> Hello,
>
> when upgrading to openssl3 my code states that some functions are
> deprecated in openssl 3, but even after reading documentation I was
> unable to find a non-depreca
A good starting point is to read the migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
Tomas Mraz, OpenSSL
On Tue, 2022-06-28 at 20:48 -0700, Pei JIA wrote:
> Actually, my question is quite general:
> It looks a lot of functions in **OpenSSL1.1.1**
On Tue, 2022-06-21 at 10:33 +, Tiwari, Hari Sahaya wrote:
> Hi,
> I need one clarification on routine SSL_CTX_free(). I see the memory
> is not freed even after calling this SSL_CTX_free().
>
> I have a simple test program, which just does SSL_CTX_new() and
> SSL_CTX_free().
>
> #include
This is a known issue:
https://github.com/openssl/openssl/issues/18456
You can just ignore the failure for now; it will be fixed in the next
release.
Tomas
On Fri, 2022-06-10 at 14:08 +0430, Mohammad Ghasemi wrote:
> I'm trying to build openssl 3 in Windows 10 using msvc 143
>
> Test Summary
On Thu, 2022-06-09 at 13:14 +, Beilharz, Michael wrote:
> well, i use:
>
> pkcs12 -in "cert.p12" -clcerts -nokeys -out cert.PEM" -passin
> pass:
> pkcs12 -in "cert.p12" -nocerts -out tmpkey.PEM -passin pass: -
> passout pass:
Instead of this step you can just use:
pkcs12 -in "cert.p12"
suggestions.
>
> Could it be an issue with openssl or with the compile ?
>
> Thanks,
> Minal
>
> On Thu, Jun 2, 2022 at 2:32 PM Tomas Mraz wrote:
> > This is crashing inside the getentropy call in glibc or the weak
> > symbol
> > binding does not work correctly for
at might help.
Regards,
Tomas Mraz
On Thu, 2022-06-02 at 12:49 +0530, Minal Patil wrote:
> here is the backtrace with debug.
> Program received signal SIGILL, Illegal instruction.
> 0x1004 in ?? ()
> Missing separate debuginfos, use: dnf debuginfo-install libgcc-8.3.1-
>
Can you please try to build the openssl with debug information (-d on
Configure command line)? To see whether the backtrace will contain more
information.
Tomas Mraz
On Thu, 2022-06-02 at 11:09 +0530, Minal Patil wrote:
> Hello All,
>
> I am trying to use RSA_generate_key_ex
On Sat, 2022-05-28 at 19:12 -0700, Kip Warner wrote:
> Hey list,
>
> I am in the process of porting some RSA related code that used
> OpenSSL
> 1.1.1 to the newer 3.0 API. A lot of the functions I was using are
> now
> deprecated. I've tried to follow the migration guide as best I can.
>
> Right
On Wed, 2022-05-18 at 16:37 -0500, Kevin R. Bulgrien wrote:
> > From: "Matt Caswell"
> > Subject: Re: openssl 1.1.1 minor patches to build on SCO OpenServer
> > 5.0.7
> >
> > Hi Kevin,
> >
> > The patch in s_socket.c is likely to be acceptable. It looks
> > reasonable
> > to me, it may well be
The EVP_CIPHER_CTX_set_padding(ctx, 0) must be called after the
EVP_CipherInit() to have an effect.
Also what is the AST_CRYPTO_AES_BLOCKSIZE value? Is it in bits (i.e.,
128)?
Also res should be initialized to -1 so you do not return uninitialized
value on error.
Tomas Mraz
On Fri, 2022-05-13
Please look at
demos/signature/rsa_pss_direct.c
If you want to use the old PKCS1 v1.5 padding then just replace
RSA_PKCS1_PSS_PADDING with RSA_PKCS1_PADDING.
Tomas
On Thu, 2022-05-05 at 10:35 -0600, Philip Prindeville wrote:
> Hello. And many thanks.
>
> That was helpful.
>
> One more
Fix is here:
https://github.com/openssl/openssl/pull/18247
On Thu, 2022-05-05 at 07:54 +0200, Tomas Mraz wrote:
> Yes, this is unfortunately a bug in 3.0.3 release. Calling
> OPENSSL_init_crypto should not be necessary.
>
> Tomas Mraz
>
> On Wed, 2022-05-04 at 21:58 +0200, K
Yes, this is unfortunately a bug in 3.0.3 release. Calling
OPENSSL_init_crypto should not be necessary.
Tomas Mraz
On Wed, 2022-05-04 at 21:58 +0200, Klaus Keppler wrote:
> Hello,
>
> yesterday we updated OpenSSL from 3.0.2 to 3.0.3, what made some of
> our
> unit tests crash.
compliant as the low-level API calls called from an
application are implemented by the libcrypto library and not the FIPS
provider.
Tomas Mraz, OpenSSL
On Tue, 2022-05-03 at 10:12 -0500, Joy Latten wrote:
> Hi,
> I understand that low-level APIs have been deprecated in version 3. I
> have bee
Maybe https://github.com/openssl/openssl/pull/18136 could help you?
Regards,
Tomas Mraz
On Thu, 2022-04-21 at 16:49 +, Gaurav Mittal11 wrote:
> I tried same commands and same setting with root access, seems like I
> pass that error.
> Can you help why its not giving any error and
and
certificate files.
Tomas Mraz
On Fri, 2022-04-01 at 18:14 +, vchiliquinga--- via openssl-users
wrote:
> Hello,
>
> Connection between a Openssl 3.0.2 server and a 1.1.1g client is
> proving to be unsuccessful.
>
> According to the logs collected we seem to
The bio_st structure is private since 1.1.0 release. So one option is
to check if the OPENSSL_VERSION >= 0x1010
Tomas
On Fri, 2022-03-25 at 18:33 -0600, Philip Prindeville wrote:
> Hi,
>
> I was wondering if there was some sort of sentinel variable that
> tells us if is exporting access to
On Mon, 2022-03-28 at 09:24 +0300, Mib wrote:
> Hi, I am trying to create a ECC certificate with ecdsa_with_SHA3-512
> signature algorithm.
>
> But I am having the below issue When I try to verify it with the
> X509_Verify api.
> "error:068000C7:asn1 encoding routines::unknown signature
with it.
Tomas Mraz
On Fri, 2022-03-25 at 09:54 +, Gaurav Mittal11 wrote:
> Hi,
>
> I have build and installed 1.0.2u version but when I have change
> below softlink point to 1.0.2u from 0.9.8, console from putty stopped
> connecting.
> This is something related to openssl.cnf or
On Thu, 2022-03-24 at 22:19 -0600, Philip Prindeville wrote:
> Hi,
>
> I'm incrementally trying to port asterisk to Openssl 3.0.
>
> First thing I'm trying to do is wean the code off of the RSA_*
> functions, and use generic EVP_PKEY_* functions instead.
>
> Most of it is fairly straightforward
On Fri, 2022-03-18 at 05:24 -0400, Michael Richardson wrote:
>
> Tomas Mraz wrote:
> >> Should the test *ALSO* ifdef itself out if OPENSSL_NO_DGRAM is
> >> defined?
>
> > No, that's not necessary as they won't be built at all with the
> >
On Thu, 2022-03-17 at 10:17 -0400, Michael Richardson wrote:
>
> Tomas Mraz wrote:
> >> I figured out that this means that ./Configure should have
> "no-dgram"
> >> appended to it. That seems to result in OPENSSL_NO_DGRAM
> being
>
On Wed, 2022-03-16 at 16:20 -0400, Michael Richardson wrote:
>
> One of the run checkers is marked "no dgram".
>
> https://github.com/mcr/openssl/runs/5563998914?check_suite_focus=true
>
> I figured out that this means that ./Configure should have "no-dgram"
> appended to it. That seems to
On Mon, 2022-03-14 at 08:58 -0300, Richard Dymond wrote:
> On Mon, 14 Mar 2022 at 04:52, Tomas Mraz wrote:
> > The DSA_SIG_* functions are not deprecated including the i2d and
> > d2i
> > functions. So you can use d2i_DSA_SIG to decode the DER produced by
>
On Fri, 2022-03-11 at 15:21 -0400, Richard Dymond wrote:
> Hi
>
> I recently migrated an application from OpenSSL 1.1.1 to OpenSSL 3.0,
> and I'm wondering how best to handle DSA signatures - specifically,
> the 'r' and 's' values - in OpenSSL 3.0.
>
> In OpenSSL 1.1.1, it was pretty easy:
>
>
Yes, this is a fully supported scenario.
You can even test it with the openssl s_server command - use -cert, -key,
and -cert_chain for the first certificate and -dcert, -dkey, and
-dcert_chain with the second one.
Tomas Mraz
On Fri, 2022-03-11 at 13:19 +, Kris Kwiatkowski wrote:
> He
on that key.
Tomas
On Fri, 2022-03-04 at 09:59 +, Srinivas, Saketh (c) wrote:
> I need to compute the shared key for DH. I have to extract public and
> private keys from evpkeypair. But the function EVP_PKEY_get_bn_param
> extracts as a big num. I need them as evp_pkey.
>
>
>
with domain
parameters.
Tomas Mraz
On Fri, 2022-03-04 at 09:43 +, Srinivas, Saketh (c) wrote:
> i need them to create ctx = EVP_PKEY_CTX_new(priv_key, NULL)
>
> and then add the peer to ctx as EVP_PKEY_derive_set_peer( ctx,
> pub_key )
>
> both should be evp_pkey format.
There is no straightforward way to do that. What do you want to do with
the public and private EVP_PKEYs?
Tomas
On Fri, 2022-03-04 at 07:28 +, Srinivas, Saketh (c) wrote:
> HI,
>
> i have EvpKeyPair from GenerateEvpKeyPair(dh_p, dh_g, )
>
> How can I get the public key and priv key from
nging
the standard. The problem is the non-compliant PKCS12KDF is basically
hardcoded in the PKCS12 standard as the KDF to generate the MAC key
from the password.
Tomas
> Thanks,
>
> Florin Spatar
>
> On 16.02.2022 17:25, Tomas Mraz wrote:
> > Yes, unfortunately PKCS12_parse curr
Yes, unfortunately PKCS12_parse currently does not support PKCS12 files
without the MAC. Such support could be easily added. As a workaround
you can look at how the pkcs12 application is implemented and use these
calls instead.
Regards,
Tomas Mraz, OpenSSL
On Wed, 2022-02-16 at 14:09 +
Please note that there are two checksums in the configuration file. One
of them is the FIPS module checksum and the other is the checksum of
the configuration. You can copy the file across machines if it is
without the configuration checksum - that means the selftest will be
always run when the
On Fri, 2022-02-11 at 08:35 +, Kevin Millson wrote:
> Hello OpenSSL Users,
>
> I’m trying to use SHA1 message digest hashing in combination with the
> FIPS provider, but seem to be running into issues. My code looks like
> the following:
>
> EVP_PKEY* privateKey = getPrivateKey();
>
i set this return value.
>
> thanks,
> Saketh.
> From: Tomas Mraz
> Sent: Wednesday, February 9, 2022 4:59 PM
> To: Srinivas, Saketh (c) ;
> openssl-users@openssl.org
> Subject: [EXTERNAL] Re: does Openssl 3.0 has backward compatiblity.
> The PKCS12 files use algorithms
The PKCS12 files use algorithms that are legacy, you need to load the
legacy and default provider to be able to load them. You can do that
either with configuration file (see man 5 config) or with
OSSL_PROVIDER_load() calls.
Regards,
Tomas
On Wed, 2022-02-09 at 11:11 +, Srinivas, Saketh (c)
Hi,
is this with a 3.0 version? If so, the most probable cause is that the
pkcs12 file uses some legacy algorithms. You'll need to load the legacy
and default providers either by having them activated in the OpenSSL
configuration file or by explicitly loading them with
OSSL_PROVIDER_load() calls.
Yeah, you need to add the @SECLEVEL=0 in the cipher string to set the
security level to 0. That is needed to allow SHA1 in signatures which
is required for these TLS versions.
Tomas Mraz
On Thu, 2022-02-03 at 17:36 +1100, pa...@openssl.org wrote:
> It does support both. I th
On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote:
> Hi,
> I successfully implemented OpenSSL v3 provider which provides store
> and keymgmt and I can use it to sign a cms with the following
> command:
>
> openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider
> default
>
>
On Wed, 2022-01-12 at 09:41 +0100, Milan Kaše wrote:
> By further comparing the scenario with the built-in file provider and
> my external provider I found that this has something to do with
> library contexts.
>
> When x509_pubkey_ex_d2i_ex tries to decode the certificate's public
> key it
On Tue, 2022-01-11 at 10:15 +, Kumar Mishra, Sanjeev wrote:
> Hi,
> I am getting following linking Error for APIs "bn_get_words()" and
> "bn_get_top()" while compiling with OpenSSL 3.0. Although crypto/bn.h
> is included in file.
> Please help to resolve it.
> Regards,
> Sanjeev
These symbols
On Tue, 2022-01-04 at 19:25 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> > > But, considering that the man pages describe C API, wouldn't it
> > be
> > > nice to mention (even though it may be obvious that a number of
> > order
> > > 2^384 might not fit into 32 or even 64 bits) that the
On Tue, 2022-01-04 at 17:02 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> > > In other words, the man page says it's unsigned int, but in fact
> > it's
> > > BIGNUM? Because the pointer I gave was to "unsigned int", like
> > in the
> > > OP's code.
> >
> > The param is too big to fit into
On Tue, 2022-01-04 at 16:46 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> On 1/4/22, 11:23, "Tomas Mraz" wrote:
>
> > > Theoretically, shouldn’t
> > >
> > > EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned
> > int)order)
On Tue, 2022-01-04 at 14:17 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> Now I became interested. ;-)
>
> Theoretically, shouldn’t
>
> EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned
> int)order)
>
> work? I verified that it does not seem to work, at least in the
> obvious
On Tue, 2022-01-04 at 02:33 +0100, Wolf wrote:
> Thank you for the answer!
>
> On 2022-01-03 10:11:19 +0100, Tomas Mraz wrote:
> > You're using the secp384r1 curve which is a prime field curve. The
> > OSSL_PKEY_PARAM_EC_CHAR2_M parameter can be obtained only for
On Mon, 2022-01-03 at 01:51 +0100, Wolf wrote:
> Greetings,
>
> I'm trying to port my program to openssl 3.0 and in the process I
> need
> to replace EC_GROUP_get_degree(EC_KEY_get0_group(ec)) with something
> that is not deprecated. I'm trying to use EVP_PKEY_get_int_param with
>
On Sun, 2021-12-12 at 00:39 +0200, Graham Leggett via openssl-users
wrote:
> Hi all,
>
> The ENGINE API is deprecated in favour of the new Provider API.
>
> What is the provider equivalent function that replaces
> ENGINE_load_private_key()?
One option would be for a provider to provide
On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> On 11/9/21, 22:23, "Dr Paul Dale" wrote:
>
> > Currently I've no idea and can't reproduce locally :(
>
> Maybe you'd know how to force the "-engine rdrand" path through
> "openssl.cnf"?
>
> > A rogue configuration
On Fri, 2021-11-05 at 13:48 +, Jason Schultz wrote:
> For setting up the trusted store, when the application starts, it
> calls:
>
> ssl_trusted_certs = X509_STORE_new()
>
> ...and then reads all of the certificates in /etc/ssl/certs/ calling
> X509_STORE_add_cert(trusted_store,cert);
>
On Fri, 2021-11-05 at 13:04 +, Jason Schultz wrote:
> I know I've been raising a lot of issues this week, because of
> varying reasons, but I've hit another one that seems like either an
> OpenSSL problem, or something new/different I need to do with OpenSSL
> 3.0 in connection establishment.
On Wed, 2021-11-03 at 20:32 +, Jason Schultz wrote:
> 00B741558E7F:error:0308010C:digital envelope routines:(unknown
> function):unsupported:crypto/evp/evp_fetch.c:346:Global default
> library
> context, Algorithm (SHA1 : 96), Properties ()
The "Global default library context" hints at
On Tue, 2021-11-02 at 11:42 +0700, Alex Dankow wrote:
> Matt,
>
> Thank you very much for your response. I understand that the FIPS
> certified OpenSSL module is long awaited and the team was quite
> limited in time to complete all features.
> I tried Windows certificates +Openssl because it
On Sat, 2021-10-23 at 11:04 +0700, Alex Dankow wrote:
> Hi OpenSSL users and its glorious developers,
>
> Thank you very much for OpenSSL 3!
>
> My question is about writing a provider. I decided to start from a
> Windows certificate storage provider. It already works with "openssl
> storeutl"
On Thu, 2021-10-14 at 17:36 -0400, Ken Goldman wrote:
> On 10/14/2021 6:39 AM, Matt Caswell wrote:
> >
> > "priv" (OSSL_PKEY_PARAM_PRIV_KEY)
> >
> > The private key value.
> >
> > Since its an integer using EVP_PKEY_get_bn_param() would be
> > appropriate here, but not
wrong then in saying that dgst and possibly other apps are not
> ready to be used with providers rather than engines in the case you
> need keyform=ENGINE ?
>
>
> On Mon, 4 Oct 2021, 14:13 Tomas Mraz, wrote:
> > You would have to implement a STORE provider that handles your
You would have to implement a STORE provider that handles your special
url scheme and then the keys would be referenced by the
yourscheme://any-identifier-you-have. Of course the application (i.e.,
the openssl application which already does this) would have to use the
OSSL_STORE API to load the
On Thu, 2021-09-30 at 21:28 -0400, Felipe Gasper wrote:
> Hello,
>
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> ^^ This document indicates that, by enabling trusted-first mode, I
> should be able to work around the LE expiration problem.
>
> I’m
On Mon, 2021-09-27 at 15:15 -0400, Ken Goldman wrote:
> Does it make sense to initialize the context once and then use it
> multiple times, or is cleaner to create a new one from the raw key
> byte string each time?
It is not necessary. The reinitialization is supported to avoid
recreating key
On Mon, 2021-09-27 at 08:24 -0700, Jay Foster wrote:
> On 9/27/21 7:33 AM, Michael Richardson wrote:
> > Jay Foster wrote:
> > > While migrating some applications from OpenSSL 1.0.2 (and
> > 1.1.1) to
> > > 3.0.0, I have noticed that the
> > SSL_CTX_set_default_verify_paths()
> > >
can investigate this further.
Tomas Mraz
On Fri, 2021-09-17 at 11:55 -0700, Kory Hamzeh wrote:
>
>
> > On Sep 14, 2021, at 12:03 AM, Tomas Mraz wrote:
> >
> > On Mon, 2021-09-13 at 16:13 -0700, Kory Hamzeh wrote:
> > > I have cross-compiled Op
As this requires support for Attribute Certificates, which is not
currently present in OpenSSL, RFC 5755 is not supported either.
Regards,
Tomas
On Sat, 2021-09-18 at 11:34 +0800, 215104920 via openssl-users wrote:
> Hi. There
> Could you give me some help?
> Thanks a lot.
>
>
> BRs
> Mystic
t; providers
>
> Thanks,
> shiva kumar
> From: Tomas Mraz
> Sent: Wednesday, September 8, 2021 7:00 PM
> To: Shivakumar Poojari ;
> openssl-users@openssl.org
> Cc: Paramashivaiah, Sunil ;
> Bhattacharjee, Debapriyo (c)
> Subject: [EXTERNAL] Re: ENGINE API rep
On Tue, 2021-09-14 at 14:42 -0400, Ken Goldman wrote:
> On 9/14/2021 11:40 AM, Tomas Mraz wrote:
> > On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:
> > > Conceptually, how are these different?
> > >
> > > When do I use one vs the other?
> >
On Tue, 2021-09-14 at 21:46 -0700, Kory Hamzeh wrote:
> I have written a custom provider which I need to include (link) with
> my Application at link time rather than load it at run-time. The init
> function is defined like this:
>
> OSSL_provider_init_fn sck_provider_init;
>
> int
On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:
> Conceptually, how are these different?
>
> When do I use one vs the other?
The EVP_PKEY is an object holding data (well, rather a reference, but
that is fairly irrelevant) of a private key, public key, or domain
parameters for asymmetric
I've written a blog post to explain the situation with the old Let's
Encrypt root certificate expiration which will happen on 2021-09-30 and
the behavior of OpenSSL 1.0.2 with that root certificate.
Please read, if interested:
On Mon, 2021-09-13 at 16:13 -0700, Kory Hamzeh wrote:
> I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything
> seems to be working fine, except for the fact that I cannot get
> OpenSSL to load the legacy module when I configure /ssl/openssl.cnf
> as such. I can, however, load the
Hello,
there is no direct replacement. The ENGINEs as a pluggable crypto
modules concept is replaced with the providers concept which is much
more sophisticated and capable.
Please look at
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
ENGINEs support is not removed from OpenSSL
to rename the test , as
> it is misleading and can cause problems in FIPS certification ?
>
> Thanks,
> Nagarjun
>
> On Mon, Aug 30, 2021 at 3:51 PM Tomas Mraz wrote:
> > The question was about the fips module POST (power on self test)
> > and
> > there what