Hello,
I have a question regarding openssl and verification of client
certificates. Is there a way to have an openssl-enabled server ask for a
client certificate, and when it receives one it can't verify, rather than
immediately terminating the handshake, it would allow the connection, but
pass
On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
>> From: openssl-users On Behalf Of The
>> Doctor
>> Sent: Tuesday, 11 September 2018 08:49
>> To: openssl-users@openssl.org; openssl-...@openssl.org
>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>>
>> Will that combination
Hi Viktor,
I realized that something like this could be an option a few minutes after
I hit "send". Thanks for the confirmation - I'll give this a shot!
Many thanks!
Armen
On Mon, Sep 10, 2018 at 11:19 PM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:
>
>
> > On Sep 11, 2018, at 2:09
Will that combination occur?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
NB 24 Sept vote Liberal!
> From: openssl-users On Behalf Of The
> Doctor
> Sent: Tuesday, 11 September 2018 08:49
> To: openssl-users@openssl.org; openssl-...@openssl.org
> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>
> Will that combination occur?
Support for TLS 1.3 is a new feature in OpenSSL 1.1.1
> On Sep 11, 2018, at 2:09 AM, Armen Babikyan wrote:
>
> I have a question regarding openssl and verification of client certificates.
> Is there a way to have an openssl-enabled server ask for a client
> certificate, and when it receives one it can't verify, rather than
> immediately
> On Sep 11, 2018, at 2:25 AM, Armen Babikyan wrote:
>
> I realized that something like this could be an option a few minutes after I
> hit "send". Thanks for the confirmation - I'll give this a shot!
You should also consider what if anything you want to pass to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
OpenSSL version 1.1.1 released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1 of our open
> On Sep 11, 2018, at 4:55 PM, Joseph Christopher Sible
> wrote:
>
> What exactly are each of "Curves" and "ECDHParameters" used for, as
> documented by https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html?
The documentation of OpenSSL 1.1.x does not mention "ECDHParameters",
only
> On Sep 11, 2018, at 6:20 PM, Viktor Dukhovni
> wrote:
>
>
> The 1.0.2 documentation for "ECDHParameters" explains that this is
> server-side setting to select a particular *fixed* ECDHE curve.
> This is a legacy feature that predates negotiation of the curve
> used based on the client's
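The distinction Viktor draws, as an added configuration example that is not from the thread and not from the Apache or OpenSSL projects: Apache httpd's mod_ssl forwards SSL_CONF commands to libssl through its SSLOpenSSLConfCmd directive, so both settings can be written side by side. The curve names are illustrative choices, not a recommendation from the page.

```apacheconf
# Legacy form (OpenSSL 1.0.2 era): pin one fixed ECDHE curve on the server.
# A client that does not list the pinned curve gets no ECDHE key exchange
# from this server at all.
SSLOpenSSLConfCmd ECDHParameters secp384r1

# Replacement: advertise an ordered preference list and let the handshake
# pick the first curve both sides support. Under OpenSSL 1.1.1 "Curves" is a
# synonym for "Groups", and the same list drives TLS 1.3 key_share selection,
# so this one line covers TLS 1.2 and TLS 1.3.
SSLOpenSSLConfCmd Curves X25519:P-256:P-384
```

Use one or the other, not both: the fixed-curve setting exists only for servers that predate curve negotiation, and keeping it alongside a Curves list defeats the purpose of the list.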
On 11/09/2018 19:34, Viktor Dukhovni wrote:
On Sep 11, 2018, at 1:17 PM, Jordan Brown wrote:
The key piece that I was missing - I hadn't looked at and thought about the protocol
enough - was that there's no version-independent way for the server to fail. If the
server supports only
> On Sep 11, 2018, at 9:57 PM, Jakob Bohm wrote:
>
> Clarification question, as I cannot match what you wrote above with
> the changelog (NEWS) in the OpenSSL 1.1.1 tarball:
>
> - Does OpenSSL 1.1.1 include SSL3.0 support or not?
The code is there, but it is disabled in default builds. You
On Tue, Sep 11, 2018, 13:10 Kurt Roeckx wrote:
> On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> > Hello,
> >
> > What is the better way, for anyone running, for example, Apache or nginx
> > on a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to
> > support TLS 1.3?
> >
Ah, yes. Well that's why FIPS for OpenSSL is the main focus of the
next release, and presumably why Oracle is one of the sponsors... :-)
In the mean-time, yeah, you may have to support 1.0.2 for ~1 more year.
> On Sep 12, 2018, at 1:18 AM, Jordan Brown
> wrote:
>
> My understanding is that
Hello,
What is the better way, for anyone running, for example, Apache or nginx on
a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS
1.3?
Waiting for a package update to ship openssl 1.1.1? Probably a long wait.
Recompile the openssl dynamic library and replace the system library?
Looks like I found a first bug
../test/recipes/70-test_comp.t .
Proxy started on port [::1]:10789
Server command: ../../util/shlib_wrap.sh ../../apps/openssl s_server
-max_protocol TLSv1.3 -no_comp -rev -engine ossltest -ext_cache -accept [::1]:0
-cert ../../apps/server.pem
AFAIK 1.1.1 does not support the FIPS module, which means that those of us who
require FIPS must stay on 1.0.2. Any ETA on when FIPS support might be added?
Graeme
-----Original Message-----
From: openssl-users On Behalf Of Matt
Caswell
Sent: September 11, 2018 4:31 AM
To:
On 11/09/18 14:58, The Doctor wrote:
> On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:
>>
>>
>> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
From: openssl-users On Behalf Of The
Doctor
Sent: Tuesday, 11 September 2018 08:49
To:
>So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
in order to use TLS 1.3.
Yes.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Our new Long Term Support release, OpenSSL 1.1.1, including TLSv1.3, has
been released today. Please download and upgrade!
There is a blog post about the new release and the status of the older
releases here:
https://www.openssl.org/blog/blog/2018/09/11/release111/
Matt
On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:
>
>
> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
> >> From: openssl-users On Behalf Of The
> >> Doctor
> >> Sent: Tuesday, 11 September 2018 08:49
> >> To: openssl-users@openssl.org; openssl-...@openssl.org
> >>
On 11/09/18 15:12, Perrow, Graeme wrote:
> AFAIK 1.1.1 does not support the FIPS module, which means that those of us
> who require FIPS must stay on 1.0.2. Any ETA on when FIPS support might be
> added?
TBD. Likely to be next year (before the EOL of 1.0.2) IMO. Our
development focus is now
> On Sep 11, 2018, at 11:33 AM, The Doctor wrote:
>
> Looks like I found a first bug
>
> ../test/recipes/70-test_comp.t .
> Proxy started on port [::1]:10789
> Server command: ../../util/shlib_wrap.sh ../../apps/openssl s_server
> -max_protocol TLSv1.3 -no_comp -rev
> On Sep 11, 2018, at 12:33 PM, Jordan Brown
> wrote:
>
> Thanks!
>
> Now I need to wrap my head around what that all means.
>
> It sounds like the protocol doesn't really have a version-independent way for
> the version negotiation to cleanly fail. That's unfortunate.
Well, once SSL3
On Tue, Sep 11, 2018 at 12:23:08PM -0400, Viktor Dukhovni wrote:
>
>
> > On Sep 11, 2018, at 11:33 AM, The Doctor wrote:
> >
> > Looks like I found a first bug
> >
> > ../test/recipes/70-test_comp.t .
> > Proxy started on port [::1]:10789
> > Server command:
On 09/11/2018 12:23 PM, Viktor Dukhovni wrote:
On Sep 11, 2018, at 11:33 AM, The Doctor wrote:
Looks like I found a first bug
This did not happen on my machine, the build succeeded, and all tests
passed:
$ uname -srp
FreeBSD 11.1-RELEASE-p10 amd64
You have 11.1 there whereas
On 9/11/2018 9:46 AM, Viktor Dukhovni wrote:
> Part of the confusion is also using a version inflexible method on the
> client, that's rarely done.
My test engineers like trying all the variations, including the ones
nobody will ever use :-)
> Instead of "s_client -tls1" it is wiser to test with
On 09/11/2018 01:30 PM, The Doctor wrote:
On Tue, Sep 11, 2018 at 12:48:53PM -0400, Dennis Clarke wrote:
On 09/11/2018 12:23 PM, Viktor Dukhovni wrote:
On Sep 11, 2018, at 11:33 AM, The Doctor wrote:
Looks like I found a first bug
Let's just slow down here a sec.
Let's get this
On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:
> Looks like I found a first bug
>
> ../test/recipes/70-test_comp.t .
> Proxy started on port [::1]:10789
> Server command: ../../util/shlib_wrap.sh ../../apps/openssl s_server
> -max_protocol TLSv1.3 -no_comp -rev
> On Sep 11, 2018, at 10:59 AM, Juan Isoza wrote:
>
> What is the better way, for anyone running, for example, Apache or nginx on a
> popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS 1.3?
>
> Waiting for a package update to ship openssl 1.1.1? Probably a long wait.
>
>
> On Sep 11, 2018, at 1:17 PM, Jordan Brown
> wrote:
>
> The key piece that I was missing - I hadn't looked at and thought about the
> protocol enough - was that there's no version-independent way for the server
> to fail. If the server supports only versions larger than the client
>
Thanks!
Now I need to wrap my head around what that all means.
It sounds like the protocol doesn't really have a version-independent
way for the version negotiation to cleanly fail. That's unfortunate.
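An added example, not code from the thread, that exercises both points raised on this page in one loopback harness: the version-negotiation failure Jordan and Viktor discuss here (a version-flexible client settles on the best common version, while a client capped below the server's minimum is refused with a protocol_version alert), and Armen's client-certificate question earlier on the page. It uses only Python's stdlib ssl module and assumes an `openssl` CLI on PATH (used solely to mint throwaway self-signed certificates at run time, which are constructed demo material), a Python linked against OpenSSL 1.1.1 or later, and working loopback TCP. The names make_cert, handshake, version_negotiation and client_auth are this example's own. Note the caveat it demonstrates: CERT_OPTIONAL makes the server request a certificate and tolerate its absence, but a certificate that is offered and cannot be verified still aborts the handshake, because the stdlib exposes no verify callback; the accept-and-record behaviour Armen asks about needs a verify callback installed with SSL_CTX_set_verify at the C API level, where the callback can note the verification error and return success, leaving the application to read SSL_get_verify_result() afterwards.

```python
"""Loopback TLS experiments with the stdlib ssl module (added example, not
code from the thread).  Assumes an `openssl` CLI on PATH to mint throwaway
self-signed certificates at run time, a Python linked against OpenSSL 1.1.1
or later, and working loopback TCP."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

_TMP = tempfile.TemporaryDirectory(prefix="tls-demo-")   # cleaned up at exit


def make_cert(name, cn):
    """Self-signed RSA cert + key for `cn` via the openssl CLI (assumed present)."""
    cert, key = [os.path.join(_TMP.name, name + ext) for ext in (".pem", ".key")]
    if not os.path.exists(cert):
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-days", "1", "-subj", "/CN=" + cn,
                        "-addext", "subjectAltName=DNS:" + cn,
                        "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key


def _common_name(peer):
    """commonName from the subject tuple-of-tuples that getpeercert() returns."""
    return dict(pair for rdn in peer["subject"] for pair in rdn).get("commonName")


def handshake(server_ctx, client_ctx):
    """One TLS connection over 127.0.0.1; the server answers b"ok" once its side
    of the handshake, including any client-certificate check, has succeeded.
    Returns ("ok", version, client_cert_cn_or_None) or ("error", reason).
    Failures are gathered from both ends: under TLS 1.3 the client finishes its
    handshake before the server has verified the client certificate, so a
    rejection reaches the client only as an alert on the first read."""
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    addr, out = listener.getsockname(), {}

    def serve():
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                peer = tls.getpeercert()            # None or {} if no cert was sent
                out["peer_cn"] = _common_name(peer) if peer else None
                tls.sendall(b"ok")
        except OSError as exc:                      # ssl.SSLError is an OSError
            out["error"] = getattr(exc, "reason", None) or type(exc).__name__
        finally:
            listener.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(addr, timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            out["version"] = tls.version()
            out["acked"] = tls.recv(2) == b"ok"
    except OSError as exc:
        out["error"] = getattr(exc, "reason", None) or type(exc).__name__
    worker.join()
    if "error" in out or not out.get("acked"):
        return ("error", out.get("error"))
    return ("ok", out["version"], out["peer_cn"])


def version_negotiation(server_min, client_max):
    """Server accepting only >= server_min vs. client capped at client_max (both
    ssl.TLSVersion member names such as "TLSv1_3").  A flexible client lands on
    the best common version; a capped client with nothing in common is refused
    with a protocol_version alert rather than silently downgraded."""
    server_cert, server_key = make_cert("server", "localhost")
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_cert, server_key)
    srv.minimum_version = ssl.TLSVersion[server_min]
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(server_cert)
    cli.maximum_version = ssl.TLSVersion[client_max]
    return handshake(srv, cli)


def client_auth(present, trusted):
    """CERT_OPTIONAL server: requests a client cert and tolerates its absence,
    but a cert that is offered and cannot be verified still aborts the handshake
    (no verify callback in the stdlib to record the error and carry on)."""
    server_cert, server_key = make_cert("server", "localhost")
    good = make_cert("client-good", "client-good")
    bad = make_cert("client-bad", "client-bad")
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_cert, server_key)
    srv.verify_mode = ssl.CERT_OPTIONAL
    srv.load_verify_locations(good[0])             # only "client-good" is trusted
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(server_cert)
    if present:
        cli.load_cert_chain(*(good if trusted else bad))
    return handshake(srv, cli)


if __name__ == "__main__":
    for case in (("TLSv1_2", "TLSv1_3"), ("TLSv1_3", "TLSv1_2")):
        print("server min / client max", case, "->", version_negotiation(*case))
    for case in ((False, False), (True, True), (True, False)):
        print("client cert (present, trusted)", case, "->", client_auth(*case))
```

Running it prints the five outcomes; the two refusals report the OpenSSL reason code seen by whichever side raised first, which is why the harness collects errors from both threads instead of trusting the client's handshake return alone.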
On Tue, Sep 11, 2018 at 12:48:53PM -0400, Dennis Clarke wrote:
> On 09/11/2018 12:23 PM, Viktor Dukhovni wrote:
> >
> >
> >> On Sep 11, 2018, at 11:33 AM, The Doctor wrote:
> >>
> >> Looks like I found a first bug
> >>
> >
> > This did not happen on my machine, the build succeeded, and all
On Tue, Sep 11, 2018 at 02:28:12PM -0400, Dennis Clarke wrote:
> >> It sounds like a downstream ELF header nightmare.
> >
> > Actually, it works just fine. You link with the variant library,
> > and it happily coexists with any dependencies you may have that in
> > turn depend on the system TLS
On 09/11/2018 01:09 PM, Viktor Dukhovni wrote:
On Sep 11, 2018, at 10:59 AM, Juan Isoza wrote:
What is the better way, for anyone running, for example, Apache or nginx on a
popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS 1.3?
Waiting for a package update to ship openssl
On Tue, Sep 11, 2018 at 01:47:18PM -0400, Dennis Clarke wrote:
> >--- Configurations/10-main.conf
> >+++ Configurations/10-main.conf
> >
> >+"BSD-x86_64-opt" => {
> >+inherit_from => [ "BSD-x86_64" ],
> >+shlib_variant => "-opt",
> >+},
> >
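Review bot: the only attribute the new "BSD-x86_64-opt" target adds over its parent is shlib_variant => "-opt", which changes just the shared-library file names, SONAME and symbol-version suffix (the coexistence property described in the surrounding discussion); nothing in the hunk sets a separate prefix or openssldir, so a one-line comment above the entry saying that this target is meant to be configured with its own --prefix/--openssldir would keep a reader from installing its headers and openssl.cnf over the system copy. The excerpt also carries no @@ hunk header or surrounding context, so where in Configurations/10-main.conf the entry is inserted is not visible; include that when it goes out as a proper patch.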
On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> Hello,
>
> What is the better way, for anyone running, for example, Apache or nginx on
> a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS
> 1.3?
>
> Waiting for a package update to ship openssl 1.1.1? Probably a long
On 09/11/2018 02:35 PM, Viktor Dukhovni wrote:
On Tue, Sep 11, 2018 at 02:28:12PM -0400, Dennis Clarke wrote:
It sounds like a downstream ELF header nightmare.
Actually, it works just fine. You link with the variant library,
and it happily coexists with any dependencies you may have that in
On Tue, Sep 11, 2018 at 08:10:01PM +0200, Kurt Roeckx wrote:
> On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> > Hello,
> >
> > What is the better way, for anyone running, for example, Apache or nginx on
> > a popular Linux distribution (Ubuntu, Debian, Suse) and wanting to support TLS
> >
It sounds like a downstream ELF header nightmare.
Actually, it works just fine. You link with the variant library,
and it happily coexists with any dependencies you may have that in
turn depend on the system TLS library. The variant SONAME and
symbol versions provide all the requisite
Noticing that my earlier attempts to compile Apache were not FIPS compliant,
I set off to correct my error. I found the wiki, that provides the steps
for building Apache with FIPS. Every time that it attempts to compile the
SSL module, it dies.
"mod_ssl.c", line 41: warning: syntax error:
On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote:
> On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:
> > Looks like I found a first bug
> >
> > ../test/recipes/70-test_comp.t .
> > Proxy started on port [::1]:10789
> > Server command:
> On Sep 11, 2018, at 3:57 PM, Benjamin Kaduk via openssl-users
> wrote:
>
>>> panic: XSUB Socket6::getaddrinfo (Socket6.c) failed to extend arg stack:
>>> base=805d16098, sp=805d160e8, hwm=805d160d0
>>>
>>
>> Using perl 5.28.1
Thanks for the hint, I was looking too close at the panic...
On Tue, Sep 11, 2018 at 03:01:38PM +0100, Matt Caswell wrote:
>
>
> On 11/09/18 14:58, The Doctor wrote:
> > On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:
> >>
> >>
> >> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
> From: openssl-users On Behalf Of
> The Doctor
> On Sep 11, 2018, at 9:58 AM, The Doctor wrote:
>
> So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
> in order to use TLS 1.3.
OpenSSH does not use TLS or libssl, so does not need that OpenSSL
1.1.x feature. It could still benefit from libcrypto algorithm
improvements that
On Tue, Sep 11, 2018 at 02:57:09PM -0500, Benjamin Kaduk via openssl-users
wrote:
> On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote:
> > On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:
> > > Looks like I found a first bug
> > >
> > > ../test/recipes/70-test_comp.t
On Tue, Sep 11, 2018 at 03:04:06PM -0600, The Doctor wrote:
> On Tue, Sep 11, 2018 at 02:57:09PM -0500, Benjamin Kaduk via openssl-users
> wrote:
> > On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote:
> > > On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:
> > > > Looks like I
What exactly are each of "Curves" and "ECDHParameters" used for, as
documented by https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html?
My understanding of elliptic curves in TLS is that they're used in two
places: as ECDSA key pairs used in certificates, and in ECDHE for key
exchange.
On Tue, Sep 11, 2018 at 04:09:48PM -0500, Benjamin Kaduk wrote:
> On Tue, Sep 11, 2018 at 03:04:06PM -0600, The Doctor wrote:
> > On Tue, Sep 11, 2018 at 02:57:09PM -0500, Benjamin Kaduk via openssl-users
> > wrote:
> > > On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote:
> > > > On Tue,