On 04/10/2018 17:14, Salz, Rich via openssl-users wrote:
> Which version of OpenSSL are you using?
> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
> seeded. 1.1.1 has a good random number generator and auto-seeds.
What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG
Thank you for your help.
Andres
On 10/4/18 6:47 PM, Matt Caswell wrote:
On 04/10/18 16:14, Salz, Rich via openssl-users wrote:
Which version of OpenSSL are you using?
1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
seeded.
This is not correct. The RNG in 1.0.2
> What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
> than not being an NSA/NIST design?
Poor locking; been known to crash.
Does not reseed.
Global across the process, rather than isolated for private-key generation or
per-connection.
Mixes in getpid and time to get
On 04/10/18 16:14, Salz, Rich via openssl-users wrote:
> Which version of OpenSSL are you using?
>
> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
> seeded.
This is not correct. The RNG in 1.0.2 and 1.1.0 automatically seeds.
There is no need to explicitly seed
Which version of OpenSSL are you using?
1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
seeded. 1.1.1 has a good random number generator and auto-seeds.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 04/10/2018 17:38, Salz, Rich wrote:
What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
than not being an NSA/NIST design?
Poor locking; been known to crash.
Simple bug, not a reason to change the algorithm.
Does not reseed.
But can be reseeded if so desired,
>This is not correct.
Thanks for the corrections, Matt.
On Thu, Oct 04, 2018 at 02:07:55PM +0200, Peter Magnusson wrote:
> Modulus of evilca.pem begins with 00:cd:ba:9f and modulus of
> evilserver.pem begins with 00:af:83:6f, so they are different even if
> both have Subject: C=SE, ST=EvilServer, L=EvilServer, O=EvilServer,
> OU=EvilServer,
We disagree, and as I wrote the latest RNG code and docs, I'm biased (sic).
I'll leave on that weak pun.
Hi,
We are encountering the crash inside the SSL_CTX_free(). Any leads for the
solution will be greatly appreciated.
We are using openssl 1_0_2 and libcrypto.so.1.0.0.
Please help us know if anyone else also faced this issue earlier.
Kindly find the Stack trace for your reference
Stack: #0
> On Oct 4, 2018, at 6:25 AM, Viktor Dukhovni
> wrote:
>
> but this corner-case is not correct, the concept of "self-issued"
> only applies to CAs, so for the leaf to be skipped it would have
> to be a self-issued CA. Try the patch below:
I've simplified the patch in
Not mentioned thus far is that if you are using 1.0.2 with FIPS support, the
random number generator does not self-seed.
Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia
-Original Message-
From: Andres Traumann
You either have threading problems or are sharing structures without
proper reference counting or other protections. Perhaps the
X509_STORE used in the context was already freed by some other
caller? Or something completely unrelated corrupted the heap.
The below is not sufficient for anyone else
Is this expected? (plen > (x->ex_pathlen + proxy_path_length + 1))
evaluates to false (constraint not violated) when checking constraint
0 against plen=1 (constraint violated as far as I can understand?).
Doesn't make much sense to me. Is there something I haven't understood
about how the
On Wed, Oct 03, 2018 at 07:16:51PM +0200, Peter Magnusson wrote:
> The following test case attempts to validate evilserver.pem, issued
> by evilca.pem.
More specifically, we see that in this test the leaf server certificate
has the same subject and issuer, so EXFLAG_SI is set for that
Your patch does seem to resolve the test case.
I have maximised confusion by generating a CSR with the same textual
information for EvilCA as EvilServer.
I don't think the chain includes any self signed certificates except the root;
73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6
Hello,
In the documentation it is written: "The pseudo-random number generator
must be seeded prior to calling RSA_generate_key_ex()".
After reading the documentation in
https://wiki.openssl.org/index.php/Random_Numbers and investigating the
source code, it seems that the seeding is in fact