Re: My plans, suggestions and whatever

2019-02-08 Thread Gary E. Miller via devel
Yo Hal! On Fri, 08 Feb 2019 14:16:45 -0800 Hal Murray via devel wrote: > Gary said: > > For good reason. From their wiki: > > https://wiki.openssl.org/index.php/TLS1.3 > > "The OpenSSL git master branch (and the 1.1.1-pre9 beta version) > > contain our development TLSv1.3 code which is

Re: My plans, suggestions and whatever

2019-02-08 Thread Hal Murray via devel
Eric said: > We probably can't ship with anything lower than 1.1.1b, anyway. Not > according to Martin Langer. And it's not out yet. The problem is a simple limitation on the length of a string used to make C2S and S2C. It works fine if we shorten that string. That's a change to the NTS dr

Re: My plans, suggestions and whatever

2019-02-08 Thread Eric S. Raymond via devel
Gary E. Miller via devel : > > I'm debugging on OpenSSL 1.1.1a which supports TLS1.3 but is not > > widely deployed yet. > > For good reason. From their wiki: > > https://wiki.openssl.org/index.php/TLS1.3 > > "The OpenSSL git master branch (and the 1.1.1-pre9 beta version) > contain our

Re: My plans, suggestions and whatever

2019-02-08 Thread Hal Murray via devel
Gary said: > For good reason. From their wiki: > https://wiki.openssl.org/index.php/TLS1.3 > "The OpenSSL git master branch (and the 1.1.1-pre9 beta version) > contain our development TLSv1.3 code which is based on the final > version of RFC8446 and can be used for testing purposes (

Re: My plans, suggestions and whatever

2019-02-08 Thread Gary E. Miller via devel
Yo Hal! On Fri, 08 Feb 2019 13:51:15 -0800 Hal Murray via devel wrote: > I'm debugging on OpenSSL 1.1.1a which supports TLS1.3 but is not > widely deployed yet. For good reason. From their wiki: https://wiki.openssl.org/index.php/TLS1.3 "The OpenSSL git master branch (and the 1.1.1-pre9

Re: My plans, suggestions and whatever

2019-02-08 Thread Hal Murray via devel
>> making it build on >> older versions of OpenSSL. > Is this important? I haven't followed this exactly, but isn't AES_SIV_CMAC > only available in bleeding edge (possibly not even released) OpenSSL? If so, > this is only going to be useful if you're willing to backport the > AES_SIV_CMAC and

Re: My plans, suggestions and whatever

2019-02-08 Thread Richard Laager via devel
On 2/7/19 8:20 PM, Hal Murray via devel wrote: > making it build on > older versions of OpenSSL. Is this important? I haven't followed this exactly, but isn't AES_SIV_CMAC only available in bleeding edge (possibly not even released) OpenSSL? If so, this is only going to be useful if you're willin

My plans, suggestions and whatever

2019-02-07 Thread Hal Murray via devel
Step one is to get nts_probe() far enough along to check certificates. This is mostly copying over the details from my hack client and making it build on older versions of OpenSSL. We can test that code in ntpd by testing the NTS flag just before the current code tests the DNS flag and calli