Hi Jeffrey,
I used openssl_fips 1.2 with openssl 0.9.8l and am planning to upgrade
openssl-0.9.8l to 0.9.8za with the -no-ec option. Please let me know whether it
breaks my FIPS compliance.
Thanks,
Gayathri
On Fri, Aug 8, 2014 at 11:09 AM, Jeffrey Walton wrote:
> On Fri, Aug 8, 2014 at 1:11 AM, Gayathri
On Fri, Aug 8, 2014 at 1:11 AM, Gayathri Manoj wrote:
>
> Please let me know whether openssl-0.9.8za with the -no-ec option is FIPS compliant or
> not.
No. If you want FIPS validated crypto, then you need one of the
openssl-fips-*-tar.gz downloads. They produce the FIPS Object Module.
openssl-0.9.8xxx is FIP
Hi All,
Please let me know whether openssl-0.9.8za with the -no-ec option is FIPS compliant or
not.
Thanks,
Gayathri
Thanks for tracking it down so fast Steve. I will revert the mods in
that commit and try it again tomorrow.
Norm
On 8/7/2014 7:21 PM, Dr. Stephen Henson wrote:
On Thu, Aug 07, 2014, Norm Green wrote:
Any idea where to begin debugging this? Any and all help is appreciated.
The cause is in
On Thu, Aug 07, 2014, Norm Green wrote:
>
> Any idea where to begin debugging this? Any and all help is appreciated.
>
The cause is incorrect handling of new SRP authentication type which was added
to correct a bug where SRP authentication was incorrectly classified as NULL
authentication.
A
Thanks, OK I got the rest of the way through the tangled mess. The
question is there someone out there that can skip trace through the
subroutines that can put together a tight code set on how this works?
One command walk through to start from the beginning to the end which is
the key feedback.
> From: owner-openssl-us...@openssl.org On Behalf Of dave
> Sent: Monday, August 04, 2014 15:50
> I have it that the elliptic multiply is not standard. So I have been
> skip tracing through the code.
> It starts with ec_key.c, with EC_KEY_generate_key. This grabs the
> group or or the particula
> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
> Sent: Monday, August 04, 2014 11:21
> On Mon, Aug 04, 2014 at 05:43:47AM +, Mitra, Rituparna (STSD) wrote:
>
> > 1. app1: sends a CGI POST request to app2 - the POST request has the
> > UN (username).
> >
> > 2.
> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
> Sent: Thursday, August 07, 2014 16:48
> Your client is saying that it's failing the certificate verification of
> the server certificate. It's probably not using the CAfile that you
> passed to openssl s_client.
>
> -Kyle H
>
On Thu, Aug 07, 2014, Norm Green wrote:
> I just upgraded our product to 1.0.1i and logins via SRP are now
> broken. Shown below are the SSL calls made from both the client and
> server. Everything worked perfectly under 1.0.1h.
> Both sides set the cipher list to 'SRP' via calls to
> SSL_CTX_set
On Thu, Aug 07, 2014, Norm Green wrote:
> I just upgraded our product to 1.0.1i and logins via SRP are now
> broken. Shown below are the SSL calls made from both the client and
> server. Everything worked perfectly under 1.0.1h.
> Both sides set the cipher list to 'SRP' via calls to
> SSL_CTX_set
I just upgraded our product to 1.0.1i and logins via SRP are now
broken. Shown below are the SSL calls made from both the client and
server. Everything worked perfectly under 1.0.1h.
Both sides set the cipher list to 'SRP' via calls to
SSL_CTX_set_cipher_list(), so the "no shared cipher" compla
On Thu, Aug 7, 2014 at 5:29 PM, Dr. Stephen Henson wrote:
> On Thu, Aug 07, 2014, Jeffrey Walton wrote:
>
>> I'm trying to track down a client side issue with the use of HTTPS. I
>> suspect it has something to do with a server misconfiguration and
>> client side certificates.
>>
>> When running s_
Hi Kyle,
Thanks
See below
On Thu, Aug 7, 2014 at 4:47 PM, Kyle Hamilton wrote:
> Your client is saying that it's failing the certificate verification of
> the server certificate. It's probably not using the CAfile that you
> passed to openssl s_client.
>
> -Kyle H
>
Actually, I can confirm t
On Thu, Aug 7, 2014 at 4:57 PM, Kyle Hamilton wrote:
> Usually you don't need to echo anything to get the "acceptable client CA
> names" list.
Thanks.
In this case, it's IIS 7.5 and it's *not* using SNI (SNI is available in
IIS 8). So I get a 400 "bad request" without the host header.
Jeff
> On 8
Dear Users,
I have released version 5.03 of stunnel.
The ChangeLog entry:
Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New feature
On Thu, Aug 07, 2014, Jeffrey Walton wrote:
> I'm trying to track down a client side issue with the use of HTTPS. I
> suspect it has something to do with a server misconfiguration and
> client side certificates.
>
> When running s_client:
>
> $ echo -e "GET / HTTP/1.1\nHost:example.com\n" | \
>
Usually you don't need to echo anything to get the "acceptable client CA
names" list.
-Kyle H
On 8/7/2014 1:55 PM, Jeffrey Walton wrote:
> I'm trying to track down a client side issue with the use of HTTPS. I
> suspect it has something to do with a server misconfiguration and
> client side certif
I'm trying to track down a client side issue with the use of HTTPS. I
suspect it has something to do with a server misconfiguration and
client side certificates.
When running s_client:
$ echo -e "GET / HTTP/1.1\nHost:example.com\n" | \
openssl s_client -connect example.com:443 -ssl3 -ign_eof
Your client is saying that it's failing the certificate verification of
the server certificate. It's probably not using the CAfile that you
passed to openssl s_client.
-Kyle H
On 8/5/2014 12:19 PM, Ted Byers wrote:
> I have Perl code, which uses a library that in turn uses openssl for
> HTTPS co
On Thu, Aug 07, 2014, Vladimir Simonov wrote:
>
> >> On Sun, Aug 03, 2014, Vladimir Simonov wrote:
> >>
> >>> Hi all,
> >>>
> >>> I'm trying to use openssl command line utility to sign data file with
> >>> key located in Windows Certificates Store.
> >>> I generated 1024 bit dsa private key an
Hi All,
The following vulnerability fixes in 0.9.8 zb seem to be related to the
DTLS reassemble fragment functionality that is introduced from 0.9.8 o
version.
CVE-2014-3505 -Avoid double free when processing DTLS packets
CVE-2014-3506 -Fix DTLS handshake message size checks
CVE-2014-3507 -Fix m
>> On Sun, Aug 03, 2014, Vladimir Simonov wrote:
>>
>>> Hi all,
>>>
>>> I'm trying to use openssl command line utility to sign data file with
>>> key located in Windows Certificates Store.
>>> I generated 1024 bit dsa private key and certificate. Converted them
>>> to
>>> pkcs12 format and imp
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, August 07, 2014 3:16 PM
To: openssl-users@openssl.org
Subject: Re: openssl dgst and capi engine question
> On Sun, Aug 03, 2014, Vladimir Simon
On Thu, Aug 07, 2014, Spence, Thomas P CIV USAF (US) wrote:
> Good morning...
>
> I am using GCC 4.8.2 and AIX 5.3.
>
> I downloaded the file then compiled... Here is what I did:
>
> # ./Configure aix-gcc zlib fips
> (no problem)
>
> # make depend
> (no problem)
>
> # make
> (no problem)
>
> #
On Sun, Aug 03, 2014, Vladimir Simonov wrote:
> Hi all,
>
> I'm trying to use openssl command line utility to sign data file
> with key located in Windows Certificates Store.
> I generated 1024 bit dsa private key and certificate. Converted them to
> pkcs12 format and imported the certificate int
Good morning...
I am using GCC 4.8.2 and AIX 5.3.
I downloaded the file then compiled... Here is what I did:
# ./Configure aix-gcc zlib fips
(no problem)
# make depend
(no problem)
# make
(no problem)
# make test
(failed, here is...)
test a^b%c implementations
../util/shlib_wrap.sh ./ex