Thanks, that's just what I needed.
By performance I mean the initial connection speed. It spends 4-5 seconds
in ssl3_send_client_key_exchange () in the slow case, vs about 0.1 sec in
the fast case.
This is on a 200MHz ARM, so it's not a fast machine.
On Fri, Nov 21, 2014 at 7:03 PM, Dr. Stephen H
On Fri, Nov 21, 2014, Chris Bare wrote:
> Is there a way to query the BIO or SSL object to see which cipher is being
> used?
> I have a case where my openssl client's performance is significantly slower
> when talking to server A vs server B. AFAIK, the only difference between A
> and B is the lev
Is there a way to query the BIO or SSL object to see which cipher is being
used?
I have a case where my openssl client's performance is significantly slower
when talking to server A vs server B. AFAIK, the only difference between A
and B is the level of Windows updates, so I'm suspicious that Windo
I did a search through my application code and see no occurrence of the string
X509_STORE so I don't believe I'm doing any operations with that type of
structure.
I am using SSL_CTX_use_certificate and was possibly under the incorrect
assumption that my code did not have to explicitly free the
On Fri, Nov 21, 2014 at 04:13:58PM -0500, Jeffrey Walton wrote:
> > A fixed amount of memory that is not deallocated and is independent
> > of the number of operations performed, is NOT a memory leak.
>
> Languages like Java and C# can continuously load and unload a library.
> You will see a growth
To set the record straight, I am told that a PTF (IBMese for patch) is
required for z/OS V1R13 to support TLS v1.2.
Charles
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Friday, November 21, 2014 12:07 PM
> A fixed amount of memory that is not deallocated and is independent
> of the number of operations performed, is NOT a memory leak.
Languages like Java and C# can continuously load and unload a library.
You will see a growth in memory usage because the memory is not
reclaimed.
> Libraries to all
On Sat, Nov 22, 2014, Deepak wrote:
> Hi,
>
> Can a SSL client upgraded with patch for CVE-0224-2014 (say OpenSSL
> 0.9.8zb) talk to SSL server which does not have this patch (say OpenSSL
> 0.9.8u) ?
>
> Problem I have -
>
> Server -Apache 2.2.22 with mod_ssl compiled with OpenSSL 0.9.8u
>
> C
Thanks guys for all of the clues! I got it working! Long story. Wow, FIPS is
a moving target. I re-did my root CA with SHA 256, and my server
certificate. I had to move my testing from z/OS V1R13 to z/OS V2R1 --
*apparently* V1R13 does not support TLS V1.2 which as you intimated at some
point may b
Hi,
Can a SSL client upgraded with patch for CVE-0224-2014 (say OpenSSL
0.9.8zb) talk to SSL server which does not have this patch (say OpenSSL
0.9.8u) ?
Problem I have -
Server -Apache 2.2.22 with mod_ssl compiled with OpenSSL 0.9.8u
Client - privately maintained PKI code based upon OpenSSL 0.
On Fri, Nov 21, 2014, Charles Mills wrote:
> Thanks. I guess I may have to open a problem with IBM. The IBM documentation
> clearly lists a number of "cipher suites" (as they call them) that use SHA1
> (including the one we (IBM+OpenSSL) default to as being FIPS 140-2
> compliant.
>
> GSK appears
On Fri, Nov 21, 2014, Barbe, Charles wrote:
> Yes... sorry, forgot to include this part of my shutdown sequence. One thing
> I am noticing is that I do not call X409_free on my certs. I even have a
> comment in my code saying that I am not freeing them because I think they
> will be freed when the
Yes... sorry, forgot to include this part of my shutdown sequence. One thing I
am noticing is that I do not call X409_free on my certs. I even have a comment
in my code saying that I am not freeing them because I think they will be freed
when the SSL_CTX is freed. Is that a correct assumption or
Thanks. I guess I may have to open a problem with IBM. The IBM documentation
clearly lists a number of "cipher suites" (as they call them) that use SHA1
(including the one we (IBM+OpenSSL) default to as being FIPS 140-2
compliant.
GSK appears to only support SHA1 and MD5, and MD4 is pretty clearly
On Fri, Nov 21, 2014, Barbe, Charles wrote:
> Thanks for the response... here is the code that runs when my connection
> closes:
>
> void OpensslConnection::cleanup()
> {
> if(ssl != NULL)
> {
> if(isConnected)
> {
> while(SSL_shutdown(ssl) == 0)
>
On Fri, Nov 21, 2014, Matt Caswell wrote:
>
>
> On 21/11/14 14:43, Charles Mills wrote:
> > I posted the certificates. What's next?
> >
> > Charles
>
> The key sizes look ok to me. As I said I'm no FIPS expert, but this page
> http://wiki.openssl.org/index.php/FIPS_mode_and_TLS
>
> says the f
On 11/19/2014 10:03 AM, Philip Bellino wrote:
> Hello,
> I am currently using openssl-fips-2.0.7 and I noticed that 2.0.8 is available
> on the website.
> Neither distribution contains a changelog, so I was wondering what changes
> were made to 2.0.8.
> Thanks,
> Phil
The relevant differences cam
On 11/18/2014 06:57 PM, Rob Jerdonek wrote:
> I see on the NIST website that OpenSSL FIPS module v2.0.9 is in the process
> of FIPS validation.
>
> Where can I download the latest v2.0.9 source code and the updated FIPS user
> guide.
>
> I would like to test with this new version.
Sorry about
On Fri, Nov 21, 2014 at 03:21:47PM +, Barbe, Charles wrote:
> What looks suspicious to me is the calls to "x509v3_cache_extensions"
> that are in the traces below. This implies to me that openssl is
> caching something. How do I ask it to clear that cache? If I need
> to augment the library to
It sort of makes sense that this is a stack of certs that is left over but what
confuses me is that this memory is allocated by calls executed as a result of
my calling SSL_accept(ssl). Also, we're talking 253 bytes... I would imagine
that stack of certs would be larger than that, wouldn't it? A
On 21/11/14 14:43, Charles Mills wrote:
> I posted the certificates. What's next?
>
> Charles
The key sizes look ok to me. As I said I'm no FIPS expert, but this page
http://wiki.openssl.org/index.php/FIPS_mode_and_TLS
says the following:
"The RSA key in the certificate has to be of suitable s
On 21/11/2014 15:26, Barbe, Charles wrote:
Thanks for the response... here is the code that runs when my connection closes:
void OpensslConnection::cleanup()
{
if(ssl != NULL)
{
if(isConnected)
{
while(SSL_shutdown(ssl) == 0)
;
On Fri, Nov 21, 2014 at 02:26:45PM +, Barbe, Charles wrote:
> static void
> openSslShutdown ()
> {
You could try adding:
ENGINE_cleanup();
if that helps.
> CONF_modules_free();
> ERR_remove_state(0);
> CONF_modules_unload(1);
> ERR_free_strings();
> EVP_cl
I posted the certificates. What's next?
Charles
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Matt Caswell
Sent: Wednesday, November 19, 2014 3:35 PM
To: openssl-users@openssl.org
Subject: Re: SSL alert number 51
On 19/11
Thank You for the prompt and insightful response Jeffrey :-)
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of ext Jeffrey Walton
Sent: Thursday, November 20, 2014 1:09 PM
To: OpenSSL Users List
Subject: Re: What version(s) of
Thanks for the response... here is the code that runs when my connection closes:
void OpensslConnection::cleanup()
{
if(ssl != NULL)
{
if(isConnected)
{
while(SSL_shutdown(ssl) == 0)
;
}
SSL_free(ssl);
ERR_remove_s
I see your point but I cannot have memory allocated when my application shuts
down. This constraint is related to the fact that this is an embedded VoIP
system.
Thanks for the response!
Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 146