Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
On Tue, Jul 21, 2015 at 9:46 PM, Salz, Rich wrote:
>> Actually that isn't quite right. A properly configured and tuned RBAC policy, when combined with PaX, can very effectively limit all userspace activity (including root access!).
>
> How do you know that the module is installed and actu

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Jeffrey Walton
> If someone builds their own openssl and adds a few lines to print the keys during encrypt and decrypt and puts the library in the LD_LIBRARY_PATH, it may result in compromising the security of the keys.
>
> Has any of you faced this problem, and if you could share the solution it would be helpf

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
> Actually that isn't quite right. A properly configured and tuned RBAC policy, when combined with PaX, can very effectively limit all userspace activity (including root access!).

How do you know that the module is installed and actually doing things? How do you know what kernel is actua

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
Actually that isn't quite right. A properly configured and tuned RBAC policy, when combined with PaX, can very effectively limit all userspace activity (including root access!). It

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Kaduk, Ben
> Sent: Tuesday, July 21, 2015 17:06
>
> On 7/21/15, 17:37, "Ken Goldman" wrote:
>> On 7/21/2015 6:20 PM, Jeffrey Walton wrote:
>>>
>>> For the stragglers, I don't think it's a stretch to ask C99 in 2015.

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Jeffrey Walton
>> Like I said, it's learning to play well with your tools :)
>
> Well I think what you're saying is that we should play well with other people's tools! My tools (and presumably the rest of the dev team's as well) don't report this warning.

Ah, OK. So it's being reported in GCC 5.1 via -Wmaybe-uni

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Jeffrey Walton
>> For the stragglers, I don't think it's a stretch to ask C99 in 2015.
>
> Visual Studio is often used on Windows, and it is not C99.
>
Oh my, I was not aware it was still struggling for C99 :) I guess Microsoft is still putting their energies into the "one-size, tablet interface known as Windows 8

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Kaduk, Ben
On 7/21/15, 17:37, "Ken Goldman" wrote:
> On 7/21/2015 6:20 PM, Jeffrey Walton wrote:
>>
>> For the stragglers, I don't think it's a stretch to ask C99 in 2015.
>
> Visual Studio is often used on Windows, and it is not C99.

It is getting closer, though: http://blogs.msdn.com/b/vcblog/archive/2013/0

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Ken Goldman
On 7/21/2015 6:20 PM, Jeffrey Walton wrote:
> For the stragglers, I don't think it's a stretch to ask C99 in 2015.

Visual Studio is often used on Windows, and it is not C99.
___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailma

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Ken Goldman
It may be correct in this case, but "simple matter of" can sometimes mask a real problem. If the function expected the value to be set earlier, but the analysis tool finds a path where it's not set, there could be a more real bug. Is zero the right value? Why not 1, -1, or 42? =0 may be pe

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Matt Caswell
On 21/07/15 21:44, Jeffrey Walton wrote:
> On Tue, Jul 21, 2015 at 4:06 PM, Matt Caswell wrote:
>>
>>
>> On 21/07/15 20:54, Jeffrey Walton wrote:
> ^
> d1_both.c: In function 'dtls1_retransmit_message':
> d1_both.c:1261:9: warning: 'save_write_sequence' may

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Matt Caswell
On 21/07/15 21:40, Tom Browder wrote:
> On Tue, Jul 21, 2015 at 2:16 PM, Matt Caswell wrote:
>> On 21/07/15 15:33, Tom Browder wrote:
>>> On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder wrote:
>>> I lied. After rebuilding gcc 5.2.0 and rechecking I get the following warnings from building 1.

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Salz, Rich
> For the stragglers, I don't think it's a stretch to ask C99 in 2015.

We agreed to support Netware; does it have C99? Anyone know?

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Jeffrey Walton
On Tue, Jul 21, 2015 at 5:56 PM, Salz, Rich wrote:
> If it's a simple matter of adding "=0" in the declaration, we should just fix the darn thing.
>
You know... if OpenSSL changes its policies so that C99 is the baseline, then you get to initialize all variables when declared. I think it's the

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Salz, Rich
If it's a simple matter of adding "=0" in the declaration, we should just fix the darn thing.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Jeffrey Walton
On Tue, Jul 21, 2015 at 4:40 PM, Tom Browder wrote:
> On Tue, Jul 21, 2015 at 2:16 PM, Matt Caswell wrote:
>> On 21/07/15 15:33, Tom Browder wrote:
>>> On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder wrote:
>>> I lied. After rebuilding gcc 5.2.0 and rechecking I get the following warnings fro

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) function then? If yes, then can someone elaborate on how to use this function?

Thanks

On Tuesday, 21 July 2015 8:19 PM, V

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Jeffrey Walton
> I'm not really current with C so I'm not in a great position to criticize, but can't those warnings (if there is truly no problem) be eliminated (at least in gcc) with a pragma?
>
Sadly, no. GCC pragmas to manage warnings are almost useless. It's been broken for years. See: * https://gcc.gnu

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Jeffrey Walton
On Tue, Jul 21, 2015 at 4:06 PM, Matt Caswell wrote:
>
>
> On 21/07/15 20:54, Jeffrey Walton wrote:
^
d1_both.c: In function 'dtls1_retransmit_message':
d1_both.c:1261:9: warning: 'save_write_sequence' may be used uninitialized in this function [-Wmayb

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Tom Browder
On Tue, Jul 21, 2015 at 2:16 PM, Matt Caswell wrote:
> On 21/07/15 15:33, Tom Browder wrote:
>> On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder wrote:
>> I lied. After rebuilding gcc 5.2.0 and rechecking I get the following warnings from building 1.0.2d:
>>
>> d1_both.c: In function 'dtls1_retr

[openssl-users] Size of OpenSSL ECDSA/DSA Implementation

2015-07-21 Thread Michaela Schoenbauer
Hi, I'm currently working on my Master's thesis, and the topic is about ECDSA implementations and DSA implementations in the context of small embedded systems. I'd like to try out OpenSSL but I'm not sure if I can configure it to be small enough for the embedded devices I use. For my purpose a

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Matt Caswell
On 21/07/15 20:54, Jeffrey Walton wrote:
>>> ^
>>> d1_both.c: In function 'dtls1_retransmit_message':
>>> d1_both.c:1261:9: warning: 'save_write_sequence' may be used uninitialized in this function [-Wmaybe-uninitialized]
>>> memcpy(s->s3->write_sequence, sa

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Jeffrey Walton
>> ^
>> d1_both.c: In function 'dtls1_retransmit_message':
>> d1_both.c:1261:9: warning: 'save_write_sequence' may be used uninitialized in this function [-Wmaybe-uninitialized]
>> memcpy(s->s3->write_sequence, save_write_sequence,
>> ^
>
> This one is

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Matt Caswell
On 21/07/15 15:33, Tom Browder wrote:
> On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder wrote:
>> On Thu, Jul 9, 2015 at 12:00 PM, Viktor Dukhovni
>>> That surely means that you're compiling some patched version or not even 1.0.2d.
>>
>> No, it's the correct version.
>>
>> But just now, after

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Victor Wagner
On Tue, 21 Jul 2015 13:58:21 + (UTC) Anirudh Raghunath wrote:
> Ah okay, that clears up quite a lot of doubts. But the certificate I want to load is a self-signed certificate which has a private key attached to it. I used the XCA application to export the certificate-private key pair as

Re: [openssl-users] question on Alternative chains certificate forgery (CVE-2015-1793)

2015-07-21 Thread Dr. Matthias St. Pierre
Precisely the versions as stated in https://openssl.org/news/secadv_20150709.txt are affected:

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

[openssl-users] question on Alternative chains certificate forgery (CVE-2015-1793)

2015-07-21 Thread Jayalakshmi bhat
Hi All, Does the alternative chains certificate forgery issue affect the OpenSSL stacks earlier than the 1.0.1n releases? The reason I am asking this question is that the affected code seems to be available in earlier versions as well. Thanks and Regards Jayalakshmi

[openssl-users] (no subject)

2015-07-21 Thread ROBERTO Y MARIBEL
WHAT ROBERTO Y MARIBEL

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Tom Browder
On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder wrote:
> On Thu, Jul 9, 2015 at 12:00 PM, Viktor Dukhovni
>> That surely means that you're compiling some patched version or not even 1.0.2d.
>
> No, it's the correct version.
>
> But just now, after building gcc-5.2.0 and using it to rebuild open

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Ah okay, that clears up quite a lot of doubts. But the certificate I want to load is a self-signed certificate which has a private key attached to it. I used the XCA application to export the certificate-private key pair as a p12 file to the smart card. What should I do to get the certificate in

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Dr. Stephen Henson
On Tue, Jul 21, 2015, Victor Wagner wrote:
> On Tue, 21 Jul 2015 06:58:24 + (UTC)
> Anirudh Raghunath wrote:
>
> As far as I can understand, this function is designed to be called from the client certificate callback, set with function SSL_CTX_set_client_cert_cb. This callback gets point

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Victor Wagner
On Tue, 21 Jul 2015 06:58:24 + (UTC) Anirudh Raghunath wrote:
> Hello,
> I would like to utilize the ENGINE_load_ssl_client_cert() function to load a certificate from my smart card. I have successfully loaded the engine and have also tried to play around with the ENGINE_load_private_key

[openssl-users] Workaround for 'unexpected record' error during renegotiation

2015-07-21 Thread hokusai
Hello All,

I experience the same problem as other people described in the past. Despite reading all the postings on the topic I am still not sure if there is a usable workaround to make spontaneous message exchange between server and client work:

- both client and server exchange spontaneou

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
> If someone builds their own openssl and adds a few lines to print the keys during encrypt and decrypt and puts the library in the LD_LIBRARY_PATH, it may result in compromising the security of the keys.

Can anyone other than root do this? You have to trust root. They could just cat your key

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
Securing a system against this kind of attack can be done in several ways, depending on the level of assurance you desire. You might start out with Tripwire:

https://en.wikipedia.org/wiki/Open_Source_Tripwire
http://www.tripwire.org/

You could also implement mandatory access control and ACLs usi

Re: [openssl-users] Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

2015-07-21 Thread Aaron
I read the following description from the Oracle Solaris website (https://blogs.oracle.com/DanX/entry/how_to_tell_if_sparc):

OpenSSL T4 engine Availability
The OpenSSL t4 engine is available with Solaris 11 and 11.1. For Solaris 10 08/11 (U10), you need to use the OpenSSL pkcs11 engine. The OpenSSL t