[openssl-users] what is the relationship between (Client)SignatureAlgorithms and cipher_list()?

Do they overlap in purpose, so the cipher list can be used to limit the signature algorithms? Or are the signature algorithms used for different purposes than the cipher suites in the cipher list? If they have to be configured seperately, is the mechanism to use https://www.openssl.org/docs/man1.1

[openssl-users] Telecommunication and Other Legislation Amendment (Assistance and Access) Bill 2018

It’s looking like AssAccess will be law here by the end of the week. Anyone know of a ‘good’ country to live / work in ? How many Openssl developers are within Australian boarders ? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Those darned customers are asking for it! I do understand the privacy exposure. Don't know if the customers do or do not. Charles -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: Monday, December 3, 2018 12:40 PM To: op

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

> On Dec 3, 2018, at 3:35 PM, Charles Mills wrote: > > OCSP and OCSP stapling are currently higher on my wish list than this. Good luck with OCSP, the documentation could definitely be better, and various projects get it wrong. IIRC curl gets OCSP right, so you could look there for example code

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

> zOS does, for example, at least if you're using the RACF security provider. Ha! Spoken like a Micro Focus guy! One of the most likely clients for this server is in fact implemented on z/OS. Just FYI, the key variable is not so much RACF: (a.) RACF is just (in this case) a certificate store, not

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

LOL. Amen to that. It has gotten a WHOLE lot better. I started with OpenSSL somewhere around 2010 and the documentation was EXTREMELY sparse to say the list. Lots of functions documented as "under construction." Charles -Original Message- From: openssl-users [mailto:openssl-users-boun...

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

> On Dec 3, 2018, at 1:47 PM, Sands, Daniel via openssl-users > wrote: > > Just wondering, is there a different error for an untrusted cross- > signed root? If it's the same error, then maybe remove "self-signed" > from the above message too, because that would not always be the case > either.

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Charles Mills > Sent: Monday, December 03, 2018 10:55 > > Got it. Thanks. I would think the basic client case is "one certificate, one > CA" I'm going to disagree somewhat with this assumption, but not necessarily wit

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Charles Mills > Sent: Monday, December 03, 2018 10:53 > > I appreciate it. OpenSSL is of course a great product but it can be a little > mystifying to debug. If I were ever to write a book about OpenSSL, "a great produ

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

On Sat, 2018-12-01 at 15:53 -0500, Viktor Dukhovni wrote: > On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which users may have created regex patterns in scripts? > > > > > > I agree the text co

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Got it. Thanks. I would think the basic client case is "one certificate, one CA" so I think I will roll with what we have (especially since the product has been out there for years with no reported problems in this area -- although I think client certificate usage is rare) but keep the issue in

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

I appreciate it. OpenSSL is of course a great product but it can be a little mystifying to debug. I am a developer and I understand the problem of "layering" and virtualization, where the component that realizes there is a problem is so far removed that it does not know what the underlying real pr

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Saturday, December 01, 2018 13:53 > > On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which u

Re: [openssl-users] Question on implementing the ameth ctrl ASN1_PKEY_CTRL_DEFAULT_MD_NID

Thanks for the hint... I'll implement this. Nevertheless, padding is not supported as far as I understand, right ? Thus, in order to prevent SHA256 on a P384 curve, I'll have to set the DEFAULT_MD_NID hint, right ? Could anybody give me some feedback, whether my intended approach is correct ?