On 2022-11-15 21:36, Phillip Susi wrote:
Jakob Bohm via openssl-users writes:
Performance wise, using a newer compiler that implements int64_t etc. via
frequent library calls, while technically correct, is going to run
unnecessarily slow compared to having algorithms that actually use the
optimal integral sizes for the hardware/compiler combination.
I seem to recall using at least one bignum library (not sure if OpenSSL
or not) that could be configured to use uint32_t and uint16_t using the
same C co
project.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
ider identifies a key, that provider should get first chance to
find/provide the key.
Enjoy,
Jakob Bohm
--
to or
reveal the
exact group parameters or public key, that would be different (but still
needed)
APIs/parameters. For example, it would return 4096 for RSA4096, 384 for
the
NIST P-384 curve etc.
Enjoy,
Jakob Bohm
Enjoy
Jakob
--
mer
PS : This question is for knowledge purpose only, I don't use RSA keys
anymore (except with GPG), I prefer ECC :)
--
use OpenSSL in
an application originally designed around another open
cryptographic API. Where the application included such things as
optional use of a different AES mode, and security rules for when/if
to restore algorithm states in error/trial decryption scenarios.
Enjoy
Jakob
--
Jakob
such as Google's
own tracking code.
On 2021-12-03 13:04, Matt Caswell wrote:
Please see my blog post on starting the QUIC design here:
https://www.openssl.org/blog/blog/2021/12/03/starting-the-quic-design/
Matt
Enjoy
Jakob
--
forward...
Enjoy
Jakob
--
dFishFooBar=1.3.6.1.4.1.999.1.1
RedFishBazQux=1.3.6.1.4.1.999.1.2
From there, you should be able to use the new OID names in relevant
sections and options, using the generic syntax that explicitly
states how each value needs to be encoded.
Enjoy
Jakob
--
y, neither of them use an external entropy/seed source.
Are there better examples of what I am looking for?
Thanks,
Kory
Enjoy
Jakob
--
ications need more than 256 independent random bits to satisfy
their
security design. Some of the newer RNGs in OpenSSL presume otherwise in
their
government design.
Enjoy
Jakob
--
e explanation (or justification) for this excessive footprint?
Thanks,
Reinier
Enjoy
Jakob
--
use to a non-blocking socket due
to platform and application limitation
Enjoy
Jakob
--
for a special higher level
local namespace or "??" for another special namespace.
share is the first level below machine, in particular it is the exported
name of a remote file system or object.
ordinary\path is whatever else needs to be added to the path for a
specific use
--
d_tls_initialize in http_tcpip_inbound.c.o
"_X509_free", referenced from:
_http_tcpip_outbound_get_url_using_string_type_tls in
http_tcpip_outbound.c.o ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see
invocation) gmake
d pay load in this file, which I can not
decipher. What I have tried with openssl's rsautl and smime does not
seem to work for me.
May be someone of you can push me in the right direction, thanks!
Try the "openssl cms" command, or its older sibling "openssl smime"
(4),
keyCertSign (5),
cRLSign (6),
encipherOnly(7),
decipherOnly(8) }
There are OIDs in the extendedKeyUsage:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
Enjoy
Jakob
--
up dedicated e-mail identities for posting to such
public lists, using a different disclaimer in the sig-block.
I hope this can inspire other sysadmins to set up something similar.
Enjoy
Jakob
--
On 2021-06-18 17:07, Viktor Dukhovni wrote:
On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote:
Now the client simply works backwards through that list, checking if
each certificate signed the next one or claims to be signed by a
certificate in /etc/certs. This
On 2021-06-18 16:23, Michael Wojcik wrote:
From: openssl-users On Behalf Of Jakob
Bohm via openssl-users
Sent: Friday, 18 June, 2021 07:10
To: openssl-users@openssl.org
Subject: Re: reg: question about SSL server cert verification
On 2021-06-18 06:38, sami0l via openssl-users wrote:
I
ed root to make informed decisions
about trust errors.
OpenSSL documentation tends to bury its handling of all
this way too deep inside the programmer documentation
rather than explaining things clearly in the end user
documentation.
Enjoy
Jakob
--
that.
Defining a sufficiently narrow exception is left as an exercise
for implementors.
Enjoy
Jakob
--
reporting
issues/bugs in the backport work.
3. The README.fixes document should, if possible, be made available to
the upstream project
Enjoy
Jakob
--
agically
able to respond to sudden revocations for bureaucratic reasons etc. Or
as quoted by Michael, a rule that all roots must be universal roots with
the no-EKU implicit wildcard.
Enjoy
Jakob
--
annot access '/usr/locallib/libssl*': No such file or directory
$ ls -alF /usr/local/bin/openssl
ls -alF /usr/local/bin/openssl
ls: cannot access '/usr/local/bin/openssl': No such file or directory
$ /usr/local/bin/openssl version -a
/usr/local/bin/openssl version -a
-bash:
ssl-dev
$ dpkg --status openssl
$ type openssl
$ openssl version -a
$ ls -alF /usr/lib/x86_64-linux-gnu/libssl*
$ ls -alF /usr/locallib/libssl*
$ ls -alF /usr/local/bin/openssl
$ /usr/local/bin/openssl version -a
Enjoy
Jakob
--
ere.
Try linking libcrypto.so.1.1 with debug symbols included (not
stripped). This should make the error message point to the
function, maybe even show the call stack.
Enjoy
Jakob
--
_ip_asc(X509 *, const char *address, unsigned int flags);
Just out of curiosity: What is the recommended way to check
the authenticated e-mail and/or DN of the client certificate,
given that those are the most common identities in such
certificates (except in server-to-server scenarios).
Enjoy
: *openssl-users-bounce on
behalf of openssl-users
*Organization: *WiseMo A/S
*Reply-To: *Jakob Bohm
*Date: *Thursday, January 28, 2021 at 21:10
*To: *openssl-users
*Subject: *Re: Encoding of AlgorithmIdentifier with NULL parameters
Also note that the official ASN.1 declaration for
.1.2, It isn't
clear if NULL parameters can be completely omitted or if it should
still have NULL encoding.
Is this a too stringent check in the third-party s/w or a miss in
openss-3.0.0-alpha10?
Thanks,
Thulasi.
Enjoy
Jakob
--
. Because it can
be used only with obsolete encryption algorithms anyway - the best one
being 3DES for the encryption and SHA1 for the KDF.
Tomas
On Thu, 2021-01-28 at 11:08 +0100, Jakob Bohm via openssl-users wrote:
If the context does not limit the use of higher level compositions,
then
OpenSSL
t.
Anyway OpenSSL 3.0 gives you all the flexibility needed.
Tomas
On Thu, 2021-01-28 at 10:24 +0100, Jakob Bohm via openssl-users wrote:
Does FIPS 140 or the related legal requirements limit the use of
higher
level compositions such as PKCS12KDF, when using only validated
cryptography for the und
legacy
algorithms it only shows that the "true" FIPS mode was not as "true" as
you might think. There were some crypto algorithms like the KDFs
outside of the FIPS module boundary.
Tomas Mraz
On Thu, 2021-01-28 at 09:26 +0100, Jakob Bohm via openssl-users wrote:
Does that mean
't be validated, it doesn't belong in the FIPS provider.
Pauli
On 26/1/21 10:48 pm, Tomas Mraz wrote:
On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote:
On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote:
On 2021-01-25 17:53, Zeke Evans wrote:
Hi,
Many of the PKCS12 APIs (ie:
ng) to run
provider-independent code that invokes the provider implementation
of a FIPS-unapproved algorithm.
Enjoy
Jakob
--
ch companies like IBM/RedHat that
can purchase support plans, resulting in further popularity of OpenSSL
forks.
Enjoy
Jakob
--
ly)
offers an empty cipher list?
error: 'SSL_R_NO_CERTIFICATE_RETURNED' was not declared in this scope
This reason code existed in 1.0.2 but was never used by anything.
Matt
Enjoy
Jakob
--
d is blocking; it's why you
think the
connection is gone, but the stack thinks otherwise.
> Note that the normal behavior of my application is : client
connects, server
> daemon forks a new instance,
Does the server parent process close its copy of the conversation
socket?
Enjoy
Ja
word "busy"
Enjoy
Jakob
--
exclusive, but the notBefore field is inclusive.
PKIX (RFC5280) says that both timestamps are inclusive, X.509 (10/2012)
says
nothing about this aspect of the interpretation of the validity structure.
Enjoy
Jakob
--
PSS signatures, but failing to
pass that job to the CAPI engine. I was commenting on how that might be
made to work.
On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users
<openssl-users@openssl.org> wrote:
On 2020-10-23 15:45, Matt Caswell wrote:
>
>
. Also,
maybe use a compatible stronger CAPI "provider" (their engines) to do
stronger hashes etc.
Enjoy
Jakob
--
On 2020-09-10 09:03, Tomas Mraz wrote:
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
Wouldn't a more reasonable response for 1.0.2 users have been to
force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
cipher
suites
and telling affected peop
ications please see:
https://www.openssl.org/policies/secpolicy.html
Wouldn't a more reasonable response for 1.0.2 users have been to force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher
suites
and telling affected people to recompile with the fix off?
Enjoy
Jako
from an AWS hosted server, and
would be seriously inconvenienced if they got generally banned by mail
recipients.
And we did check that they were not in bad standing at spamhaus.org
before choosing them to host that server. Some of their competitors
failed those checks.
Enjoy
Jakob
--
Jakob
fugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug
2019) and Australia (25 Dec 2019 to 9 Jan 2020):
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-END EMAIL SIGNATURE-
Enjoy
Jakob
--
away in all kinds of places, and
there's just no way to know that it won't be used indefinitely.
Enjoy
Jakob
--
On 2020-09-01 04:26, Viktor Dukhovni wrote:
On Aug 31, 2020, at 10:57 PM, Jakob Bohm via openssl-users
wrote:
Given the practical impossibility of managing atomic changes to a single
POSIX file of variable-length data, it will often be more practical to
create a complete replacement file, then
ble to the application, after it drops
privileges and/or enters a chroot jail, as will already be the case
for hashed certificate/crl directories.
Enjoy
Jakob
--
Enjoy
Jakob
--
enSSL compliant with all Linux Debian
distribution ?
Thank you in advance for your answer.
Best Regards,
Enjoy
Jakob
--
d by OpenLDAP:
<http://www.symas.com>
Enjoy
Jakob
--
On 2020-07-26 01:56, Jan Just Keijser wrote:
On 23/07/20 02:35, Jakob Bohm via openssl-users wrote:
The OPENSSL_ia32cap_P variable, its bitfields and the code that sets
it (in assembler) seem to have no clear documentation.
Thanks, I somehow missed that document as I was grepping the code
gnum implementations"
As there is an external interface for changing the variable via an
environment
var, the lack of documentation makes that useless except for "cargo-cult"
copying of values from old mailing list posts.
Enjoy
Jakob
--
more than search the docs for what I needed and implemented it.)
The site is https://jnior.com if
anyone wants to hit it. For me the digital signature in the
server_key_exchange does not verify.
I just tried openssl s_client, and it didn't complain about anything.
Negotiated a TLSv1.2 sessio
file
-- WARNING: This runs beyond length of containing DN (0x80 bytes)
Enjoy
Jakob
--
* without __COUNTER__ */
/* If assertion fails, compiler will complain about invalid array size */
/* If assertion is not a const expression, compiler will complain
about that */
typedef char OSSL_const_assert_##fudge##__LINE__##_##__COUNTER__[
(BN_BYTES <= sizeof(BN_ULONG))
njoy
Jakob
--
On 12/05/2020 16:01, Matt Caswell wrote:
On 12/05/2020 14:50, Jakob Bohm via openssl-users wrote:
When running Configure in OpenSSL 1.1.1g with various options, it sometimes
silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d" .
Looking at the code here:
https://
re options (other
than endless trial and error)?
Enjoy
Jakob
--
On 2020-04-22 15:22, Hubert Kario wrote:
On Tuesday, 21 April 2020 21:29:58 CEST, Jakob Bohm via openssl-users
wrote:
That link shows whatever anyone's browser is configured to handle
when clicking
the link.
The important thing is which browsers you need to support, like the
ones on
CS7.
You could easily run in PKCS7 mode until you receive a CMS message from the
peer, and then upgrade to CMS. But this winds up in a bid-down attack if
both parties run this algorithm, so you'd want to insert some extension that
said: "I can do CMS" into your PKCS7 messages.
En
s: 6 Failed: 1)
Failed test: 2
Non-zero exit status: 1
Files=1, Tests=6, 12 wallclock secs ( 0.04 usr 0.06 sys + 1.77 cusr 9.78
csys = 11.65 CPU)
Result: FAIL
*** Error 1 in . (Makefile:217 '_tests')
*** Error 1 in /home/ca/pd/security/openssl-1.1.1g (Makefile:205 'tests&
> I find too many people cargo-culting poorly thought cipher lists
from
> some random HOWTO. Over optimising your cipherlist is subject to
> rapid bitrot, resist the temptation...
Yeah, I should have probably suggested just: CipherString = DEFAULT
There is not much point
you're trying to do,
but specifically because the certificate is not issued by an
already trusted issuer.
is this an expected behavior in OpenSSL 1.1.1?
Yes.
Enjoy
Jakob
--
in finish message.
Which RFC/section explains this in detail?
For TLS 1.2, this is RFC5246 Section 6.2.3.2
Note that each version of TLS makes arbitrary changes to the record
encryption.
Enjoy
Jakob
--
1.2 inadvisable.
With the removal of general FFDH from TLS 1.3, it has now become
advisable to implement for TLS 1.3 session but ignore for TLS 1.2
and below sessions, as if not implemented for those, at least as a
default-on compatibility option.
Enjoy
Jakob
--
"MRI
compatibility mode" and using the script command "ADDLIB" inside
the provided MRI-style linker script. For more details see the
"ar scripts" part of the full GNU BinUtils TexInfo manual.
Enjoy
Jakob
--
es the "link" between your code and
the ssl dynamic library. In the second case, even if you
properly statically link with this lib, you will still need
the dll to execute your program.
Enjoy
Jakob
--
;
} SHA_CTX;
Thanks,
Read the specification of the SHA-1 algorithm (either in the FIPS 180-1
standard or in a textbook).
Enjoy
Jakob
--
does still support P-521 but Chrome does not.
Also be aware that if you set server side cipher selection and use
default curves, that OpenSSL orders the curves weakest to strongest (
even with @STRENGTH) so you will end up forcing P-256.
On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl
, so no trusted CA can
support it.
Enjoy
Jakob
--
characters
are "fetchmail: OpenSSL reported: err", the remaining 81 are not
shown above.
The hashed name ending in ".1" is OpenSSL looking to see if you
have more than one cert with the hash value 4a6481c9, which does
happen for some users. If you had such a second cert, OpenS
after boot, while a tool to set up initial private keys at first
boot would need to wait for the stronger entropy source (which may
in fact get initial randomness over such an encrypted early
connection!).
Enjoy
Jakob
--
joy
Jakob
--
rvers
have to ignore that extension and use heuristic guesses to choose the
DH strength.
Enjoy
Jakob
--
y are essentially black boxes and could
contain anything. It is extremely difficult, if not impossible, to
tell if the hardware RNG is good or not. This doesn’t mean that they
should not be used, it just means that using them involves another
risk assessment.
On 16 Aug 2019, at 8:42 pm, Jakob
embedded platforms?
Thanks,
Enjoy
Jakob
--
anything else through
off-the-shelf CAs is nil.
Note to consumed with things in your stomach:
https://tools.ietf.org/html/draft-ietf-anima-autonomic-control-plane-20#section-6.1.2
Jakob Bohm via openssl-users wrote:
> As the author of a proposal in this area, could you define a
notatio
subnet
mask length such as /64 in an end cert.
P.S. 2001:db8::/32 is the official prefix for use in examples.
Enjoy
Jakob
--
erates certificates for
devices as they are manufactured.
Enjoy
Jakob
--
application data.
Enjoy
Jakob
--
===
Windows builds with insecure path defaults (CVE-2019-1552)
==
Enjoy
Jakob
--
s).
I’d also be interested to know what is wrong with the policy page?
Only that it states the policy of stopping 1.0.2 support at end of
2019, which would be fine if a FIPS-capable replacement had been
ready by now (as is fortunately the case for non-FIPS).
Enjoy
Jakob
--
eries.
Enjoy
Jakob
--
top of OpenSSL-1.0.2 on top of FOM 2.x , thus no new
validation required.
The point is that some people may soon be in a desperate need to find a
FIPS-capable replacement for OpenSSL 1.0.x.
Enjoy
Jakob
--
Is the use of OpenSSL an actual legal requirement of the certification of
the FIPS object module, or just the easiest way to use it?
Difference would be particularly significant in case someone created code
to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
enhancements (as the pr
SHA384 as defined in RFC
5289 [0xc030] ECDHE-RSA-AES256-GCM-SHA384
How would I configure openssl-fips to force this precise compliance,
eliminating all other cipher suites?
Thank you.
--Larry
C++ Developer
Enjoy
Jakob
--
d smartcard) is
"away from terminal".
Enjoy
Jakob
--
ificates.
Thus with only one certificate available, the OpenSSL sends the
(untrusted, and in this case inappropriate) certificate, just in
case the server was somehow configured to make a special exception
for this particular case.
Enjoy
Jakob
--
assembler
optimizations enabled is especially advantageous on such systems.
Enjoy
Jakob
--
or an Asian design are more likely
successor for low cost low power router hardware.
(OK, somewhere someone probably has one of the other AIX variants running -
AIX/390 might be the last non-POWER AIX to die, if I had to bet. But probably
not AIX IA64.)
Enjoy
Jakob
--
very surprised that they removed such a widely used
interface, can you point out when that was removed from the Linux
kernel?
Enjoy
Jakob
--
ger in many of the
embedded and portable applications most likely to lack floating point
support.
Enjoy
Jakob
--
y use.
- On Linux x86, test programs that avoid all floating
point can be checked via the PF_USED_MATH flag or its
upcoming Linux 5.x replacement. This may be useful
in the test suite.
Enjoy
Jakob
--
to OpenSSL 1.0.x . 1.1.x will not have FIPS
support, and 4.y.x may lack this agility.
Enjoy
Jakob
--
with builtin web servers and other
unwanted garbage.
It would be nice if a good command-line offline CA product existed, but
until then, disciplined use of the OpenSSL ca "sample" command seems to be
the best there is.
Enjoy
Jakob
--
./test/recipes/01-test_abort.t ok
../test/recipes/01-test_sanity.t ... Dubious, test
returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
Enjoy
Jakob
--
LDIR: "/etc/pki/tls"
engines: dynamic
Please let me know if you need any further details from my end.
Thanks, in advance.
Chandu
--
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only fo
1 - 100 of 1153 matches