Re: Fwd: Requesting to share OpenSSL commands to increase G Parameter length in DHE Cipher.

2021-03-03 Thread Kurt Roeckx
On Wed, Mar 03, 2021 at 04:14:17PM +0530, Vadivel P wrote: > Hi OpenSSL team, > > We are looking for the command line option or any other way to increase the > DHE G Parameter length to 256 bytes, by default it's 2 now, we need to > modify it as 256 byte on the server side for our testing either b

Re: Question about SSL_ERROR_WANT_WRITE

2020-12-12 Thread Kurt Roeckx
On Thu, Dec 10, 2020 at 05:14:00PM +0200, Cosmin Apreutesei wrote: > Hello, > > I have a question regarding SSL_write() and returning SSL_ERROR_WANT_WRITE > from the write callback. > > _After_ SSL_write() returns with SSL_ERROR_WANT_WRITE (because my write > callback returned SSL_ERROR_WANT_WRI

Re: Testing TLS 1.0 with OpenSSL master

2020-08-25 Thread Kurt Roeckx
On Mon, Aug 24, 2020 at 01:38:41PM -0700, John Baldwin wrote: > On 8/18/20 9:49 AM, Matt Caswell wrote: > > > > > > On 17/08/2020 18:55, John Baldwin wrote: > >> 1) Is 'auth_level' supposed to work for this? The CHANGES.md change > >>references SSL_CTX_set_security_level and openssl(1) claim

Re: Lack of documentation for OPENSSL_ia32cap_P

2020-08-12 Thread Kurt Roeckx
On Thu, Jul 23, 2020 at 02:35:28AM +0200, Jakob Bohm via openssl-users wrote: > The OPENSSL_ia32cap_P variable, its bitfields and the code that sets > it (in assembler) seem to have no clear documentation. Have you seen the OPENSSL_ia32cap manpage? Kurt

Re: Order of protocols in MinProtocol

2020-07-12 Thread Kurt Roeckx
On Sun, Jul 12, 2020 at 12:29:43AM -0400, Viktor Dukhovni wrote: > > The main outstanding issue for which I'm authoring a new PR, is that > each of the above results in SSL_CONF_cmd() returning an error for > contexts of the other type or for contexts that are for a specific fixed > version of TLS

Re: Goodbye

2020-07-04 Thread Kurt Roeckx
On Fri, Jul 03, 2020 at 12:51:19PM +, Salz, Rich via openssl-users wrote: > * topic: Change some words by accepting PR#12089 > > * > > * 4 against, 3 for, no abstentions > > I am at a loss for words. > > I can’t contribute to a project that feels this way. I would like to point ou

Re: CMAC timings

2020-06-18 Thread Kurt Roeckx
On Thu, Jun 18, 2020 at 07:24:39PM +0200, Kurt Roeckx wrote: > > Now that a large fraction of the cost has been found, I can look > again to see where the biggest cost in 3.0 comes from now and if we > can do something about it. So a code path that I've noticed before when looki

Re: CMAC timings

2020-06-18 Thread Kurt Roeckx
On Thu, Jun 18, 2020 at 02:12:56PM +, Blumenthal, Uri - 0553 - MITLL wrote: > I think that the default behavior should change for 3.0, and the API change > described in the Release Notes. I find that alternative less impacting than > this silent sudden performance deterioration. Note that I

Re: CMAC timings

2020-06-18 Thread Kurt Roeckx
On Thu, Jun 18, 2020 at 10:41:40AM +0200, Tomas Mraz wrote: > > I question the default behaviour, I think most people don't need > > that support. > > Unfortunately that would be an API break that could be very hard to > discover, so I do not think we can change this even in 3.0. But I think the

Re: CMAC timings

2020-06-17 Thread Kurt Roeckx
going on. > > Over on an ntpsec list, Kurt Roeckx reported that he was still waiting... > > Richard's message said "I", so I sent him a copy off list. Correcting that... So I took a look at the EVP_PKEY case, and it seems we spend most of our time doing: -

Re: How to help with getting KTLS patches merged

2020-06-08 Thread Kurt Roeckx
On Thu, Jun 04, 2020 at 09:00:08AM -0700, John Baldwin wrote: > At the moment there are 3 open PRs related to Kernel TLS offload > support that I'm aware of: > > - 11589 adds TLS1.3 for Linux, has one approval from Matt Caswell > - 10626 adds TLS1.3 for FreeBSD, from which 11589 is derived, but wi

Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Kurt Roeckx
On Fri, Apr 24, 2020 at 01:26:05PM +0200, Yann Ylavic wrote: > > - DH_bits(dh) (used for logging only in httpd) > Replaced by BN_num_bits(DH_get0_p(dh)). > Not sure this one should be deprecated, it seems to be used in several > places in openssl codebase still, no replacement? I think the replac

Re: openssl 1.1.1g test failure(s)

2020-04-25 Thread Kurt Roeckx
On Wed, Apr 22, 2020 at 11:02:47AM +0200, Michael Tuexen wrote: > > On 22. Apr 2020, at 10:38, Matt Caswell wrote: > > > > > > > > On 21/04/2020 23:45, Michael Tuexen wrote: > >>> Looks like the failing call is here: > >>> > >>> if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, > >>>

Re: openssl 1.1.1g test failure(s)

2020-04-21 Thread Kurt Roeckx
On Tue, Apr 21, 2020 at 10:49:25PM +0100, Matt Caswell wrote: > > Looks like the failing call is here: > > if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, >(const void *)&on, sizeof(on)) != 0) { > > To which we get an errno indicating "Invalid argument". So it loo

Re: Question about handshake error

2020-03-11 Thread Kurt Roeckx
On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote: > > Debian 10 omits all the SHA1 entries from the above list. Note that > Debian 10 will only allow SHA1 if the security level is explicitly set > to 0 (via the -cipher "DEFAULT:@SECLEVEL=0" command line arg). Probably > because the deb

Re: Question about handshake error

2020-03-11 Thread Kurt Roeckx
On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote: > > I *think* what is happening is the server is checking the chain it has > been configured with, spotting that it includes a SHA1 based signature > and therefore refusing to respond at all because the client has not > indicated SHA1 s

Re: Clutter in log files, bogus connections

2019-11-24 Thread Kurt Roeckx
On Sat, Nov 23, 2019 at 04:42:50PM -0800, Hal Murray wrote: > > I see a lot of clutter in log files from things like > error:1408F10B:SSL routines:ssl3_get_record:wrong version number > I assume they are from bad guys probing for openings. > > Is the error code returned by ERR_get_error() const

Re: Remove All Software Generators

2019-10-31 Thread Kurt Roeckx
On Wed, Oct 30, 2019 at 02:12:19PM -, Frederick Gotham wrote: > > It appears that OpenSSL will kick and scream and refuse to die no > matter how hard you hit it. If I try to generate a random number like > this: > > openssl rand -hex 8 > > Then it seems it will try in this order: > >

Re: failing in reproducing .so files

2019-06-08 Thread Kurt Roeckx
On Sat, Jun 08, 2019 at 12:26:30AM +0200, Giovanni Fontana wrote: > */usr/bin/ld:libcrypto.map:0: syntax error in VERSION scriptcollect2: There seems to be a problem generating the libcrypto.map file for you. What does the file look like? Which perl version are you using? Which libc do you use?

Re: Since I switched to OpenSSL 1.1.1c, I've found -Dpurify is not working

2019-06-08 Thread Kurt Roeckx
On Fri, Jun 07, 2019 at 05:14:23PM -0400, Lewis G. Pringle, Jr. wrote: > When I run valgrind, I get thousands of errors (exactly like I used to get > before I turned on -Dpurify). You probably need commit 15d7e7997e219fc5fef3f6003cc6bd7b2e7379d4 Kurt

Re: [openssl-users] OpenSSL 1.1.1 Support for DH Ciphers?

2019-01-29 Thread Kurt Roeckx
On Tue, Jan 29, 2019 at 02:42:48PM -0500, Viktor Dukhovni wrote: > > On Jan 29, 2019, at 2:23 PM, Rich Fought wrote: > > > > The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers > > are supported: > > > > TLS1.0: > > DH-RSA-AES128-SHA > > DH-RSA-AES256-SHA > > The static

Re: [openssl-users] SSL_read() returns -1, and SSL_read_ex does not update readbytes where a record containing a session ticket is being read (TLS 1.3)

2019-01-25 Thread Kurt Roeckx
On Thu, Jan 24, 2019 at 11:09:40PM +0700, Arran Cudbard-Bell wrote: > We could use this to determine what SSL_ERROR_WANT_READ is indicating. As it > seems SSL_ERROR_WANT_READ could indicate two conditions in this scenario: > > 1) No pending bytes - Additional handshake messages were processed,

Re: [openssl-users] Dealing with RFC2553 and RFC3493 where NI_MAXHOST and NI_MAXSERV no longer exist

2019-01-22 Thread Kurt Roeckx
On Fri, Jan 18, 2019 at 06:40:05PM -0500, Dennis Clarke wrote: > On 1/18/19 1:53 AM, Dennis Clarke wrote: > > > > Going in circles trying to compile 1.1.1a with strict C99 and no > > optimizations and with a ready to debug and single step resultant > > library. > > Ignore all this. Thou shalt no

Re: [openssl-users] RNG behavior by default

2019-01-05 Thread Kurt Roeckx
On Sat, Jan 05, 2019 at 08:33:18PM +0100, Steffen Nurpmeso wrote: > > (I am also really interested and will look into OpenSSL to see if > the abort() that seems to happen if the initial seed fails is in > a linker-resolved constructor, and if not, why later failures do > not also abort. We do not

Re: [openssl-users] RNG behavior by default

2019-01-05 Thread Kurt Roeckx
On Sat, Jan 05, 2019 at 08:45:37AM +1000, Dr Paul Dale wrote: > I’m not sure about the quality of Android’s sources, but would expect them to > be decent. Android is just a Linux kernel. It always had /dev/urandom. Oreo (8.0) requires at least Linux kernel 4.4. There were no requirements for the

Re: [openssl-users] RNG behavior by default

2019-01-04 Thread Kurt Roeckx
On Fri, Jan 04, 2019 at 02:48:48PM +0100, Steffen Nurpmeso wrote: > Dr. Matthias St. Pierre wrote in <450169f8ca7c43d1841c4c8052e78c72@Ex13.\ > ncp.local>: > |> So my concerns are: > |> 1. Whether I really can count on getting a high-entropy PRNG across \ > |> these various platforms, without an

Re: [openssl-users] RFC 7919 DH parameters and OpenSSL DH_check()

2019-01-03 Thread Kurt Roeckx
On Thu, Jan 03, 2019 at 12:18:05PM -0800, Andy Schmidt wrote: > I am adding the RFC 7919 Diffie-Hellman parameters to our TLS servers, and > I've found that these parameters won't pass OpenSSL's Diffie Hellman > parameter check function DH_check(). The return code is > DH_NOT_SUITABLE_GENERATOR. Lo

Re: [openssl-users] RNG behavior by default

2019-01-03 Thread Kurt Roeckx
On Thu, Jan 03, 2019 at 11:03:01AM -0500, Mike Blaguszewski wrote: > I am using the EVP API (version 1.1.1) for performing public key and > symmetric key operations across a variety of platforms (macOS, Windows, > Linux, iOS and Android). I am currently not doing anything to explicitly seed > Op

Re: [openssl-users] Authentication over ECDHE

2018-12-31 Thread Kurt Roeckx
On Mon, Dec 31, 2018 at 02:11:56PM +, Matt Caswell wrote: > > Well, you have vocally complained about the state of the documentation. You > have > the benefit of being a new OpenSSL user. You know what things were confusing > or > unclear in the documentation. More experienced OpenSSL coders

Re: [openssl-users] OpenSSL 1.0.2: CVE-2018-0735

2018-11-22 Thread Kurt Roeckx
On Tue, Nov 06, 2018 at 04:19:36PM -0600, Misaki Miyashita wrote: > Hi, > > According to the vulnerabilities website[1], OpenSSL 1.1.i and earlier and > 1.1.1 are affected by CVE-2018-0735. > Is it safe to assume that OpenSSL 1.0.2 is not affected by the CVE? My understanding is that the code was

Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-18 Thread Kurt Roeckx
On Tue, Sep 18, 2018 at 05:11:42PM +, Salz, Rich via openssl-users wrote: > >My point was about the likelihood of last-draft browsers lingering > on in the real world for some time (like 1 to 3 years) after the > TLS1.3-final browser versions ship. > > I do not think this is a conc

Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-15 Thread Kurt Roeckx
On Thu, Sep 13, 2018 at 08:13:41PM +0200, Jakob Bohm wrote: > On 13/09/2018 09:57, Klaus Keppler wrote: > > Hi, > > > > thank you for all your responses. > > > > I've just tested with Firefox Nightly 64.0a1, and both s_server and our > > own app (using OpenSSL 1.1.1-release) are working fine. > >

Re: [openssl-users] Migrating to openssl 1.1.1 in real life linux server

2018-09-11 Thread Kurt Roeckx
On Tue, Sep 11, 2018 at 08:10:01PM +0200, Kurt Roeckx wrote: > On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote: > > Hello, > > > > What is the better way, for anyone running, by example, Apache or nginx on > > a popular Linux distribution (Ubuntu, Debian,

Re: [openssl-users] Migrating to openssl 1.1.1 in real life linux server

2018-09-11 Thread Kurt Roeckx
On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote: > Hello, > > What is the better way, for anyone running, by example, Apache or nginx on > a popular Linux distribution (Ubuntu, Debian, Suse) and want support TLS > 1.3 ? > > Waiting package update to have openssl 1.1.1 ? probably a lot

Re: [openssl-users] Version negotiation failure failure?

2018-09-10 Thread Kurt Roeckx
On Fri, Aug 31, 2018 at 06:14:25PM -0700, Jordan Brown wrote: > We're trying to nail down error reporting for TLS version mismatches, > and we're seeing a couple of puzzling behaviors. > > First, and most puzzling... assume these two command lines: > > $ openssl s_server -cert 2018.08.31.a.pe

Re: [openssl-users] using NULL ciphers

2018-08-22 Thread Kurt Roeckx
On Wed, Aug 22, 2018 at 02:08:42PM -0400, Viktor Dukhovni wrote: > > > > On Aug 22, 2018, at 1:56 PM, Qi Zeng wrote: > > > > I’m trying to use NULL cipher such as ECDHE-ECDSA-NULL-SHA for debugging > > purpose. With OpenSSL version 1.0.2p, I was able to make it work. However > > with version

Re: [openssl-users] Anonymous DH (ADH) in real world applications

2018-08-19 Thread Kurt Roeckx
On Sun, Aug 19, 2018 at 02:36:30PM +0200, Anton wrote: > Hello > > Does anyone know some examples of applications using > ADH ciphersuites for TLS connections in production > environment? At least postfix can use it for SMTP. Kurt -- openssl-users mailing list To unsubscribe: https://mta.open

Re: [openssl-users] [openssl-project] Late thoughts on the 1.1.1 release - are we fooling ourselves?

2018-08-18 Thread Kurt Roeckx
On Sat, Aug 18, 2018 at 07:48:21PM +0200, Juan Isoza wrote: > What is the difference between draft 28 and rfc for tls 1.3 ? The drafts used a version that said which draft version it was. The RFC version has a different version. So the version that's sent in ClientHello is different, and a draft v

Re: [openssl-users] Shutdown details

2018-08-12 Thread Kurt Roeckx
On Sun, Aug 12, 2018 at 08:49:35PM +0200, Kurt Roeckx wrote: > In -pre8 we even have tests covering this behaviour, and the > manpages have been updated to say that it's possible. See > https://www.openssl.org/docs/manmaster/man3/SSL_shutdown.html I think this was actually commi

Re: [openssl-users] Shutdown details

2018-08-12 Thread Kurt Roeckx
On Wed, Aug 01, 2018 at 09:46:37PM +0200, Alex H wrote: > > > If your question is whether you can still read any data that may have > been in flight when you send your close_notify, I believe the answer > is no. Further data received from the peer is discarded after a > close_notify is sent. > >

Re: [openssl-users] Shutdown details

2018-08-12 Thread Kurt Roeckx
On Wed, Aug 01, 2018 at 08:27:38AM +0200, Alex H wrote: > Hi, > > I have trouble understanding the details of TLS shutdown. I get the basics > but, > > Is it possible to receive data after calling SSL_shutdown? Reading the > specs and docs leaves this rather blurry. > > That is, after sending a

Re: [openssl-users] The new BN_num_bits_word in 1.0.2o triggers bug in MS C 14.00.60131 for ARM

2018-08-09 Thread Kurt Roeckx
On Mon, Aug 06, 2018 at 04:30:54PM +0200, Jakob Bohm wrote: > The patch below works around this, porting this to OpenSSL 1.1.x > is left as an exercise for the reader: Can you please open a pull request on github for that? Kurt

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Kurt Roeckx
On Sun, Apr 29, 2018 at 10:05:39PM -0400, Dennis Clarke wrote: > On 29/04/18 06:43 AM, Kurt Roeckx wrote: > > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS > > 1.3 brings a lot of changes that might cause incompatibility. For > > an overview see htt

[openssl-users] Call for testing TLS 1.3

2018-04-29 Thread Kurt Roeckx
The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS 1.3 brings a lot of changes that might cause incompatibility. For an overview see https://wiki.openssl.org/index.php/TLS1.3 We are considering if we should enable TLS 1.3 by default or not, or when it should be enabled. For that, w

Re: [openssl-users] Question as to best options....

2017-12-26 Thread Kurt Roeckx
On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote: > > On 12/26/2017 13:14, Salz, Rich via openssl-users wrote: > > > > So if you put locks around the SSL_CTX object when it’s used, then you > > can use the set private key call to update the key; and then all > > SSL_new objects after

Re: [openssl-users] Question as to best options....

2017-12-26 Thread Kurt Roeckx
On Tue, Dec 26, 2017 at 12:38:32PM -0600, Karl Denninger wrote: > > What I'm trying to figure out is the "best" way to handle this.  > SSL_CTX_use_PrivateKey accepts a EVP_PKEY pointer, > SSL_CTX_use_PrivateKey_ASN1 takes an ASN1 structure of length len, but > what is parameter "pk" (not explained

Re: [openssl-users] OpenSSL SHA algorithm

2017-12-26 Thread Kurt Roeckx
On Mon, Dec 25, 2017 at 07:44:58PM -0800, Swapnil Deshpande wrote: > Hi all, > > Noob here. I recently discovered that the "-sha1" and "-sha" flags in the > "openssl dgst" command produce different outputs. I thought those were the > same algorithms but turns out they are not: > > $ echo -n "pass

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Kurt Roeckx
On Fri, Dec 22, 2017 at 09:30:19AM -0500, Ken Goldman wrote: > On 12/22/2017 9:24 AM, Salz, Rich via openssl-users wrote: > > > if (ptr!= NULL) free(ptr); > > That shouldn’t be necessary for OpenSSL. If you find places where it is, > > please open an issue. > > OK. I'll mention a few, but it'

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Kurt Roeckx
On Fri, Dec 22, 2017 at 01:06:20PM +, Salz, Rich via openssl-dev wrote: > Our intent is that all FREE functions can handle NULL. If you find things > missing or undocumented, please open an issue on GitHub. Thanks! I think we fixed all such cases in 1.1.0, all *_free() functions should hand

Re: [openssl-users] [openssl-dev] OpenSSL Project Bylaws

2017-04-22 Thread Kurt Roeckx
On Tue, Feb 14, 2017 at 09:30:31AM +, Matt Caswell wrote: > I am pleased to be able to announce the publication of our new Project > Bylaws. I have written a short blog post about what we are hoping to > achieve and some of the thinking that went into these here: > > https://www.openssl.org/bl

Re: [openssl-users] [openssl-dev] After building 1.0.2h , ldd output shows current version as 1.0.0. How to CHange this , Why is this so ?

2016-11-04 Thread Kurt Roeckx
On Thu, Nov 03, 2016 at 01:53:56PM +0100, Richard Levitte wrote: > Hi, > > I'm curious. Why exactly do you want to change the shared library > version? I had to change the soname in Debian (because I dropped all SSLv2 and SSLv3 symbols) and changed it to 1.0.2. Kurt

Re: [openssl-users] how to unsubscribe

2016-07-03 Thread Kurt Roeckx
On Sun, Jul 03, 2016 at 07:42:44AM -0700, Igenyar Saharam wrote: > Hi, > > > Sorry to bother. The suggestion I found is to send email to openssl-users > with one line message of "unsubscribe openssl-users". I did that but it > still keeps coming. Could someone kindly instruct me the right way? E

Re: [openssl-users] DSA with OpenSSL-1.1

2016-07-02 Thread Kurt Roeckx
On Fri, Jul 01, 2016 at 05:17:35PM +0100, Matt Caswell wrote: > > "ALL:!COMPLEMENTOFDEFAULT:!eNULL" Maybe we should use "-" instead of "!"? Kurt

Re: [openssl-users] DSA with OpenSSL-1.1

2016-07-02 Thread Kurt Roeckx
On Fri, Jul 01, 2016 at 03:54:45PM +, Salz, Rich wrote: > > > In short: Removing support for DSA in OpenSSL would prevent some of our > > products from updating to 1.1.x for a significant length of time, probably > > years. > > We have no plans to do that. But we do change defaults, and it n

Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-03-01 Thread Kurt Roeckx
fice: 604.629.5182 ext 2632 > Support: 888.281.5182  |  avigilon.com > > -Original Message- > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Kurt Roeckx > Sent: Tuesday, March 01, 2016 12:16 AM > To: openssl-users@openssl.org >

Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-03-01 Thread Kurt Roeckx
On Tue, Mar 01, 2016 at 12:38:20AM +, Nounou Dadoun wrote: > Is it sufficient to change -O3 to -O2 it in the Configure file or is there > somewhere else it needs to be changed? Yes, in Configure should be enough. Kurt

Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-02-29 Thread Kurt Roeckx
On Mon, Feb 29, 2016 at 10:48:22PM +, Nounou Dadoun wrote: > But this demonstrates that my headaches have been coming from the fact that > sha384 and sha512 are broken in our build somehow. The no-asm configure > directive didn't make a difference so maybe a compiler bug or something? I'm a

Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-02-29 Thread Kurt Roeckx
> > Nou Dadoun > Senior Firmware Developer, Security Specialist > > > Office: 604.629.5182 ext 2632 > > -Original Message- > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Kurt Roeckx > Sent: Monday, February 29, 2016 12:2

Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-02-29 Thread Kurt Roeckx
Which compiler and version are you using? Kurt On Mon, Feb 29, 2016 at 08:12:10PM +, Nounou Dadoun wrote: > For the record, I added no-asm to the config options and got exactly the same > result on the sha512t test. Open to other suggestions ... N > > > Nou Dadoun > Senior Firmware Devel

Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-02-27 Thread Kurt Roeckx
On Sat, Feb 27, 2016 at 07:45:18PM +, Nounou Dadoun wrote: > PLATFORM=VC-WIN64A Can you try a build with no-asm? Kurt

Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-02-27 Thread Kurt Roeckx
On Sat, Feb 27, 2016 at 06:23:43PM +, Dr. Stephen Henson wrote: > On Sat, Feb 27, 2016, Nounou Dadoun wrote: > > > Thanks for the response, > > > > I'm not sure what you're saying here other than TLS 1.2 client cert auth > > processing is different from TLS x (where x<1.2); I would assume tha

Re: [openssl-users] upgrade to 1.0.1r breaks script that worked for years. Config issue?

2016-02-24 Thread Kurt Roeckx
On Wed, Feb 24, 2016 at 05:22:08PM +0100, lists wrote: > > Before I try some heavy debugging, does anybody know of a change from > version 1.0.1e to 1.0.1r that would prevent the commands above from working? Can you try reverting commit 23a58779f53a9060c823d00d76b3070cad61d9a3? I've attached a p

Re: [openssl-users] Warning OPENSSL_1.0.0 not found (custom build OpenSSL library)

2016-02-21 Thread Kurt Roeckx
On Sun, Feb 21, 2016 at 04:15:45PM +, Sandra Schreiner wrote: > Hello, > > I am currently developing a C++ application with Boost Asio SSL Sockets. > Boost Asio uses OpenSSL for its TLS support. My application will be ported > to Android in the future so I tried to build OpenSSL by myself f

Re: [openssl-users] Working around servers requiring SSL 2/3 record layer, and using TLS 1.2?

2016-02-10 Thread Kurt Roeckx
On Wed, Feb 10, 2016 at 09:03:35PM -0500, Jeffrey Walton wrote: > As far as I know, there are no constants for TLS 1.0 and 1.1, so we > can't extend this in clients: > > const SSL_METHOD* method = SSLv23_method(); > ctx = SSL_CTX_new(method); > ... > > const long flags = SSL_OP_NO

Re: [openssl-users] Extra EPOLLIN event at end of SSL connection

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 07:43:00AM -0700, counterpoint wrote: > Working on a multi-threaded system that is providing an SSL server > capability, I am running into an odd problem at the end of a connection. > There seems no functional downside, in that it appears all data is handled > correctly. The

Re: [openssl-users] Updating TLS1.1 to TLS1.2

2016-01-16 Thread Kurt Roeckx
On Sat, Jan 16, 2016 at 10:57:46AM +, Diganta Bhattacharjee wrote: > > I am looking at (query about) updating a TLS 1.1 solution based on OpenSSL > 1.0.1b to TLS 1.2. I understand the latest OpenSSL 1.0.2 supports TLS 1.2. At > first look I believe if we replace the OpenSSL 1.0.1 with OpenSS

Re: [openssl-users] libssl.so.1.0.0

2016-01-12 Thread Kurt Roeckx
On Tue, Jan 12, 2016 at 04:03:42PM -0500, Jeff Archer wrote: > I am building from source that came from openssl-1.0.2e.tar.gz but it > appears to be producing output of libssl.so.1.0.0. Is this what I should > expect? Yes. That is the correct soname for all 1.0.X releases. Kurt

Re: [openssl-users] openSSL and SLOTH attack

2016-01-11 Thread Kurt Roeckx
On Mon, Jan 11, 2016 at 09:38:05PM +0100, Jakob Bohm wrote: > On 08/01/2016 18:43, Salz, Rich wrote: > >Are you going to keep posting and posting until you get a response? :( > > > >Master branch, 1.1, is not released but will not be vulnerable (may already > >be fixed) > >1.0.2 is not vulnerable.

Re: [openssl-users] OPenssl and dependencies such as openssh

2016-01-05 Thread Kurt Roeckx
On Tue, Jan 05, 2016 at 03:40:03PM -0700, The Doctor wrote: > tls.o(.text+0xf32): undefined reference to `SSLv23_server_method' Are you sure it's finding the correct headers? Kurt

Re: [openssl-users] Openssl not sending "client hello" request

2015-12-30 Thread Kurt Roeckx
On Tue, Dec 29, 2015 at 08:35:49PM +0100, Felix Rubio Dalmau wrote: > Hi all, > > I have been searching for some time for a solution and I can not > manage to > solve my problem. I have a computer that can not connect to some sites, e.g. > github, by using openssl. I am running a debian

Re: [openssl-users] Find size of available data prior to ssl_read

2015-12-16 Thread Kurt Roeckx
On Wed, Dec 16, 2015 at 06:23:25PM +, Martin Brampton wrote: > Is there a way to obtain the amount of data available to be read? > > I'm working with a system that operates in non-blocking mode using epoll. > When an EPOLLIN event is received the aim is to read the data. For the > non-SSL case

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-12 Thread Kurt Roeckx
On Sat, Dec 12, 2015 at 10:23:38PM +0100, Dominik Mahrer (Teddy) wrote: > Hi everyone > > My question is: > How can I set up a bundle of commercial root CA certificates? > Exactly this the same question I found as FAQ # 16 (User). But as answer > there is only explained that openssl will not serve

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-10 Thread Kurt Roeckx
On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote: > Hi Matt, > > Thanks for the patch. Unfortunately patch did not work. I continued > debugging and found that issue was in constant_time_msb. > > static inline unsigned int constant_time_msb(unsigned int a) { > -*return 0 - (a

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-10 Thread Kurt Roeckx
On Wed, Dec 09, 2015 at 05:13:32PM -0600, Benjamin Kaduk wrote: > C does not make such a guarantee, though recent-ish POSIX does. (This > system is a windows one, though, right?) There are DSPs that only support 32 bit, they don't have a concept of 8 bit. But I think there is various code that

Re: [openssl-users] long (~2.5 minute) delay in TLS handshake

2015-11-30 Thread Kurt Roeckx
On Mon, Nov 30, 2015 at 10:46:45PM +, Michael Wojcik wrote: > I'm curious if anyone has seen anything like this before. > > We have a situation at one customer site. They see it happen every few days. > No one else has reported it, and we can't reproduce it. Have you considered that this mig

[openssl-users] 1.0.2 long term support

2015-08-10 Thread Kurt Roeckx
1.0.2 long term support === The OpenSSL project team would like to announce that the 1.0.2 version will be supported until 2019-12-31. Further details about the OpenSSL Release Strategy can be found here: https://www.openssl.org/about/releasestrat.html The OpenSSL Project Te

Re: [openssl-users] [openssl-1.0.2d] default SSL handshake fails

2015-08-01 Thread Kurt Roeckx
On Sat, Aug 01, 2015 at 06:56:16AM +0200, Jakob Bohm wrote: > > The old team would have gone out of their way to make sure > the standard OpenSSL code would generate backward compatible > hello records by default So it's my understanding that you suggest the default OpenSSL client should: - Only

Re: [openssl-users] CVE-2015-1793 only on cert-based client auth?

2015-07-14 Thread Kurt Roeckx
On Tue, Jul 14, 2015 at 01:23:52PM -0400, Colin Edwards wrote: > Thank you, Kurt. The information I was getting (from some sources) was that > the vulnerability was only present in configurations where the server was > authenticating a client certificate. The fact is, the vulnerability applies >

Re: [openssl-users] CVE-2015-1793 only on cert-based client auth?

2015-07-14 Thread Kurt Roeckx
On Mon, Jul 13, 2015 at 01:03:09PM -0400, Colin Edwards wrote: > I've been reading/hearing different opinions on the recent vulnerability > for cert chain forging that was patched (CVE-2015-1793). > > Some people are saying the vulnerability only exists if a system is using > certificate-based cli

Re: [openssl-users] Alternatives to flat text file database back-end?

2015-07-01 Thread Kurt Roeckx
On Wed, Jul 01, 2015 at 01:38:28PM +0300, Ikonta wrote: > Hi everybody, > > Possibly stupid question: > The default and only known for me OpenSSL database format is flat text file > (afair index.txt in default openssl.cnf). > Was ever suggested an idea to provide some alternatives (maybe relation

Re: [openssl-users] Query on TLS1.2 and use of DES ciphers

2015-06-29 Thread Kurt Roeckx
On Mon, Jun 29, 2015 at 05:48:05AM +, Srinivas wrote: > Thanks. Makes sense. > > But then why are the DES ciphers not listed in the supported cipher list for > TLSv1.2 > here?https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites Those are all ciphers that require at least TL

Re: [openssl-users] Vulnerability >> logjam << downgrades TLS connections to 512 Bit

2015-05-20 Thread Kurt Roeckx
On Wed, May 20, 2015 at 03:47:33PM +, Scott Neugroschl wrote: > Is OpenSSL vulnerable to Logjam? See http://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ Kurt

Re: [openssl-users] OpenSSL Behaviour under low bandwidth

2015-05-15 Thread Kurt Roeckx
On Fri, May 15, 2015 at 12:44:03PM +0100, Martin Beynon wrote: > > That is right from 100Mbps down to 150 kbps everything works as expected. > As I continue tuning down the bandwidth below 150kbps openssl starts to > stop sending data. It becomes very bursty and there are whole periods of > second

Re: [openssl-users] Regarding the Support for TLS 1.3

2015-05-04 Thread Kurt Roeckx
On Mon, May 04, 2015 at 03:12:17PM +, Salz, Rich wrote: > > I would like to know whether OpenSSL supports TLS 1.3, if supported from > > which version of OpenSSL the implementation started. > > Since TLS 1.3 is not even done yet, no. If I had to guess, I'd say it won't > be "done" for at l

Re: [openssl-users] Working with large DH parameters

2015-05-04 Thread Kurt Roeckx
On Mon, May 04, 2015 at 09:00:21AM -0500, jack seth wrote: > > There is a limit of 1: > > #define OPENSSL_DH_MAX_MODULUS_BITS 1 > > > > I suggest you do not change this. It just gets slower without > > adding security. > > > > I have no idea why it would freeze with something larger than >

Re: [openssl-users] [openssl-dev] openssl-1.0.2-stable-SNAP-20150504 error

2015-05-04 Thread Kurt Roeckx
On Mon, May 04, 2015 at 07:21:11AM -0600, The Doctor wrote: > This also occurred in openssl-1.0.2-stable-SNAP-20150503 This will most likely be fixed in the next snapshot. Kurt

Re: [openssl-users] Working with large DH parameters

2015-05-03 Thread Kurt Roeckx
On Tue, Apr 28, 2015 at 09:26:25AM -0500, jack seth wrote: > Ok I have been doing some experiments with OpenVPN and I can connect using > 1 bit DH parameters.  Any bigger than that up to at least 13824 I get the > following 'modulus too large' error on the client log: > > TLS_ERROR: BIO read

Re: [openssl-users] Trying to understand DTLS (as it applies to webrtc)

2015-05-01 Thread Kurt Roeckx
On Fri, May 01, 2015 at 09:01:47PM +0100, Matt Caswell wrote: > > > On 01/05/15 20:09, faraz khan wrote: > > Matt, > > Thanks again! To be precise webrtc is using boringssl (Google's fork of > > openssl). From the commits it seems VERY recent but I'm unable to figure > > out the last openssl merg

Re: [openssl-users] Can't connect to site, OpenSSL returns error

2015-04-27 Thread Kurt Roeckx
On Mon, Apr 27, 2015 at 02:39:08PM +, Salz, Rich wrote: > > It is weird that it worked for you. Anyway I found a way how to fix it (if > > I can > > call it "a fix"). The key is to provide a flag "-servername" > > to enable SNI (Server Name Indication). > > It's not wrong to call it a fix. T

Re: [openssl-users] Can't connect to site, OpenSSL returns error

2015-04-26 Thread Kurt Roeckx
On Sun, Apr 26, 2015 at 07:05:11PM +0200, hub...@seznam.cz wrote: > I tried this command > openssl.exe s_client -connect ezfile.ch:443 > > And it returns this kind of error > error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal > error I can not reproduce this. What version ar

Re: [openssl-users] [openssl-dev] removing compression?

2015-04-04 Thread Kurt Roeckx
On Fri, Apr 03, 2015 at 07:53:59PM +, Salz, Rich wrote: > > And the best practice these days is to do it at the application > layer, and feed the compressed bytes down to TLS. The BREACH attack makes use of that. Kurt

Re: [openssl-users] SNAPSHOT updates

2015-03-14 Thread Kurt Roeckx
On Fri, Mar 13, 2015 at 11:14:18AM -0600, The Doctor wrote: > What is happening? > > In the Mountain Time Zone: > > It was at 22:22 MST then 23:22 MDT then 00:22 MDT !! Do you mean when the snapshot is made? The machine runs in UTC, and the files seem to be made at 6:22 UTC. Kurt

Re: [openssl-users] Delay of email delivery for the list

2015-03-10 Thread Kurt Roeckx
On Tue, Mar 10, 2015 at 10:23:41PM +0300, Serj Rakitov wrote: > Hello, > > I see some delay about 30-40 min for my emails. They arrive and I see them in > the incoming messages in the list only after 30-40 min. And one email was > delivered for 2 hours. Is it normal for the openssl-users@openss

Re: [openssl-users] SSL_read preserving message boundaries.

2015-03-07 Thread Kurt Roeckx
On Sat, Mar 07, 2015 at 11:47:12AM +, Salz, Rich wrote: > > > So this is preserving message boundaries. How do I get the complete > > message just like with TCP? > > No, it just happened that way. TLS does not preserve message boundaries. As far as I know SSL_read will only return data from

Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Kurt Roeckx
On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote: > > > It is unfortunate that browsers "lend a helping hand" to such sites. > So, you want to say that browsers trust connections that don't provide > intermediate certs during SSL handshake? > As I know most browsers have also intermediate cert

Re: [openssl-users] Handle Leaks - shmem-win32.c shmem.c - OpenSSL 1.0.1l

2015-01-25 Thread Kurt Roeckx
On Sat, Jan 24, 2015 at 04:34:14PM -0500, Avery A. Tarasov wrote: > > Important findings: > > *1) * If SSL_library_init() and SSL_load_error_strings() are *removed* > (which are the only 2 OpenSSL functions I'm using) the handle leaks go > away.. > > *2)* If SSL_library_init() and SSL

Re: [openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option

2014-12-30 Thread Kurt Roeckx
On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote: > Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option > still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a > no-ssl3 application scenario is just one way to exploit this and that > the ssl23_get_client_

Re: [openssl-users] OpenSSL Release Strategy and Blog

2014-12-28 Thread Kurt Roeckx
On Sun, Dec 28, 2014 at 01:31:38AM +0100, Jakob Bohm wrote: > 3. The 1.0.x binary compatibility promise seems to not have been > completely kept. As recently as just this December, As a practical > example: I had an OS upgrade partially fail due to the presence of > a self-compiled up to date 1

Re: [openssl-users] OpenSSL performance issue

2014-12-18 Thread Kurt Roeckx
On Fri, Dec 19, 2014 at 02:30:07AM +0530, Prabhat Puroshottam wrote: > *** > This is for *Client -> Agent* > *** [...] >     Version 3.1 [...] >     cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA [...] > *

Re: [openssl-users] [openssl-dev] More POODLE issues

2014-12-10 Thread Kurt Roeckx
On Wed, Dec 10, 2014 at 09:51:15AM -0700, The Doctor wrote: > Now POODLE is hitting TLS > > http://www.computerworld.com/article/2857274/security0/poodle-flaw-tls-itbwcw.html > > Any fixes in the works? As already said previously, openssl is not affected by this. kurt
