You could try calling fcloseall() before the exit() call.
Tomas Mraz, OpenSSL
On Wed, 2024-07-17 at 20:30 +0200, jean-frederic clere wrote:
> Hi,
>
> I have built with enable-unstable-qlog, but when I exit (via exit(1))
> the sqlog files are truncated:
>
Please update to 3.0.14. The change that most likely caused this
regression for you was reverted in that release by the following pull
request: https://github.com/openssl/openssl/pull/23063
Tomas Mraz, OpenSSL
On Wed, 2024-07-17 at 08:47 +0300, Victor Wagner wrote:
> On Tue, 16 Jul 2024 14:40
You should use some Key Derivation Function (KDF) to derive a key from
this shared secret. For example TLS-1.3 uses HKDF for that.
The best way would be to use TLS-1.3 (or some other standardized secure
protocol) directly instead of inventing and implementing your own
protocol though.
Tomas Mraz
Yes, they should search for TS_VERIFY_CTX_set_certs or
TS_VERIFY_CTX_set_flags (that would work for 1.1.1 as well).
Tomas Mraz, OpenSS
On Fri, 2024-06-28 at 20:04 +, BENTLEY Thom wrote:
>
>
>
> Does this Bing CoPilot response suggest that DCMTK’s CMake
> configuration shou
TS_VERIFY_CTX is an opaque structure since version 1.1.0. You may not
access its members directly. To set them you need to use the various
TS_VERIFY_CTX_set* functions.
If there are any particular accessors missing, please report that as a
bug to https://github.com/openssl/openssl
Tomas Mraz
You seem to have space instead of = between --openssldir and the path.
And yeah, try to experiment with the doublequotes if that does not
help. I do not know the exact rules for these in the Windows shell.
Tomas Mraz, OpenSSL
On Thu, 2024-06-27 at 17:46 +, BENTLEY Thom wrote
Hello,
you have to use "--openssldir=C:\OpenSSLInstallDir\CommonFiles\SSL"
Regards,
Tomas Mraz, OpenSSL
On Thu, 2024-06-27 at 16:50 +, BENTLEY Thom via openssl-users
wrote:
>
>
>
> Hi All,
>
> I get an error running `perl Configure --openssldir
> "
You need to do base64 decoding to find out the real size of the ASN.1
encoded data.
Tomas Mraz, OpenSSL
On Wed, 2024-06-19 at 14:58 +0530, Lokesh Chakka wrote:
> hi,
>
> please check the
.
Tomas Mraz, OpenSSL
On Wed, 2024-06-19 at 13:45 +0530, Lokesh Chakka wrote:
> hello,
>
> I'm trying to generate public/private keys with following commands:
>
> openssl ecparam -name secp256r1 -genkey -out pvtkey.pem
> openssl ec -in pvtkey.pem -pubout
>
> I'
They are there. Maybe you've looked too soon before the CDN caches were
synchronized.
On Tue, 2024-06-18 at 21:12 -0600, The Doctor via openssl-users wrote:
> Where are they?
--
Tomáš Mráz, OpenSSL
You can just test the HEAD commits in the respective branches (openssl-
3.0, openssl-3.1, openssl-3.2 and openssl-3.3) in git. The repository
will be frozen today afternoon so there should be no further changes
apart from eventual regression fixes and the release commits.
Regards,
Tomas Mraz
The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.3.1, 3.2.2, 3.1.6 and 3.0.14.
We will be also releasing extended support OpenSSL version
1.1.1y which will be available to premium support customers.
These releases will be made available on Tuesday 4th Jun
.3),
commit da343d06 (for 3.2), commit 9c39b385 (for 3.1) and commit 3559e868
(for 3.0) in the OpenSSL git repository.
OSSfuzz first detected and automatically reported this issue on 13th February
2024 using a fuzzer recently added to OpenSSL written by Kurt Roeckx. The fix
was developed by Tomas Mra
.3),
commit da343d06 (for 3.2), commit 9c39b385 (for 3.1) and commit 3559e868
(for 3.0) in the OpenSSL git repository.
OSSfuzz first detected and automatically reported this issue on 13th February
2024 using a fuzzer recently added to OpenSSL written by Kurt Roeckx. The fix
was developed by Tomas Mra
Thank you for the heads up. There was already a fix in
https://github.com/openssl/openssl/pull/24337 which is now merged to
the 3.3 branch.
Tomas Mraz, OpenSSL
On Mon, 2024-05-06 at 23:51 -0600, The Doctor via openssl-users wrote:
> On Mon, May 06, 2024 at 11:34:59PM -0600, The Doctor
On Mon, 2022-12-05 at 16:14 -0800, Benjamin Kaduk via openssl-users
wrote:
> On Mon, Dec 05, 2022 at 11:31:18AM -0800, Thomas Dwyer III wrote:
> > Why does EVP_get_digestbyname("md4") return non-NULL if the legacy
> > provider
> > isn't loaded? Similarly, why does it return non-NULL for "md5"
> > a
Hi,
there is an error in your code - see my comment below.
On Mon, 2022-12-05 at 08:45 +, Zhongyan Wang wrote:
...
> md = EVP_get_digestbyname(dgst);
> if (!md) {
> printf("Error EVP_get_digestbyname %s\n", dgst);
> goto err_exit;
> }
>
> in = BIO_new_file(d
That is the master branch CHANGES.md. It will be synced later.
For the 3.1 changes please look at the CHANGES.md in the openssl-3.1
branch and/or inside the alpha tarball.
Tomas
On Thu, 2022-12-01 at 15:15 +, Kenneth Goldman wrote:
> The changes show a jump from 3.0 to 3.2
>
> https://githu
Hmm, good point.
Though when migrating from 1.1.1 the 3.0 guide still applies and
migration from 3.0 to 3.1 should be just seamless.
Tomas
On Thu, 2022-12-01 at 09:40 -0500, Felipe Gasper wrote:
> AFAICT, the migration guide doesn’t actually seem to mention upgrades
> to 3.1.
>
> -FG
>
>
> >
On Fri, 2022-11-11 at 16:01 +0100, Jakob Bohm via openssl-users wrote:
> On 2022-11-06 23:14, raf via openssl-users wrote:
> > On Sat, Nov 05, 2022 at 02:22:55PM +, Michael Wojcik
> > wrote:
> >
> > > > From: openssl-users On
> > > > Behalf Of raf via
> > > > openssl-users
> > > > Sent: Frid
Red Hat backports security fixes to older versions so if you keep your
RHEL installation up-to-date with 'yum update' you should not need to
install newer upstream releases on the system.
Regards,
Tomas Mraz
On Tue, 2022-11-08 at 08:51 +0100, Matthias Apitz wrote:
> El día martes,
-8.6?
Tomas Mraz, OpenSSL
On Tue, 2022-11-08 at 07:17 +0100, Matthias Apitz wrote:
>
> Hello,
>
> We compile openssl 1.1.1l from the sources and run on RedHat 8.6 into
> the
> problem that the system shared lib /usr/lib64/libk5crypto.so.3 misses
> a
> symbol from openssl:
In general unless you've built and installed your own build of OpenSSL
you need to refer to the vendor of your operating system for patches.
In particular the openssl packages in CentOS 7.9 are not affected given
they are 1.0.2 version and not 3.0.x version.
Tomas Mraz, OpenSSL
On Wed, 20
No, long long and unsigned long long is required and it was required
for quite some time. The code is mostly C90 but not strictly.
I suppose on platforms with 64bit long type we could make it work
without long long though. Pull requests are welcome.
Tomas Mraz, OpenSSL
On Tue, 2022-11-01 at 22
Hi Mike,
the signing key is a sub key of the key listed on this web site:
https://www.openssl.org/community/otc.html
The primary key fingerprint is also mentioned at
https://github.com/openssl/openssl/blob/master/doc/fingerprints.txt
Regards,
Tomas Mraz, OpenSSL
On Tue, 2022-11-01 at 18:14
SHA3 low level implementation is used at various places. For
example there is also the SHAKE XOF hash function implementation which
uses the low level SHA3 routines. There is also an implementation of
the original Keccak algorithm in the master branch.
Tomas Mraz, OpenSSL
On Fri, 2022-10-21 at 11:33
the object database.
Tomas Mraz
On Sun, 2022-10-23 at 13:46 -0400, Martin via openssl-users wrote:
> Hi,
>
> How can I get the nid from the curve name for a EC key in OpenSSL 3?
> I’m porting code from OpenSSL 1.0.2.
>
> I’m converting this:
>
> ecc_curve_type =
need both openssl-3.0 and openssl-1.1.1 in your
system.
Tomas Mraz
On Thu, 2022-10-20 at 05:26 +, Gahlot, Ashish Kumar wrote:
> Hi everyone,
>
> I'm trying to enable fips provider in openssl3 by writing the
> following lines into openssl.cnf file:
>
> openssl_
releases as the existing SRP API continues to be
supported there.
Tomas Mraz, OpenSSL
On Mon, 2022-10-17 at 21:13 -0700, Norm Green wrote:
> I'm also interested in the answer to these questions regarding SRP
> in OpenSSL v3.
>
> Our project still uses OpenSSL v1.1.1 with plans t
> Thank you for your time and help.
>
> -Fernando Elena Benavente.
>
> -Original Message-
> From: Tomas Mraz
> Sent: Wednesday, October 12, 2022 11:15 AM
> To: Fernando Elena Benavente ;
> openssl-users@openssl.org
> Cc: Jorge Juan Tejero Fernández ;
> Alberto Sendino Ar
On Wed, 2022-10-12 at 11:02 +0200, Tomas Mraz wrote:
> On Tue, 2022-10-11 at 10:50 +, Fernando Elena Benavente wrote:
> > Hi guys, Im triying to use the EVP_MAC OpenSSL API with the
> > CMAC_AES256, I have been using some testing vectors I found on
> > github, but seems
On Tue, 2022-10-11 at 10:50 +, Fernando Elena Benavente wrote:
> Hi guys, Im triying to use the EVP_MAC OpenSSL API with the
> CMAC_AES256, I have been using some testing vectors I found on
> github, but seems they doesn’t work on the CMAC of OpenSSl, as the
> expected output of the test vect
k you
> Setsuo Imazu
>
> On 2022/10/05 15:36, Tomas Mraz wrote:
> > Hello,
> > most probably the key is stored in the OpenSSH private key format.
> > You'll need to use ssh-keygen -p -m PKCS8 to convert the key into a
> > format that OpenSSL can read.
>
Hello,
most probably the key is stored in the OpenSSH private key format.
You'll need to use ssh-keygen -p -m PKCS8 to convert the key into a
format that OpenSSL can read.
Tomas Mraz, OpenSSL
On Wed, 2022-10-05 at 15:00 +0900, Imazu Setsuo wrote:
> Hello.
>
> When I read the R
their refcount
dropped and they will be properly freed.
Tomas Mraz, OpenSSL
On Mon, 2022-10-03 at 09:35 -0700, Jay Foster wrote:
> Your response makes sense. I am a bit puzzled by the BIO reference
> counting. For example
>
> BIO_new() (or BIO_new_socket() which calls BIO_new
As I wrote before, there is no such function. There is only the
EVP_PKEY_get_size() which gives you the maximum length the encrypted
data can have for a given key.
If you do not know the length of the ciphertext for the
EVP_PKEY_decrypt() call, you can use the EVP_PKEY_get_size() value,
compare it
I am glad to hear that.
Regards,
Tomas Mraz, OpenSSL
On Fri, 2022-09-30 at 17:18 +, GonzalezVillalobos, Diego wrote:
> [AMD Official Use Only - General]
>
> Hello Tomas,
>
> There was a logic error in my code, I did not realize that the first
> iteration of the verificati
There is EVP_PKEY_get_size() function which will give you the maximum
length the encrypted data can have. Unfortunately it cannot give you
the exact length which might be smaller in some cases.
Tomas Mraz
On Thu, 2022-09-29 at 21:49 +, ANUJ SHARMA wrote:
> Hi,
> I am working on this fu
);
The SSL BIO should always have a next BIO if properly initialized.
Tomas Mraz, OpenSSL
On Thu, 2022-09-29 at 13:02 -0700, Jay Foster wrote:
> I have an application that constructs a chain of BIOs. Sometimes
> this
> chain also includes an SSL BIO. Years ago, I ran into a pro
;= 0){ // Calls SHA256_UPDATE
> cout << "updating digest fails" << endl;
> break;
> }
>
> int ret = EVP_DigestVerifyFinal(verify_md_ctx,
> der_sig, der_sig_len);
> if (
Hi,
comments below.
On Wed, 2022-09-28 at 22:12 +, GonzalezVillalobos, Diego wrote:
> [AMD Official Use Only - General]
>
> Hello Tomas,
>
> I generated the key as you suggested, and I am no longer getting an
> error message! Thank you for that. Here is how I'm generating the key
> now:
>
break;
> }
>
> if (EVP_DigestVerifyUpdate(verify_md_ctx, child_cert,
> pub_key_offset) <= 0){ // Calls SHA256_UPDATE
> cout << "updating digest fails" << endl;
> break;
> }
>
> int ret = EVP_DigestVerifyFinal(verify_md_ctx,
> signature, sig_len);
>
On Thu, 2022-09-08 at 16:10 +, GonzalezVillalobos, Diego via
openssl-users wrote:
> [AMD Official Use Only - General]
>
> Hello everyone,
>
> I am currently working on updating a signature verification function
> in C++ and I am a bit stuck. I am trying to replace the deprecated
> 1.1.1 func
On Tue, 2022-08-23 at 12:09 +, Jonathan Wernberg wrote:
> TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to
> read in an EC private key from raw format into an EVP_PKEY object
> ready to be used? What is the easiest way to convert an RSA public
> key from raw modulus and expo
Hi,
there is no way to do that with OpenSSL 1.1.0 and newer. The thing is
that with recent versions of OpenSSL the later operations with the
EVP_MD_CTX can fail for other reasons than memory allocation failure
such as algorithm unavailability from a provider. So you would need to
check anyway.
If
use
PEM_read_bio_Parameters().
Tomas Mraz
On Wed, 2022-07-13 at 16:35 +0200, Dirk Stöcker wrote:
> Hello,
>
> when upgrading to openssl3 my code states that some functions are
> deprecated in openssl 3, but even after reading documentation I was
> unable to find a non-depreca
A good starting point is to read the migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
Tomas Mraz, OpenSSL
On Tue, 2022-06-28 at 20:48 -0700, Pei JIA wrote:
> Actually, my question is quite general:
> It looks a lot of functions in **OpenSSL1.1.1**
On Tue, 2022-06-21 at 10:33 +, Tiwari, Hari Sahaya wrote:
> Hi,
> I need one clarification on routine SSL_CTX_free(). I see the memory
> is not freed even after calling this SSL_CTX_free().
>
> I have a simple test program, which just does SSL_CTX_new() and
> SSL_CTX_free().
>
> #include
>
This is a known issue:
https://github.com/openssl/openssl/issues/18456
You can just ignore the failure for now, it will be fixed in the next
release.
Tomas
On Fri, 2022-06-10 at 14:08 +0430, Mohammad Ghasemi wrote:
> I'm trying to build openssl 3 in Windows 10 using msvc 143
>
> Test Summary R
On Thu, 2022-06-09 at 13:14 +, Beilharz, Michael wrote:
> well, i use:
>
> pkcs12 -in "cert.p12" -clcerts -nokeys -out cert.PEM" -passin
> pass:
> pkcs12 -in "cert.p12" -nocerts -out tmpkey.PEM -passin pass: -
> passout pass:
Instead of this step you can just use:
pkcs12 -in "cert.p12" -noce
suggestions.
>
> Could it be an issue with openssl or with the compile ?
>
> Thanks,
> Minal
>
> On Thu, Jun 2, 2022 at 2:32 PM Tomas Mraz wrote:
> > This is crashing inside the getentropy call in glibc or the weak
> > symbol
> > binding does not work correctly for
0
That might help.
Regards,
Tomas Mraz
On Thu, 2022-06-02 at 12:49 +0530, Minal Patil wrote:
> here is the backtrace with debug.
> Program received signal SIGILL, Illegal instruction.
> 0x1004 in ?? ()
> Missing separate debuginfos, use: dnf debuginfo-install libgcc-8.3.1-
Can you please try to build the openssl with debug information (-d on
Configure command line)? To see whether the backtrace will contain more
information.
Tomas Mraz
On Thu, 2022-06-02 at 11:09 +0530, Minal Patil wrote:
> Hello All,
>
> I am trying to use RSA_generate_key_ex fu
On Sat, 2022-05-28 at 19:12 -0700, Kip Warner wrote:
> Hey list,
>
> I am in the process of porting some RSA related code that used
> OpenSSL
> 1.1.1 to the newer 3.0 API. A lot of the functions I was using are
> now
> deprecated. I've tried to follow the migration guide as best I can.
>
> Right
On Wed, 2022-05-18 at 16:37 -0500, Kevin R. Bulgrien wrote:
> > From: "Matt Caswell"
> > Subject: Re: openssl 1.1.1 minor patches to build on SCO OpenServer
> > 5.0.7
> >
> > Hi Kevin,
> >
> > The patch in s_socket.c is likely to be acceptable. It looks
> > reasonable
> > to me, it may well be
The EVP_CIPHER_CTX_set_padding(ctx, 0) must be called after the
EVP_CipherInit() to have an effect.
Also what is the AST_CRYPTO_AES_BLOCKSIZE value? Is it in bits (i.e,
128)?
Also res should be initialized to -1 so you do not return uninitialized
value on error.
Tomas Mraz
On Fri, 2022-05-13
Please look at
demos/signature/rsa_pss_direct.c
If you want to use the old PKCS1 v1.5 padding then just replace
RSA_PKCS1_PSS_PADDING with RSA_PKCS1_PADDING.
Tomas
On Thu, 2022-05-05 at 10:35 -0600, Philip Prindeville wrote:
> Bonjour. Et milles mercis.
>
> That was helpful.
>
> One more que
Fix is here:
https://github.com/openssl/openssl/pull/18247
On Thu, 2022-05-05 at 07:54 +0200, Tomas Mraz wrote:
> Yes, this is unfortunately a bug in 3.0.3 release. Calling
> OPENSSL_init_crypto should not be necessary.
>
> Tomas Mraz
>
> On Wed, 2022-05-04 at 21:58 +0200, K
Yes, this is unfortunately a bug in 3.0.3 release. Calling
OPENSSL_init_crypto should not be necessary.
Tomas Mraz
On Wed, 2022-05-04 at 21:58 +0200, Klaus Keppler wrote:
> Hello,
>
> yesterday we updated OpenSSL from 3.0.2 to 3.0.3, what made some of
> our
> unit tests crash.
&
compliant as the low-level API calls called from an
application are implemented by the libcrypto library and not the FIPS
provider.
Tomas Mraz, OpenSSL
On Tue, 2022-05-03 at 10:12 -0500, Joy Latten wrote:
> Hi,
> I understand that low-level APIs have been deprecated in version 3. I
> have bee
Maybe https://github.com/openssl/openssl/pull/18136 could help you?
Regards,
Tomas Mraz
On Thu, 2022-04-21 at 16:49 +, Gaurav Mittal11 wrote:
> I tried same commands and same setting with root access, seems like I
> pass that error.
> Can you help why its not giving any error and
and
certificate files.
Tomas Mraz
On Fri, 2022-04-01 at 18:14 +, vchiliquinga--- via openssl-users
wrote:
> Hello,
>
> Connection between a Openssl 3.0.2 server and a 1.1.1g client is
> proving to be unsuccessful.
>
> According to the logs collected we seem to be having a
The bio_st structure is private since 1.1.0 release. So one option is
to check if the OPENSSL_VERSION >= 0x1010
Tomas
On Fri, 2022-03-25 at 18:33 -0600, Philip Prindeville wrote:
> Hi,
>
> I was wondering if there was some sort of sentinel variable that
> tells us if is exporting access to
On Mon, 2022-03-28 at 09:24 +0300, Mib wrote:
> Hi, I am trying to create a ECC certificate with ecdsa_with_SHA3-512
> signature algorithm.
>
> But I am having the below issue When I try to verify it with the
> X509_Verify api.
> "error:068000C7:asn1 encoding routines::unknown signature algorithm
it.
Tomas Mraz
On Fri, 2022-03-25 at 09:54 +, Gaurav Mittal11 wrote:
> Hi,
>
> I have build and installed 1.0.2u version but when I have change
> below softlink point to 1.0.2u from 0.9.8, console from putty stopped
> connecting.
> This is something related to openssl.cnf or
On Thu, 2022-03-24 at 22:19 -0600, Philip Prindeville wrote:
> Hi,
>
> I'm incrementally trying to port asterisk to Openssl 3.0.
>
> First thing I'm trying to do is wean the code off of the RSA_*
> functions, and use generic EVP_PKEY_* functions instead.
>
> Most of it is fairly straightforward
On Fri, 2022-03-18 at 05:24 -0400, Michael Richardson wrote:
>
> Tomas Mraz wrote:
> >> Should the test *ALSO* ifdef itself out if OPENSSL_NO_DGRAM is
> >> defined?
>
> > No, that's not necessary as they won't be built at all with the
>
On Thu, 2022-03-17 at 10:17 -0400, Michael Richardson wrote:
>
> Tomas Mraz wrote:
> >> I figured out that this means that ./Configure should have
> "no-dgram"
> >> appended to it. That seems to result in OPENSSL_NO_DGRAM
> being
>
On Wed, 2022-03-16 at 16:20 -0400, Michael Richardson wrote:
>
> One of the run checkers is marked "no dgram".
>
> https://github.com/mcr/openssl/runs/5563998914?check_suite_focus=true
>
> I figured out that this means that ./Configure should have "no-dgram"
> appended to it. That seems to res
On Mon, 2022-03-14 at 08:58 -0300, Richard Dymond wrote:
> On Mon, 14 Mar 2022 at 04:52, Tomas Mraz wrote:
> > The DSA_SIG_* functions are not deprecated including the i2d and
> > d2i
> > functions. So you can use d2i_DSA_SIG to decode the DER produced by
> > the
&g
On Fri, 2022-03-11 at 15:21 -0400, Richard Dymond wrote:
> Hi
>
> I recently migrated an application from OpenSSL 1.1.1 to OpenSSL 3.0,
> and I'm wondering how best to handle DSA signatures - specifically,
> the 'r' and 's' values - in OpenSSL 3.0.
>
> In OpenSSL 1.1.1, it was pretty easy:
>
> D
Yes, this is a fully supported scenario.
You can even test it with the openssl s_server command - use -cert, -
key, and -cert_chain for the first certificate and -dcert, -dkey, and -
dcert_chain with the second one.
Tomas Mraz
On Fri, 2022-03-11 at 13:19 +, Kris Kwiatkowski wrote:
> He
ta on that key.
Tomas
On Fri, 2022-03-04 at 09:59 +, Srinivas, Saketh (c) wrote:
> I need to compute the shared key for DH. I have to extract public and
> private keys from evpkeypair. But the function EVP_PKEY_get_bn_param
> extracts as a big num. I need them as evp_pkey.
>
c key with domain
parameters.
Tomas Mraz
On Fri, 2022-03-04 at 09:43 +, Srinivas, Saketh (c) wrote:
> i need them to create ctx = EVP_PKEY_CTX_new(priv_key, NULL)
>
> and then add the peer to ctx as EVP_PKEY_derive_set_peer( ctx,
> pub_key )
>
> both should be evp_pkey for
There is no straightforward way to do that. What do you want to do with
the public and private EVP_PKEYs?
Tomas
On Fri, 2022-03-04 at 07:28 +, Srinivas, Saketh (c) wrote:
> HI,
>
> i have EvpKeyPair from GenerateEvpKeyPair(dh_p, dh_g, &pEvpKeyPair)
>
> How can I get the public key and priv
the standard. The problem is the non-compliant PKCS12KDF is basically
hardcoded in the PKCS12 standard as the KDF to generate the MAC key
from the password.
Tomas
> Thanks,
>
> Florin Spatar
>
> On 16.02.2022 17:25, Tomas Mraz wrote:
> > Yes, unfortunately PKCS12_parse curr
Yes, unfortunately PKCS12_parse currently does not support PKCS12 files
without the MAC. Such support could be easily added. As a workaround
you can look at how the pkcs12 application is implemented and use these
calls instead.
Regards,
Tomas Mraz, OpenSSL
On Wed, 2022-02-16 at 14:09 +
Please note that there are two checksums in the configuration file. One
of them is the FIPS module checksum and the other is the checksum of
the configuration. You can copy the file across machines if it is
without the configuration checksum - that means the selftest will be
always run when the FIP
On Fri, 2022-02-11 at 08:35 +, Kevin Millson wrote:
> Hello OpenSSL Users,
>
> I’m trying to use SHA1 message digest hashing in combination with the
> FIPS provider, but seem to be running into issues. My code looks like
> the following:
>
> EVP_PKEY* privateKey = getPrivateKey();
> EVP_MD_
i set this return value.
>
> thanks,
> Saketh.
> From: Tomas Mraz
> Sent: Wednesday, February 9, 2022 4:59 PM
> To: Srinivas, Saketh (c) ;
> openssl-users@openssl.org
> Subject: [EXTERNAL] Re: does Openssl 3.0 has backward compatiblity.
> The PKCS12 files use algorithms
The PKCS12 files use algorithms that are legacy, you need to load the
legacy and default provider to be able to load them. You can do that
either with configuration file (see man 5 config) or with
OSSL_PROVIDER_load() calls.
Regards,
Tomas
On Wed, 2022-02-09 at 11:11 +, Srinivas, Saketh (c) w
Hi,
is this with a 3.0 version? If so, the most probable cause is that the
pkcs12 file uses some legacy algorithms. You'll need to load the legacy
and default providers either by having them activated in the OpenSSL
configuration file or by explicitly loading them with
OSSL_PROVIDER_load() calls.
Yeah, you need to add the @SECLEVEL=0 in the cipher string to set the
security level to 0. That is needed to allow SHA1 in signatures which
is required for these TLS versions.
Tomas Mraz
On Thu, 2022-02-03 at 17:36 +1100, pa...@openssl.org wrote:
> It does support both. I thin
On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote:
> Hi,
> I successfully implemented OpenSSL v3 provider which provides store
> and keymgmt and I can use it to sign a cms with the following
> command:
>
> openssl cms -sign -signer myprov:cert=0014 -provider myprov -provider
> default
>
> Howev
On Wed, 2022-01-12 at 09:41 +0100, Milan Kaše wrote:
> By further comparing the scenario with the built-in file provider and
> my external provider I found that this has something to do with
> library contexts.
>
> When x509_pubkey_ex_d2i_ex tries to decode the certificate's public
> key it always
On Tue, 2022-01-11 at 10:15 +, Kumar Mishra, Sanjeev wrote:
> Hi,
> I am getting following linking Error for APIs "bn_get_words()" and
> "bn_get_top()" while compiling with OpenSSL 3.0. Although crypto/bn.h
> is included in file.
> Please help to resolve it.
> Regards,
> Sanjeev
These symbols
On Tue, 2022-01-04 at 19:25 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> > > But, considering that the man pages describe C API, wouldn't it
> > be
> > > nice to mention (even though it may be obvious that a number of
> > order
> > > 2^384 might not fit into 32 or even 64 bits) that the actual
On Tue, 2022-01-04 at 17:02 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> > > In other words, the man page says it's unsigned int, but in fact
> > it's
> > > BIGNUM? Because the pointer I gave was to "unsigned int", like
> > in the
> > > OP's code.
> >
> > The param is too big to fit into int
On Tue, 2022-01-04 at 16:46 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> On 1/4/22, 11:23, "Tomas Mraz" wrote:
>
> > > Theoretically, shouldn’t
> > >
> > > EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned
> > int)order)
>
On Tue, 2022-01-04 at 14:17 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> Now I became interested. ;-)
>
> Theoretically, shouldn’t
>
> EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned
> int)order)
>
> work? I verified that it does not seem to work, at least in the
> obvious context
On Tue, 2022-01-04 at 02:33 +0100, Wolf wrote:
> Thank you for the answer!
>
> On 2022-01-03 10:11:19 +0100, Tomas Mraz wrote:
> > You're using the secp384r1 curve which is a prime field curve. The
> > OSSL_PKEY_PARAM_EC_CHAR2_M parameter can be obtained only for
&
On Mon, 2022-01-03 at 01:51 +0100, Wolf wrote:
> Greetings,
>
> I'm trying to port my program to openssl 3.0 and in the process I
> need
> to replace EC_GROUP_get_degree(EC_KEY_get0_group(ec)) with something
> that is not deprecated. I'm trying to use EVP_PKEY_get_int_param with
> OSSL_PKEY_PARAM_
On Sun, 2021-12-12 at 00:39 +0200, Graham Leggett via openssl-users
wrote:
> Hi all,
>
> The ENGINE API is deprecated in favour of the new Provider API.
>
> What is the provider equivalent function that replaces
> ENGINE_load_private_key()?
One option would be for a provider to provide provider-
On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> On 11/9/21, 22:23, "Dr Paul Dale" wrote:
>
> > Currently I've no idea and can't reproduce locally :(
>
> Maybe you'd know how to force the "-engine rdrand" path through
> "openssl.cnf"?
>
> > A rogue configuration
On Fri, 2021-11-05 at 13:48 +, Jason Schultz wrote:
> For setting up the trusted store, when the application starts, it
> calls:
>
> ssl_trusted_certs = X509_STORE_new()
>
> ...and then reads all of the certificates in /etc/ssl/certs/ calling
> X509_STORE_add_cert(trusted_store,cert);
>
>
On Fri, 2021-11-05 at 13:04 +, Jason Schultz wrote:
> I know I've been raising a lot of issues this week, because of
> varying reasons, but I've hit another one that seems like either an
> OpenSSL problem, or something new/different I need to do with OpenSSL
> 3.0 in connection establishment.
>
On Wed, 2021-11-03 at 20:32 +, Jason Schultz wrote:
> 00B741558E7F:error:0308010C:digital envelope routines:(unknown
> function):unsupported:crypto/evp/evp_fetch.c:346:Global default
> library
> context, Algorithm (SHA1 : 96), Properties ()
The "Global default library context" hints at wha
On Tue, 2021-11-02 at 11:42 +0700, Alex Dankow wrote:
> Matt,
>
> Thank you very much for your response. I understand that the FIPS
> certified OpenSSL module is long awaited and the team was quite
> limited in time to complete all features.
> I tried Windows certificates +Openssl because it impl
On Sat, 2021-10-23 at 11:04 +0700, Alex Dankow wrote:
> Hi OpenSSL users and its glorious developers,
>
> Thank you very much for OpenSSL 3!
>
> My question is about writing a provider. I decided to start from a
> Windows certificate storage provider. It already works with "openssl
> storeutl" c
On Thu, 2021-10-14 at 17:36 -0400, Ken Goldman wrote:
> On 10/14/2021 6:39 AM, Matt Caswell wrote:
> >
> > "priv" (OSSL_PKEY_PARAM_PRIV_KEY)
> >
> > The private key value.
> >
> > Since its an integer using EVP_PKEY_get_bn_param() would be
> > appropriate here, but not EVP_PKEY_get_octet_string
1 - 100 of 184 matches
Mail list logo
