On Mon, 2022-12-05 at 16:14 -0800, Benjamin Kaduk via openssl-users
wrote:
> On Mon, Dec 05, 2022 at 11:31:18AM -0800, Thomas Dwyer III wrote:
> > Why does EVP_get_digestbyname("md4") return non-NULL if the legacy
> > provider
> > isn't loaded? Similarly, why does it return non-NULL for "md5"
> > a
On Mon, Dec 05, 2022 at 11:31:18AM -0800, Thomas Dwyer III wrote:
> Why does EVP_get_digestbyname("md4") return non-NULL if the legacy provider
> isn't loaded? Similarly, why does it return non-NULL for "md5" after doing
> EVP_set_default_properties(NULL, "fips=yes")? This seems unintuitive. Legacy
Why does EVP_get_digestbyname("md4") return non-NULL if the legacy
provider isn't loaded? Similarly, why does it return non-NULL for "md5"
after doing EVP_set_default_properties(NULL, "fips=yes")? This seems
unintuitive. Legacy code that does not know about EVP_MD_fetch() checks
the return valu
On Fri, 2022-09-02 at 00:22 +, Wall, Stephen wrote:
> > A compromised server could easily still request the client
> > certificate, no?
> > But as noted, even a compromised server can ask for client
> > credentials and then
>
> Yes, that's true. If the intruder knew to do so. Also, a thief c
> > It is not clear what threat model warrants taking special action when
> > the client certificate is not requested. It could equally be
> > requested and then largely ignored.
>
> A client in a highly secured network knows that every server it connects to
> will
> require a client certificate
_
From: Ramaiah, Ravichandran Bagalur
Sent: Wednesday, June 29, 2022 12:55 PM
To: Matt Caswell ; openssl-users@openssl.org
Subject: RE: [EXTERNAL] Re: SSL error (78c0100): malloc failure while
implementing tls 1.3
Hi Matt,
Below is the error I got
Hi Matt,
Below is the error I got when I printed using ERR_error_string().
error:078C0100:common libcrypto routines::malloc failure
Any pointers on this?
Regards,
Ravi
-Original Message-
From: Matt Caswell
Sent: Tuesday, June 21, 2022 4:25 PM
To: Ramaiah, Ravichandran Bagalur ; opens
On 23/03/2022 18:08, Helde, Paavo wrote:
Great! That does suggest an unknown bug exists in master though...
If you can manage it would be useful for us if you tried the latest master version of
OpenSSL with the "no-asm" config option. My guess is new assembler code might
be the cause of thi
> Great! That does suggest an unknown bug exists in master though...
>
>If you can manage it would be useful for us if you tried the latest master
>version of OpenSSL with the "no-asm" config option. My guess is new assembler
>code might be the cause of this. If turning off assembler resolves the
On 23/03/2022 14:00, Helde, Paavo wrote:
- I notice that you are using the latest master version 3.1.0-dev. The master
branch is where all dev work goes on and consequently may be unstable. You
might be better off using the latest 3.0 stable version, i.e. 3.0.2
Thanks Matt, downgrading to
> Some things you could try:
> - Do you have an alternative compiler you could use? If its a compiler bug
> then swapping to a different compiler might resolve it
Compiler is regular gcc 10.2.1.
> - I notice that you are using the latest master version 3.1.0-dev. The master
> branch is where al
On 23/03/2022 12:39, Helde, Paavo via openssl-users wrote:
It would be interesting to see what output you get from s_client when you use the
"-trace" argument.
Also, is this TLSv1.3 specific? If you add the argument "-no_tls1_3" to
s_client does it start working?
Thanks for looking into th
> It would be interesting to see what output you get from s_client when you use
> the "-trace" argument.
> Also, is this TLSv1.3 specific? If you add the argument "-no_tls1_3" to
> s_client does it start working?
Thanks for looking into this! I paste the outputs here. With -no_tls1_3 it goes
fu
>
> From: Tomas Mraz
> Sent: Friday, March 4, 2022 3:24 PM
> To: Srinivas, Saketh (c)
> Cc: openssl-users
> Subject: Re: [EXTERNAL] Re: bignum to evp key
> This is for some kind of artificial example code, isn't it? Because
> in
> a real world application of a DH/EC
This is for some kind of artificial example code, isn't it? Because in
a real world application of a DH/ECDH key exchange you will always have
a private key for the local peer and a public key for the remote peer.
To transfer the public key to the remote side you will need to somehow
encode it. Ei
i am using openssl 3.0
From: openssl-users on behalf of Matt
Caswell
Sent: Tuesday, February 15, 2022 6:45 PM
To: openssl-users@openssl.org
Subject: [EXTERNAL] Re: need some help with the block size value
On 15/02/2022 12:13, Srinivas, Saketh (c) wrote:
> Hi,
Shane Lontis suggested this:
/Don't return 0 during the Corruption phase unless you are trying to
deliberately make it fail./
//
/OSSL_PROVIDER_self_test() can be used to run the self tests on demand./
//
Dr Paul Dale
On 11/2/22 17:23, Gahlot, Ashish Kumar wrote:
Hi,
Thanks Pau
Shane, any thoughts?
Pauli
On 11/2/22 5:23 pm, Gahlot, Ashish Kumar wrote:
Hi,
Thanks Pauli, the API worked but also I have a callback defined as
below which is failing at corrupt phase:
int SelfTestCb(const OSSL_PARAM params[], void *arg)
{
int ret = 0;
const OSSL_PARAM *p = N
Hi,
Thanks Pauli, the API worked but also I have a callback defined as below which
is failing at corrupt phase:
int SelfTestCb(const OSSL_PARAM params[], void *arg)
{
int ret = 0;
const OSSL_PARAM *p = NULL;
const char *phase = NULL;
const char *type = NULL;
const char *desc
The returned value should be just passed to OSSL_PROVIDER_unload() when
you're no longer using the provider.
Tomas
On Thu, 2022-02-10 at 11:03 +, Srinivas, Saketh (c) wrote:
> do you have an example how to set it. It seems the function returns
> OSSL_PROVIDER. what/where do i set this return
Hi Matt,
I'm able resolve for AES and DES errors, I replaced with function but few
parameter are filled with NULL, please suggest its correct way of doing
The below is the actual source code I'm trying to change
https://github.com/digsrc/wpa_supplicant/blob/master/src/crypto/crypto_openssl.c
tr
On 01/12/2021 13:11, Shivakumar Poojari wrote:
Hi Matt,
your suggestion was very helpful, with your help I moved little forward
and blocked again.
Below code snippet I'm working on,
PEM_read_bio_DHparams and PEM_read_bio_DSAparams reading DH params and
DSA params separately, how do I read
Hi Matt,
your suggestion was very helpful, with your help I moved little forward and
blocked again.
Below code snippet I'm working on,
PEM_read_bio_DHparams and PEM_read_bio_DSAparams reading DH params and DSA
params separately, how do I read separately with PEM_read_bio_Parameters_ex.
or
Can
.html
Matt
Please let me know the Openssl 3.0 API's for the same.
Thanks and Regards,
Sunil
-Original Message-
From: Matt Caswell
Sent: Monday, October 25, 2021 3:03 PM
To: Paramashivaiah, Sunil ;
openssl-users@openssl.org
Cc: Kumar Mishra, Sanjeev
Subject: Re: [EXTERNAL]
rom: Matt Caswell
Sent: Monday, October 25, 2021 3:03 PM
To: Paramashivaiah, Sunil ;
openssl-users@openssl.org
Cc: Kumar Mishra, Sanjeev
Subject: Re: [EXTERNAL] Re: Need Help for Code Changes to Upgrade from OpenSSL
1.0.2 to 3.0
Caveat: I've not tested or compiled the following...but so
Caveat: I've not tested or compiled the following...but something like this:
if (EVP_PKEY_is_a(evpKey, "RSA)) {
keysz = EVP_PKEY_get_bits(evpKey) / 8;
/* some code */
} else if (EVP_PKEY_is_a(evpKey, "EC")) {
char *name;
size_t namesize;
if (!EVP_PKEY_get_utf8_string_param(pk
Hi Matt,
Thanks for the reply. I need to replace the below code.
int keysz,ecGrpId;
switch(evpKey->type)
{
case NID_rsaEncryption:
{
if(evpKey->pkey.rsa)
{
ify_cb = X509_STORE_get_verify_cb(ctx);
Thanks
Shiva kumar
From: Matt Caswell
Sent: Friday, October 8, 2021 8:41 PM
To: Shivakumar Poojari ; openssl-users@openssl.org
Cc: Paramashivaiah, Sunil ; Kumar Mishra,
Sanjeev ; Bhattacharjee, Debapriyo (c)
Subject: Re: [EXTERN
On 08/10/2021 11:07, Shivakumar Poojari wrote:
HI Matt,
For below error i tried your suggestion but return type are different,
so facing issue in replacing, remaining suggestion are worked absolutely
fine
error: invalid use of incomplete type 'X509_STORE_CTX' {aka 'struct
x509_store_ctx_
HI Matt,
For below error i tried your suggestion but return type are different, so
facing issue in replacing, remaining suggestion are worked absolutely fine
>
> error: invalid use of incomplete type 'X509_STORE_CTX' {aka 'struct
> x509_store_ctx_st'}
> ok = ctx->verify_cb(0, ctx);
X50
The functions I suggested support both IPv4 and IPv6. For example in the
BIO_lookup() call the 4th parameter would be AF_INET for IPv4 and
AF_INET6 for IPv6.
Matt
On 07/10/2021 08:18, Shivakumar Poojari wrote:
Hi Matt,
The steps suggested are similarly to the deprecated function so simply
I
Hi Matt,
The steps suggested are similarly to the deprecated function so simply I used
the same code in static function, But i need support for IPV6 as well in the
same function
The function needs to have compatibility to support for both ipv6 and ipv4, do
we have any new function to support b
Thanks Matt!!
your suggestions are very helpful.
From: Matt Caswell
Sent: Tuesday, October 5, 2021 1:20 PM
To: Shivakumar Poojari ; openssl-users@openssl.org
Cc: Paramashivaiah, Sunil ; Kumar Mishra,
Sanjeev ; Bhattacharjee, Debapriyo (c)
Subject: [EXTERNAL]
Hi jordan,
I sent one mail previously with same subject around Thu 9/23/2021 5:50 PM(IST)
But not received any respond back, usually I use to get response with in 12hr.
Hi all
Im not able to find any replacement for BIO_get_port(), BIO_get_host_ip()
In stack overflow i seen some suggestion
htt
Thanks Matt!
From: openssl-users on behalf of Matt
Caswell
Sent: Monday, September 20, 2021 7:43 PM
To: openssl-users@openssl.org
Subject: [EXTERNAL] Re:
On 20/09/2021 14:59, Shivakumar Poojari wrote:
> But how do i manage "f" paramater which is highlighted
t;> https://github.com/openssl/openssl/blob/master/providers/legacyprov.c
>>>>
>>>> Matt
>>>>
>>>> On 15/09/2021 13:26, Petr Gotthard wrote:
>>>>> Shiva,
>>>>> you may also have a look at
>>>>> thehttps://gith
Sent: Wednesday, September 15, 2021 2:18 PM
To: Shivakumar
Poojari;openssl-users@openssl.org
Cc: Paramashivaiah, Sunil;
Bhattacharjee, Debapriyo (c)
Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
I am sorry but as I said providers are not a direct replacement for
EN
(as far as I know) the most simple provider implementation available.
Petr
-Original Message-
From: openssl-users On Behalf Of Tomas Mraz
Sent: Wednesday, September 15, 2021 2:18 PM
To: Shivakumar Poojari;openssl-users@openssl.org
Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo
(c)
Sub
sday, September 15, 2021 2:18 PM
>> To: Shivakumar Poojari ;
>> openssl-users@openssl.org
>> Cc: Paramashivaiah, Sunil ; Bhattacharjee,
>> Debapriyo (c)
>> Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
>>
>> I am sorry but as I said providers are no
priyo
(c)
Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
I am sorry but as I said providers are not a direct replacement for ENGINEs. It
is a completely different implementation of the same concept of pluggable
cryptographical modules for OpenSSL. You can look at the OpenSSL m
kumar Poojari ; openssl-users@openssl.org
Cc: Paramashivaiah, Sunil ; Bhattacharjee,
Debapriyo (c)
Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
I am sorry but as I said providers are not a direct replacement for ENGINEs. It
is a completely different implementation of the
I am sorry but as I said providers are not a direct replacement for
ENGINEs. It is a completely different implementation of the same
concept of pluggable cryptographical modules for OpenSSL. You can look
at the OpenSSL manual pages for the providers.
This is the starting point:
https://www.openssl
Hi Tomas,
As Engine function are deprecated I tried using providers
But how to use providers to get engine functionality tried in man pages
Some sample program will help, maybe some sample program will give the clear
idea how to use provider
Struggling in understand the providers
Please share
V Sat, Sep 11, 2021 at 09:43:56PM -0700, Erik Forsberg napsal(a):
Must be SPARC-specific, all tests pass on my x86/x64 Solaris 11.4 using latest
GCC (11.2)
according the latest buildbot results the tests pass
https://fips.buildbot.openssl.org/#/builders/45/builds/370/steps/5/logs/stdio
61
On 06/09/2021 12:02, Shivakumar Poojari wrote:
Hi
In the below C file, I'm trying to update eay_sterror(line:1352)
function to 3.0, In eay_sterror function deprecated functions are used
CRYPTO_thread_id()
ERR_get_error_line_data()
That function is only used for printing information.
L
Hi
In the below C file, I'm trying to update eay_sterror(line:1352) function to
3.0, In eay_sterror function deprecated functions are used
CRYPTO_thread_id()
ERR_get_error_line_data()
https://github.com/zoulasc/racoon2/blob/master/iked/crypto_openssl.c
[https://opengraph.githubassets.com/df8
> My latest attempt to code the below DER is this. It compiles, but the d2i
> segfaults on apparently the second element.
>
> Anything obviously wrong?
>
> typedef struct {
> ASN1_INTEGER *version;
> ASN1_INTEGER *serialNumber;
> X509_ALGOR *signature;
> X509_PUBKEY *key;
>
On 8/17/2021 12:57 PM, Sands, Daniel via openssl-users wrote:
Now I would like to do the other end, where I have der and I want to
parse back to the structure, using d2i()
1 - Is there a tutorial on this?
Seems like you don't need one. If you got i2d working you should have d2i
already!
I
> >> Now I would like to do the other end, where I have der and I want to
> >> parse back to the structure, using d2i()
> >>
> >> 1 - Is there a tutorial on this?
> >
> > Seems like you don't need one. If you got i2d working you should have d2i
> already!
> >
>
> I wasn't clear. The input and out
l Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Matt Caswell
> Sent: Thursday, July 1, 2021 9:40 AM
> To: openssl-users@openssl.org
> Subject: Re: [EXTERNAL] Re: GNU Make erroring on makefile
>
>
> On 01/07/2021 15:06, Joe Carro
Thanks Matt. That clears it up.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Matt Caswell
Sent: Thursday, July 1, 2021 9:40 AM
To: openssl-users@openssl.org
Subject: Re: [EXTERNAL] Re: GNU Make erroring on makefile
On 01/07/2021 15
On 01/07/2021 15:06, Joe Carroll wrote:
Windows 10
perl Configure VC-WIN64A
The VC-WIN64A target generates a Makefile suitable for consumption by
nmake. Hence its not possible to use GNU make with it.
It *is* possible to build for Windows using GNU make with a different
target however.
Windows 10
perl Configure VC-WIN64A
-Original Message-
From: Richard Levitte [mailto:levi...@openssl.org]
Sent: Thursday, July 1, 2021 8:25 AM
To: Joe Carroll
Cc: openssl-users@openssl.org
Subject: [EXTERNAL] Re: GNU Make erroring on makefile
How did you configure, and on what platfor
Thanks for the reply Michel! Looks like both SRP and PSK could co-exist on the
same context.
I also just got this to work. The only quirk that made this work is that I had
to set the maximum version of the TLS version to 1.2 from the client side via
SSL_CTX_set_max_proto_version. This was a pec
Thanks for the response Ben!
We are targeting TLS1.2. For testing, we have one server that has both
callbacks enabled. On the client side, we have two clients, 1 establishing SRP
connections with the usual calls (set_srp_username,set_srp_password) and it
works. The other client establishes conn
From: Narayana, Sunil Kumar
Sent: Thursday, December 17, 2020 8:17 AM
To: Sands, Daniel ; openssl-users@openssl.org
Subject: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0
Hi,
For the equivalent replacement of DH_compute_key in 3.0, we
tried to perform the steps suggeste
Hi Daniel,
Thanks we will try it out.
One more doubt regarding DH_generate_key, as per earlier suggestion we tried
following changes to replicate the generate key, but we observe that the out
put key is not matching with the one that is obtained by DH_generate_key() of
older ver
a, Sunil Kumar ; openssl-users@openssl.org
Subject: RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0
NOTICE: This email was received from an EXTERNAL sender
We do have generated the key using EVP_PKEY_gen as suggested in e
We do have generated the key using EVP_PKEY_gen as suggested in earlier emails,
but since this was a non-ephemeral and we wanted to store the key in "raw"
octet bytes, so we did extracted the whole DH priv/pub key pair out from the
key generated via EVP_PKEY_gen ( using as suggested…
EVP_PKEY
Viktor,
Thank you.
Yury
From: openssl-users on behalf of Viktor
Dukhovni
Sent: Tuesday, September 8, 2020 10:56 AM
To: openssl-users@openssl.org
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL
option
On Tue, Sep 08, 2020 at
On Tue, Sep 08, 2020 at 05:39:51PM +, Yury Mazin via openssl-users wrote:
> I have a question based on the response provided to me:
>
> My question is why following openssl commands (version 1.1.1f) return
> those TLSv1.3 ciphers as offering no authentication and no encryption?
It does not.
openssl-users@openssl.org
> Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl
> -cipher aNULL option
>
> On Fri, Sep 04, 2020 at 07:00:01PM +, Yury Mazin via openssl-
> users wrote:
>
> > Thank you Benjamin,
> >
> > According to OpenSSL
Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
From: Yury Mazin
Sent: Friday, September 4, 2020 12:43 PM
To: openssl-users@openssl.org
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL
optio
Viktor,
Thank you for clarifying it.
Yury
From: openssl-users on behalf of Viktor
Dukhovni
Sent: Friday, September 4, 2020 12:10 PM
To: openssl-users@openssl.org
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL
option
On Fri
On Fri, Sep 04, 2020 at 07:00:01PM +, Yury Mazin via openssl-users wrote:
> Thank you Benjamin,
>
> According to OpenSSL , aNULL stands for no-authentication.
Specifically, SSL 3.0 through TLS 1.2 ciphers in which the server and
client exchange no certificates, and the TLS handshake consists
Thank you Benjamin,
According to OpenSSL , aNULL stands for no-authentication.
NULL-ciphers that you mention would be part of eNULL group, that offer no
encryption.
Does it mean that all 3 default protocols of TLS 1.3 offer no authentication
(because they are listed under command
openssl ciphers
The key itself is good. Its encoding in the CSR isn't.
Looks like the public key was X9.62 encoded in its uncompressed form (i.e.
start with a 04 octet, and then the octets composing the x and y coordinates),
and then wrapped into an ASN.1 OCTET STRING (i.e. use the 04 tag, plus a 0x41
length, a
> The second certificate seems garbaged at the 4th RDN of the
> issuerName.
> The Base64 edition might have added or deleted some characters.
Sorry, looks like my manual word wrapping lost a character:
-BEGIN CERTIFICATE-
MIIHbDCCBVSgAwIBAgIIO7L2MrGOOTMwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNV
The second certificate seems garbaged at the 4th RDN of the issuerName.
The Base64 edition might have added or deleted some characters.
Cordialement,
Erwann Abalea
Le 25/06/2020 16:00, « openssl-users au nom de Angus Robertson - Magenta
Systems Ltd »
a écrit :
More information, the origi
On Wed, Apr 25, 2012, Spence, Thomas CIV USAF AFDW 844 CS/SCOX wrote:
> Million THANKS! I never knew about SNAP!
>
> Okay I did try 3 files:
>
> openssl-1.0.1-stable-SNAP-20120425.tar.gz (OpenSSL 1.0.1b-dev)
> openssl-1.0.2-stable-SNAP-20120425.tar.gz (OpenSSL 1.0.2-dev)
> openssl-SNAP-20120425
Million THANKS! I never knew about SNAP!
Okay I did try 3 files:
openssl-1.0.1-stable-SNAP-20120425.tar.gz (OpenSSL 1.0.1b-dev)
openssl-1.0.2-stable-SNAP-20120425.tar.gz (OpenSSL 1.0.2-dev)
openssl-SNAP-20120425.tar.gz (OpenSSL 1.1.0-dev)
They are perfect without any error...
I need to underst
71 matches
Mail list logo
