Re: openssl-users Digest, Vol 95, Issue 27

2022-10-23 Thread rsbecker
--Randall S. Becker Nexbridge Inc. Original message From: רונן לוי Date: 2022-10-23 09:26 (GMT-05:00) To: openssl-users@openssl.org, Michael Wojcik Subject: Re: openssl-users Digest, Vol 95, Issue 27 Subject: Porting OpenSSL to vxWorks (using cygwin) Hi Michael, - Why are you

Re: openssl-users Digest, Vol 95, Issue 27

2022-10-23 Thread רונן לוי
u can reach the person managing the list at > openssl-users-ow...@openssl.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > >1. RE: openssl-users D

Re: openssl-users Digest, Vol 95, Issue 27

2022-10-21 Thread רונן לוי
eplying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > >1. RE: openssl-users Digest, Vol 95, Issue 24 (Michael Wojcik) >2. OpenSSL 1.1.1 Windows dependencies (David Harris) >3.

RE: openssl-users Digest, Vol 95, Issue 24

2022-10-19 Thread Michael Wojcik via openssl-users
> From: openssl-users On Behalf Of ??? > Sent: Tuesday, 18 October, 2022 11:58 > I have downloaded perl strawberry, but I have no clue how to get rid of the > built-in perl that comes in cygwin, and point cygwin to use the strawberry > perl. You don't have to remove the Cygwin version of p

Re: openssl-users Digest, Vol 95, Issue 24

2022-10-18 Thread רונן לוי
I have downloaded perl strawberry, but I have no clue how to get rid of the built-in perl that comes in cygwin, and point cygwin to use the strawberry perl. Need Assistance! On Tue, 18 Oct 2022 at 0:49, <openssl-users-requ...@openssl.org> wrote: > Send openssl-users mailing list submi

Re: openssl-users Digest, Vol 88, Issue 18

2022-03-14 Thread Viktor Dukhovni
On Mon, Mar 14, 2022 at 12:47:26PM -0700, Edward Tsang via openssl-users wrote: > I guess I need to explicitly set X509_STORE_CTX_set_error(ctx, > X509_V_OK) before return 1 in the example if I need caller > SSL_get_verify_result to return X509_V_OK? Yes, but I'd like to strongly suggest that thi

Re: openssl-users Digest, Vol 88, Issue 18

2022-03-14 Thread Edward Tsang via openssl-users
I was hoping to tolerate some error "for now" and flag it and continue the whole process (complete the handshake and treat the ssl connection as "pass"). So for my case long res = SSL_get_verify_result( sslCtx ) from caller should return X509_V_OK. I guess I need to explicitly set X509_STORE_CTX_se

Re: [openssl-users] Verifying Android hardware attestation certificates with OpenSSL

2021-07-22 Thread Philip Prindeville
Did you ever get to the root of this? -Philip > On Oct 30, 2018, at 5:52 PM, Pietu Pohjalainen wrote: > > Dear all, > > I have been trying to verify hardware attestation certificates originating > from different Android phones with the OpenSSL tool. There seems to be not > too much informat

Re: openssl-users Digest, Vol 77, Issue 36

2021-04-21 Thread κîηğ ròóτ‹¹‹
2021-04-22 1:08 GMT+03:00, openssl-users-requ...@openssl.org : > Send openssl-users mailing list submissions to > openssl-users@openssl.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mta.openssl.org/mailman/listinfo/openssl-users > or, via email, send

RE: openssl-users Digest, Vol 77, Issue 6

2021-04-06 Thread Vishwanath Mahajanshetty
openssl-users@openssl.org Subject: RE: openssl-users Digest, Vol 77, Issue 6 > It isn't possible to do what you are wanting. RAND_METHOD replaces the RNG > everywhere. It cannot be done on a per thread process. Well, technically it *is* possible.

RE: openssl-users Digest, Vol 77, Issue 6

2021-04-05 Thread Dr. Matthias St. Pierre
, April 5, 2021 3:18 AM To: openssl-users@openssl.org Subject: Re: openssl-users Digest, Vol 77, Issue 6 Vishwanath, It isn't possible to do what you are wanting. RAND_METHOD replaces the RNG everywhere. It cannot be done on a per thread process. Pauli On 4/4/21 9:55 pm, Vishwana

Re: openssl-users Digest, Vol 77, Issue 6

2021-04-04 Thread Dr Paul Dale
"Re: Contents of openssl-users digest..." Today's Topics: 1. Re: openssl-users Digest, Vol 77, Issue 4 (Dr Paul Dale) -- Message: 1 Date: Sat, 3 Apr 2021 18:48:48 +1000 From: Dr Paul Dale To: openssl-users@openssl.org

RE: openssl-users Digest, Vol 77, Issue 6

2021-04-04 Thread Vishwanath Mahajanshetty
than "Re: Contents of openssl-users digest..." Today's Topics: 1. Re: openssl-users Digest, Vol 77, Issue 4 (Dr Paul Dale) -- Message: 1 Date: Sat, 3 Apr 2021 18:48:48 +1000 From: Dr Paul Dale To: openssl-u

Re: openssl-users Digest, Vol 77, Issue 4

2021-04-03 Thread Dr Paul Dale
I would be **very** concerned about bypassing a blocking RAND.  It is almost certainly blocking because it does not have enough randomness to satisfy your request.  By skipping this, you are likely getting poor quality random values and this can effectively negate any security you are gaining f

RE: openssl-users Digest, Vol 77, Issue 4

2021-04-03 Thread Vishwanath Mahajanshetty
Thank You Paul and Matthias for your help. The reason I am trying to have separate RAND_METHOD for two threads is, the first thread which runs DNS bind code registers for RAND_METHOD through dnssec module in it. It registers via either ENGINE_set_default_RAND() or RAND_set_rand_method() based o

Re: openssl-users Digest, Vol 73, Issue 29

2021-01-01 Thread 定平袁
@Jochen Bern Thanks for your reply! I didn't describe the problem clearly due to lack of tls domain knowledge. Now I know my cert is self-signed end entity cert, and the statement I found on openssl website does not apply to me. The behavior is similar (Actually not the same, since my two certs ha

RE: openssl-users Digest, Vol 73, Issue 29

2020-12-28 Thread Michael Wojcik
> From: openssl-users On Behalf Of Jochen > Bern > Sent: Friday, 25 December, 2020 03:37 I believe David von Oheimb has already provided a solution for the original problem in this thread (setting subjectKeyIdentifier and authorityKeyIdentifer lets OpenSSL pick the right certificate from the tr

Re: openssl-users Digest, Vol 73, Issue 29

2020-12-25 Thread Jochen Bern
On 25.12.20 00:35, openssl-users-requ...@openssl.org digested: > Message: 3 > Date: Fri, 25 Dec 2020 07:35:40 +0800 > From: ??? > > @Jochen actually, the certs have different SN, which indeed is not > consistent with the man doc. ... how so? Different certs having different SNs is what is suppos

Re: openssl-users Digest, Vol 69, Issue 7

2020-08-10 Thread Rakesh Parihar
Hi Mark, Thanks for your response. Let me check with the details you provided. Rakesh Parihar Sr. Software Engineer rakesh.pari...@encora.com Ahmedabad, IN encora.com

Re: [openssl-users] 'openssl ca -serial' command line always exit with error 1 ?

2020-04-28 Thread tincanteksup
Hi Michael, On 28/04/2020 15:21, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of tincanteksup Sent: Tuesday, April 28, 2020 07:02 [tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf -keyfile private/ca.key -cert ca.crt

RE: [openssl-users] 'openssl ca -serial' command line always exit with error 1 ?

2020-04-28 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > tincanteksup > Sent: Tuesday, April 28, 2020 07:02 > [tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf > -keyfile private/ca.key -cert ca.crt -status $serial_number > > [tct@arch-hyv-live-64

Re: openssl-users Digest, Vol 63, Issue 35

2020-02-21 Thread Clay Shields
Thank you! That was the issue. Clay > On Feb 21, 2020, at 7:54 AM, openssl-users-requ...@openssl.org wrote: > > Message: 5 > Date: Fri, 21 Feb 2020 22:51:51 +1000 > From: Dr Paul Dale > To: openssl-users > Subject: Re: CRYPTO_secure_malloc_init() fails without error message > Message-ID: <900

Re: openssl-users Digest, Vol 63, Issue 19

2020-02-12 Thread Abid Butt
plz how can automatically recover this problem On Wed, 12 Feb 2020, 14:59 , wrote: > Send openssl-users mailing list submissions to > openssl-users@openssl.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mta.openssl.org/mailman/listinfo/openssl-users >

Re: [openssl-users] issue with EVP_EncryptUpdate in XTS mode?

2019-10-01 Thread Matt Caswell
On 25/01/2019 20:16, Andrew Tucker wrote: > I was doing some comparisons of XTS and GCM mode using the EVP APIs and found > a > discrepancy that seems to be an issue with XTS. > > In GCM mode if the buffer is encrypted in one call to EVP_EncryptUpdate or > with > several calls with smaller bu

Re: [openssl-users] [openssl-project] OpenSSL 3.0 and FIPS Update

2019-02-19 Thread Walter Paley
Thanks for the speculation on validated platforms, Mark. Please be careful about using this resource as a medium for self-promotion. - Walt Walter Paley w...@safelogic.com SafeLogic - FIPS 140-2 Simplified

Re: openssl-users: DKIM, DMARC and all that jazz, and what it means to us

2019-02-19 Thread Richard Levitte
On Mon, 18 Feb 2019 22:51:09 +0100, Jakob Bohm wrote: > Having a DMARC record without DKIM signatures (including DKIM > signing mails relayed with openssl.org as From: address) is either > an RFC violation or very close to one. I suspected that. We're not quite ready for full blown DKIM yet, so I

Re: [openssl-users] Comments on the recent OpenSSL 3.0.0 specification

2019-02-18 Thread Jakob Bohm via openssl-users
(Resend from correct account) On 15/02/2019 18:35, Salz, Rich via openssl-users wrote: (as for "possibly not the FIPS provider", that's exactly right. That one *will* be a loadable module and nothing else, and will only be validated as such... meaning that no one can stop you from hacking around

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-18 Thread J Decker
On Mon, Feb 18, 2019 at 2:18 PM Jakob Bohm via openssl-users < openssl-users@openssl.org> wrote: > On 17/02/2019 14:26, Matt Caswell wrote: > > On 16/02/2019 05:04, Sam Roberts wrote: > >> On Fri, Feb 15, 2019 at 3:35 PM Matt Caswell wrote: > >>> On 15/02/2019 20:32, Viktor Dukhovni wrote: >

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-18 Thread Jakob Bohm via openssl-users
On 17/02/2019 14:26, Matt Caswell wrote: On 16/02/2019 05:04, Sam Roberts wrote: On Fri, Feb 15, 2019 at 3:35 PM Matt Caswell wrote: On 15/02/2019 20:32, Viktor Dukhovni wrote: On Feb 15, 2019, at 12:11 PM, Sam Roberts wrote: OpenSSL could delay the actual shutdown until we're about to retu

Re: openssl-users: DKIM, DMARC and all that jazz, and what it means to us

2019-02-18 Thread Jakob Bohm via openssl-users
On 16/02/2019 00:02, Richard Levitte wrote: On Fri, 15 Feb 2019 18:33:30 +0100, Lewis Rosenthal wrote: ... I strongly encourage you to re-think this. Everyone else on this list whose server has been properly configured to not trash legitimate messages must now be inconvenienced by the needs of

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-17 Thread Matt Caswell
On 16/02/2019 05:04, Sam Roberts wrote: > On Fri, Feb 15, 2019 at 3:35 PM Matt Caswell wrote: >> On 15/02/2019 20:32, Viktor Dukhovni wrote: On Feb 15, 2019, at 12:11 PM, Sam Roberts wrote: >>> OpenSSL could delay the actual shutdown until we're about to return >>> from the SSL_accept() t

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-15 Thread Sam Roberts
On Fri, Feb 15, 2019 at 3:35 PM Matt Caswell wrote: > On 15/02/2019 20:32, Viktor Dukhovni wrote: > >> On Feb 15, 2019, at 12:11 PM, Sam Roberts wrote: > > OpenSSL could delay the actual shutdown until we're about to return > > from the SSL_accept() that invoked the callback. That is SSL_shutdow

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-15 Thread Matt Caswell
On 15/02/2019 20:32, Viktor Dukhovni wrote: >> On Feb 15, 2019, at 12:11 PM, Sam Roberts wrote: >> >> In particular, I'm getting a close_notify alert, followed by two >> NewSessionTickets from the server. >> >> The does SSL_read()/SSL_get_error(), it is returning >> SSL_ERROR_ZERO_RETURN, so I

Re: openssl-users: DKIM, DMARC and all that jazz, and what it means to us

2019-02-15 Thread Richard Levitte
On Fri, 15 Feb 2019 18:33:30 +0100, Lewis Rosenthal wrote: > > Hi, Richard... > > I'm not going to place my reply after Jakob's, as his makes a number > of excellent points, with many of which I wholeheartedly agree (I'm > not big on DKIM and DMARC, myself). However, a few points specific to > th

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-15 Thread Viktor Dukhovni
> On Feb 15, 2019, at 12:11 PM, Sam Roberts wrote: > > In particular, I'm getting a close_notify alert, followed by two > NewSessionTickets from the server. > > The does SSL_read()/SSL_get_error(), it is returning > SSL_ERROR_ZERO_RETURN, so I stop calling SSL_read(). > > However, that means th

Re: openssl-users: DKIM, DMARC and all that jazz, and what it means to us

2019-02-15 Thread Richard Levitte
I did re-enable everyone that had [B] (for bounce) as reason for not receiving mail, but I may have gotten one or two that were disabled by choice. Sorry about that... Cheers Richard Richard Weinberger wrote: (15 February 2019 18:46:14 CET) >Am Freitag, 15. Februar 2019, 16:03:42 CET schrieb

Re: openssl-users: DKIM, DMARC and all that jazz, and what it means to us

2019-02-15 Thread Richard Weinberger
On Friday, 15 February 2019, 16:03:42 CET, Richard Levitte wrote: > So, to mitigate the problem, we've removed all extra decoration of the > messages, i.e. the list footer that's usually added and the subject > tag that indicates what list this is (I added the "openssl-users:" > that you see manu

Re: openssl-users: DKIM, DMARC and all that jazz, and what it means to us

2019-02-15 Thread Lewis Rosenthal
Hi, Richard... I'm not going to place my reply after Jakob's, as his makes a number of excellent points, with many of which I wholeheartedly agree (I'm not big on DKIM and DMARC, myself). However, a few points specific to the case at hand, if I may: Richard Levitte wrote: Hi all, It seems l

Re: [openssl-users] Comments on the recent OpenSSL 3.0.0 specification (Monday 2019-02-11)

2019-02-15 Thread Salz, Rich via openssl-users
>(as for "possibly not the FIPS provider", that's exactly right. That one *will* be a loadable module and nothing else, and will only be validated as such... meaning that noone can stop you from hacking around and have it linked in statically, but that would make it invalid re

Re: [openssl-users] Comments on the recent OpenSSL 3.0.0 specification (Monday 2019-02-11)

2019-02-15 Thread Jakob Bohm via openssl-users
On 15/02/2019 12:23, Matt Caswell wrote: On 15/02/2019 03:55, Jakob Bohm via openssl-users wrote: These comments are on the version of the specification released on Monday 2019-02-11 at https://www.openssl.org/docs/OpenSSL300Design.html General notes on this release: - The release was not ann

Re: [openssl-users] [openssl-project] OpenSSL 3.0 and FIPS Update

2019-02-15 Thread Mark Minnoch
Responding to some earlier questions: > Can you give any guidance on which platforms will be validated with the OpenSSL FIPS 3.0 module? My recollection is that it will only be a handful of platforms. I would expect the number of platforms to be small. The wonderful 5 sponsors of the FIPS projec

Re: openssl-users: DKIM, DMARC and all that jazz, and what it means to us

2019-02-15 Thread Jakob Bohm via openssl-users
On 15/02/2019 16:03, Richard Levitte wrote: Hi all, It seems like DMARC, SPF, DKIM, or *something* is tripping us up quite a bit. Earlier this afternoon (that's what it is in Sweden at least), us postmasters got a deluge of bounce reports from mailman, basically telling us that it got something

Re: [openssl-users] Comments on the recent OpenSSL 3.0.0 specification (Monday 2019-02-11)

2019-02-15 Thread Tomas Mraz
On Fri, 2019-02-15 at 11:23 +, Matt Caswell wrote: > > On 15/02/2019 03:55, Jakob Bohm via openssl-users wrote: > > yout - but this is useful input. > > > > > FIPS-specific issues: > > > > - The checksum of the FIPS DLL should be compiled into the FIPS- > > capable OpenSSL library, since a

Re: [openssl-users] Comments on the recent OpenSSL 3.0.0 specification (Monday 2019-02-11)

2019-02-15 Thread Matt Caswell
On 15/02/2019 03:55, Jakob Bohm via openssl-users wrote: > These comments are on the version of the specification released on > Monday 2019-02-11 at https://www.openssl.org/docs/OpenSSL300Design.html > > General notes on this release: > > - The release was not announced on the openssl-users and

Re: [openssl-users] Comments on the recent OpenSSL 3.0.0 specification (Monday 2019-02-11)

2019-02-15 Thread Richard Levitte
Note: these are my personal answers. I'm sure (and hope) that others in our team will chip in (and possibly disagree with me) On Fri, 15 Feb 2019 04:55:38 +0100, Jakob Bohm wrote: > > These comments are on the version of the specification released on > Monday 2019-02-11 at https://www.openssl.org

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-15 Thread Matt Caswell
On 14/02/2019 22:51, Sam Roberts wrote: > In particular, I'm getting a close_notify alert, followed by two > NewSessionTickets from the server. This sounds like a bug somewhere. Once you have close_notify you shouldn't expect anything else. Is that an OpenSSL server? Matt -- openssl-users mai

Re: [openssl-users] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Salz, Rich via openssl-users
>Yes - I do expect you to be able to build just the validated source independently of the rest of the tarball so that you could (for example) run the latest main OpenSSL version but with an older module. Which means that this doesn't have to happen in the first release since there

Re: [openssl-users] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Salz, Rich via openssl-users
>Integrity of validated source code when other parts of the tarball get regular changes? The design doc, just recently published, talks about this a bit. Not all details are known yet. >Building the validated source code in a controlled environment separate from the full tar

Re: [openssl-users] [openssl-project] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Zeke Evans
Can you give any guidance on which platforms will be validated with the OpenSSL FIPS 3.0 module? My recollection is that it will only be a handful of platforms. It would be helpful to have an idea which platforms will and will not be included. Any additional information about how other platfo

Re: [openssl-users] Questions about Ciphers

2019-02-14 Thread Matt Caswell
On 14/02/2019 16:42, Patrice Guérin wrote: > Hello, > > I have two questions : > > * I use OBJ_NAME_do_all_sorted() with  OBJ_NAME_TYPE_CIPHER_METH to get the > list of supported cipher methods > Is there a difference between lowercase and uppercase names ? > I've noticed that som

Re: [openssl-users] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Ludwig, Mark
anks, Mark Ludwig -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm via openssl-users Sent: Thursday, February 14, 2019 10:34 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] OpenSSL 3.0 and FIPS Update On 13/02/2019 2

Re: [openssl-users] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Matt Caswell
On 14/02/2019 16:34, Jakob Bohm via openssl-users wrote: > On 13/02/2019 20:12, Matt Caswell wrote: >> >> On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote: >>> On 13/02/2019 12:26, Matt Caswell wrote: Please see my blog post for an OpenSSL 3.0 and FIPS Update: https://www.op

Re: [openssl-users] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Jakob Bohm via openssl-users
On 13/02/2019 20:12, Matt Caswell wrote: On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote: On 13/02/2019 12:26, Matt Caswell wrote: Please see my blog post for an OpenSSL 3.0 and FIPS Update: https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/ Matt Given this announcement, a fe

Re: [openssl-users] [openssl-project] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Matt Caswell
On 13/02/2019 20:28, Michael Richardson wrote: > > Matt Caswell wrote: > > Please see my blog post for an OpenSSL 3.0 and FIPS Update: > > > https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/ > > Thank you, it is very useful to have these plans made up front. > I think your po

Re: [openssl-users] [openssl-project] OpenSSL 3.0 and FIPS Update

2019-02-13 Thread Michael Richardson
Matt Caswell wrote: > Please see my blog post for an OpenSSL 3.0 and FIPS Update: > https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/ Thank you, it is very useful to have these plans made up front. I think your posts should probably explain what happened to 2.x, and if this repr

Re: [openssl-users] OpenSSL 3.0 and FIPS Update

2019-02-13 Thread Matt Caswell
On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote: > On 13/02/2019 12:26, Matt Caswell wrote: >> Please see my blog post for an OpenSSL 3.0 and FIPS Update: >> >> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/ >> >> Matt > > Given this announcement, a few questions arise: > > -

Re: [openssl-users] OpenSSL 3.0 and FIPS Update

2019-02-13 Thread Jakob Bohm via openssl-users
On 13/02/2019 12:26, Matt Caswell wrote: Please see my blog post for an OpenSSL 3.0 and FIPS Update: https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/ Matt Given this announcement, a few questions arise: - How will a FIPS provider in the main tarball ensure compliance  with the stric

Re: [openssl-users] FIPS Module for OpenSSL 1.1.1

2019-02-13 Thread Matt Caswell
of Paul > Dale > > *Sent:* Wednesday, February 13, 2019 1:24 AM > *To:* openssl-users@openssl.org > *Subject:* Re: [openssl-users] FIPS Module for OpenSSL 1.1.1 >   > > The answer hasn’t changed: there is no firm date. > > Progress is being made however. > >

Re: [openssl-users] FIPS Module for OpenSSL 1.1.1

2019-02-13 Thread Jason Schultz
From: openssl-users on behalf of Paul Dale Sent: Wednesday, February 13, 2019 1:24 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] FIPS Module for OpenSSL 1.1.1 The answer hasn’t changed: there is no firm date. Progress is being made however. Pauli -- Oracle Dr Paul

Re: [openssl-users] Man page suggestion - SSL_get_verify_result

2019-02-13 Thread Matt Caswell
On 12/02/2019 22:29, Hal Murray wrote: > Is there a better place for things like this? > > Please add X509_verify_cert_error_string to the SEE ALSO section of the man > page for SSL_get_verify_result Please raise an issue on github for this sort of thing. Even better create a pull request. M

Re: [openssl-users] FIPS Module for OpenSSL 1.1.1

2019-02-12 Thread Paul Dale
The answer hasn't changed: there is no firm date. Progress is being made however. Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia From: Jason Schultz [mailto:jetso...@hotmail.com] Sent: Wednesday, 13 February 20

Re: [openssl-users] Multiplexing TLS / non-TLS connections on a single socket

2019-02-12 Thread Viktor Dukhovni
On Tue, Feb 12, 2019 at 11:22:47PM +0100, Jakob Bohm via openssl-users wrote: > At least in older versions of OpenSSL, you could create a custom BIO > that buffers the socket data and lets you look at it before passing > it to the SSL/TLS layer or directly to your code according to the > contents.

Re: [openssl-users] Multiplexing TLS / non-TLS connections on a single socket

2019-02-12 Thread Jakob Bohm via openssl-users
On 12/02/2019 21:23, Paul Smith wrote: Hi all. We have a service that currently implements a home-grown secure connection model based on SRP using AES as the cipher. We want to add support for TLS 1.2/1.3 as well, but we have to maintain backward- compatibility. Our app is in C++ and using Ope

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-11 Thread Scott Neugroschl
Hi Rajinder, Have you tried the “socket_transport_name_set” call in your main program? ScottN From: openssl-users On Behalf Of Rajinder Pal Singh Sent: Friday, February 08, 2019 12:54 PM To: m...@foocrypt.net Cc: openssl-users Subject: Re: [openssl-users] How to use a specific ip interface

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-09 Thread Rajinder Pal Singh
Thanks Mark. Will definitely try this. Appreciate your help. Will keep you posted. Regards. On Sat, Feb 9, 2019, 8:45 AM open...@foocrypt.net HI Rajinder > > Perhaps a tunnel may help ? > > Have a look at man -s ssh, check out binding to interfaces and setting up > a tunnel from one Nic through

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-09 Thread Kyle Hamilton
It appears you could create() a socket, bind() it to the interface you want to use, possibly connect() it, and then pass it to either BIO_s_connect() or BIO_s_socket() depending on which meets your needs. -Kyle H On Sat, Feb 9, 2019 at 7:21 AM Rajinder Pal Singh wrote: > > Thanks Mark for the pr

Re: [openssl-users] how is it possible to confirm that a TLS ticket was used?

2019-02-09 Thread Sam Roberts
On Wed, Feb 6, 2019 at 1:01 PM Viktor Dukhovni wrote: > On Tue, Feb 05, 2019 at 02:43:03PM -0800, Sam Roberts wrote: > Your ticket rotation approach looks a bit fragile. I agree, though perhaps I should not have described what was happening as rotation. The test that was failing with TLS1.3 was o

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-09 Thread open...@foocrypt.net
HI Rajinder Perhaps a tunnel may help ? Have a look at man -s ssh, check out binding to interfaces and setting up a tunnel from one Nic through to your endpoint. Have a look at nectar or nc as its called these days for listening on the endpoint of the tunnel as your basic http 1.1 server, and

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-08 Thread Rajinder Pal Singh
Thanks Mark for the prompt reply. Absolutely makes sense. Actually, I am on Nonstop HPE servers. There are no internal routing tables or so to say static routes. Environment is different from unix/linux. From Application perspective, we choose what ip interface to use. Wondering if we can force

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-08 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Viktor Dukhovni > Sent: Friday, February 08, 2019 13:00 > > > On Feb 8, 2019, at 12:55 PM, Michael Wojcik > wrote: > > > > For IPv4: Create your socket, bind it to the local interface you want to > use (specifying a po

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-08 Thread open...@foocrypt.net
Hi Rajinder There shouldn’t be any issues depending on how your host OS is performing the routing to the network the SSL/TLS endpoint is on. Try a traceroute to the IP to see where it goes, and a telnet IP 80 or 443 to make sure you can connect to the web server. — Regards, Mark A. Lane >

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-08 Thread Viktor Dukhovni
> On Feb 8, 2019, at 12:55 PM, Michael Wojcik > wrote: > > For IPv4: Create your socket, bind it to the local interface you want to use > (specifying a port of 0 if you want an ephemeral port assigned as in the > usual case), then connect to the peer. You'll probably want to enable > SO_REUSE

Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-08 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Rajinder Pal Singh > Sent: Friday, February 08, 2019 12:20 > I want to use a specific ip interface (out of several available ethernet > interfaces available > on my server) to test TLS/SSL connectivity to a remote se

Re: [openssl-users] Adding custom OBJ identifiers

2019-02-06 Thread Hubert Kario
On Monday, 4 February 2019 16:56:56 CET Dmitry Belyavsky wrote: > Dear Hubert, > > On Mon, Feb 4, 2019 at 6:52 PM Hubert Kario wrote: > > On Thursday, 31 January 2019 11:09:00 CET Dmitry Belyavsky wrote: > > > Hello, > > > > > > What is best practice to add own object identifiers to the > > > >

Re: [openssl-users] how is it possible to confirm that a TLS ticket was used?

2019-02-05 Thread Viktor Dukhovni
On Tue, Feb 05, 2019 at 02:43:03PM -0800, Sam Roberts wrote: > I tracked down my problem, it's due to a change in the relative order > of handshake completion (as detected by the info callback, anyhow), > and the callback to SSL_CTX_set_tlsext_ticket_key_cb(). > > With TLS1.2, I can rotate ticket

Re: [openssl-users] how is it possible to confirm that a TLS ticket was used?

2019-02-05 Thread Sam Roberts
I tracked down my problem, it's due to a change in the relative order of handshake completion (as detected by the info callback, anyhow), and the callback to SSL_CTX_set_tlsext_ticket_key_cb(). With TLS1.2, I can rotate ticket keys on the server when the handshake completes, and they will only appl

Re: [openssl-users] how is it possible to confirm that a TLS ticket was used?

2019-02-05 Thread Viktor Dukhovni
> On Feb 5, 2019, at 10:41 AM, Sam Roberts wrote: > >> However, because in TLS 1.3, session >> tickets are sent *after* the completion of the handshake, it is >> possible that the session handle you're saving is the one that does >> not yet have any associated tickets, because they've not yet bee

Re: [openssl-users] how is it possible to confirm that a TLS ticket was used?

2019-02-05 Thread Sam Roberts
On Mon, Feb 4, 2019 at 9:46 PM Viktor Dukhovni wrote: > On Mon, Feb 04, 2019 at 03:54:48PM -0800, Sam Roberts wrote: > However, because in TLS 1.3, session > tickets are sent *after* the completion of the handshake, it is > possible that the session handle you're saving is the one that does > not

Re: [openssl-users] how is it possible to confirm that a TLS ticket was used?

2019-02-05 Thread Matt Caswell
On 04/02/2019 23:54, Sam Roberts wrote: > And is it possible that this is different for TLS1.2 and 1.3? > > Using TLS1.3, SSL_session_reused() is always returning false, I'm not > sure if that's because I'm doing something else wrong, and the ticket > is not being accepted and a full handshake

Re: [openssl-users] how is it possible to confirm that a TLS ticket was used?

2019-02-04 Thread Viktor Dukhovni
On Mon, Feb 04, 2019 at 03:54:48PM -0800, Sam Roberts wrote: > And is it possible that this is different for TLS1.2 and 1.3? The resumption API is the same. However, because in TLS 1.3, session tickets are sent *after* the completion of the handshake, it is possible that the session handle you'r

Re: [openssl-users] Adding custom OBJ identifiers

2019-02-04 Thread Dmitry Belyavsky
Dear Hubert, On Mon, Feb 4, 2019 at 6:52 PM Hubert Kario wrote: > On Thursday, 31 January 2019 11:09:00 CET Dmitry Belyavsky wrote: > > Hello, > > > > What is best practice to add own object identifiers to the > crypto/objects/* > > files? > > > > It's not a problem to add all the necessary stri

Re: [openssl-users] Adding custom OBJ identifiers

2019-02-04 Thread Hubert Kario
On Thursday, 31 January 2019 11:09:00 CET Dmitry Belyavsky wrote: > Hello, > > What is best practice to add own object identifiers to the crypto/objects/* > files? > > It's not a problem to add all the necessary strings to the > crypto/objects/objects.txt file and invoke 'make generate_crypto_obj

Re: [openssl-users] Some documentation about key derivation and block padding

2019-02-04 Thread Alexis BRENON @OpenSSL
Hi all, So, I found some hints on stack overflow (https://stackoverflow.com/questions/6772465/is-there-any-c-api-in-openssl-to-derive-a-key-from-given-string) and an implementation with pyCrypto (https://gist.github.com/mimoo/11383475). I still can't get the expected results but these raise some q

Re: [openssl-users] Smartcard cert used for encrypt\decrypt

2019-01-31 Thread Blumenthal, Uri - 0553 - MITLL
On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" wrote: > Does anybody know how to use the smartcard to encrypt and decrypt files? Smartcard performs public-key crypto operations, which aren't suitable for bulk processing, such as file encryption/decryption. In general,

Re: [openssl-users] Smartcard cert used for encrypt\decrypt

2019-01-31 Thread Antonio Iacono
> Does anybody know how to use the smartcard to encrypt and decrypt files? Hi Boyd, there are many ways to encrypt/decrypt with a smartcard, but since you wrote to the OpenSSL list I will answer how to do it with OpenSSL. In the meantime you need two other pieces of software, in addition to openssl, the engin

Re: [openssl-users] Smartcard cert used for encrypt\decrypt

2019-01-31 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Boyd Ako > Sent: Wednesday, January 30, 2019 18:08 > Does anybody know how to use the smartcard to encrypt and decrypt files? This may depend somewhat on the type of smartcard. While PKCS#11 is a standard, there are

Re: [openssl-users] is the openssl wiki down for maintenance, or is something broken?

2019-01-30 Thread Matt Caswell
On 30/01/2019 21:21, Sam Roberts wrote: > https://wiki.openssl.org/index.php/TLS1.3 > > is returning > > ``` > Sorry! This site is experiencing technical difficulties. > Try waiting a few minutes and reloading. > > (Cannot access the database) > ``` > Something was broken. Fixed now. Matt

Re: [openssl-users] EVP_Encrypt/EVP_Decrypt input/output buffers requirements

2019-01-30 Thread Patrice Guérin
Hello Matt, Thank you very much. Patrice. Matt Caswell wrote: On 30/01/2019 09:45, Patrice Guérin wrote: Hello to all, Documentation does not provide input/output buffers requirements for encryption/decryption, so is it safe to submit the same buffer (ie, input=output) for these operatio

Re: [openssl-users] OpenSSL 1.1.1 Support for DH Ciphers?

2019-01-30 Thread Jakob Bohm via openssl-users
On 30/01/2019 00:11, Kurt Roeckx wrote: On Tue, Jan 29, 2019 at 02:42:48PM -0500, Viktor Dukhovni wrote: On Jan 29, 2019, at 2:23 PM, Rich Fought wrote: The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers are supported: TLS1.0: DH-RSA-AES128-SHA DH-RSA-AES256-SHA The

Re: [openssl-users] EVP_Encrypt/EVP_Decrypt input/output buffers requirements

2019-01-30 Thread Matt Caswell
On 30/01/2019 09:45, Patrice Guérin wrote: > Hello to all, > > Documentation does not provide input/output buffers requirements for > encryption/decryption, so > is it safe to submit the same buffer (ie, input=output) for these operations ? > If not, what is the minimum distance 'd' required (in

Re: [openssl-users] OpenSSL 1.1.1 Support for DH Ciphers?

2019-01-29 Thread Kurt Roeckx
On Tue, Jan 29, 2019 at 02:42:48PM -0500, Viktor Dukhovni wrote: > > On Jan 29, 2019, at 2:23 PM, Rich Fought wrote: > > > > The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers > > are supported: > > > > TLS1.0: > > DH-RSA-AES128-SHA > > DH-RSA-AES256-SHA > > The static

Re: [openssl-users] OpenSSL 1.1.1 Support for DH Ciphers?

2019-01-29 Thread Viktor Dukhovni
> On Jan 29, 2019, at 2:23 PM, Rich Fought wrote: > > The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers > are supported: > > TLS1.0: > DH-RSA-AES128-SHA > DH-RSA-AES256-SHA The static DH and ECDH ciphers have been removed. > TLS1.2: > DH-RSA-AES128-SHA256 > DH-RSA-AE

Re: [openssl-users] issue with EVP_EncryptUpdate in XTS mode?

2019-01-28 Thread Andrew Tucker
Thanks for the feedback Matt. I definitely missed this difference between XTS and GCM and didn't realize one supports "streaming" and one doesn't. For our application we only ever call EncryptUpdate once so XTS works well but it's great to understand the limitations and make sure future changes don't

Re: [openssl-users] RSA Digital Signing

2019-01-28 Thread Matt Caswell
On 27/01/2019 17:43, prithiraj das wrote: > Hi All, > > Using OpenSSL, I need to implement digital signing. My approach as of now is: > 1)  At the sender side, generate the hash of the data using sha256. > 2)  Encrypt the hash of the data using RSA Private key for the purpose of > signing. Send

Re: [openssl-users] RSA Digital Signing

2019-01-27 Thread Viktor Dukhovni
> On Jan 27, 2019, at 12:43 PM, prithiraj das wrote: > > Using OpenSSL, I need to implement digital signing. My approach as of now is: > 1) At the sender side, generate the hash of the data using sha256. > 2) Encrypt the hash of the data using RSA Private key for the purpose of > signing. Send

Re: [openssl-users] issue with EVP_EncryptUpdate in XTS mode?

2019-01-25 Thread Matt Caswell
On 25/01/2019 20:16, Andrew Tucker wrote: > I was doing some comparisons of XTS and GCM mode using the EVP APIs and found > a > discrepancy that seems to be an issue with XTS. > > In GCM mode if the buffer is encrypted in one call to EVP_EncryptUpdate or > with > several calls with smaller buf

Re: [openssl-users] SSL_read() returns -1, and SSL_read_ex does not update readbytes where a record containing a session ticket is being read (TLS 1.3)

2019-01-25 Thread Kurt Roeckx
On Thu, Jan 24, 2019 at 11:09:40PM +0700, Arran Cudbard-Bell wrote: > We could use this to determine what SSL_ERROR_WANT_READ is indicating. As it > seems SSL_ERROR_WANT_READ could indicate two conditions in this scenario: > > 1) No pending bytes - Additional handshake messages were processed,

Re: [openssl-users] decrypt error

2019-01-25 Thread Scharfenberg, Carsten
uftrag von Jakob Bohm via openssl-users Gesendet: Freitag, 25. Januar 2019 02:17 An: openssl-users@openssl.org Betreff: Re: [openssl-users] decrypt error Since this seems to be a certificate issue, would it be possible to make the server log all the certificate checking steps and errors with t

Re: [openssl-users] decrypt error

2019-01-24 Thread Jakob Bohm via openssl-users
Since this seems to be a certificate issue, would it be possible to make the server log all the certificate checking steps and errors with the failing certificates. One obvious test would be to try connecting to the "openssl s_server" utility with a similar configuration and lots of debug options
