OpenSSL 3 support for status_request_v2

Hi, I have a requirement to support the TLS status_request_v2 extension for TLS 1.2 (rfc6961) using OpenSSL 3.x... Looking at the API I've successfully used SSL_CTX_add_custom_ext() to add the extension to the client hello, my server code is also picking this and generating the extension i

Re: Setting a group to an existing EVP_PKEY in OpenSSL 3

On 25/10/2022 00:21, Kory Hamzeh wrote: I haven’t done exactly what you are trying, but something similar.  See EVP_PKEY_set_params: https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_set_params.html The specific parm to

RE: Setting a group to an existing EVP_PKEY in OpenSSL 3

up, curve_name); } else { // error } Martin From: Kory Hamzeh Sent: Monday, October 24, 2022 7:22 PM To: amar...@xtec.com Cc: openssl-users@openssl.org Subject: Re: Setting a group to an existing EVP_PKEY in OpenSSL 3 I haven’t done exactly what you are trying, but something sim

Re: Setting a group to an existing EVP_PKEY in OpenSSL 3

n via openssl-users > wrote: > > Hi, > > How can I set a GROUP to an existing EC type EVP_PKEY in OpenSSL 3? > > In 1.0.2 I was using this code having the EC_KEY: > > EC_KEY_set_group(eckey, EC_GROUP_new_by_curve_name(nid)); > > In OpenSSL 3 still EC_G

Setting a group to an existing EVP_PKEY in OpenSSL 3

Hi, How can I set a GROUP to an existing EC type EVP_PKEY in OpenSSL 3? In 1.0.2 I was using this code having the EC_KEY: EC_KEY_set_group(eckey, EC_GROUP_new_by_curve_name(nid)); In OpenSSL 3 still EC_GROUP_new_by_curve_name(nid) can be used, but I don't know how to go from

Re: OpenSSL 3 ECC Key use question

the object database. Tomas Mraz On Sun, 2022-10-23 at 13:46 -0400, Martin via openssl-users wrote: > Hi, >   > How can I get the nid from the curve name for a EC key in OpenSSL 3? > I’m porting code from OpenSSL 1.0.2. >   > I’m converting this: >   > ecc_curve_type =

OpenSSL 3 ECC Key use question

Hi, How can I get the nid from the curve name for a EC key in OpenSSL 3? I'm porting code from OpenSSL 1.0.2. I'm converting this: ecc_curve_type = EC_GROUP_get_curve_name(EC_KEY_get0_group((const EC_KEY *)eckey)); if(ecc_curve_type == NID_undef)

OpenSSL-3 ENGINESDIR development vs deployment

Background, earlier versions of my project were using OpenSSL 1.n.n, the output stayed within it's checkout directory, and the .DLLs deployed to where-ever the project was deployed. Now trying to implement OpenSSL 3, after compiling it seems to be keep referring to the directories i

Re: Loading raw EC and RSA keys with OpenSSL 3

Tomas Mraz wrote: > Jonathan Wernberg wrote: >> Hi openssl-users mailing list. >> >> We are having some troubles converting some code from OpenSSL 1.x to >> OpenSSL 3.x APIs, to get rid of deprecation warnings, and hope >> someone may be able to give us

Re: Loading raw EC and RSA keys with OpenSSL 3

On Tue, 2022-08-23 at 12:09 +, Jonathan Wernberg wrote: > TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to > read in an EC private key from raw format into an EVP_PKEY object > ready to be used? What is the easiest way to convert an RSA public > key from raw

Loading raw EC and RSA keys with OpenSSL 3

TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to read in an EC private key from raw format into an EVP_PKEY object ready to be used? What is the easiest way to convert an RSA public key from raw modulus and exponent components to proper DER encoded SubjectPublicKeyInfo data

Re: DH parameter reading in OPENSSL 3

On Wed, Jul 13, 2022 at 06:45:48PM +0200, Dirk Stöcker wrote: > The openssl documentation may be logical for someone who knows all the > parts and how they work together, but for everybody else it's a large > glob of isolated files which you simply can't bring together. You have > pages which so

Re: DH parameter reading in OPENSSL 3

Hello, The work-around is to put the DH parameters first. That would mean changing external interface of the software which I don't like much. Otherwise, you'd need to resort to the more general OSSL_STORE API, which loads objects of various types, and you can then ignore the ones you don

Re: DH parameter reading in OPENSSL 3

On Wed, Jul 13, 2022 at 06:47:15PM +0200, Dirk Stöcker wrote: > > https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L148-L205 > > Thanks a lot. Works in principle now with one exception. The previous > approach worked for a file, where first comes the PEM certificate and

Re: DH parameter reading in OPENSSL 3

Hello, https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L148-L205 Thanks a lot. Works in principle now with one exception. The previous approach worked for a file, where first comes the PEM certificate and afterwards the DH params. The new approach only works when th

Re: DH parameter reading in OPENSSL 3

examples I used actually are correct and not written by somebody who also doesn't understand it. I already looked for more than 4 hours at openssl 3 documentation and wasn't able to find the correct approach even after trying lot's of variants of the functions which Viktor sho

Re: DH parameter reading in OPENSSL 3

use PEM_read_bio_Parameters(). Tomas Mraz On Wed, 2022-07-13 at 16:35 +0200, Dirk Stöcker wrote: > Hello, > > when upgrading to openssl3 my code states that some functions are > deprecated in openssl 3, but even after reading documentation I was > unable to find a non-depreca

Re: DH parameter reading in OPENSSL 3

On Wed, Jul 13, 2022 at 04:35:42PM +0200, Dirk Stöcker wrote: > when upgrading to openssl3 my code states that some functions are > deprecated in openssl 3, but even after reading documentation I was > unable to find a non-deprecated replacement. https://github.com/vdukhovni/pos

DH parameter reading in OPENSSL 3

Hello, when upgrading to openssl3 my code states that some functions are deprecated in openssl 3, but even after reading documentation I was unable to find a non-deprecated replacement. Task is to read DH parameters in PEM format from a file and use them for the current "context"

Re: OpenSSL 3 PKCS#11 Provider

Dear Timo, I'm aware of Simo Sorce (in CC) efforts in this area: https://github.com/simo5/libp11/tree/ossl3provider On Tue, Jun 28, 2022 at 7:45 AM Timo Teras wrote: > Hi all, > > I am looking into implementing an OpenSSL 3 PKCS#11 Provider. Similar > to libp11 engine, but t

OpenSSL 3 PKCS#11 Provider

Hi all, I am looking into implementing an OpenSSL 3 PKCS#11 Provider. Similar to libp11 engine, but targetting the new OpenSSL 3 APIs. Are any of you aware of any such existing work/project? Or if someone is interested in helping in any way (coding, testing, documenting, etc.) feel free to

Re: OpenSSL 3 HTTP client C++ example?

&& echo ok Regards, David On 20.06.22 10:54, Benedikt Hallinger wrote: Hi there, I currently try to get my hands dirty with C++ and the new HTTPs client introduced with OpenSSL 3. However I struggle to get started. My goal is to open a https secured website and download its cont

Re: OpenSSL 3 HTTP client C++ example?

expected. > > Meanwhile I got it working - see the example attached. > > > > Example build and usage: > > > > gcc http_client.c -Iinclude -L. -lcrypto -lssl -o http_client > > > > ./http_client https://httpbin.org/ &&; echo ok > > > > R

Re: OpenSSL 3 HTTP client C++ example?

in apps/lib/apps.c, but it turns out that the adaptation of app_http_get_asn1() and app_http_tls_cb() for receiving plain text (rather than ASN.1 encoded data) from the server is not straightforward because OSSL_HTTP_get() may close the SSL read BIO prematurely. Also the behavior of non-blocking

OpenSSL 3 HTTP_Open client C++ example?

Hi there, I currently try to get my hands dirty with C++ and the new HTTPs client introduced with OpenSSL 3. However I struggle to get started. My goal is to open a https secured website and download its contents into a std::string for further parsing. Does someone on the list know of a

Problem Compiling Fetchmail 7 with Openssl 3

I am trying to compile fetchmail 7 (which requires Openssl 3) on my CentOS 7 system. I installed Openssl 3 from source and it seems to be working as expected. However, when I try to compile fetchmail 7 it fails with these errors: undefined reference to `OpenSSL_version' undefined referen

Intel CET in OpenSSL 3.x and VIA C3 Nehemiah - Illegal instruction

Hi folks, Not sure if this is intended behaviour or not... The use of Intel Control-flow Enforcement Technology (CET) in OpenSSL 3.0.2 is giving me issues on a VIA C3 Nehemiah based system. Turns out that while the VIA C3 Nehemiah is a i686 class x86 processor, it does not implement all the nop o

Re: Mac OS X and openssl 3

>> Just wondering if Apple OS is compatible with OPenssl 3 . >> > >MacOS should work just fine with OpenSSL 3.0. At least master is >regularly tested, e.g. > >https://github.com/openssl/openssl/runs/6151999376?check_suite_focus=true It works fine

Re: Mac OS X and openssl 3

On 24/04/2022 00:13, The Doctor via openssl-users wrote: Just wondering if Apple OS is compatible with OPenssl 3 . MacOS should work just fine with OpenSSL 3.0. At least master is regularly tested, e.g. https://github.com/openssl/openssl/runs/6151999376?check_suite_focus=true Matt

Mac OS X and openssl 3

Just wondering if Apple OS is compatible with OPenssl 3 . -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOT

Re: Static OpenSSL 3 library with FIPS

was a deliberate day 1 design decision. Matt -Original Message- *From*: Matt Caswell <mailto:matt%20caswell%20%3cm...@openssl.org%3e>> *To*: openssl-users@openssl.org <mailto:openssl-users@openssl.org> *Subject*: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS *Date*: F

RE: Static OpenSSL 3 library with FIPS

%3cm...@openssl.org%3e>> To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS Date: Fri, 25 Mar 2022 20:22:02 + On 25/03/2022 18:33, Paul Spencer wrote: Q: Is it possible to have a static (.a) OpenSSL 3 libra

Re: Static OpenSSL 3 library with FIPS

On 25/03/2022 18:33, Paul Spencer wrote: Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support? This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and special linking in the Makefile). However, with SSL3, if I go Configure no-module enable-fips then it

Static OpenSSL 3 library with FIPS

Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support? This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and special linking in the Makefile). However, with SSL3, if I go Configure no-module enable-fips then it silently disables FIPS. Is there any way to do

Re: OpenSSL 3 FIPS on iOS

Failure to load the FIPS Provider would then result. So we're unsure how OpenSSL 3 FIPS can be deployed within iOS apps from the Apple App Store. Would be great to hear whether anyone else has got this working and through an Apple app review.

Re: OpenSSL 3 FIPS on iOS

ore Distribution remains troublesome though and what if Apple re-sign the app and consequently the FIPS framework? Failure to load the FIPS Provider would then result. So we're unsure how OpenSSL 3 FIPS can be deployed within iOS apps from the Apple App Store. Would be great to hear whether anyone else has got this working and through an Apple app review.

OpenSSL 3 FIPS on iOS

remains troublesome though and what if Apple re-sign the app and consequently the FIPS framework? Failure to load the FIPS Provider would then result. So we're unsure how OpenSSL 3 FIPS can be deployed within iOS apps from the Apple App Store. Would be great to hear whether anyone else has got this working and through an Apple app review.

OpenSSL 3 TLS cipher pipelining support with providers

Greetings, Is there any specific reason why pipelining is not supported with providers? I can see below code in ssl/record/ssl3_record.c if (provided) { int outlen; /* Provided cipher - we do not support pipelining on this path */ if (n_recs > 1) {

Re: OpenSSL 3: FIPS DRBG Tests

is is processing slightly munged CAVs data and does everything you should need. 3. And finally, our existing test, based on openssl-fips-2.0.5 called FIPS_drbg_new(). That function allows you to pass an EC curve NID in the upper 16 bits of the drbg type. Not sure how to do this in OpenSSL 3, howev

Re: OpenSSL-3.+ how to configure [random]?

unsubscribe Get Outlook for iOS<https://aka.ms/o0ukef> From: openssl-users on behalf of Dr Paul Dale Sent: Wednesday, November 10, 2021 2:20:03 PM To: openssl-users@openssl.org Subject: Re: OpenSSL-3.+ how to configure [random]? I'm pretty sure the

OpenSSL 3: FIPS DRBG Tests

curve NID in the upper 16 bits of the drbg type. Not sure how to do this in OpenSSL 3, however, I see no mention of EC curves in: https://csrc.nist.gov/csrc/media/projects/cryptographic-algorithm-validation-program/documents/drbg/drbgvs.pdf So it may be a moot issue. Thanks, Kory

Re: OpenSSL-3.+ how to configure [random]?

ibrary: OpenSSL 3.0.0 7 sep 2021) $ OPENSSL_CONF="" openssl rand -engine pkcs11 -hex 8 Engine "pkcs11" set. $ OPENSSL_CONF="" openssl-1.1 rand -engine pkcs11 -hex 8 engine "pkcs11" set. $ OPENSSL_CONF="" ~/openssl-3/bin/openssl version OpenSSL 3.1.0-dev (L

Re: OpenSSL-3.+ how to configure [random]?

I'm pretty sure the underlying problem is that there is a call to RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the latter). These completely replace the built in RNG infrastructure with the RAND_METHOD/engine.  If the engine then fails to produce output for any reason, t

Re: OpenSSL-3.+ how to configure [random]?

Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes - the same solution worked. There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider. In any case, removing PKCS#11 engine from the [engines] section alleviated this problem. T

Re: OpenSSL-3.+ how to configure [random]?

Just chiming in quickly to mention that this could be related to https://github.com/openssl/openssl/issues/16996 Nicola On Wed, Nov 10, 2021 at 10:33 AM Tomas Mraz wrote: > > On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL > wrote: > > On 11/9/21, 22:23, "Dr Paul Dale" wrote:

Re: OpenSSL-3.+ how to configure [random]?

On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL wrote: > On 11/9/21, 22:23, "Dr Paul Dale" wrote: > > >    Currently I've no idea and can't reproduce locally :( > > Maybe you'd know how to force the "-engine rdrand" path through > "openssl.cnf"? > > >    A rogue configuration

Re: OpenSSL-3.+ how to configure [random]?

> > Pauli > > On 10/11/21 1:10 pm, Blumenthal, Uri - 0553 - MITLL wrote: > > Thank you! > > > > I'm trying to: > > > > a. understand why something like "openssl-3 rand -hex 4" does

Re: OpenSSL-3.+ how to configure [random]?

- 0553 - MITLL wrote: > Thank you! > > I'm trying to: > > a. understand why something like "openssl-3 rand -hex 4" does not work (returns empty string), but "openssl-3 rand -engine rdrand -hex 4" works fine, and gives me my random by

Re: OpenSSL-3.+ how to configure [random]?

gine rdrand -hex 4 Engine "rdrand" set. 61f1666d $ Pauli On 10/11/21 1:10 pm, Blumenthal, Uri - 0553 - MITLL wrote: > Thank you! > > I'm trying to: > > a. understand why something like "openssl-3 rand -hex 4" does not work (retur

Re: OpenSSL-3.+ how to configure [random]?

53 - MITLL wrote: Thank you! I'm trying to: a. understand why something like "openssl-3 rand -hex 4" does not work (returns empty string), but "openssl-3 rand -engine rdrand -hex 4" works fine, and gives me my random bytes - here's an illustration $ openssl3 vers

Re: OpenSSL-3.+ how to configure [random]?

Thank you! I'm trying to: a. understand why something like "openssl-3 rand -hex 4" does not work (returns empty string), but "openssl-3 rand -engine rdrand -hex 4" works fine, and gives me my random bytes - here's an illustration $ openssl3 version OpenSSL 3.1.

Re: OpenSSL-3.+ how to configure [random]?

Currently there is exactly one seed source that is usable in OpenSSL 3.0: "SEED-SRC".  It is documented in EVP_RAND-SEED-SRC.  The reason the seed source can be set is to allow you to use a third party provider than includes one. If you want to force RDRAND as the only seeding source, this nee

OpenSSL-3.+ how to configure [random]?

"man config" for OpenSSL-3.0 and newer says that there can be "[random]" section in "openssl.cnf", where I can specify type of RNG, other things, and *seed*, and seed *properties*. Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:

Re: OpenSSl 3 statically linking a provider

On Tue, 2021-09-14 at 21:46 -0700, Kory Hamzeh wrote: > I have written a custom provider which I need to include (link) with > my Application at link time rather than load it at run-time. The init > function is defined like this: > > OSSL_provider_init_fn sck_provider_init; > > int sck_provider_i

OpenSSl 3 statically linking a provider

I have written a custom provider which I need to include (link) with my Application at link time rather than load it at run-time. The init function is defined like this: OSSL_provider_init_fn sck_provider_init; int sck_provider_init(const OSSL_CORE_HANDLE *handle, const O

OpenSSL 3.x binaries naming convention (on Windows)

me) that the naming convention of binaries for OpenSSL 3 on Windows platform is like this: libcrypto-3.dll (and libssl-3.dll) for the 32 bits (release) builds libcrypto-3-x64.dll (and libssl-3-x64.dll) for the 64 bits (release) builds Is this naming

Re: OPenssl 3 Beta 1

On Fri, Jul 02, 2021 at 04:12:29PM +0200, Tomas Mraz wrote: > On Fri, 2021-07-02 at 07:53 -0600, The Doctor wrote: > > So far working better with openssh 8.6 . > > > > Ruby 2.7 and rust is of concern. > > Language bindings are expected to require some minor changes to be able > to properly work w

OPenssl 3 Beta 1

So far working better with openssh 8.6 . Ruby 2.7 and rust is of concern. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.

Re: OPenssl 3 Beta 1

On Fri, 2021-07-02 at 07:53 -0600, The Doctor wrote: > So far working better with openssh 8.6 . > > Ruby 2.7 and rust is of concern. Language bindings are expected to require some minor changes to be able to properly work with OpenSSL 3.0. Hopefully the maintainers of these language bindings foll

Re: 3 failures with Openssl 3 alpha

e "current" IV state (which > the now-deprecated EVP_CIPHER_CTX_iv() used to return) but it's calling the > wrong openssl function to obtain it. See PR #12233 > <https://github.com/openssl/openssl/pull/12233> for additional discussion. > > > Regards, > Tom.III > Will

3 failures with Openssl 3 alpha

1) The openssh project does not work openssh 8.4+ 2) Rust and OPEnssl 3 are not agrreing 3) ca_root_nss project and openssl 3 have a difference of opinion. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan Presi

Re: 3 failures with Openssl 3 alpha

ssl function to obtain it. See PR #12233 <https://github.com/openssl/openssl/pull/12233> for additional discussion. Regards, Tom.III > 2) Rust and OPEnssl 3 are not agrreing > > 3) ca_root_nss project and openssl 3 have a difference of opinion. > > -- > Member - Li

Re: openssl-3

On Wed, Aug 05, 2020 at 04:49:36PM +0300, me...@cyberia.net.sa wrote: > > > Hello, > > > > > > I have sucesfully installed openssl 3.x version but when I was trying to > check the version wheather it installed sucesfully or not, it gives error as > below

openssl-3

Hello, I have sucesfully installed openssl 3.x version but when I was trying to check the version wheather it installed sucesfully or not, it gives error as below , any assistance would be highly appreciated thanks in advance. [root@nc ~]# /usr/local/bin/openssl versioin -a /usr

Current openssl 3 alpha dev 2 and upcoming openssh 8.3

Odd. Found this today. In make test , the test stops at simple transfer. In openssh-8.2p1 I worked find to a point. Any changes in the 3 aplha daily snaphots that could cause this? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Ne

Re: Current openssl 3 alpha dev 2 and upcoming openssh 8.3

On 13/05/2020 08:00, The Doctor wrote: > Odd. Found this today. In make test , the test stops at simple > transfer. > > In openssh-8.2p1 I worked find to a point. > > Any changes in the 3 aplha daily snaphots that could cause this? > Nothing that springs to mind. There have been numerous

Re: Minimum gcc version required for openssl 3.x?

icular > option isn't being passed with -Wl like the others. Is there a minimum > supported gcc version for openssl 3.x? None has been specified. You might want to submit your patch as a PR. Matt

Minimum gcc version required for openssl 3.x?

I searched all the docs I could find but I was unable to locate any statements regarding gcc compatibility for openssl 3.x. I'm having a problem cross-compiling for arm using gcc-4.4.5: rm -f libssl.so && \ ln -s libssl.so.3 libssl.so arm-linux-gnueabi-gcc -Iinclude -fPIC -

Re: openssl 3 and deprecation

On 12/05/2020 15:35, Billy Brumley wrote: > Howdy Folks, > > I checked https://www.openssl.org/policies/releasestrat.html but did > not manage to find an answer. > > At what stages is marking a function deprecated still allowed? Only > before beta? Or at all stages? Or is it case-by-case with

openssl 3 and deprecation

Howdy Folks, I checked https://www.openssl.org/policies/releasestrat.html but did not manage to find an answer. At what stages is marking a function deprecated still allowed? Only before beta? Or at all stages? Or is it case-by-case with potential OMC vote? Thanks BBB

Re: openssl 3 alpha 1 test failures on AIX

On 07/05/2020 01:22, Norm Green wrote: > All tests on AIX fail like this.  Is this a known issue?  What debugging > information is needed?  Should I open an issue on github? Yes - please open an issue on github. > > Also note I had to set LD_LIBRARY_PATH to the SSL build directory to get > th

Re: openssl 3 alpha 1 test failures on AIX

I would have to build a new perl from source, but the perl I'm using meets the requirements. I built the current version (5.24.0) from a source a while back when openssl started requiring at least 5.10.0. Tests pass on the same machine with openssl 1.1.1 . On 5/6/2020 5:33 PM, Benjamin Kadu

Re: openssl 3 alpha 1 test failures on AIX

On Wed, May 06, 2020 at 05:22:17PM -0700, Norm Green wrote: > All tests on AIX fail like this.  Is this a known issue?  What debugging > information is needed?  Should I open an issue on github? > > Also note I had to set LD_LIBRARY_PATH to the SSL build directory to get the > tests to run at all.

openssl 3 alpha 1 test failures on AIX

All tests on AIX fail like this.  Is this a known issue?  What debugging information is needed?  Should I open an issue on github? Also note I had to set LD_LIBRARY_PATH to the SSL build directory to get the tests to run at all. normg@sky>gmake test     make depend && make _tests