RE: Open SSL 1.1.1 and Vxworks 5.4.2 - Query on Entropy source

2024-04-30 Thread Prithvi Raj R (Nokia) via openssl-users
-users@openssl.org Subject: Open SSL 1.1.1 and Vxworks 5.4.2 - Query on Entropy source Hi Users, A beginner on cryptography and Open SSL here. First query - On our VxWorks 5.4.2 based system with Open SSL 1.1.1, I would like to know what entropy source would be used by RAND_priv_bytes() to

Re: Query minimum RSA key size?

2022-09-26 Thread Felipe Gasper
> On Sep 26, 2022, at 11:47, Viktor Dukhovni wrote: > > On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote: > >>> The security levels are documented. You can set the security level >>> in the cipher string: >>> >>> DEFAULT:@SECLEVEL=1 >>> >>> or via the API. >> >> Ahh, OK. In

Re: Query minimum RSA key size?

2022-09-26 Thread Viktor Dukhovni
On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote: > > The security levels are documented. You can set the security level > > in the cipher string: > > > >DEFAULT:@SECLEVEL=1 > > > > or via the API. > > Ahh, OK. Indeed, when I set that as the cipher string the error goes away.

Re: Query minimum RSA key size?

2022-09-26 Thread Felipe Gasper
> On Sep 26, 2022, at 10:01, Viktor Dukhovni wrote: > > On Mon, Sep 26, 2022 at 09:52:29AM -0400, Felipe Gasper wrote: > >> OpenSSL 1.1.0k introduced behaviour that rejects 1,024-bit RSA key sizes. > > No such change was made. Perhaps your OS distribution has bumped the > default (TLS) secur

Re: Query minimum RSA key size?

2022-09-26 Thread Viktor Dukhovni
On Mon, Sep 26, 2022 at 09:52:29AM -0400, Felipe Gasper wrote: > OpenSSL 1.1.0k introduced behaviour that rejects 1,024-bit RSA key sizes. No such change was made. Perhaps your OS distribution has bumped the default (TLS) security level from 1 (80-bit or more) to 2 (~112 bit or more). You can l

Query minimum RSA key size?

2022-09-26 Thread Felipe Gasper
Hello, OpenSSL 1.1.0k introduced behaviour that rejects 1,024-bit RSA key sizes. Is the new minimum key size queryable? It appears to be 2,048, but in the event that that changes again I’d ideally love just to grab that value from OpenSSL itself rather than hard-coding it.

Re: Query: related to SNI & OSCP

2022-09-21 Thread udhayakumar
On 21/09/22 5:37 pm, udhayakumar wrote: Hi openssl Team, I am developing a simple HTTPS tunnel between my client and any one public server. The connection is established. 1) But with certificate and OCSP request, how do I verify the server? 2) How do I get SNI from the client hello packet during handshake

Query: related to SNI & OSCP

2022-09-21 Thread udhayakumar
Hi openssl Team, I am developing a simple HTTPS tunnel between my client and any one public server. The connection is established. 1) But with certificate and OCSP request, how do I verify the server? 2) How do I get SNI from the client hello packet during handshake? I can't figure out the proper function.

RE: Query regarding EVP_PKEY_CTX_set_cb

2022-03-30 Thread Michel
Hi Bala, > Can you please help to understand the use of the callback function that can > be set during key generation ? AFAI remember, nothing special except provide a way to show work is still running (using a progress bar for example) and a mechanism to cancel the generation if it lasts too

Query regarding EVP_PKEY_CTX_set_cb

2022-03-30 Thread Bala Duvvuri via openssl-users
Hi All, Can you please help to understand the use of the callback function that can be set during key generation? 1> For ex: In the OpenSSL 3.0 code, the callback "genrsa_cb" is defined in the file "apps/genrsa.c" : What exactly is being done in this callback function? What does EVP_PKE

Re: Query reg. using certificates bigger than 4k for EAP-TLS

2021-10-20 Thread Jan Just Keijser
Hi Vishal, On 20/10/21 13:34, Vishal Sinha wrote: Hi Matt The certificate is not large as such. But since it's a chain, the overall size crosses 4k. We used BIO_set_write_buffer_size() API to increase the size from 4k to 8k of the BIO buffer in SSL context. just out of curiosity: does th

Re: Query reg. using certificates bigger than 4k for EAP-TLS

2021-10-20 Thread Benjamin Kaduk via openssl-users
I'm also a bit confused at how this became the limiting factor for the application in question. https://datatracker.ietf.org/doc/html/draft-ietf-emu-eaptlscert-08 has some discussion of how large certificates can cause issues for EAP (as well as some guidance to EAP deployments as to how to reduc

Re: Query reg. using certificates bigger than 4k for EAP-TLS

2021-10-20 Thread Matt Caswell
Your scenario is still not quite clear to me. It sounds like you are using a BIO_f_buffer() BIO to buffer data. This is on the server side right? Are you encountering this problem for server writes? Since you are talking about the certificate chain, I assume you are referring to the server wri

Re: Query reg. using certificates bigger than 4k for EAP-TLS

2021-10-20 Thread Vishal Sinha
Hi Matt The certificate is not large as such. But since it's a chain, the overall size crosses 4k. We used BIO_set_write_buffer_size() API to increase the size from 4k to 8k of the BIO buffer in SSL context. Regards Vishal On Wed, Oct 20, 2021 at 3:26 PM Vishal Sinha wrote: > Hi > > We are us

Re: Query reg. using certificates bigger than 4k for EAP-TLS

2021-10-20 Thread Matt Caswell
On 20/10/2021 10:56, Vishal Sinha wrote: We are using openssl 1.1.1c version on our client and server. Client and Server are doing EAP-TLS authentication using certificates which are more than 4k in size (using 1 root CA and 2 intermediate CAs). We noticed that the server is not able to hand

Query reg. using certificates bigger than 4k for EAP-TLS

2021-10-20 Thread Vishal Sinha
Hi We are using openssl 1.1.1c version on our client and server. Client and Server are doing EAP-TLS authentication using certificates which are more than 4k in size (using 1 root CA and 2 intermediate CAs). We noticed that the server is not able to handle it gracefully due to insufficient buffer

Re: query on PEM_write_bio_PKCS8PrivateKey

2021-09-27 Thread Matt Caswell
On 25/09/2021 06:06, SIMON BABY wrote: Hi Team, I have a query. I see the below API is used to write the private key in encrypted PKCS#8 format. / / / PEM_write_bio_PKCS8PrivateKey()/ and /PEM_write_PKCS8PrivateKey()/ write a private key in an EVP_PKEY structure in PKCS#8

query on PEM_write_bio_PKCS8PrivateKey

2021-09-24 Thread SIMON BABY
Hi Team, I have a query. I see the below API is used to write the private key in encrypted PKCS#8 format. *PEM_write_bio_PKCS8PrivateKey()* and *PEM_write_PKCS8PrivateKey()* write a private key in an EVP_PKEY structure in PKCS#8 EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based

Re: Query regarding openssl-3.0.0 ecdsa self tests

2021-08-30 Thread Tomas Mraz
It is not a bug, the pairwise test is sufficient. It's just a misleading name. And I do not think it will cause any problem with FIPS validation, this can be documented. Tomas On Mon, 2021-08-30 at 16:53 +0530, Nagarjun J wrote: > Hello, > > Then, is this a bug in ECDSA POST ? Or have to rename

Re: Query regarding openssl-3.0.0 ecdsa self tests

2021-08-30 Thread Nagarjun J
Hello, Then, is this a bug in ECDSA POST ? Or have to rename the test , as it is misleading and can cause problems in FIPS certification ? Thanks, Nagarjun On Mon, Aug 30, 2021 at 3:51 PM Tomas Mraz wrote: > The question was about the fips module POST (power on self test) and > there what I wr

Re: Query regarding openssl-3.0.0 ecdsa self tests

2021-08-30 Thread Tomas Mraz
The question was about the fips module POST (power on self test) and there what I wrote applies. Having special RNG providing constant data to ECDSA/DSA would be possible to do but it is not required, it would needlessly complicate the code, and add a risk of having such constant RNG being accident

Re: Query regarding openssl-3.0.0 ecdsa self tests

2021-08-30 Thread Billy Brumley
This is not really true. At least, for some of the tests. https://github.com/openssl/openssl/blob/master/test/ecdsatest.c#L73 That hijacks the RNG to feed the expected nonce, so it can check vs a KAT. Cheers, BBB On Mon, Aug 30, 2021 at 12:40 PM Tomas Mraz wrote: > > Hello, > > your analysis

Re: Query regarding openssl-3.0.0 ecdsa self tests

2021-08-30 Thread Tomas Mraz
Hello, your analysis is right. It does only pairwise consistency test as the KAT is impossible to do for regular DSA and ECDSA due to random nonce being input of the signature algorithm and thus the signature always changes. Tomas On Fri, 2021-08-27 at 22:47 +0530, Nagarjun J wrote: > Hi, > > D

Query regarding openssl-3.0.0 ecdsa self tests

2021-08-27 Thread Nagarjun J
Hi, Does openssl-3.0.0 really do ECDSA KAT? The post test logs say "ECDSA KAT :PASS". But when I debugged the code, it is actually doing an ECDSA pairwise consistency test. Thanks, Nagarjun

Re: query on key usage OIDs

2021-07-17 Thread Viktor Dukhovni
On Fri, Jul 16, 2021 at 01:11:04PM +0200, Jakob Bohm via openssl-users wrote: > Question was how to retrieve those lists for any given certificate, > using currently supported OpenSSL APIs. > > The lists of usage bits and extusage OIDs in any given certificate > are finite, even if the list of va

Re: query on key usage OIDs

2021-07-16 Thread Jakob Bohm via openssl-users
Question was how to retrieve those lists for any given certificate, using currently supported OpenSSL APIs. The lists of usage bits and extusage OIDs in any given certificate are finite, even if the list of values that could be in other certificates is infinite. On 2021-07-16 06:44, Kyle Hamilto

Re: query on key usage OIDs

2021-07-15 Thread Kyle Hamilton
Also, OIDs for extendedKeyUsage can be defined per-application, so there's no way to compile a full list of them. -Kyle H On Fri, Jul 16, 2021 at 4:23 AM Viktor Dukhovni wrote: > > > On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote: > > > > I am looking for openssl APIs to get all the OIDs associa

Re: query on key usage OIDs

2021-07-15 Thread Viktor Dukhovni
> On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote: > > I am looking for openssl APIs to get all the OIDs associated with user > certificate Key usage extension. For example my sample Key usage extension > from the certificate is below: > X509v3 extensions: > X509v3 Key Usage: critical

query on key usage OIDs

2021-07-15 Thread SIMON BABY
Hi Team, I am looking for openssl APIs to get all the OIDs associated with user certificate Key usage extension. For example my sample Key usage extension from the certificate is below: X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment I

Re: How to query current settings/policies?

2021-06-22 Thread Mark H. Wood
rd coded paths (what about OPENSSL_CONF environment variable?) and > > guesses. > > > > Furthermore it knows nothing about Gentoo Linux for example. But > > even > > with Ubuntu, you could have a policy in place which overrides set > > OPENSSL_TLS_SECURITY_LEVEL=2 f

Re: How to query current settings/policies?

2021-06-22 Thread Tomas Mraz
d have a policy in place which overrides set > OPENSSL_TLS_SECURITY_LEVEL=2 from configure. > > Is there a way to use openssl CLI to query this information and > allow > test suites for example to skip tests on a more reliable way? Or > what's > the recommended wa

How to query current settings/policies?

2021-06-22 Thread Thomas Deutschmann
d guesses. Furthermore it knows nothing about Gentoo Linux for example. But even with Ubuntu, you could have a policy in place which overrides set OPENSSL_TLS_SECURITY_LEVEL=2 from configure. Is there a way to use openssl CLI to query this information and allow test suites for example to skip tests

Query regarding ECC

2021-05-10 Thread Nagarjun J
Hi, Is ECC Partial Public key validation already supported in openssl-1.0.2l or Openssl-2.0.16? Regards Nagarjun

Query on engine support in OpenSSL 1.0.2h

2021-03-08 Thread Jayalakshmi bhat
Hi All, We currently use OpenSSL 1.0.2h, we are in the process of upgrading to OpenSSL 1.1.1. To address some legacy functionalities we are planning to write engines for OpenSSL 1.0.2h offload crypto operation to external components. We have few queries regarding the same 1. Can we offload a

Re: Query on SSL Mutual Authentication on Server

2021-03-02 Thread Jakob Bohm via openssl-users
On 2021-03-01 17:28, Viktor Dukhovni wrote: On Mon, Mar 01, 2021 at 09:21:29PM +0530, Archana wrote: I am new to SSL programming. On our SSL Server implementation, we are trying to enforce Mutual Authentication. Is it Mandatory to provide a user defined Callback using SSL_ctx_setverify() No ca

Re: Query on SSL Mutual Authentication on Server

2021-03-01 Thread Viktor Dukhovni
On Mon, Mar 01, 2021 at 09:21:29PM +0530, Archana wrote: > I am new to SSL programming. On our SSL Server implementation, we are > trying to enforce Mutual Authentication. Is it Mandatory to provide a user > defined Callback using SSL_ctx_setverify() No callback is required (callbacks are primari

Query on SSL Mutual Authentication on Server

2021-03-01 Thread Archana
I am new to SSL programming. On our SSL Server implementation, we are trying to enforce Mutual Authentication. Is it Mandatory to provide a user defined Callback using SSL_ctx_setverify() If yes, Is it expected to do the IP or hostname validation?

i2d & ASN1_SEQUENCE related query in openssl 1.1.1.

2020-10-12 Thread prudvi raj
Hi, I am trying to write replacement ASN1 macros for i2d/d2i functions in openssl 1.1.1 Previously: typedef struct pkcs7_issuer_and_subject_st { X509_NAME *issuer; /* Certificate Issuer's name */ X509_NAME *subject; /* Certificate's subject name */ } PKCS7_ISSUER_AND_SUBJEC

query on api PKCS12_parse()

2020-09-01 Thread SIMON BABY
Hello, I am using the api PKCS12_parse for creating the private key and certs. When I send a wrong password to the API, my process crashes in the call PKCS12_parse(). The same API works fine when I pass the correct passwd. Can someone please help to send some clues to resolve/debug this issue. p

Re: query on dns resolver

2020-08-21 Thread Viktor Dukhovni
On Thu, Aug 20, 2020 at 11:56:45PM +0200, David von Oheimb wrote: > OpenSSL has one function, namely BIO_lookup_ex(), that uses DNS lookup > functions. Since commit 28a0841bf58e3813b2e07ad22f19484308e2f70a of > 02 Feb 2016 it uses getaddrinfo(). Right, but even this is not "DNS lookup". It is h

Re: query on dns resolver

2020-08-20 Thread Viktor Dukhovni
On Thu, Aug 20, 2020 at 11:59:01AM +0300, Dmitry Belyavsky wrote: > OpenSSL uses gethostbyname/gethostbyaddr Also getaddrinfo(3), I hope in preference to the obsolete interfaces. There is no explicit use of DNS in OpenSSL, and many OpenSSL applications open their own TCP connections, and then as

Re: query on dns resolver

2020-08-20 Thread Dmitry Belyavsky
OpenSSL uses gethostbyname/gethostbyaddr grep -r gethost . will give you some clues On Wed, Aug 19, 2020 at 11:51 PM SIMON BABY wrote: > I was looking at the openssl 1.0.2j code and trying to find how it > resolves the dns domain name IP address from name. > > 1. Does it use the OS supported ut

query on dns resolver

2020-08-19 Thread SIMON BABY
I was looking at the openssl 1.0.2j code and trying to find how it resolves the dns domain name IP address from name. 1. Does it use the OS supported utilities like nslookup, gethostip etc? 2. Do we need a recursive dns server IP address to define in resolv.conf? 3. Can I know the APIs and files

Query on openssl-1.1.0h build error

2020-07-16 Thread SIMON BABY
Hello, I am working for a project which has dependency on openssl library. When I try to build the openssl package with below bit bake recipe (got from open embedded yocto) it is failing with below errors. Could you please help to resolve my issue. http://cgit.openembedded.org/openembedded-core/t

Re: Query regarding SSL_ERROR_SSL during SSL handshake

2020-02-23 Thread Matt Caswell
On 24/02/2020 03:49, Mahendra SP wrote: > Hi Matt, > > Thank you for the inputs.  > I have one more query. Is it appropriate to check for the errno in this > case and take action based on the errno values ? No, errno should not be checked unless SSL_get_error returns SSL_ERROR

Re: Query regarding SSL_ERROR_SSL during SSL handshake

2020-02-23 Thread Mahendra SP
Hi Matt, Thank you for the inputs. I have one more query. Is it appropriate to check for the errno in this case and take action based on the errno values ? Thanks Mahendra On Wed, Feb 19, 2020 at 3:09 PM Matt Caswell wrote: > > > On 19/02/2020 05:16, Mahendra SP wrote: > > Hi

Re: Query regarding SSL_ERROR_SSL during SSL handshake

2020-02-19 Thread Matt Caswell
On 19/02/2020 05:16, Mahendra SP wrote: > Hi All, > > We are using Openssl version 1.0.2h. When we call SSL_do_handshake, > sometimes we notice that handshake fails with error SSL_ERROR_SSL.  > As per the documentation for this error, it is non recoverable and fatal > error.  Documentation also

Query regarding SSL_ERROR_SSL during SSL handshake

2020-02-18 Thread Mahendra SP
Hi All, We are using Openssl version 1.0.2h. When we call SSL_do_handshake, sometimes we notice that handshake fails with error SSL_ERROR_SSL. As per the documentation for this error, it is non recoverable and fatal error. Documentation also mentions to check the error queue for further details.

Re: Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-14 Thread Matt Caswell
On 14/01/2020 07:42, Phani 2004 wrote: > Thanks for the quick response Matt. > Is there any specific reason why it was designed that way in 1.1.1? These ciphers are really quite unusual. Normally we have an implementation of ciphers on all platforms. These are the exception and were added much

Re: Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-13 Thread Phani 2004
Thanks for the quick response Matt. Is there any specific reason why it was designed that way in 1.1.1? It looks little odd that we need a non-NULL EVP_cipher object even though we do not use it/need it. I am looking for support for ARM architecture. I can't wait till 3.0. Is there any chance we m

Re: Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-13 Thread Matt Caswell
On 13/01/2020 06:20, Phani 2004 wrote: > Hi Team, > > I am trying to add support on a hardware engine for aes-cbc-hmac-sha1. > I have observed that currently aes-cbc-hmac-sha1 is supported only for > x86 architecture. > "EVP_aes_128_cbc_hmac_sha1" api returns NULL for non-x86 platforms. The >

Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-12 Thread Phani 2004
Hi Team, I am trying to add support on a hardware engine for aes-cbc-hmac-sha1. I have observed that currently aes-cbc-hmac-sha1 is supported only for x86 architecture. "EVP_aes_128_cbc_hmac_sha1" api returns NULL for non-x86 platforms. The openssl speed app calls the "EVP_get_cipherbyname" call

Query related to obtaining of temp key

2019-08-08 Thread shalu dhamija via openssl-users
Hi All, I have a query related to getting the temporary key used during the key exchange. As a TLS client, I am able to get the key using the API SSL_get_peer_tmp_key(). But when acting as TLS Server, I used API SSL_get_tmp_key(). This API is returning the temp key for TLS1.3 ciphers but for

query regarding openssl and FIPS

2019-07-02 Thread manju prasad
Hi I have two queries. I am new to FIPS validation. The first query is 1. We have a system which is using Arm Cortex-A9 on ThreadX. If I cross compile FIPS module 2.0.16 for Threadx ( Arm Cortex-A9 ) and use openssl 1.0.2s. Can we claim that our product is FIPS compliant ? The second query is 2

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-10 Thread Viktor Dukhovni
> On Jun 10, 2019, at 10:54 AM, Jeremy Harris wrote: > >> |void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(SSL *, >> SSL_SESSION *));| >> >> >> How do we specify a user-defined callback data pointer in that call? > > You don't; you additionally use > SSL_CTX_set_msg_callback_

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-10 Thread Jeremy Harris
On 10/06/2019 15:21, J. J. Farrell wrote: > |void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(SSL *, > SSL_SESSION *));| > > > How do we specify a user-defined callback data pointer in that call? You don't; you additionally use SSL_CTX_set_msg_callback_arg() which the OP said h

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-10 Thread J. J. Farrell
On 10/06/2019 11:05, Jeremy Harris wrote: On 10/06/2019 09:32, Viktor Dukhovni wrote: On Mon, Jun 10, 2019 at 07:16:26AM +, shalu dhamija via openssl-users wrote: Actually while setting the callback, we can not pass the user-defined/application data. You can however attach it to the SSL

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-10 Thread Jeremy Harris
On 10/06/2019 09:32, Viktor Dukhovni wrote: > On Mon, Jun 10, 2019 at 07:16:26AM +, shalu dhamija via openssl-users > wrote: > >> Actually while setting the callback, we can not pass the >> user-defined/application data. > > You can however attach it to the SSL connection handle as "ex_dat

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-10 Thread Viktor Dukhovni
On Mon, Jun 10, 2019 at 07:16:26AM +, shalu dhamija via openssl-users wrote: > Actually while setting the callback, we can not pass the > user-defined/application data. You can however attach it to the SSL connection handle as "ex_data": https://github.com/vdukhovni/postfix/blob/maste

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-10 Thread shalu dhamija via openssl-users
Actually while setting the callback, we can not pass the user-defined/application data. For example: void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,                             int (*new_session_cb)(SSL *, SSL_SESSION *)); When the callback arrives, I have SSL* and SSL_SESSION*. Earlier I was gettin

Re: Query related to session resumption in TLS1.3

2019-06-09 Thread Viktor Dukhovni
On Sun, Jun 09, 2019 at 10:39:36AM +, shalu dhamija wrote: > "The default number of tickets is 2; the default number of tickets sent > following a resumption handshake is 1". But in my case, following the > resumption handshake, I am always getting two session tickets from the > serve

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-09 Thread Jeremy Harris
On 09/06/2019 11:31, shalu dhamija wrote: > Hi All, In openssl 1.0.2, I was using SSL_CTX_set_msg_callback_arg() API to > set the application specific argument. And in the callback, I was retrieving > that argument from SSL pointer received in the callback e.g. > "ssl->msg_callback_arg" But in op

Re: Query related to session resumption in TLS1.3

2019-06-09 Thread shalu dhamija
Hi Viktor, Thanks for your response. In my code, somehow, the ssl_read was not getting called (due to some bug) due to which the session ticket was not being read resulting in no callback. I have fixed it and it's working now. Now the resumption using TLS1.3 is working fine but I want to clarify

Query related to SSL_CTX_set_msg_callback_arg

2019-06-09 Thread shalu dhamija
Hi All, In openssl 1.0.2, I was using SSL_CTX_set_msg_callback_arg() API to set the application specific argument. And in the callback, I was retrieving that argument from SSL pointer received in the callback e.g. "ssl->msg_callback_arg" But in openssl 1.1.1, the SSL structure members are no more

Re: query related to openssl certificate generation of Ed X25519, X448

2019-06-06 Thread Billy Brumley
: > > Hi , > Have query regarding generation of X255519 and X448 certificate chain > > Below is the script which i used to generate certificate chain of Ecdsa type. > https://github.com/raja-ashok/sample_certificates/blob/master/ECC_Prime256_Certs/gen_ecc_cert.sh > > Now for gene

query related to openssl certificate generation of Ed X25519,X448

2019-06-05 Thread Sowmya P
Hi, I have a query regarding generation of an X25519 and X448 certificate chain. Below is the script which I used to generate a certificate chain of ECDSA type. https://github.com/raja-ashok/sample_certificates/blob/master/ECC_Prime256_Certs/gen_ecc_cert.sh Now for generating EdDSA certificate chain I

Re: Query related to session resumption in TLS1.3

2019-05-16 Thread Viktor Dukhovni
On Thu, May 16, 2019 at 04:22:13PM +, shalu dhamija via openssl-users wrote: > But the same flow does not work for TLS1.3. In TLSv1.3, sessions are > established after the main handshake has completed. So, I have implemented > the callback SSL_CTX_sess_set_new_cb. And in the callback, I am sto

Query related to session resumption in TLS1.3

2019-05-16 Thread shalu dhamija via openssl-users
Hi All, I am in process of using TLS1.3 using openssl 1.1.1b version in my client application. In order to use session resumption, I have implemented an external cache when acting as the client. The key to the cache is combination of host and port and the value  associated is SSL_SESSION*.   B

Re: [openssl-users] Query on API availability for openssl versions

2017-10-17 Thread Matt Caswell
On 17/10/17 10:01, Grace Priscilla Jero wrote: > Thank you Matt for the quick response. > For "2," does it mean that every cipher suite can operate in multiple > levels?  > I thought that there were specific set of cipher suites operating in > each of the levels. Not quite. The security levels l

Re: [openssl-users] Query on API availability for openssl versions

2017-10-17 Thread Jakob Bohm
The security levels are simply a classification of the cipher suites by quality.  Typically one would select all ciphers above a certain level. Most cipher suites work with all protocol levels >= a certain level, with SSL2 (dead) and TLS1.3 (future) being exceptions. Selecting something like "TLS

Re: [openssl-users] Query on API availability for openssl versions

2017-10-17 Thread Grace Priscilla Jero
Thank you Matt for the quick response. For "2," does it mean that every cipher suite can operate in multiple levels? I thought that there were specific set of cipher suites operating in each of the levels. Thanks, Grace On Tue, Oct 17, 2017 at 2:25 PM, Matt Caswell wrote: > > > On 17/10/17 09:2

Re: [openssl-users] Query on API availability for openssl versions

2017-10-17 Thread Matt Caswell
On 17/10/17 09:21, Grace Priscilla Jero wrote: > Hi All, > > 1) > The below APIs used to set the maximum and minimum versions are > available in 1.1.0f version of OPENSSL. > >  int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); >  int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int v

[openssl-users] Query on API availability for openssl versions

2017-10-17 Thread Grace Priscilla Jero
Hi All, 1) The below APIs used to set the maximum and minimum versions are available in 1.1.0f version of OPENSSL. int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); int SSL_set_min_proto_version(SSL *ssl, int version);

Re: [openssl-users] Query regarding the SCTP events for DTLS connections

2017-09-29 Thread Michael Tuexen
> On 28. Sep 2017, at 20:36, mahesh gs wrote: > > Hi, > > We have an application which has SCTP connections we have secured the SCTP > connections using the openssl DTLS. DTLS is working as expected other than > the SCTP events. > > We use the API "BIO_new_dgram_sctp" to create a BIO object

[openssl-users] Query regarding the SCTP events for DTLS connections

2017-09-28 Thread mahesh gs
Hi, We have an application which has SCTP connections we have secured the SCTP connections using the openssl DTLS. DTLS is working as expected other than the SCTP events. We use the API "BIO_new_dgram_sctp" to create a BIO objects and we register a callback function to openssl using API "BIO_dgra

Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-06 Thread Porter, Andrew
@openssl.org Subject: Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS > I am unable to find the openssl-fips module for 1.1.0f. Do you know when it will be available? We have no date. Work hasn’t fully started, and isn’t fully funded. Perhaps your company would like to

Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-06 Thread Salz, Rich via openssl-users
> I am unable to find the openssl-fips module for 1.1.0f. Do you know when it will be available? We have no date. Work hasn’t fully started, and isn’t fully funded. Perhaps your company would like to help? :) See our blog for updates (look in the archive for postings with FIPS in the title;

[openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-05 Thread Grace Priscilla Jero
Hi All, We would want to build our openssl 1.1.0f with FIPS but we noticed it is mentioned as “The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others”. I am unable to find the openssl-fips module for 1.1.0f. Do you know when it will be available? Could you pl

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-05-03 Thread Michael Sierchio
On Tue, May 2, 2017 at 8:27 AM, Michael Wojcik < michael.woj...@microfocus.com > wrote: It may be worth noting that nearly all well-written UNIX applications > should set the disposition of SIGPIPE to SIG_IGN. SIGPI

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-05-02 Thread Michael Wojcik
el Wojcik Distinguished Engineer, Micro Focus From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of mahesh gs Sent: Monday, May 01, 2017 23:59 To: openssl-users@openssl.org Subject: Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write Yes, ours is a library and we

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-05-02 Thread Viktor Dukhovni
> On May 2, 2017, at 5:06 AM, Matt Caswell wrote: > >> Yes, ours is a library and we do not wish to ignore the signal process >> wide because the consumer of our library (application) might want to >> handle the SIGPIPE for their own socket handling. > > Could you use pthread_sigmask() to only

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-05-02 Thread mahesh gs
On Tue, May 2, 2017 at 2:36 PM, Matt Caswell wrote: > > > On 02/05/17 06:59, mahesh gs wrote: > > Hi Matt, > > > > Sorry for delayed response. I was on leave. > > > > Yes, ours is a library and we do not wish to ignore the signal process > > wide because the consumer of our library (application)

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-05-02 Thread Matt Caswell
On 02/05/17 06:59, mahesh gs wrote: > Hi Matt, > > Sorry for delayed response. I was on leave. > > Yes, ours is a library and we do not wish to ignore the signal process > wide because the consumer of our library (application) might want to > handle the SIGPIPE for their own socket handling. C

Re: [openssl-users] Query regarding DTLS handshake

2017-05-01 Thread Michael Tuexen
> On 2. May 2017, at 08:03, mahesh gs wrote: > > > > On Sun, Apr 30, 2017 at 11:11 PM, Michael Tuexen > wrote: > > On 20. Apr 2017, at 20:01, mahesh gs wrote: > > > > Hi, > > > > This issue occur purely based on the time (sequence of events) at which SSL > > read_state_machine enter the po

Re: [openssl-users] Query regarding DTLS handshake

2017-05-01 Thread mahesh gs
On Sun, Apr 30, 2017 at 11:11 PM, Michael Tuexen < michael.tue...@lurchi.franken.de> wrote: > > On 20. Apr 2017, at 20:01, mahesh gs wrote: > > > > Hi, > > > > This issue occur purely based on the time (sequence of events) at which > SSL read_state_machine enter the post processing of certificate

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-05-01 Thread mahesh gs
Hi Matt, Sorry for delayed response. I was on leave. Yes, ours is a library and we do not wish to ignore the signal process wide because the consumer of our library (application) might want to handle the SIGPIPE for their own socket handling. Thanks, Mahesh G S On Thu, Apr 27, 2017 at 4:36 PM,

Re: [openssl-users] Query regarding DTLS handshake

2017-04-30 Thread Michael Tuexen
> On 20. Apr 2017, at 20:01, mahesh gs wrote: > > Hi, > > This issue occurs purely based on the time (sequence of events) at which SSL > read_state_machine enters the post processing of certificate verify which is > received from client. > > Handshake works fine if the certificate verify post p

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Viktor Dukhovni
On Thu, Apr 27, 2017 at 04:32:33PM +0100, Matt Caswell wrote: > >>> Does openssl provide any way to set MSG_NOSIGNAL on sendmsg (Underlying > >>> TCP/IP socket layer) ? > >> > >> No. You will have to modify the code yourself. > > > > Actually, it is possible to do the I/O in application code,

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Ryan Murray
Great article. Who is the author? Sent from Mail for Windows 10 From: Viktor Dukhovni Sent: Thursday, April 27, 2017 11:54 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write On Thu, Apr 27, 2017 at 12:32:42PM +, Salz, Rich via openssl

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Matt Caswell
On 27/04/17 15:53, Viktor Dukhovni wrote: > On Thu, Apr 27, 2017 at 12:32:42PM +, Salz, Rich via openssl-users wrote: > >>> Does openssl provide any way to set MSG_NOSIGNAL on sendmsg (Underlying >>> TCP/IP socket layer) ? >> >> No. You will have to modify the code yourself. > > Actually

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Viktor Dukhovni
On Thu, Apr 27, 2017 at 12:32:42PM +, Salz, Rich via openssl-users wrote: > > Does openssl provide any way to set MSG_NOSIGNAL on sendmsg (Underlying > > TCP/IP socket layer) ? > > No. You will have to modify the code yourself. Actually, it is possible to do the I/O in application code, u

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Salz, Rich via openssl-users
> Does openssl provide any way to set MSG_NOSIGNAL on sendmsg (Underlying > TCP/IP socket layer) ? No. You will have to modify the code yourself.

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Wouter Verhelst
On 27-04-17 13:01, Wouter Verhelst wrote: > On 27-04-17 12:56, mahesh gs wrote: >> Hi, >> >> We are using OpenSSL to establish secure communications for both >> TCP/SCTP connections. >> >> In our application it is possible that the remote end forcefully disconnects >> the connection due to which >>

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Matt Caswell
On 27/04/17 11:56, mahesh gs wrote: > Hi, > > We are using OpenSSL to establish secure communications for both > TCP/SCTP connections. > > In our application it is possible that the remote end forcefully disconnects > the connection due to which > > SSL_Write raises a SIGPIPE which we want to s

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Wouter Verhelst
On 27-04-17 12:56, mahesh gs wrote: > Hi, > > We are using OpenSSL to establish secure communications for both > TCP/SCTP connections. > > In our application it is possible that the remote end forcefully disconnects > the connection due to which > > SSL_Write raises a SIGPIPE which we want to sup

[openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread mahesh gs
Hi, We are using OpenSSL to establish secure communications for both TCP/SCTP connections. In our application it is possible that the remote end forcefully disconnects the connection due to which SSL_Write raises a SIGPIPE which we want to suppress. Does openssl provide any way to set MSG_NOSIGNA

Re: [openssl-users] Query regarding DTLS handshake

2017-04-20 Thread Martin Brejcha
Matt Caswell wrote on 04/20/2017 03:23 PM: > > > On 20/04/17 14:19, Martin Brejcha wrote: >> >> >> Matt Caswell wrote on 04/20/2017 01:29 PM: >>> >>> >>> On 20/04/17 12:26, mahesh gs wrote: Hi Matt, Yes I raised github case for the same issue. I also tried running this call

Re: [openssl-users] Query regarding DTLS handshake

2017-04-20 Thread Matt Caswell
On 20/04/17 14:19, Martin Brejcha wrote: > > > Matt Caswell wrote on 04/20/2017 01:29 PM: >> >> >> On 20/04/17 12:26, mahesh gs wrote: >>> Hi Matt, >>> >>> Yes I raised github case for the same issue. I also tried running this >>> call flow with the latest SNAPSHOT code (openssl-SNAP-20170419)

Re: [openssl-users] Query regarding DTLS handshake

2017-04-20 Thread Martin Brejcha
Matt Caswell wrote on 04/20/2017 01:29 PM: > > > On 20/04/17 12:26, mahesh gs wrote: >> Hi Matt, >> >> Yes I raised github case for the same issue. I also tried running this >> call flow with the latest SNAPSHOT code (openssl-SNAP-20170419) and >> handshake is successful with the latest SNAPSHO

Re: [openssl-users] Query regarding DTLS handshake

2017-04-20 Thread Matt Caswell
On 20/04/17 12:26, mahesh gs wrote: > Hi Matt, > > Yes I raised github case for the same issue. I also tried running this > call flow with the latest SNAPSHOT code (openssl-SNAP-20170419) and > handshake is successful with the latest SNAPSHOT code which is not an > official release. > > I check
