Re: Patch to mitigate CVE-2014-3566 ("POODLE")

2014-10-15 Thread Bodo Moeller
mancha : > Any reason for the s_client -fallback_scsv option check to be within an > #ifndef OPENSSL_NO_DTLS1 block? Thanks for catching this. No, there's no good reason for that; I should move it elsewhere. Bodo

Re: External client certificate signature function

2014-10-15 Thread Fredrik Jansson
Hi Steve! I will try to take that path, thank you! //Fredrik On Mon, Oct 13, 2014 at 6:08 PM, Dr. Stephen Henson wrote: > On Mon, Oct 13, 2014, Fredrik Jansson wrote: > >> Hi! >> >> I have a device where I cannot access the client certificate's private >> key directly, but have access to veri

Re: External client certificate signature function

2014-10-15 Thread Fredrik Jansson
I just realised I can create a RSA_METHOD object and set that in my engine. But what about ECDSA_ENGINE? There is no struct definition available in the public headers, and no public functions to change the members of the struct, e.g. set a new signing function. Is this not possible with ECDSA?

Re: External client certificate signature function

2014-10-15 Thread Dr. Stephen Henson
On Wed, Oct 15, 2014, Fredrik Jansson wrote: > I just realised I can create a RSA_METHOD object and set that in my engine. > > But what about ECDSA_ENGINE? > > There is no struct definition available in the public headers, and no > public functions to change the members of the struct, e.g. set a

OpenSSL version 0.9.8zc released

2014-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.8zc released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8zc of our open sourc

OpenSSL version 1.0.0o released

2014-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 1.0.0o released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.0o of our open source

OpenSSL version 1.0.1j released

2014-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 1.0.1j released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1j of our open source

OpenSSL Security Advisory

2014-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [15 Oct 2014] === SRTP Memory Leak (CVE-2014-3513) Severity: High A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully

OpenSSL 0.9.8 End Of Life Announcement

2014-10-15 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL 0.9.8 End Of Life Announcement == The OpenSSL Project is today making the following announcement: Support for version 0.9.8 will cease on 31st December 2015. No further releases of 0.9.8 will be made after

How bulletproof is TLS Downgrade SCSV ?

2014-10-15 Thread Bogdan Harjoc
How does the newly introduced [1] support for the Downgrade SCSV stop an attacker from removing the SCSV from an outgoing ClientHello ? Am I missing something, or is there no hash to ensure that the ClientHello received by the server has not been tampered with ? [1] https://tools.ietf.org/html/dra

RE: How bulletproof is TLS Downgrade SCSV ?

2014-10-15 Thread Salz, Rich
The hello message is protected by digests at the end of the handshake. Otherwise the national scale adversary (NSA) could tweak anything. The point about fallback is the attacker doesn't have to touch the content to make the client fallback, it just has to interrupt at the TCP layer -- Princ

FIPS 1.2.4 and OpenSSL 0.9.8zc Fails 'make test'

2014-10-15 Thread Russell Selph
Apologies if this is a duplicate post. I tried first via Google Groups, but apparently it's read-only. ;-) Has anyone else built 0.9.8zc with FIPS 1.2.4? I've been unable to get a build that passes the 'make test' phase. I'm using build scripts that worked for 0.9.8.zb. (More details on th

Context options and SSL_MODE_SEND_FALLBACK_SCSV

2014-10-15 Thread Jeffrey Walton
I have a question on the intersection of Patch to mitigate CVE-2014-3566 ("POODLE") [0] and context options. If the context options are set to remove SSLv3: SSL_CTX* ctx = ... long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; SSL_CTX_set_options(ctx, flags); The

RE: Context options and SSL_MODE_SEND_FALLBACK_SCSV

2014-10-15 Thread Salz, Rich
> If the context options are set to remove SSLv3: > Then is the following needed from [0]: > > SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV) You might care about fallback from TLS 1.2 (which has PFS) to TLS 1.1 (which doesn't). I recommend that you always set that flag. -- Principal Sec

Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-15 Thread Todd Pfaff
I'd like to be able to disable SSLv3 for all openssl-enabled applications in a single configuration file if possible, so that this doesn't have to be done for each application. I realize that this could be done by building openssl from source but I imagine it could also be possible to configure t

RE: Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-15 Thread Salz, Rich
> I'd like to be able to disable SSLv3 for all openssl-enabled applications in a > single configuration file if possible, so that this doesn't have to be done > for > each application. No it's not possible. Not enhancement idea, tho. -- Principal Security Engineer, Akamai Technologies IM: rs..

RE: Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-15 Thread Salz, Rich
> > I'd like to be able to disable SSLv3 for all openssl-enabled > > applications in a single configuration file if possible, so that this > > doesn't have to be done for each application. > > No it's not possible. > > Not enhancement idea, tho. AARGH. "Nice" enhancement idea. -- Principal S

Building win64 static library with no-ssl3 option fails on 1.0.1j

2014-10-15 Thread Arthur Ramsey
Hello, I want to disable SSLv3 for a tomcat / tcnative deployment on Windows. Tomcat lacks the ability to disable SSLv3 while retaining TLSv1.1 and TLSv1.2, so I'm attempting to disable SSLv3 at build time with no-ssl3. This was successful on Linux, but not on Windows. I was able to build

compile prob with xlc/aix 0.9.8zc

2014-10-15 Thread Kyle Chapman
Greetings folks. trying to compile 0.9.8zc on aix 7.1 (and 6.1) with various versions on xlc Aix 7.1 has xlc 11.1 Aix 6.1 has xlc 9 Both fail given these steps: ./config shared threads Compiles for aix-cc making all in crypto/rsa... gmake[2]: Entering directory `/san/dev/ssl/0.9.8/crypto/rsa' c

Re: Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-15 Thread Dmitry Belyavsky
Hello Rich, Unfortunately not all applications read the openssl config file... On Thu, Oct 16, 2014 at 2:53 AM, Salz, Rich wrote: > > > I'd like to be able to disable SSLv3 for all openssl-enabled > > > applications in a single configuration file if possible, so that this > > > doesn't have to