Re: Questions about secure curves

2019-10-15 Thread Jakob Bohm via openssl-users
On 15/10/2019 15:43, Stephan Seitz wrote: Hi! I was looking at the output of „openssl ecparam -list_curves” and trying to choose a curve for the web server together with letsencrypt. It seems, letsencrypt supports prime256v1, secp256r1, and secp384r1. Then I found the site https://safecurves

Re: Questions about secure curves

2019-10-16 Thread Jakob Bohm via openssl-users
does still support P-521 but Chrome does not. Also be aware that if you set server-side cipher selection and use default curves, that OpenSSL orders the curves weakest to strongest (even with @STRENGTH) so you will end up forcing P-256. On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl

Re: SHA_CTX h0, h1, h2, h3, h4

2019-10-30 Thread Jakob Bohm via openssl-users
On 30/10/2019 04:04, ratheesh kannoth wrote: Hi, 1. what are these h0-h4? 2. How are they generated? 3. Could you help to locate code in openssl? typedef struct SHAstate_st { SHA_LONG h0, h1, h2, h3, h4; SHA_LONG Nl, Nh; SHA_LONG data[SHA_LBLOCK]; unsigned int num; }

Re: static linking libssl and libcrypto

2019-11-06 Thread Jakob Bohm via openssl-users
Regarding #1: Using libSSL.a instead of libSSL.so should avoid using libSSL.so by definition.  Otherwise something went seriously wrong with the linking.  Same for any other library. On 05/11/2019 18:22, Aijaz Baig wrote: Thank you for the information. I will address your points here: 1. I was

Re: Static linking libssl.a and libcrypto.a on Linux x64 fails

2019-11-13 Thread Jakob Bohm via openssl-users
On 13/11/2019 15:23, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Aijaz Baig Sent: Wednesday, November 13, 2019 01:45 I am trying to statically link libssl.a and libcrypto.a into a static library of my own which I will be using in an applicat

Re: Support FFDHE?

2020-02-28 Thread Jakob Bohm via openssl-users
On 2020-02-28 03:37, Salz, Rich via openssl-users wrote: > Per section Supported Groups in RFC 8446 [1], FFDHE groups could be supported. I was wrong, sorry for the distraction. As others have pointed out, it will be in the next (3.0) release. Note that the group identifiers for the hardw

Re: Which RFC explains how the mac-then-encrypt needs to be implemented

2020-03-02 Thread Jakob Bohm via openssl-users
On 2020-03-03 07:46, Phani 2004 wrote: Hi Team, I am trying to implement mac-then-encrypt for aes_cbc_hmac_sha1 combined cipher. From the code I could understand that the first 16 bytes were being used as explicit IV while decrypting and the hmac is done for 13 byte AAD and 16 byte Fin record

Re: certificate verification error OpenSSL 1.1.1

2020-03-03 Thread Jakob Bohm via openssl-users
On 2020-03-03 08:19, Viktor Dukhovni wrote: On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote: when I tried to verify the self-signed certificate in OpenSSL 1.0.2 it is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL 1.1.1 there is slight change in the beha

Re: TLSv1 on CentOS-8

2020-04-21 Thread Jakob Bohm via openssl-users
That link shows whatever anyone's browser is configured to handle when clicking the link. The important thing is which browsers you need to support, like the ones on https://www.ssllabs.com/ssltest/clients.html Beware that the list I just linked is woefully incomplete for those of us who acti

Re: openssl 1.1.1g test failure(s)

2020-04-21 Thread Jakob Bohm via openssl-users
Summary: The OpenSSL 1.1.1g test suite contains at least two bugs: TestBug#1: Test suite fails if local network has no IPv6, error message (non-verbose) doesn't say that's the issue. [ Testing IPv6 makes sense, rejecting regression tests on inadequate machines is important to avoid silent

Re: CMS in openssl

2020-04-21 Thread Jakob Bohm via openssl-users
A few corrections: OpenSSL included CMS (RFC3369) support since 1.0.0 (see the CHANGES file), though for a long time, there was an arbitrary disconnect between functions named CMS and functions named PKCS#7 even though it should have been a continuum. The PKCS#7 and CMS standards equally and

Re: TLSv1 on CentOS-8

2020-04-22 Thread Jakob Bohm via openssl-users
On 2020-04-22 15:22, Hubert Kario wrote: On Tuesday, 21 April 2020 21:29:58 CEST, Jakob Bohm via openssl-users wrote: That link shows whatever anyone's browser is configured to handle when clicking the link. The important thing is which browsers you need to support, like the ones on

Which 1.1.1 config options set OPENSSL_NO_TESTS ?

2020-05-12 Thread Jakob Bohm via openssl-users
When running Configure in OpenSSL 1.1.1g with various options, it sometimes silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d". This obviously causes "make test" to do nothing with the message "Tests are not supported with your chosen Configure options". Unfortunately, neith

Re: Which 1.1.1 config options set OPENSSL_NO_TESTS ?

2020-05-12 Thread Jakob Bohm via openssl-users
On 12/05/2020 16:01, Matt Caswell wrote: On 12/05/2020 14:50, Jakob Bohm via openssl-users wrote: When running Configure in OpenSSL 1.1.1g with various options, it sometimes silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d". Looking at the code here: https://

Re: freefunc - name clash with Python.h

2020-06-21 Thread Jakob Bohm via openssl-users
On 2020-06-15 09:37, Viktor Dukhovni wrote: On Mon, Jun 15, 2020 at 06:07:20AM +, Jordan Brown wrote: Supplying names for the arguments in function prototypes makes them easier to read, but risks namespace problems. Yes, which is why, some time back, I argued unsuccessfully that we SHOULD NOT

Re: endless loop in probable_prime

2020-06-21 Thread Jakob Bohm via openssl-users
On 2020-06-18 18:13, Salz, Rich via openssl-users wrote: BN_bin2bn assumes that the size of a BN_ULONG (the type of a bn->d) is BN_BYTES. You have already told us that sizeof(*d) is 4. So BN_BYTES should also be 4. If BN_BYTES is being incorrectly set to 8 on your platform the

Re: Unusual certificates

2020-06-25 Thread Jakob Bohm via openssl-users
On 2020-06-25 13:25, Hubert Kario wrote: On Thursday, 25 June 2020 12:15:00 CEST, Angus Robertson - Magenta Systems Ltd wrote: A client is having problems reading Polish Centum issued personal certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier, mostly. Using PEM_read_bio_X509

Re: server key exchange signature behavior

2020-06-25 Thread Jakob Bohm via openssl-users
You may also check out the results of the popular ssllabs.com test here: https://www.ssllabs.com/ssltest/analyze.html?d=jnior.com&hideResults=on Note however that in recent years they have become quite aggressive in labeling things as "weak" when they are simply "slightly less than the best that

Lack of documentation for OPENSSL_ia32cap_P

2020-07-22 Thread Jakob Bohm via openssl-users
The OPENSSL_ia32cap_P variable, its bitfields and the code that sets it (in assembler) seem to have no clear documentation. Looking at x86_64cpuid.pl, I see jumps to ".Lintel" etc. being conditional on stuff other than the CPU being an Intel CPU, while the code in there is generally unreadable due

Re: Lack of documentation for OPENSSL_ia32cap_P

2020-07-28 Thread Jakob Bohm via openssl-users
On 2020-07-26 01:56, Jan Just Keijser wrote: On 23/07/20 02:35, Jakob Bohm via openssl-users wrote: The OPENSSL_ia32cap_P variable, its bitfields and the code that sets it (in assembler) seem to have no clear documentation. Thanks, I somehow missed that document as I was grepping the code

Re: Software that uses OpenSSL

2020-08-17 Thread Jakob Bohm via openssl-users
On 06/08/2020 22:17, Quanah Gibson-Mount wrote: --On Thursday, August 6, 2020 1:21 PM -0700 Dan Kegel wrote: lists 861 packages, belonging to something like 400 projects, that depend on openssl Unfortunately, due to Debian's odd take on the OpenSSL license, many projects that can u

Re: OpenSSL compliance with Linux distributions

2020-08-17 Thread Jakob Bohm via openssl-users
The key thing to do is to make those client applications not request the ssl23-method from OpenSSL 0.9.x . ssl23 explicitly requests this backward-compatibility feature while OpenSSL 3.x.x apparently deleted the ability to respond to this "historic" TLS hello format, which is also sent by some n

Re: Testing

2020-08-31 Thread Jakob Bohm via openssl-users
On 2020-08-31 16:28, Marc Roos wrote: Why don't you block the whole compute cloud of amazon? ec2-3-21-30-127.us-east-2.compute.amazonaws.com Please note, that at least our company hosts a secondary MX in the EC2 cloud, with the option to direct my posts to the list through that server.  However

Re: Cert hot-reloading

2020-08-31 Thread Jakob Bohm via openssl-users
On 2020-09-01 01:52, Viktor Dukhovni wrote: On Sun, Aug 30, 2020 at 07:54:34PM -0500, Kyle Hamilton wrote: I'm not sure I can follow the "in all cases it's important to keep the key and cert in the same file" argument, particularly in line with openat() usage on the cert file after privilege t

Re: Cert hot-reloading

2020-09-01 Thread Jakob Bohm via openssl-users
On 2020-09-01 04:26, Viktor Dukhovni wrote: On Aug 31, 2020, at 10:57 PM, Jakob Bohm via openssl-users wrote: Given the practical impossibility of managing atomic changes to a single POSIX file of variable-length data, it will often be more practical to create a complete replacement file, then

Re: Cert hot-reloading

2020-09-01 Thread Jakob Bohm via openssl-users
On 2020-09-01 06:57, Viktor Dukhovni wrote: On Mon, Aug 31, 2020 at 11:00:31PM -0500, David Arnold wrote: 1. Construe symlinks to current certs in a folder (old or new / file by file) 2. Symlink that folder 3. Rename the current symlink to that new symlink atomically. This is fine, but does no

Re: Testing

2020-09-03 Thread Jakob Bohm via openssl-users
On 2020-09-03 09:42, Marc Roos wrote: PTR record, SPF, DKIM and DMARC are also set by spammers, and sometimes even just before a spam run. It is either choosing to do Amazon's work or not having any work. If more and more are blocking the Amazon cloud it would make their clients leave and this fi

Re: Testing

2020-09-03 Thread Jakob Bohm via openssl-users
On 2020-09-03 12:25, Marc Roos wrote: Why are you defending Amazon? Everyone processing significant mail and http traffic is complaining about them. They were even listed in Spamhaus's top 10 abuse networks (until they started contributing to them?) Because we are sending non-spam mail from a

Re: OpenSSL Security Advisory

2020-09-09 Thread Jakob Bohm via openssl-users
On 2020-09-09 14:39, OpenSSL wrote: OpenSSL Security Advisory [09 September 2020] Raccoon Attack (CVE-2020-1968) Severity: Low The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker

Re: OpenSSL Security Advisory

2020-09-10 Thread Jakob Bohm via openssl-users
On 2020-09-10 09:03, Tomas Mraz wrote: On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote: Wouldn't a more reasonable response for 1.0.2 users have been to force on SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher suites and telling affected peop

Re: CAPI engine seems to break server validation

2020-10-23 Thread Jakob Bohm via openssl-users
On 2020-10-23 15:45, Matt Caswell wrote: On 23/10/2020 14:10, Brett Stahlman wrote: It seems that the CAPI engine is breaking the server verification somehow. Note that the only reason I'm using the ca-bundle.crt is that I couldn't figure out how to get CAPI to load the Windows "ROOT" certifica

Re: CAPI engine seems to break server validation

2020-10-26 Thread Jakob Bohm via openssl-users
PSS signatures, but failing to pass that job to the CAPI engine. I was commenting on how that might be made to work. On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users <openssl-users@openssl.org> wrote: On 2020-10-23 15:45, Matt Caswell wrote: > >

Fencepost errors in certificate and OCSP validity

2020-10-28 Thread Jakob Bohm via openssl-users
Recently, the EJBCA developers publicly warned (via the Mozilla root store policy mailing list) other CA vendors that they had incorrectly implemented the handling of the "notAfter" X509 field, resulting in certificates that lasted 1 second longer than intended. Prompted by this warning, I checke

Re: How to make ocsp responder busy

2020-11-09 Thread Jakob Bohm via openssl-users
On 2020-11-09 09:58, Venkata Mallikarjunarao Kosuri via openssl-users wrote: Hi We are trying to work scenario to openssl OCSP responder busy, but we are not sure how to make OCSP responder busy could please throw some pointer to work on. Ref https://www.openssl.org/docs/man1.0.2/man1/ocsp.

Re: Server application hangs on SS_read, even when client disconnects

2020-11-16 Thread Jakob Bohm via openssl-users
(Top posting to match what Mr. André does): TCP without keepalive will time out the connection a few minutes after sending any data that doesn't get a response. TCP without keepalive with no outstanding send (so only a blocking recv) and nothing outstanding at the other end will probably hang al

Re: Regarding #def for 'SSL_R_PEER_ERROR_NO_CIPHER' and 'SSL_R_NO_CERTIFICATE_RETURNED' in openssl3.0

2020-12-07 Thread Jakob Bohm via openssl-users
On 07/12/2020 12:39, Matt Caswell wrote: On 04/12/2020 13:28, Narayana, Sunil Kumar wrote: Hi, We are trying to upgrade our application from openssl usage of 1.0.2 to openssl 3.0, during which we observe following errors. Looks like the below #def been removed from 1.1 onward

Re: Random and rare Seg faults at openssl library level

2021-01-08 Thread Jakob Bohm via openssl-users
On 2021-01-07 18:05, Ken Goldman wrote: On 1/7/2021 10:11 AM, Michael Wojcik wrote: $ cat /etc/redhat-release && openssl version CentOS Linux release 7.9.2009 (Core) OpenSSL 1.0.2k-fips  26 Jan 2017 Ugh. Well, OP should have made that clear in the original message. And this is one of the pro

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Jakob Bohm via openssl-users
On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider.  It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider.  These wer

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
't be validated, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote: On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie:

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
legacy algorithms it only shows that the "true" FIPS mode was not as "true" as you might think. There were some crypto algorithms like the KDFs outside of the FIPS module boundary. Tomas Mraz On Thu, 2021-01-28 at 09:26 +0100, Jakob Bohm via openssl-users wrote: Does that mean

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
t. Anyway OpenSSL 3.0 gives you all the flexibility needed. Tomas On Thu, 2021-01-28 at 10:24 +0100, Jakob Bohm via openssl-users wrote: Does FIPS 140 or the related legal requirements limit the use of higher level compositions such as PKCS12KDF, when using only validated cryptography for the und

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
. Because it can be used only with obsolete encryption algorithms anyway - the best one being 3DES for the encryption and SHA1 for the KDF. Tomas On Thu, 2021-01-28 at 11:08 +0100, Jakob Bohm via openssl-users wrote: If the context does not limit the use of higher level compositions, then OpenSSL

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
Also note that the official ASN.1 declaration for AlgorithmIdentifier (from X.509 (2012), section 7.2) marks the parameters field as OPTIONAL, so parsers really should accept its absence. However if broken parsers are common (this thread only found one such parser), maybe it would be good practic

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
If only one or a few parsers are broken, they need to be fixed. If many broken parsers have proliferated due to generators semi-violating DER by not omitting the empty field, that has become the new reality that generators must deal with. PKIX arbitrarily limiting serial numbers to 159 bits has

Re: Query on SSL Mutual Authentication on Server

2021-03-02 Thread Jakob Bohm via openssl-users
On 2021-03-01 17:28, Viktor Dukhovni wrote: On Mon, Mar 01, 2021 at 09:21:29PM +0530, Archana wrote: I am new to SSL programming. On our SSL Server implementation, we are trying to enforce Mutual Authentication. Is it Mandatory to provide a user defined Callback using SSL_ctx_setverify() No ca

Re: PKCS7_decrypt vs RSA OAEP padding

2021-04-15 Thread Jakob Bohm via openssl-users
On 2021-04-15 12:57, Michal Moravec wrote: Follow-up on my previous email: I modified my proof-of-problem program to load PKCS7 file into PKCS7 and convert it to CMS_ContentInfo using the BIO (See convert.c in the attachment). It is similar to this: handle_encrypted_content(SCEP *handle, SC

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
On 2021-05-19 19:56, Michael McKenney wrote: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it. OpenSSL 1.1.1f  31 Mar 2020 (Library: OpenSSL 1.1.1k  25 Mar 2021) built on: Thu Apr 29 14:11:04 2021 UTC platfor

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
annot access '/usr/locallib/libssl*': No such file or directory $ ls -alF /usr/local/bin/openssl ls -alF /usr/local/bin/openssl ls: cannot access '/usr/local/bin/openssl': No such file or directory $ /usr/local/bin/openssl version -a /usr/local/bin/openssl version -a -bash:

Re: FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-06-01 Thread Jakob Bohm via openssl-users
On 2021-05-28 22:50, Michael Wojcik wrote: Just realized I sent this directly to Graham instead of to the list. -Original Message- From: Michael Wojcik Sent: Friday, 28 May, 2021 09:37 To: 'Graham Leggett' Subject: RE: X509_verify_cert() rejects all trusted certs with "default" X509_V

Best practice for distributions that freeze OpenSSL versions and backports

2021-06-08 Thread Jakob Bohm via openssl-users
Dear team, It would be nice if there was a user- and security-friendly best practice document for distributions (such as Linux distributions) that freeze on an OpenSSL release version (such as 1.1.1z) and then backport any important fixes. Perhaps something like the following: 1. The distri

Re: openssl verify question

2021-06-17 Thread Jakob Bohm via openssl-users
On 2021-06-17 15:49, Viktor Dukhovni wrote: On Sat, Jun 12, 2021 at 10:20:22PM +0200, Gaardiolor wrote: When I compare those, they are exactly the same. But that's the thing, I think server.sig.decrypted should be prepended with a sha256 designator 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 0

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 06:38, sami0l via openssl-users wrote: I'm curious how exactly an SSL client verifies an SSL server's certificate which is signed by a CA. So, during the SSL handshake, when the server sends its certificate, will the SSL client first check the `Issuer`'s `CN` field from the x509

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 16:23, Michael Wojcik wrote: From: openssl-users On Behalf Of Jakob Bohm via openssl-users Sent: Friday, 18 June, 2021 07:10 To: openssl-users@openssl.org Subject: Re: reg: question about SSL server cert verification On 2021-06-18 06:38, sami0l via openssl-users wrote: I&#

Re: reg: question about SSL server cert verification

2021-06-19 Thread Jakob Bohm via openssl-users
On 2021-06-18 17:07, Viktor Dukhovni wrote: On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote: Now the client simply works backwards through that list, checking if each certificate signed the next one or claims to be signed by a certificate in /etc/certs.  This

Re: email notice [was: Not getting some macros for FIPS]

2021-07-01 Thread Jakob Bohm via openssl-users
On 2021-06-25 22:26, Richard Levitte wrote: On Wed, 23 Jun 2021 10:51:05 +0200, Tomas Mraz wrote: On Wed, 2021-06-23 at 08:12 +, Kumar Mishra, Sanjeev wrote: Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is c

Re: query on key usage OIDs

2021-07-16 Thread Jakob Bohm via openssl-users
Question was how to retrieve those lists for any given certificate, using currently supported OpenSSL APIs. The lists of usage bits and extusage OIDs in any given certificate are finite, even if the list of values that could be in other certificates is infinite. On 2021-07-16 06:44, Kyle Hamilto

Re: Deciphering a .p7f file

2021-08-11 Thread Jakob Bohm via openssl-users
On 2021-08-11 13:52, Keine Eile wrote: Hi list members, I have a .p7f in hand, which seems to be a DER encoded PKCS7 structure in some way, I can use 'openssl pkcs' to transform it into PEM form, I also can pull a bunch of certificates out of it. But I know, there is some encrypted payload

Re: libcrypto.dylib, building for macOS-arm64 but attempting to link with file built for macOS-x86_64

2021-08-19 Thread Jakob Bohm via openssl-users
This is a known deficiency of how Apple rushed adding support for their M1 ARM Desktop CPU to the XCode build suite. When building a desktop macOS program file with XCode, it will implicitly try to build both an x86_64 and an arm64 variant, and will get very surprised by your compiled open source

Re: Need some help signing a certificate request

2021-08-23 Thread Jakob Bohm via openssl-users
On 21/08/2021 19:42, Michael Wojcik wrote: From: rgor...@centerprism.com Sent: Saturday, 21 August, 2021 11:26 My openssl.cnf (I have tried `\` and `\\` and `/` directory separators): Use forward slashes. Backslashes should work on Windows, but forward slashes work everywhere. I don't know th

Re: problems with too many ssl_read and ssl_write errors

2021-08-23 Thread Jakob Bohm via openssl-users
For the below symptoms, I would recommend watching the application port with Wireshark. This should show any TLS protocol deviations and any problems in handling and establishing the TCP connections. On 2021-08-19 00:38, David Bowers via openssl-users wrote: * We have a server that has

Re: Reducing the footprint of a simple application

2021-09-14 Thread Jakob Bohm via openssl-users
Hi fellow sufferer, I used to do a lot of manual patching of OpenSSL 1.0.x to remove the insane object interdependencies (such as objects named foolib.c being nexus points that bring in tonnes of irrelevant code because someone was too unfamiliar with basic library concepts to make an actual l

Re: Reducing the footprint of a simple application

2021-09-15 Thread Jakob Bohm via openssl-users
On 2021-09-14 12:14, Dr Paul Dale wrote: > ...low security RNGs and other antifeatures. Huh  Where?  Why plural? The only **one** I'm aware of is the one I added to stochastically flush the property cache where it doesn't need to be cryptographically secure. Some applications need mor

Re: OpenSSL 3.0.0 custom entropy source

2021-09-25 Thread Jakob Bohm via openssl-users
So is there no longer an API to feed entropy to the default or FIPS default RNG? Creating an entire provider just to feed input to the FIPS provider seems overkill. On 2021-09-14 01:00, Dr Paul Dale wrote: Try working from providers/implementations/rands/seed_src.c  You'll need to reimplemen

Re: Examples of adding Private Enterprise Numbers (PEN's) Extensions to CSR

2021-10-15 Thread Jakob Bohm via openssl-users
On 2021-10-14 18:43, Philip Prindeville wrote: Hi, I need to generate CSR's with some Extensions included that use our PEN's as allocated by IANA. Are there any examples of this? Also, I'm looking at X509_REQ_add_extensions_nid() and it takes a STACK_OF(X509_EXTENSION) but it doesn't seem to

Re: OpenSSL 1.1 on OSX

2021-12-03 Thread Jakob Bohm via openssl-users
Which is indeed what I do in our notarized Mac OS X and iOS applications.  However to do so, I have historically needed to clean up OpenSSL source code to actually behave as a proper static library where only used functions are linked in.  Most notably, the source files named xxx_lib.c tend to ca

Re: Starting the QUIC Design

2021-12-03 Thread Jakob Bohm via openssl-users
Please note that the embedded github links don't work for me, as all I get is an error page with a log in form. One major issue with any QUIC implementation is how closely that protocol is tied to Google and their desire to have web browsers quickly load elements from 3rd-party web servers, such as

Re: New Blog Post

2021-12-03 Thread Jakob Bohm via openssl-users
On 2021-11-25 15:00, Matt Caswell wrote: Please see the new blog post by Tim Hudson giving an update on the OpenSSL Project. https://www.openssl.org/blog/blog/2021/11/25/openssl-update/ Followup: While the OpenSSL leadership may think they have made things easier for algorithm developers, th

Re: Larger RSA keys (Modulus bits > 16384)

2021-12-26 Thread Jakob Bohm via openssl-users
On 26/12/2021 16:21, Grégory Widmer via openssl-users wrote: Dear OpenSSL users, I have a question about OpenSSL. Recently, I asked myself if there was a maximum bit length for the modulus of an RSA key. I tried to type: user@host:~$ openssl genrsa 32768 Warning: It is not recommended to us

Re: EVP_PKEY_get_int_param is not getting degree from EC key

2022-01-05 Thread Jakob Bohm via openssl-users
On 2022-01-05 09:45, Tomas Mraz wrote: ... So you're basically asking to put something like - "The parameter most probably won't fit into unsigned int." - to every such parameter documented for PKEYs? "unsigned BIGNUM" instead of "unsigned integer" would be short and much clearer in the descr

Re: Order of providers breaks my keymgmt

2022-01-17 Thread Jakob Bohm via openssl-users
On 17/01/2022 09:49, Tomas Mraz wrote: On Mon, 2022-01-17 at 09:36 +0100, Milan Kaše wrote: Hi, I successfully implemented OpenSSL v3 provider which provides store and keymgmt and I can use it to sign a cms with the following command: openssl cms -sign -signer myprov:cert=0014 -provider myprov

Re: Getting cert serial from an OCSP single response

2022-10-31 Thread Jakob Bohm via openssl-users
On 2022-10-31 01:11, Alexei Khlebnikov wrote: Hello Geoff, Try the following function, receive the serial number via the "pserial" pointer. But avoid changing the number via the pserial pointer because it points inside the OCSP_CERTID structure. int OCSP_id_get0_info(ASN1_OCTET_STRING **piN

Re: an oldie but a goodie .. ISO C90 does not support 'long long'

2022-11-11 Thread Jakob Bohm via openssl-users
On 2022-11-06 23:14, raf via openssl-users wrote: On Sat, Nov 05, 2022 at 02:22:55PM +, Michael Wojcik wrote: From: openssl-users On Behalf Of raf via openssl-users Sent: Friday, 4 November, 2022 18:54 On Wed, Nov 02, 2022 at 06:29:45PM +, Michael Wojcik via openssl-users wrote:

Re: an oldie but a goodie .. ISO C90 does not support 'long long'

2022-11-23 Thread Jakob Bohm via openssl-users
On 2022-11-15 21:36, Phillip Susi wrote: Jakob Bohm via openssl-users writes: Performance wise, using a newer compiler that implements int64_t etc. via frequent library calls, while technically correct, is going to run unnecessarily slow compared to having algorithms that actually use the

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Jakob Bohm via openssl-users
On 04/10/2018 17:14, Salz, Rich via openssl-users wrote: Which version of OpenSSL are you using? 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. 1.1.1 has a good random number generator and auto-seeds. What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Jakob Bohm via openssl-users
On 04/10/2018 17:38, Salz, Rich wrote: What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other than not being an NSA/NIST design? Poor locking; been known to crash. Simple bug, not a reason to change the algorithm. Does not reseed. But can be reseeded if so desired, sub

Re: [openssl-users] Wildcard: how are they correct?

2018-10-10 Thread Jakob Bohm via openssl-users
Actually, for public CAs, the current standard (the CAB/F Basic Requirements) require (a), (b) or (c), and prohibit (d). The prohibition on (d) is stated indirectly as a prohibition against putting something that isn't the subject's validated public DNS name in CN. In practice, most public CAs us

Re: [openssl-users] CMS_verify provides empty output

2018-10-10 Thread Jakob Bohm via openssl-users
On 10/10/2018 13:55, RudyAC wrote: Hello, when verifying a signed email with CMS_verify() the verification failed. That is not the main problem. My problem is that the out data is empty. Using the library I got the following error: OpenSSL Error code all:<772382878d> OpenSSL Error code lib:

Re: [openssl-users] openssl commandline client use

2018-10-11 Thread Jakob Bohm via openssl-users
On 11/10/2018 06:44, Paul Chubb wrote: Hi thanks for the responses. I try not to do crypto for the very reasons you raise - I simply don't know enough and your (good) pointed questions have demonstrated that.  Context: We are trying for GDPR and other privacy law compliance. We probably need

Re: [openssl-users] sendmail, openssl 1.1.1, tls1.3

2018-10-15 Thread Jakob Bohm via openssl-users
On 16/10/2018 06:19, Viktor Dukhovni wrote: On Oct 15, 2018, at 9:22 PM, Viktor Dukhovni wrote: pointing the CACertFile to 750KB file with 149 certificates. With 149 certs, and typical CA names O(80) bytes, we're looking at ~12KB of cert names, which should fit into an extension that can be u

Re: [openssl-users] OpenSSL occasionally generates wrong signature

2018-10-16 Thread Jakob Bohm via openssl-users
On 16/10/2018 16:39, Dmitry wrote: Hello! I have a C++ programme, ECDSA key pair and some string to sign. The programme generates signature and saves it into a file (signature.bin). Then I check the validity of the signature via the following command: openssl dgst -verify ec_public.pem -sig

Re: [openssl-users] Openssl Build Error- module unsafe for SAFESEH image/Unable to generate SAFESEH image

2018-10-18 Thread Jakob Bohm via openssl-users
SAFESEH requires any code that sets up Win32/i386 SEH handlers to include special assembler directives to add the handler code address to a special list which the linker then puts in the compiled program for the Windows runtime (NTDLL.DLL etc.) to check to make sure it is only calling back to your

Re: [openssl-users] To disable CBC ciphers

2018-10-22 Thread Jakob Bohm via openssl-users
On 20/10/2018 15:59, Kaushal Shriyan wrote: On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah <murugesh.pitcha...@gmail.com> wrote: Hi, You may list down what ciphers configured : "openssl ciphers" Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!"

Re: [openssl-users] What to do with deprecation errors

2018-10-22 Thread Jakob Bohm via openssl-users
Ah, I guess it wanted you to also compile OpenSSL for i386 and put that (different!) opensslconf.h in the i386-specific directory. That also means you should have moved opensslconf.h to the subdir, not copied it. On 22/10/2018 20:42, Skip Carter wrote: Found the problem! Thanks to Selva for

Re: [openssl-users] CAPI-Engine doc

2018-10-23 Thread Jakob Bohm via openssl-users
On 23/10/2018 17:22, Selva Nair wrote: On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users wrote: Hi! I'm trying to get a handle on the CAPI engine, because I need to have a secure Keystore on Windows. Furthermore I need it to work with Qt's QSslKey, which fortunately can be c

Re: [openssl-users] ssl_accept failure

2018-10-25 Thread Jakob Bohm via openssl-users
On 25/10/2018 00:34, Skip Carter wrote: I have a server-side application that fails when some clients connect: waiting for SSL accept()... SSL_accept() (0) failure -1 SSL_accept() (1) failure 5 [DEBUG] Error string : error:0005:lib(0):func(0):DH lib SSL_accept() sockerrno is: 0 I think

Re: [openssl-users] Using (not building) openssl with mingw on Windows 10

2018-10-29 Thread Jakob Bohm via openssl-users
On 26/10/2018 23:08, Ken Goldman wrote: I've been happily using the Shining Light 32-bit binaries with both openssl 1.0 and 1.1 and mingw. On a new machine, I tried the 64-bit binaries.  However, they're missing the openssl/lib/mingw directory where the .a files resided. It looks like the li

Re: [openssl-users] EC_KEY_check_key

2018-11-02 Thread Jakob Bohm via openssl-users
On 02/11/2018 08:50, Thulasi Goriparthi wrote: Hi, I am going through the checks done by EC_KEY_check_key method. I see the following checks in order. 1. Is point at infinity? - reject. 2. Is point not on curve? reject. 3. Is point not in the primary subgroup? reject. 4. If priv key(scalar) ava

Re: [openssl-users] EC_KEY_check_key

2018-11-05 Thread Jakob Bohm via openssl-users
test assumes the other test does it. On Fri, 2 Nov 2018 at 16:53, Jakob Bohm via openssl-users wrote: On 02/11/2018 08:50, Thulasi Goriparthi wrote: Hi, I am going through the checks done by EC_KEY_check_key method. I see the following checks in order. 1. Is point at infinity? - reject. 2. Is
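The checks listed in this thread (infinity, on-curve, prime-order subgroup, then the private scalar) are easiest to see on a curve small enough to enumerate. The block below is an added example, not OpenSSL's EC_KEY_check_key or anything posted in the thread: it runs the same sequence of checks over a constructed textbook curve, y^2 = x^3 + x + 1 over F_23, which has 28 points (prime subgroup order 7, cofactor 4), so there is a genuine 2-torsion point for the subgroup check to reject. The fourth item in the thread is truncated; the scalar checks in check_key (range and priv*G == pub) are my assumption of what it continues with.

```python
# Toy curve y^2 = x^3 + x + 1 over F_23: a constructed textbook example with 28 points
# (prime subgroup order 7, cofactor 4), chosen so the subgroup check has something to reject.
# Not a real TLS curve and not OpenSSL's code.
P_MOD, A, B = 23, 1, 1
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p, q):
    """Affine group law; pow(v, -1, P_MOD) needs Python 3.8+."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p == -q (also covers doubling a point with y == 0)
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication (no side-channel hardening; toy only)."""
    r = INF
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def all_points():
    return [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return n if n > 1 else f

GROUP_ORDER = len(all_points())        # 28 on this curve
N = largest_prime_factor(GROUP_ORDER)  # 7: order of the prime subgroup
H = GROUP_ORDER // N                   # 4: cofactor

def find_generator():
    """Clear the cofactor off any point; the first non-infinity result has order N."""
    for pt in all_points()[1:]:
        g = mul(H, pt)
        if g is not INF:
            return g

G = find_generator()

def check_key(pub, priv=None):
    """The checks from the thread, in the same order. Returns (ok, reason)."""
    if pub is INF:
        return False, "public point is the point at infinity"
    if not on_curve(pub):
        return False, "public point is not on the curve"
    if mul(N, pub) is not INF:
        return False, "public point is not in the prime-order subgroup"
    if priv is not None:
        # Assumed continuation of the truncated 4th item: scalar in range and matches the point.
        if not 1 <= priv < N:
            return False, "private scalar out of range"
        if mul(priv, G) != pub:
            return False, "public point does not equal priv * G"
    return True, "ok"

if __name__ == "__main__":
    print("order", GROUP_ORDER, "n", N, "h", H, "G", G)
    for pub, priv in [(INF, None), ((4, 1), None), ((4, 0), None), (G, 1), (mul(3, G), 2)]:
        print(pub, priv, check_key(pub, priv))
```

The point (4, 0) is on the curve but has order 2, so it passes the first two checks and fails only at the subgroup test; on a real curve with cofactor 1 that test is redundant, which is why implementations sometimes drop it, and on a curve with a cofactor it is the check that stops a small-subgroup key from being accepted.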

Re: [openssl-users] compile warning on 32bit platform:integer constant is too large for 'long' type

2018-11-05 Thread Jakob Bohm via openssl-users
On 05/11/2018 15:56, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of lu zhihong Sent: Thursday, November 01, 2018 05:58 when compiling openssl 1.1.1 on a linux 32bit platform, I met some compile warnings, like: crypto/ec/curve448/curve448_tables.c

Re: [openssl-users] a problem connecting to a specific Site ...

2018-11-05 Thread Jakob Bohm via openssl-users
On 03/11/2018 08:56, Walter H. wrote: Hello, it is a little bit weird/strange/complicated; On 02.11.2018 23:05, Matt Caswell wrote: On 02/11/2018 21:51, Walter H. wrote: Hello, when I try to connect to https://www.3bg.at/ I get the following error Handshake with SSL server failed: error:14

Re: [openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?

2018-11-05 Thread Jakob Bohm via openssl-users
On 03/11/2018 10:11, Hanno Böck wrote: On Sat, 3 Nov 2018 12:28:02 +0500 Марк Коренберг wrote: Try openssl cms ( as newer alternative to s/mime) cms is not newer than s/mime, it's the underlying message format of s/mime. According to this https://www.openssl.org/docs/man1.0.2/apps/openssl.ht

Re: [openssl-users] updating openssl

2018-11-08 Thread Jakob Bohm via openssl-users
On Debian systems, the standard procedure on Debian is to build your private/different versions of openssl (or anything else) in /usr/local, while leaving the Debian modified OpenSSL in /usr . This should keep your own code and Debian code out of each others way. Any programs you need to use wit

Re: [openssl-users] AESCBC support in SSL

2018-11-21 Thread Jakob Bohm via openssl-users
I think you missed the following: Because CBC is the oldest block cipher mode in SSL and TLS, the cipher suites using CBC don't include the letters "CBC" in their names. They simply don't mention a different mode (such as GCM or CCM). For example ECDHE-RSA-AES128-SHA uses AES128 in CBC mode. On
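Both this thread and the earlier "To disable CBC ciphers" one come down to the same step: recognise which suites in `openssl ciphers -v` output are CBC even though the name does not say so, then put them on the `ssl_ciphers` list with a "!" prefix. The block below is an added example, not code from either thread or from OpenSSL: it parses a constructed sample in the column layout of `openssl ciphers -v` and classifies each suite. The `Mac=AEAD` column is the reliable signal (GCM, CCM and CHACHA20-POLY1305 suites all carry it); everything else built on a block cipher is CBC, and the one family that does spell it out, 3DES, writes it as "CBC3".

```python
# Constructed sample modelled on the column layout of `openssl ciphers -v`;
# it is not captured from a real host and is only here so the block runs offline.
SAMPLE_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-CCM          TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128)            Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)               Mac=SHA256
ECDHE-RSA-AES128-SHA        TLSv1.0 Kx=ECDH     Au=RSA  Enc=AES(128)               Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)               Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA      SSLv3   Kx=ECDH     Au=RSA  Enc=3DES(168)              Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)               Mac=SHA1
"""

AEAD_NAME_MARKERS = ("GCM", "CCM", "CHACHA20")

def parse_ciphers_v(text):
    """Yield (name, fields) per non-empty line; fields maps Kx/Au/Enc/Mac to their values."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts if "=" in p)
        yield parts[0], fields

def suite_mode(name, fields):
    """Classify a suite as 'AEAD', 'stream' or 'CBC'.

    Mac=AEAD is the reliable signal; the name markers are a fallback for lines
    without a Mac column. Anything left that is not RC4 is a block cipher in CBC,
    whether or not the name says so.
    """
    if fields.get("Mac") == "AEAD" or any(m in name for m in AEAD_NAME_MARKERS):
        return "AEAD"
    if fields.get("Enc", "").startswith("RC4"):
        return "stream"
    return "CBC"

def classify(text):
    return {name: suite_mode(name, f) for name, f in parse_ciphers_v(text)}

def cbc_exclusion_string(text):
    """Build the '!NAME:!NAME' fragment to append to ssl_ciphers, as the thread suggests."""
    return ":".join("!" + n for n, m in classify(text).items() if m == "CBC")

if __name__ == "__main__":
    for name, mode in classify(SAMPLE_CIPHERS_V).items():
        print(f"{name:28s} {mode}")
    print("exclude:", cbc_exclusion_string(SAMPLE_CIPHERS_V))
```

Run it against real output with `openssl ciphers -v 'ALL' | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; the exclusion string it prints is what goes after the positive part of the `ssl_ciphers` value. Re-run it after any OpenSSL upgrade, since an explicit "!NAME" list only covers suites that existed when it was generated.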

Re: [openssl-users] error message oddity

2018-11-26 Thread Jakob Bohm via openssl-users
On 25/11/2018 22:30, Viktor Dukhovni wrote: On Nov 25, 2018, at 4:23 PM, Jeremy Harris wrote: That isn't the package name, it is text defined in openssl/opensslv.h That happens when "OPENSSL_FIPS" is defined: # define OPENSSL_VERSION_NUMBER 0x101000b0L # ifdef OPENSSL_FIPS # define

[openssl-users] Client CA list sending is also in TLS < 1.3 (RFC6066)

2018-11-26 Thread Jakob Bohm via openssl-users
Hi, The ability of a TLS client to optionally send a list of trusted CAs to the TLS server is not new in TLS 1.3. In TLS 1.2 and older it was an extension "Trusted CA Indication" (3), defined in RFC6066 Chapter 6. So I would suggest that any OpenSSL API to control that feature in TLS 1.3 also a

Re: [openssl-users] Client CA list sending is also in TLS < 1.3 (RFC6066)

2018-11-26 Thread Jakob Bohm via openssl-users
On 26/11/2018 20:04, Viktor Dukhovni wrote: On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users wrote: In TLS 1.2 and older it was an extension "Trusted CA Indication" (3), defined in RFC6066 Chapter 6. So I would suggest that any OpenSSL API to control that feature in TL
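To make concrete what the RFC 6066 "Trusted CA Indication" extension (type 3) discussed in these two messages actually carries on the wire, here is an added example that is not from the thread and not OpenSSL's code: an encoder and a bounds-checked decoder for the TrustedAuthorities structure of RFC 6066 section 6, with its four IdentifierType values (pre_agreed, key_sha1_hash, x509_name, cert_sha1_hash). The DistinguishedName and the certificate hash it encodes are constructed for the example; the DER helper only handles the short-form lengths the sample needs.

```python
import hashlib
import struct

# IdentifierType values and the extension_type number, all from RFC 6066 section 6.
PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3
EXT_TRUSTED_CA_KEYS = 3

def der(tag, content):
    """Minimal DER TLV for the short-form lengths used below (content < 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

# Constructed DistinguishedName: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String "Example CA" } } }
SAMPLE_DN = der(0x30, der(0x31, der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x0C, b"Example CA"))))
# Constructed stand-in for a CA certificate; only its SHA-1 hash travels in the extension.
SAMPLE_CERT_SHA1 = hashlib.sha1(b"constructed CA certificate bytes").digest()

def encode_trusted_authorities(entries):
    """Encode a TrustedAuthorities body: 16-bit length, then the TrustedAuthority list."""
    body = bytearray()
    for id_type, ident in entries:
        body.append(id_type)
        if id_type == PRE_AGREED:
            if ident:
                raise ValueError("pre_agreed carries no identifier")
        elif id_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if len(ident) != 20:
                raise ValueError("SHA1Hash must be 20 bytes")
            body += ident
        elif id_type == X509_NAME:
            if not 1 <= len(ident) <= 0xFFFF:
                raise ValueError("DistinguishedName is opaque<1..2^16-1>")
            body += struct.pack("!H", len(ident)) + ident
        else:
            raise ValueError(f"unknown IdentifierType {id_type}")
    if len(body) > 0xFFFF:
        raise ValueError("trusted_authorities_list too long")
    return struct.pack("!H", len(body)) + bytes(body)

def decode_trusted_authorities(buf):
    """Parse back to [(id_type, identifier)]; every read is bounds-checked and trailing bytes are rejected."""
    if len(buf) < 2:
        raise ValueError("truncated list length")
    (n,) = struct.unpack("!H", buf[:2])
    if 2 + n != len(buf):
        raise ValueError("list length does not match data")
    pos, end, out = 2, 2 + n, []
    while pos < end:
        id_type = buf[pos]
        pos += 1
        if id_type == PRE_AGREED:
            ident = b""
        elif id_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            ident = buf[pos:pos + 20]
            if len(ident) != 20:
                raise ValueError("truncated SHA1Hash")
            pos += 20
        elif id_type == X509_NAME:
            if pos + 2 > end:
                raise ValueError("truncated DistinguishedName length")
            (dn_len,) = struct.unpack("!H", buf[pos:pos + 2])
            pos += 2
            if dn_len == 0 or pos + dn_len > end:
                raise ValueError("bad DistinguishedName length")
            ident = buf[pos:pos + dn_len]
            pos += dn_len
        else:
            raise ValueError(f"unknown IdentifierType {id_type}")
        out.append((id_type, bytes(ident)))
    return out

def encode_extension(entries):
    """Wrap the body as a ClientHello extension: type 3, 16-bit length, then the data."""
    data = encode_trusted_authorities(entries)
    return struct.pack("!HH", EXT_TRUSTED_CA_KEYS, len(data)) + data

SAMPLE_ENTRIES = [(PRE_AGREED, b""), (CERT_SHA1_HASH, SAMPLE_CERT_SHA1), (X509_NAME, SAMPLE_DN)]

if __name__ == "__main__":
    ext = encode_extension(SAMPLE_ENTRIES)
    print(ext.hex())
    print(decode_trusted_authorities(ext[4:]))
```

The decoder rejects a zero-length DistinguishedName, a hash shorter than 20 bytes and any bytes left over after the declared list length, which is the kind of input a TLS peer can hand you; the three constructed entries encode to 50 bytes, so the extension header reads 00 03 00 32.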

Re: [openssl-users] Error: does not have a number assigned

2018-11-27 Thread Jakob Bohm via openssl-users
On 27/11/2018 11:50, EYAL INBAR wrote: Hello I try to add API,CMP_build_KUR_req, to crypto lib and get Error: CMP_build_KUR_req does not have a number assigned Any suggestion? This means you are compiling for a platform (probably Windows or OS/2) where names exported from DLLs are assigned un

Re: [openssl-users] GSCheck fails for Windows 32build 'libeay32.dll' library

2018-11-28 Thread Jakob Bohm via openssl-users
If GSCheck is just a tool to check if you remembered to build code with the buffer overflow checks that Microsoft C can insert, then you should just treat this as a warning that the tool doesn't know how to check code from other compilers (in this case the manual work of the OpenSSL team). On 28/

Re: [openssl-users] [openssl-announce] OpenSSL Versioning and License

2018-11-29 Thread Jakob Bohm via openssl-users
On 28/11/2018 23:42, Jonathan Larmour wrote: On 28/11/18 21:41, Daniel Kahn Gillmor wrote: On Wed 2018-11-28 19:54:34 +, Jonathan Larmour wrote: On 28/11/18 17:02, Matt Caswell wrote: Please see the following blog post about OpenSSL Versioning and License: https://www.openssl.org/blog/blo

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-04 Thread Jakob Bohm via openssl-users
On 01/12/2018 21:53, Viktor Dukhovni wrote: On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote: Are there compatibility concerns around changing error message text for which users may have created regex patterns in scripts? I agree the text could be better, but not sure in what rel
