On Wed, Oct 30, 2019 at 02:12:19PM -, Frederick Gotham wrote:
>
> It appears that OpenSSL will kick and scream and refuse to die not
> matter how hard you hit it. If I try to generate a random number like
> this:
>
> openssl rand -hex 8
>
> Then it seems it will try in this order:
>
>
On Sat, Nov 23, 2019 at 04:42:50PM -0800, Hal Murray wrote:
>
> I see a lot of clutter in log files from things like
> error:1408F10B:SSL routines:ssl3_get_record:wrong version number
> I assume they are from bad guys probing for openings.
>
> Is the error code returned by ERR_get_error() const
On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote:
>
> I *think* what is happening is the server is checking the chain it has
> been configured with, spotting that it includes a SHA1 based signature
> and therefore refusing to respond at all because the client has not
> indicated SHA1 s
On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote:
>
> Debian 10 omits all the SHA1 entries from the above list. Note that
> Debian 10 will only allow SHA1 if the security level is explicitly set
> to 0 (via the -cipher "DEFAULT:@SECLEVEL=0" command line arg). Probably
> because the deb
On Tue, Apr 21, 2020 at 10:49:25PM +0100, Matt Caswell wrote:
>
> Looks like the failing call is here:
>
> if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
>(const void *)&on, sizeof(on)) != 0) {
>
> To which we get an errno indicating "Invalid argument". So it loo
On Wed, Apr 22, 2020 at 11:02:47AM +0200, Michael Tuexen wrote:
> > On 22. Apr 2020, at 10:38, Matt Caswell wrote:
> >
> >
> >
> > On 21/04/2020 23:45, Michael Tuexen wrote:
> >>> Looks like the failing call is here:
> >>>
> >>> if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
> >>>
On Fri, Apr 24, 2020 at 01:26:05PM +0200, Yann Ylavic wrote:
>
> - DH_bits(dh) (used for logging only in httpd)
> Replaced by BN_num_bits(DH_get0_p(dh)).
> Not sure this one should be deprecated, it seems to be used in several
> places in openssl codebase still, no replacement?
I think the replac
On Thu, Jun 04, 2020 at 09:00:08AM -0700, John Baldwin wrote:
> At the moment there are 3 open PRs related to Kernel TLS offload
> support that I'm aware of:
>
> - 11589 adds TLS1.3 for Linux, has one approval from Matt Caswell
> - 10626 adds TLS1.3 for FreeBSD, from which 11589 is derived, but wi
going on.
>
> Over on an ntpsec list, Kurt Roeckx reported that he was still waiting...
>
> Richard's message said "I", so I sent him a copy off list. Correcting that...
So I took a look at at the EVP_PKEY case, and it seems we spend most
of our time doing:
-
On Thu, Jun 18, 2020 at 10:41:40AM +0200, Tomas Mraz wrote:
> > I question the default behaviour, I think most people don't need
> > that support.
>
> Unfortunately that would be an API break that could be very hard to
> discover, so I do not think we can change this even in 3.0.
But I think the
On Thu, Jun 18, 2020 at 02:12:56PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> I think that the default behavior should change for 3.0, and the API change
> described in the Release Notes. I find that alternative less impacting that
> this silent sudden performance deterioration.
Note that I
On Thu, Jun 18, 2020 at 07:24:39PM +0200, Kurt Roeckx wrote:
>
> Now that a large fraction of the cost has been found, I can look
> again to see where the biggest cost in 3.0 comes from now and if we
> can do something about it.
So a code path that I've noticed before when looki
On Fri, Jul 03, 2020 at 12:51:19PM +, Salz, Rich via openssl-users wrote:
> * topic: Change some words by accepting PR#12089
>
> *
>
> * 4 against, 3 for, no absensions
>
> I am at a loss for words.
>
> I can’t contribute to a project that feels this way.
I would like to point ou
On Sun, Jul 12, 2020 at 12:29:43AM -0400, Viktor Dukhovni wrote:
>
> The main outstanding issue for which I'm authoring a new PR, is that
> each of the above results in SSL_CONF_cmd() returning an error for
> contexts of the other type or for contexts that are for a specific fixed
> version of TLS
On Thu, Jul 23, 2020 at 02:35:28AM +0200, Jakob Bohm via openssl-users wrote:
> The OPENSSL_ia32cap_P variable, its bitfields and the code that sets
> it (in assembler) seemto have no clear documentation.
Have you seen the OPENSSL_ia32cap manpage?
Kurt
On Mon, Aug 24, 2020 at 01:38:41PM -0700, John Baldwin wrote:
> On 8/18/20 9:49 AM, Matt Caswell wrote:
> >
> >
> > On 17/08/2020 18:55, John Baldwin wrote:
> >> 1) Is 'auth_level' supposed to work for this? The CHANGES.md change
> >>references SSL_CTX_set_security_level and openssl(1) claim
On Thu, Dec 10, 2020 at 05:14:00PM +0200, Cosmin Apreutesei wrote:
> Hello,
>
> I have a question regarding SSL_write() and returning SSL_ERROR_WANT_WRITE
> from the write callback.
>
> _After_ SSL_write() returns with SSL_ERROR_WANT_WRITE (because my write
> callback returned SSL_ERROR_WANT_WRI
On Wed, Mar 03, 2021 at 04:14:17PM +0530, Vadivel P wrote:
> Hi OpenSSL team,
>
> We are looking for the command line option or any other way to increase the
> DHE G Parameter length to 256 bytes, by default it's 2 now, we need to
> modify it as 256 byte on the server side for our testing either b
On Thu, Sep 11, 2014 at 12:20:47PM -0600, The Doctor wrote:
> ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo
> ../certs/demo/*.pem
> ls: error initializing month strings
> ../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN
> = Test CA (1024 bit)
> er
On Tue, Nov 04, 2014 at 02:39:41PM -0500, Salz, Rich wrote:
> Thanks for the detailed feedback!
>
> > 1. The list of applicable signing keys included in the tarballs and
> > elsewhere only lists the fingerprints
>
> We'll fix that.
I don't think their is anything wrong with fingerprints. Howev
On Wed, Nov 05, 2014 at 03:57:48PM +0530, Venkat V wrote:
> Hi
>
> Can you please let me know if FTP service can be impacted by POODLE
> vulnerability
The attack depends on being able to let the client connect
multiple times and have control over part of the plain text.
In theory a browser could
On Wed, Nov 05, 2014 at 02:07:16PM -0500, Salz, Rich wrote:
> > It boggles the mind that to this day that patch has not been integrated in
> > the
> > 5 years since the bug was opened.
>
> So many things about openssl can boggle the mind :)
>
> In this particular case, I think the issue is that
On Wed, Nov 05, 2014 at 07:04:37PM +0100, Kurt Roeckx wrote:
> On Wed, Nov 05, 2014 at 03:57:48PM +0530, Venkat V wrote:
> > Hi
> >
> > Can you please let me know if FTP service can be impacted by POODLE
> > vulnerability
>
> The attack depends on being able to
On Fri, Nov 14, 2014 at 06:35:51AM +, Viktor Dukhovni wrote:
> On Fri, Nov 14, 2014 at 06:26:24AM +, Vaghasiya, Nimesh wrote:
>
> [ It is rude to ask user questions on the dev list (moved to Bcc). ]
>
> > We are in process of disabling SSLv3 and SSLv2 protocols from all of our
> > FreeBS
On Mon, Nov 24, 2014 at 03:30:20PM +0800, ?? wrote:
> Hi all,
> From the release notes, seems TLS1.2 is only supported in 1.0.1 branch,
> however it is not an easy job to migrate from 0.9.8 to 1.0.1 unless there is
> no any other resort.
> If this is true, is there a plan to support TLS1.2 in 0.9
On Wed, Dec 03, 2014 at 04:04:16PM +0530, T@Run..! Polisetty wrote:
> Hai All,
>
>We are using Openssl for DTLS Negotiations. When we run the Valgrind
> with this setup. We are finding some major loss of memory at one place.
Can you check with a current git version? There have b
On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote:
> On 26/11/14 02:05, Salz, Rich wrote:> We will soon be freezing the mailing
> list memberships for a couple of days.
> >
> >We are moving to a new server and upgrading the mail infrastructure
>
> Are you aware that the headers for the mailman c
On Fri, Dec 05, 2014 at 09:57:05PM +0100, Walter H. wrote:
> On 05.12.2014 21:46, Kurt Roeckx wrote:
> >On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote:
> >>On 26/11/14 02:05, Salz, Rich wrote:> We will soon be freezing the mailing
> >>list memberships for a coup
On Fri, Dec 05, 2014 at 02:50:00PM -0700, Philip Prindeville wrote:
> On Dec 5, 2014, at 1:57 PM, Walter H. wrote:
>
> > On 05.12.2014 21:46, Kurt Roeckx wrote:
> >> On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote:
> >>> On 26/11/14 02:05, Salz, Rich wrot
On Sat, Dec 06, 2014 at 10:08:30AM +0100, Walter H. wrote:
> On 05.12.2014 23:08, Kurt Roeckx wrote:
> >On Fri, Dec 05, 2014 at 02:50:00PM -0700, Philip Prindeville wrote:
> >>On Dec 5, 2014, at 1:57 PM, Walter H. wrote:
> >>
> >>>On 05.12.2014 21:46, Kurt R
On Wed, Dec 10, 2014 at 09:51:15AM -0700, The Doctor wrote:
> Now POODLE is hitting TLS
>
> http://www.computerworld.com/article/2857274/security0/poodle-flaw-tls-itbwcw.html
>
> Any fixes in the works?
As already said previously, openssl is not affected by this.
kurt
__
On Fri, Dec 19, 2014 at 02:30:07AM +0530, Prabhat Puroshottam wrote:
> ***
> This is for *Client -> Agent*
> ***
[...]
> Version 3.1
[...]
> cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
[...]
> *
On Sun, Dec 28, 2014 at 01:31:38AM +0100, Jakob Bohm wrote:
> 3. The 1.0.x binary compatibility promise seems to not have been
> completely kept. As recently as just this December, As a practical
> example: I had an OS upgrade partially fail due to the presence of
> a self-compiled up to date 1
On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
> Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
> still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
> no-ssl3 application scenario is just one way to exploit this and that
> the ssl23_get_client_
On Sat, Jan 24, 2015 at 04:34:14PM -0500, Avery A. Tarasov wrote:
>
> Important findings:
>
> *1) * IfSSL_library_init() and SSL_load_error_strings() are *removed*
> (which are the only 2 OpenSSL functions I'm using) the handle leaks go
> away..
>
> *2)* IfSSL_library_init() and SSL
On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote:
>
> > It is unfortunate that browsers "lend a helping hand" to such sites.
> So, you want to say that browsers trust connections that don't provide
> intermediate certs during SSL handhake?
> As I know most browsers have also intermediate cert
On Sat, Mar 07, 2015 at 11:47:12AM +, Salz, Rich wrote:
>
> > So this is preserving message boundaries. How do I get the complete
> > message just like with TCP?
>
> No, it just happened that way. TLS does not preserve message boundaries.
As far as I know SSL_read will only return data from
On Tue, Mar 10, 2015 at 10:23:41PM +0300, Serj Rakitov wrote:
> Hello,
>
> I see some delay about 30-40 min for my emails. They arrive and I see them in
> the incoming messages in the list only after 30-40 min. And one email was
> delivered for 2 hours. Is it normal for the openssl-users@openss
On Fri, Mar 13, 2015 at 11:14:18AM -0600, The Doctor wrote:
> What is happening?
>
> In the Moutain Time Zone:
>
> It was at 22:22 MST then 23:22 MDT then 00:22 MDT !!
Do you mean when the snapshot is made? The machine runs in UTC,
and the files seem to be made at 6:22 UTC.
Kurt
On Fri, Apr 03, 2015 at 07:53:59PM +, Salz, Rich wrote:
>
> And the best practice these days is to do it at the application
> layer, and feed the compressed bytes down to TLS.
The BREACH attack makes use of that.
Kurt
___
openssl-users mailing li
On Sun, Apr 26, 2015 at 07:05:11PM +0200, hub...@seznam.cz wrote:
> I tried this command
> openssl.exe s_client -connect ezfile.ch:443
>
> And it returns this kind of error
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
I can not reproduce this. What version ar
On Mon, Apr 27, 2015 at 02:39:08PM +, Salz, Rich wrote:
> > It is weird that it worked for you. Anyway I found a way how to fix it (if
> > I can
> > call it "a fix"). The key is to provide a flag "-servername"
> > to enable SNI (Server Name Indication).
>
> It's not wrong to call it a fix. T
On Fri, May 01, 2015 at 09:01:47PM +0100, Matt Caswell wrote:
>
>
> On 01/05/15 20:09, faraz khan wrote:
> > Matt,
> > Thanks again! To be precise webrtc is using boringssl (Google's fork of
> > openssl). From the commits it seems VERY recent but I'm unable to figure
> > out the last openssl merg
On Tue, Apr 28, 2015 at 09:26:25AM -0500, jack seth wrote:
> Ok I have been doing some experiments with OpenVPN and I can connect using
> 1 bit DH parameters. Any bigger than that up to at least 13824 I get the
> following 'modulus too large' error on the client log:
>
> TLS_ERROR: BIO read
On Mon, May 04, 2015 at 07:21:11AM -0600, The Doctor wrote:
> This also occured in openssl-1.0.2-stable-SNAP-20150503
This will most likely be fixed in the next snapshot.
Kurt
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mail
On Mon, May 04, 2015 at 09:00:21AM -0500, jack seth wrote:
> > There is a limit of 1:
> > #define OPENSSL_DH_MAX_MODULUS_BITS 1
> >
> > I suggest you do not change this. It just gets slower without
> > adding security.
> >
> > I have no idea why it would freeze with something larger than
>
On Mon, May 04, 2015 at 03:12:17PM +, Salz, Rich wrote:
> > I would like to know whether OpenSSL supports TLS 1.3, if supported from
> > which version of OpenSSL the implementation started.
>
> Since TLS 1.3 is not even done yet, no. If I had to guess, I'd say it won't
> be "done" for at l
On Fri, May 15, 2015 at 12:44:03PM +0100, Martin Beynon wrote:
>
> That is right from 100Mbps down to 150 kpbs everything works as expected.
> As I continue tuning down the bandwidth below 150kbps openssl starts to
> stop sending data. It becomes very bursty and there are whole periods of
> second
On Wed, May 20, 2015 at 03:47:33PM +, Scott Neugroschl wrote:
> Is OpenSSL vulnerable to Logjam?
See
http://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
Kurt
___
openssl-users mailing list
To unsubscribe: https://mta.openssl
On Mon, Jun 29, 2015 at 05:48:05AM +, Srinivas wrote:
> Thanks. Makes sense.
>
> But then why are the DES ciphers not listed in the supported cipher list for
> TLSv1.2
> here?https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites
Those are all ciphers that require at least TL
On Wed, Jul 01, 2015 at 01:38:28PM +0300, Ikonta wrote:
> Hi everybody,
>
> Possibly stupid question:
> The default and only known for me OpenSSL database format is flat text file
> (afair index.txt in default openssl.cnf).
> Was ever suggested an idea to provide some alternatives (maybe relation
On Mon, Jul 13, 2015 at 01:03:09PM -0400, Colin Edwards wrote:
> I've been reading/hearing different opinions on the recent vulnerability
> for cert chain forging that was patched (CVE-2015-1793).
>
> Some people are saying the vulnerability only exists if a system is using
> certificate-based cli
On Tue, Jul 14, 2015 at 01:23:52PM -0400, Colin Edwards wrote:
> Thank you, Kurt. The information I was getting (from some sources) was that
> the vulnerability was only present in configurations where the server was
> authenticating a client certificate. The fact is, the vulnerability applies
>
On Sat, Aug 01, 2015 at 06:56:16AM +0200, Jakob Bohm wrote:
>
> The old team would have gone out of their way to make sure
> the standard OpenSSL code would generate backward compatible
> hello records by default
So it's my understanding that you suggest the default OpenSSL
client should:
- Only
1.0.2 long term support
===
The OpenSSL project team would like to announce that the 1.0.2
version will be supported until 2019-12-31.
Further details about the OpenSSL Release Strategy can be found here:
https://www.openssl.org/about/releasestrat.html
The OpenSSL Project Te
On Mon, Nov 30, 2015 at 10:46:45PM +, Michael Wojcik wrote:
> I'm curious if anyone has seen anything like this before.
>
> We have a situation at one customer site. They see it happen every few days.
> No one else has reported it, and we can't reproduce it.
Have you considered that this mig
On Wed, Dec 09, 2015 at 05:13:32PM -0600, Benjamin Kaduk wrote:
> C does not make such a guarantee, though recent-ish POSIX does. (This
> system is a windows one, thought, right?)
There are DSPs that only support 32 bit, they don't have a concept
of 8 bit. But I think there is various code that
On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
> Hi Matt,
>
> Thanks for the patch. Unfortunately patch did not work. I continued
> debugging and found that issue was in constant_time_msb.
>
> static inline unsigned int constant_time_msb(unsigned int a) {
> -*return 0 - (a
On Sat, Dec 12, 2015 at 10:23:38PM +0100, Dominik Mahrer (Teddy) wrote:
> Hi everyone
>
> My question is:
> How can I set up a bundle of commercial root CA certificates?
> Exactly this the same question I found as FAQ # 16 (User). But as answer
> there is only explained that openssl will not serve
On Wed, Dec 16, 2015 at 06:23:25PM +, Martin Brampton wrote:
> Is there a way to obtain the amount of data available to be read?
>
> I'm working with a system that operates in non-blocking mode using epoll.
> When an EPOLLIN event is received the aim is to read the data. For the
> non-SSL case
On Tue, Dec 29, 2015 at 08:35:49PM +0100, Felix Rubio Dalmau wrote:
> Hi all,
>
> I have been searching for some time for a solution and I can not
> manage to
> solve my problem. I have a computer that can not connect to some sites, e.g.
> github, by using openssl. I am running a debian
On Tue, Jan 05, 2016 at 03:40:03PM -0700, The Doctor wrote:
> tls.o(.text+0xf32): undefined reference to `SSLv23_server_method'
Are you sure it's finding the correct headers?
Kurt
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/
On Mon, Jan 11, 2016 at 09:38:05PM +0100, Jakob Bohm wrote:
> On 08/01/2016 18:43, Salz, Rich wrote:
> >Are you going to keep posting and posting until you get a response? :(
> >
> >Master branch, 1.1, is not released but will not be vulnerable (may already
> >be fixed)
> >1.0.2 is not vulnerable.
On Tue, Jan 12, 2016 at 04:03:42PM -0500, Jeff Archer wrote:
> I am building from source that came from openssl-1.0.2e.tar.gz but it
> appears to be producing output of libssl.so.1.0.0. Is this what I should
> expect?
Yes. That is the correct soname for all 1.0.X releases.
Kurt
__
On Sat, Jan 16, 2016 at 10:57:46AM +, Diganta Bhattacharjee wrote:
>
> I am looking at (query about) updating a TLS 1.1 solution based on OpenSSL
> 1.0.1b to TLS 1.2. I understand the latest OpenSSL 1.0.2 supports TLS 1.2. At
> first look I believe if we replace the OpenSSL 1.0.1 with OpenSS
On Mon, Feb 08, 2016 at 07:43:00AM -0700, counterpoint wrote:
> Working on a multi-threaded system that is providing an SSL server
> capability, I am running into an odd problem at the end of a connection.
> There seems no functional downside, in that it appears all data is handled
> correctly. The
On Wed, Feb 10, 2016 at 09:03:35PM -0500, Jeffrey Walton wrote:
> As far as I know, there are no constants for TLS 1.0 and 1.1, so we
> can't extend this in clients:
>
> const SSL_METHOD* method = SSLv23_method();
> ctx = SSL_CTX_new(method);
> ...
>
> const long flags = SSL_OP_NO
On Sun, Feb 21, 2016 at 04:15:45PM +, Sandra Schreiner wrote:
> Hello,
>
> I am currently developing a C++ application with Boost Asio SSL Sockets.
> Boost Asio uses OpenSSL for it's TLS support. My application will be ported
> to Android in the future so I tried to build OpenSSL by myself f
On Wed, Feb 24, 2016 at 05:22:08PM +0100, lists wrote:
>
> Before I try some heavy debugging, does anybody know of a change from
> version 1.0.1e to 1.0.1r that would prevent the commands above from working?
Can you try reverting commit
23a58779f53a9060c823d00d76b3070cad61d9a3? I've attached a p
On Sat, Feb 27, 2016 at 06:23:43PM +, Dr. Stephen Henson wrote:
> On Sat, Feb 27, 2016, Nounou Dadoun wrote:
>
> > Thanks for the response,
> >
> > I'm not sure what you're saying here other than TLS 1.2 client cert auth
> > processing is different from TLS x (where x<1.2); I would assume tha
On Sat, Feb 27, 2016 at 07:45:18PM +, Nounou Dadoun wrote:
> PLATFORM=VC-WIN64A
Can you try a build with no-asm?
Kurt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Which compiler and version are you using?
Kurt
On Mon, Feb 29, 2016 at 08:12:10PM +, Nounou Dadoun wrote:
> For the record, I added no-asm to the config options and got exactly the same
> result on the sha512t test. Open to other suggestions ... N
>
>
> Nou Dadoun
> Senior Firmware Devel
>
> Nou Dadoun
> Senior Firmware Developer, Security Specialist
>
>
> Office: 604.629.5182 ext 2632
>
> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Kurt Roeckx
> Sent: Monday, February 29, 2016 12:2
On Mon, Feb 29, 2016 at 10:48:22PM +, Nounou Dadoun wrote:
> But this demonstrates that my headaches have been coming from the fact that
> sha384 and sha512 are broken in our build somehow. The no-asm configure
> directive didn't make a difference so maybe a compiler bug or something?
I'm a
On Tue, Mar 01, 2016 at 12:38:20AM +, Nounou Dadoun wrote:
> Is it sufficient to change -O3 to -O2 it in the Configure file or is there
> somewhere else it needs to be changed?
Yes, in Configure should be enough.
Kurt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/m
fice: 604.629.5182 ext 2632
> Support: 888.281.5182 | avigilon.com
>
> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Kurt Roeckx
> Sent: Tuesday, March 01, 2016 12:16 AM
> To: openssl-users@openssl.org
>
On Fri, Jul 01, 2016 at 03:54:45PM +, Salz, Rich wrote:
>
> > In short: Removing support for DSA in OpenSSL would prevent some of our
> > products from updating to 1.1.x for a significant length of time, probably
> > years.
>
> We have no plans to do that.
But we do change defaults, and it n
On Fri, Jul 01, 2016 at 05:17:35PM +0100, Matt Caswell wrote:
>
> "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
Maybe we should use "-" instead of "!"?
Kurt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On Sun, Jul 03, 2016 at 07:42:44AM -0700, Igenyar Saharam wrote:
> Hi,
>
>
> Sorry to bother. The suggestion I found is to send email to openssl-users
> with one line message of "unsubscribe openssl-users". I did that but it
> still keeps coming. Could someone kindly instruct me the right way?
E
On Thu, Nov 03, 2016 at 01:53:56PM +0100, Richard Levitte wrote:
> Hi,
>
> I'm curious. Why exactly do you want to change the shared library
> version?
I had to change the soname in Debian (because I dropped all SSLv2
and SSLv3 symbols) and changed it to 1.0.2.
Kurt
--
openssl-users mailin
On Tue, Feb 14, 2017 at 09:30:31AM +, Matt Caswell wrote:
> I am pleased to be able to announce the publication of our new Project
> Bylaws. I have written a short blog post about what we are hoping to
> achieve and some of the thinking that went into these here:
>
> https://www.openssl.org/bl
On Fri, Dec 22, 2017 at 01:06:20PM +, Salz, Rich via openssl-dev wrote:
> Our intent is that all FREE functions can handle NULL. If you find things
> missing or undocumented, please open an issue on GitHub. Thanks!
I think we fixed all such cases in 1.1.0, all *_free() functions
should hand
On Fri, Dec 22, 2017 at 09:30:19AM -0500, Ken Goldman wrote:
> On 12/22/2017 9:24 AM, Salz, Rich via openssl-users wrote:
> > > if (ptr!= NULL) free(ptr);
> > That shouldn’t be necessary for OpenSSL. If you find places where it is,
> > please open an issue.
>
> OK. I'll mention a few, but it'
On Mon, Dec 25, 2017 at 07:44:58PM -0800, Swapnil Deshpande wrote:
> Hi all,
>
> Noob here. I recently discovered that the "-sha1" and "-sha" flags in the
> "openssl dgst" command produce different outputs. I thought those were the
> same algorithms but turns out they are not:
>
> $ echo -n "pass
On Tue, Dec 26, 2017 at 12:38:32PM -0600, Karl Denninger wrote:
>
> What I'm trying to figure out is the "best" way to handle this.
> SSL_CTX_use_PrivateKey accepts a EVP_PKEY pointer,
> SSL_CTX_use_PrivateKey_ASN1 takes an ASN1 structure of length len, but
> what is parameter "pk" (not explained
On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
>
> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
> >
> > So if you put locks around the SSL_CTX object when it’s used, then you
> > can use the set private key call to update the key; and then all
> > SSL_new objects after
The upcomming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
1.3 brings a lot of changes that might cause incompatibility. For
an overview see https://wiki.openssl.org/index.php/TLS1.3
We are considering if we should enable TLS 1.3 by default or not,
or when it should be enabled. For that, w
On Sun, Apr 29, 2018 at 10:05:39PM -0400, Dennis Clarke wrote:
> On 29/04/18 06:43 AM, Kurt Roeckx wrote:
> > The upcomming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
> > 1.3 brings a lot of changes that might cause incompatibility. For
> > an overview see htt
On Mon, Aug 06, 2018 at 04:30:54PM +0200, Jakob Bohm wrote:
> The patch below works around this, porting this to OpenSSL 1.1.x
> is left as an exercise for the reader:
Can you please open a pull request on github for that?
Kurt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.
On Wed, Aug 01, 2018 at 08:27:38AM +0200, Alex H wrote:
> Hi,
>
> I have trouble understanding the details of TLS shutdown. I get the basics
> but,
>
> Is it possible to receive data after calling SSL_shutdown? Reading the
> specs and docs leaves this rather blurry.
>
> That is, after sending a
On Wed, Aug 01, 2018 at 09:46:37PM +0200, Alex H wrote:
>
> > If your question is whether you can still read any data that may have
> been in flight when you send your close_notify, I believe the answer
> is no. Further data received from the peer is discarded after a
> close_notify is sent.
>
>
On Sun, Aug 12, 2018 at 08:49:35PM +0200, Kurt Roeckx wrote:
> In -pre8 we even have tests covering this behaviour, and the
> manpages have been update to say that it's possible. See
> https://www.openssl.org/docs/manmaster/man3/SSL_shutdown.html
I think this was actually commi
On Sat, Aug 18, 2018 at 07:48:21PM +0200, Juan Isoza wrote:
> What is the difference between draft 28 and rfc for tls 1.3 ?
The drafts used a version that said which draft version it was.
The RFC version has a different version. So the version that's
send in ClientHello is different, and a draft v
On Sun, Aug 19, 2018 at 02:36:30PM +0200, Anton wrote:
> Hello
>
> Does anyone know some examples of applications using
> ADH ciphersuites for TLS connections in production
> environment?
At least postfix can use it for SMTP.
Kurt
--
openssl-users mailing list
To unsubscribe: https://mta.open
On Wed, Aug 22, 2018 at 02:08:42PM -0400, Viktor Dukhovni wrote:
>
>
> > On Aug 22, 2018, at 1:56 PM, Qi Zeng wrote:
> >
> > I’m trying to use NULL cipher such as ECDHE-ECDSA-NULL-SHA for debugging
> > purpose. With OpenSSL version 1.0.2p, I was able to make it work. However
> > with version
On Fri, Aug 31, 2018 at 06:14:25PM -0700, Jordan Brown wrote:
> We're trying to nail down error reporting for TLS version mismatches,
> and we're seeing a couple of puzzling behaviors.
>
> First, and most puzzling... assume these two command lines:
>
> $ openssl s_server -cert 2018.08.31.a.pe
On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> Hello,
>
> What is the better way, for anyone running, by example, Apache or nginx on
> a popular Linux districution (Ubuntu, Debian, Suse) and want support TLS
> 1.3 ?
>
> Waiting package update to have openssl 1.1.1 ? probably a lot
On Tue, Sep 11, 2018 at 08:10:01PM +0200, Kurt Roeckx wrote:
> On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote:
> > Hello,
> >
> > What is the better way, for anyone running, by example, Apache or nginx on
> > a popular Linux districution (Ubuntu, Debian,
On Thu, Sep 13, 2018 at 08:13:41PM +0200, Jakob Bohm wrote:
> On 13/09/2018 09:57, Klaus Keppler wrote:
> > Hi,
> >
> > thank you for all your responses.
> >
> > I've just tested with Firefox Nightly 64.0a1, and both s_server and our
> > own app (using OpenSSL 1.1.1-release) are working fine.
> >
On Tue, Sep 18, 2018 at 05:11:42PM +, Salz, Rich via openssl-users wrote:
> >My point was about the likelihood of last-draft browsers lingering
> on in the real world for some time (like 1 to 3 years) after the
> TLS1.3-final browser versions ship.
>
> I do not think this is a conc
1 - 100 of 112 matches
Mail list logo