Bug#899137: blhc: Reports missing flags on non-compile lines

2018-05-19 Thread Kurt Roeckx
Package: blhc Version: 0.07+20170817+gita232d32-0.1 https://qa.debian.org/bls/packages/o/openssl.html currently reports among other things: dpkg-buildflags-missing CPPFLAGS 3 (of 1664), CFLAGS 1 (of 1662), LDFLAGS 2 (of 298) missing (amd64) When I download that file

Re: [ANNOUNCE] NSS 3.37 Release

2018-05-14 Thread Kurt Roeckx
On 2018-05-08 22:49, Kai Engert wrote: Notable changes: * The TLS 1.3 implementation was updated to Draft 28. I find it unfortunate that you update the draft version to 28 and did not keep it at 26 like some other implementations, since the protocol did not change since draft 26. This makes

Bug#898496: nss: New upstream version

2018-05-12 Thread Kurt Roeckx
Source: nss Severity: wishlist Hi, NSS 3.37 was released a few days ago adding support for the latest (and final) TLS 1.3 draft. Could you please upload it? Kurt

[openssl-commits] [openssl] master update

2018-05-12 Thread Kurt Roeckx
The branch master has been updated via 5f96a95e2562f026557f625e50c052e77c7bc2e8 (commit) from a925e7dbf4c3bb01365c961df86da3ebfa1a6c27 (commit) - Log - commit 5f96a95e2562f026557f625e50c052e77c7bc2e8 Author: Kurt

[openssl-commits] [openssl] master update

2018-05-11 Thread Kurt Roeckx
- commit 3cb7c5cfef25463bd197b0c12ca7966f525ebf73 Author: Kurt Roeckx <k...@roeckx.be> Date: Wed May 9 17:09:50 2018 +0200 Use void in all function definitions that do not take any arguments Reviewed-by: Rich Salz <rs...@openssl.org> GH: #

Re: Wheezy update of libmad?

2018-05-11 Thread Kurt Roeckx
On Fri, May 11, 2018 at 09:25:17AM +0200, Emilio Pozuelo Monfort wrote: > Hi Kurt, > > On 30/01/18 21:59, Kurt Roeckx wrote: > > On Tue, Jan 30, 2018 at 08:33:53PM +0100, Ola Lundqvist wrote: > >> Dear maintainers, > >> > >> The Debian LTS team w

Accepted libmad 0.15.1b-8+deb8u1 (source amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-05-07 Thread Kurt Roeckx
ain...@lists.alioth.debian.org> Changed-By: Kurt Roeckx <k...@roeckx.be> Description: libmad0- MPEG audio decoder library libmad0-dev - MPEG audio decoder development library Closes: 287519 Changes: libmad (0.15.1b-8+deb8u1) jessie-security; urgency=high . * Properly check the size of t

Accepted libmad 0.15.1b-8+deb9u1 (source amd64) into proposed-updates->stable-new, proposed-updates

2018-05-07 Thread Kurt Roeckx
ain...@lists.alioth.debian.org> Changed-By: Kurt Roeckx <k...@roeckx.be> Description: libmad0- MPEG audio decoder library libmad0-dev - MPEG audio decoder development library Closes: 287519 Changes: libmad (0.15.1b-8+deb9u1) stretch-security; urgency=high . * Properly check the size of t

Re: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key generation to policy)

2018-05-04 Thread Kurt Roeckx via dev-security-policy
On 2018-05-04 12:10, Tim Hollebeek wrote: It has generally been understood that a string still "contains at least 112 bits of output from a CSPRNG" if that string has been fed through an encoding mechanism like Base64 or Base32. Furthermore, explicit requirements about including mixed case or

Bug#895035: [Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-05-02 Thread Kurt Roeckx
On Wed, May 02, 2018 at 07:26:02PM +0200, Sebastian Andrzej Siewior wrote: > On 2018-05-02 18:34:35 [+0200], Kurt Roeckx wrote: > > On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote: > > > * https://github.com/openssl/openssl/pull/5967 > > > > >

Bug#895035: [Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-05-02 Thread Kurt Roeckx
On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote: > * https://github.com/openssl/openssl/pull/5967 > > """ > Commit d316cdc introduced some extra > checks into the session-cache update procedure, intended to prevent > the caching of sessions whose resumption would lead to a

Accepted openssl 1.1.1~~pre6-1 (source) into experimental

2018-05-01 Thread Kurt Roeckx
: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org> Changed-By: Kurt Roeckx <k...@roeckx.be> Description: libcrypto1.1-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb) libssl-dev - Secure Sockets Layer toolkit - development files libssl-doc - Secure Sockets L

Accepted openssl 1.1.1~~pre6-2 (source) into experimental

2018-05-01 Thread Kurt Roeckx
: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org> Changed-By: Kurt Roeckx <k...@roeckx.be> Description: libcrypto1.1-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb) libssl-dev - Secure Sockets Layer toolkit - development files libssl-doc - Secure Sockets L

Re: [openssl-project] Travis is currently failing

2018-05-01 Thread Kurt Roeckx
On Tue, May 01, 2018 at 11:52:46AM +0200, Kurt Roeckx wrote: > On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote: > > > > Can anyone shed any light on this error from travis (master branch is > > failing): > > > > /usr/bin/ld: unrecognized option '--p

Re: [openssl-project] Travis is currently failing

2018-05-01 Thread Kurt Roeckx
On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote: > > Can anyone shed any light on this error from travis (master branch is > failing): > > /usr/bin/ld: unrecognized option '--push-state--no-as-needed' > /usr/bin/ld: use the --help option for usage information > collect2: error: ld

Re: [openssl-project] Entropy seeding the DRBG

2018-04-30 Thread Kurt Roeckx
On Mon, Apr 30, 2018 at 06:00:20PM +0200, Richard Levitte wrote: > > So I'd like to have it confirmed that I'm reading this right, that's > about 0.08 entropy bits per 8 data bits? Or is it per data bit? Per symbol, being 8 bits for what you provided. > Depending on the interpretation, we

[openssl-commits] [openssl] master update

2018-04-30 Thread Kurt Roeckx
The branch master has been updated via d1ae34e92d1ae11a9b650e85790a907e5939cdf6 (commit) from 06444da464c038d7869908aaa26eaa728ae3a032 (commit) - Log - commit d1ae34e92d1ae11a9b650e85790a907e5939cdf6 Author: Kurt

Re: [openssl-users] Call for testing TLS 1.3

2018-04-30 Thread Kurt Roeckx
On Sun, Apr 29, 2018 at 10:05:39PM -0400, Dennis Clarke wrote: > On 29/04/18 06:43 AM, Kurt Roeckx wrote: > > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS > > 1.3 brings a lot of changes that might cause incompatibility. For > > an overview see htt

Re: [openssl-project] When to enable TLS 1.3

2018-04-29 Thread Kurt Roeckx
On Sat, Apr 28, 2018 at 04:32:42PM -0400, Viktor Dukhovni wrote: > > > > On Apr 28, 2018, at 2:41 PM, Kurt Roeckx <k...@roeckx.be> wrote: > > > > So should I send that mail? > > I made some editorial changes to the Wiki section on SNI. > No strong vie

[openssl-users] Call for testing TLS 1.3

2018-04-29 Thread Kurt Roeckx
The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS 1.3 brings a lot of changes that might cause incompatibility. For an overview see https://wiki.openssl.org/index.php/TLS1.3 We are considering if we should enable TLS 1.3 by default or not, or when it should be enabled. For that,

[openssl-commits] [openssl] master update

2018-04-23 Thread Kurt Roeckx
The branch master has been updated via 148796291e47ad402ddfd1bbe6f34a2652657ec2 (commit) from 0e0f8116e247912f5c48f8b3786e543f37fc1f87 (commit) - Log - commit 148796291e47ad402ddfd1bbe6f34a2652657ec2 Author: Kurt

Re: [openssl-project] Entropy seeding the DRBG

2018-04-23 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 04:58:06PM +0200, Richard Levitte wrote: > In the mean time, I've spent a few days going through the docs on all > kinds of data that you can get out from the VMS kernel, most notably > through a system service called sys$getrmi()... there's a gazillion > data points, a

[openssl-commits] [openssl] master update

2018-04-23 Thread Kurt Roeckx
The branch master has been updated via 5b820d785d6b5f9c3fedcf0ce4e4f0476a1bb9c8 (commit) from 198a2ed791e8f4f00d0b92272987f564ca1d9783 (commit) - Log - commit 5b820d785d6b5f9c3fedcf0ce4e4f0476a1bb9c8 Author: Kurt

Re: [openssl-project] When to enable TLS 1.3 (was: Google's SNI hurdle)

2018-04-20 Thread Kurt Roeckx
On Thu, Apr 19, 2018 at 07:16:04PM -0400, Viktor Dukhovni wrote: > > * Something else? We could call for testing what really happens on -users? I could also send one to debian-devel-announce, we already have pre4 in experimental. Maybe we can convert the blog post into a wiki, update it to

Re: [openssl-project] When to enable TLS 1.3 (was: Google's SNI hurdle)

2018-04-19 Thread Kurt Roeckx
On Thu, Apr 19, 2018 at 07:16:04PM -0400, Viktor Dukhovni wrote: > > But not all the friction can be eliminated, and likely not > all providers can be persuaded to be more accommodating. > Which leaves us with some difficult judgement calls: > > * Restrict TLS 1.3 support to just applications

Re: [openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

2018-04-19 Thread Kurt Roeckx
On Thu, Apr 19, 2018 at 09:15:19PM +0200, Kurt Roeckx wrote: > > It would also be nice that if the client sends an SNI and you have > a certificate for it that it wouldn't select an anonymous cipher. > But then postfix is probably the only one that does anonymous > ciphe

Re: [openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

2018-04-19 Thread Kurt Roeckx
On Thu, Apr 19, 2018 at 02:02:53PM -0400, Viktor Dukhovni wrote: > > > > On Apr 19, 2018, at 1:49 PM, Viktor Dukhovni > > wrote: > > > > There is no "the name that is being verified". The Postfix SMTP client > > accepts multiple (configurable as a set) names for

Re: [openssl-project] Problems with waiting for specific person to merge

2018-04-19 Thread Kurt Roeckx
On Thu, Apr 19, 2018 at 09:58:26AM +0200, Richard Levitte wrote: > When someone with write access to the main repo makes a PR and it gets > approved, we usually wait for the person to do the final merge. This is also what we agreed to do a long time ago, including that for PRs of a non-committer,

Bug#895959: [Pkg-openssl-devel] Bug#895959: libnet-ssleay-perl: FTBFS with openssl 1.1.1 in exp

2018-04-18 Thread Kurt Roeckx
On Wed, Apr 18, 2018 at 09:46:06PM +0200, Sebastian Andrzej Siewior wrote: > On 2018-04-18 16:14:37 [+0200], Kurt Roeckx wrote: > > I can't see a reason why TLS 1.3 would be different in this regard, > > I expect the same behaviour for all SSL/TLS version. Anyway, it > > coul

Debian Project Leader Election 2018 Results

2018-04-18 Thread Debian Project Secretary - Kurt Roeckx
| 5.87787 | | 2017 | 1062 | 48.882 | 327 | 322 | 57 | 30.320 | 6.58729 | | 2017 | 1001 | 47.457 | 343 | 333 | 53 | 33.266 | 7.01674 | Kurt Roeckx Debian Project Secretary

Re: [openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

2018-04-18 Thread Kurt Roeckx
On Wed, Apr 18, 2018 at 11:05:05AM -0400, Viktor Dukhovni wrote: > > What I can blame them for is being counter-productively pedantic. Forget the > RFC language, does what they're doing make sense and improve security or is > it just a pointless downgrade justified by RFC text lawyering? I'm

Bug#895959: [Pkg-openssl-devel] Bug#895959: libnet-ssleay-perl: FTBFS with openssl 1.1.1 in exp

2018-04-18 Thread Kurt Roeckx
On Wed, Apr 18, 2018 at 01:48:48PM +0200, Sebastian Andrzej Siewior wrote: > On 2018-04-18 09:19:28 [+0200], Kurt Roeckx wrote: > > > Anyway, this might have been a bugfix in OpenSSL, which I think > > how would get fixed in all branches. > > Oh. In that case it might end

Bug#895959: [Pkg-openssl-devel] Bug#895959: libnet-ssleay-perl: FTBFS with openssl 1.1.1 in exp

2018-04-18 Thread Kurt Roeckx
On Wed, Apr 18, 2018 at 12:16:41AM +0200, Sebastian Andrzej Siewior wrote: > > The next thing is that step 24 within 07_sslecho.t blocks forever. As it > turns out one side does "shutdown $s, 2;" (around line 170) while the > other does a read+write operation. In "older" openssl it seems to just

Bug#848864: libtool: diff for NMU version 2.4.6-2.1

2018-04-18 Thread Kurt Roeckx
On Tue, Apr 17, 2018 at 08:28:24PM +0200, Andreas Boll wrote: > Control: tags 848864 + pending > > Dear maintainer, > > I've prepared an NMU for libtool (versioned as 2.4.6-2.1) and uploaded > it to DELAYED/10. This NMU restores most of the original performance > of libtool 2.4.2. Please feel

Re: [openssl-project] Constant time by default

2018-04-17 Thread Kurt Roeckx
On Mon, Apr 16, 2018 at 06:06:33PM +0100, Matt Caswell wrote: > > As I say in the PR (marked as WIP) I am seeking feedback as to whether > this is something we should pursue now (i.e. for 1.1.1) or later (post > 1.1.1) or not at all. A related question I have is, do we consider this security

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

2018-04-15 Thread Kurt Roeckx
On Sun, Apr 15, 2018 at 07:38:48AM +0200, Richard Levitte wrote: > In message on Sat, 14 Apr > 2018 21:13:47 +, "Salz, Rich" said: > > rsalz> We have *no* data points, except our tests, that anything fails to > work. >

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

2018-04-14 Thread Kurt Roeckx
On Sat, Apr 14, 2018 at 09:54:41PM +0200, Richard Levitte wrote: > Yes, I agree that the TLSProxy tests aren't the most important in this > regard. Also note that this part was a side note. Can you then find examples of what a normal user of the library might be expected to do that fails? I

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

2018-04-14 Thread Kurt Roeckx
On Sat, Apr 14, 2018 at 09:32:31PM +0200, Richard Levitte wrote: > > a. 1.1.0's test/recipes/70-test_sslextension.t has a couple of tests >that are meant to fail (i.e. if the individual tests fail, the >recipe is successful). When run against 1.1.1 libraries, the >recipe fails, i.e.

Bug#895547: [Pkg-openssl-devel] Bug#895547: Bug#895547: openssl: After symbol versioning, distributed pkgs are missing API symbols (e.g. EVP_PKEY_asn1_set_item)

2018-04-14 Thread Kurt Roeckx
On Sat, Apr 14, 2018 at 03:10:47PM +0300, Nicola wrote: > > Functions that might possibly be missing are: > > EVP_PKEY_asn1_set_item > > EVP_PKEY_meth_get_init > > EVP_PKEY_meth_get_verify_recover > > EVP_PKEY_meth_get_keygen > > EVP_PKEY_meth_get_derive > > EVP_PKEY_meth_get_verifyctx > >

Bug#895547: [Pkg-openssl-devel] Bug#895547: Bug#895547: openssl: After symbol versioning, distributed pkgs are missing API symbols (e.g. EVP_PKEY_asn1_set_item)

2018-04-14 Thread Kurt Roeckx
On Fri, Apr 13, 2018 at 11:20:07PM +0300, Nicola wrote: > Or am I just lucky that the function I need was whitelisted when the > versioning script was created for the new release, but the same bug > can still resurface for the symbol OPENSSL_foobar_magic in future > OpenSSL 1.1.0x? Since 1.1.0

Re: Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)

2018-04-09 Thread Kurt Roeckx
On Mon, Apr 09, 2018 at 10:13:38PM +0200, Sebastian Andrzej Siewior wrote: > I don't know if DAK allows this - it might not care. My understanding was that dak would keep it once it has it, and that you can add it if dak doesn't know about it yet. Kurt

Re: [openssl-project] Entropy seeding the DRBG

2018-04-09 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 07:00:21PM +0200, Richard Levitte wrote: > kurt> I wonder if it's useful to have a thread of VMS that collects > kurt> such bits all the time, like the kernel is doing. > > I was pondering something like that, and it does make sense. That, or > creating a generic device

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-08 Thread Kurt Roeckx
On Sun, Apr 08, 2018 at 08:29:18PM +, Dr. Matthias St. Pierre wrote: > Just for completeness sake: The entropy requirement is 256 and *not* 384 if a > derivation function is used. But one way of implementing the nonce when a DF is not used, is to also have 384 bit in that case, which is our

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-08 Thread Kurt Roeckx
On Sun, Apr 08, 2018 at 07:15:16PM +0200, Richard Levitte wrote: > > > Kurt Roeckx <k...@roeckx.be> wrote: (8 April 2018 17:36:27 CEST) > >On Sat, Apr 07, 2018 at 08:50:35PM +0200, Kurt Roeckx wrote: > >> On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Ri

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-08 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 08:50:35PM +0200, Kurt Roeckx wrote: > On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Rich wrote: > > > Because > > > - It is not clear we need to do so > > > > >That we need to do what? > > > >

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-08 Thread Kurt Roeckx
On Sun, Apr 08, 2018 at 10:31:58AM +0200, Richard Levitte wrote: > In message <20180408080942.gb3...@roeckx.be> on Sun, 8 Apr 2018 10:09:42 > +0200, Kurt Roeckx <k...@roeckx.be> said: > > kurt> On Sun, Apr 08, 2018 at 07:39:30AM +0200, Richard Levitte wrote: > kurt

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-08 Thread Kurt Roeckx
On Sun, Apr 08, 2018 at 07:39:30AM +0200, Richard Levitte wrote: > In message <20180407190250.ga27...@roeckx.be> on Sat, 7 Apr 2018 21:02:51 > +0200, Kurt Roeckx <k...@roeckx.be> said: > > kurt> On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: > kurt

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Rich wrote: > > Because > > - It is not clear we need to do so > > >That we need to do what? > > Do FIPS compliant random numbers in this release. We will never have that in any release by default, like I already stated a

Re: [openssl-project] Entropy seeding the DRBG

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 07:00:21PM +0200, Richard Levitte wrote: > In message <20180407160031.gb12...@roeckx.be> on Sat, 7 Apr 2018 18:00:32 > +0200, Kurt Roeckx <k...@roeckx.be> said: > > kurt> On Sat, Apr 07, 2018 at 04:58:06PM +0200, Richard Levitte wrote: > k

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: > In message <20180407154649.ga12...@roeckx.be> on Sat, 7 Apr 2018 17:46:50 > +0200, Kurt Roeckx <k...@roeckx.be> said: > > kurt> | For case 2 above, the timestamp must be trusted. A trusted >

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 04:48:51PM +, Salz, Rich wrote: > >Like I said in the post I just made, I see zero problems with having > that requirement on systems that can support it. I don't see why we > must lower the bar for *everyone* just because we currently need to do > so

Re: [openssl-project] Entropy seeding the DRBG

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 04:58:06PM +0200, Richard Levitte wrote: > > Can I suggest you try something like > > https://github.com/usnistgov/SP800-90B_EntropyAssessment to at least > > get an idea? You would need to sample 1 variable and feed that into > > it. > > And yeah, sure, especially if all

Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-04-06 Thread Kurt Roeckx
On Fri, Apr 06, 2018 at 07:54:44PM +0100, Simon McVittie wrote: > On Fri, 06 Apr 2018 at 19:44:18 +0200, Kurt Roeckx wrote: > > On Fri, Apr 06, 2018 at 01:58:03PM +0100, Simon McVittie wrote: > > > This is probably a bug in libssl1.1 or in python-m2crypto, but I'm > > >

Bug#895035: [Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

2018-04-06 Thread Kurt Roeckx
On Fri, Apr 06, 2018 at 01:58:03PM +0100, Simon McVittie wrote: > Package: osc > Version: 0.162.1-1 > Severity: grave > Justification: osc tool becomes mostly unusable > > This is probably a bug in libssl1.1 or in python-m2crypto, but I'm > reporting it against osc for now, because that's the

Bug#892276: [Pkg-openssl-devel] Bug#892276: marked as done (libssl-dev: typo in usr/include/openssl/lhash.h)

2018-04-03 Thread Kurt Roeckx
On Tue, Apr 03, 2018 at 11:54:39PM +0200, Sebastian Andrzej Siewior wrote: > I have just no idea what to do here regarding stable. Do we have plans > to do s-p-u of the last 1.1.0 release? We probably should. Kurt

Bug#892276: [Pkg-openssl-devel] Bug#892276: marked as done (libssl-dev: typo in usr/include/openssl/lhash.h)

2018-04-03 Thread Kurt Roeckx
> -# define lh_new OPENSSL_lh_new > +# define lh_new OPENSSL_LH_new [...] >* Update to 1.1.1-pre4 (Closes: #892276, #894282). This was fixed like a year ago in the master branch (and so 1.1.1) already, it just wasn't in the stable branch. It should get closed for the next upstream version

Re: Vote status

2018-04-03 Thread Kurt Roeckx
On Tue, Apr 03, 2018 at 02:20:13AM +0200, Kurt Roeckx wrote: > The vote is running, you can send the emails. You will not get an > ack about your vote until I can look at what's broken, which will > hopefully be tomorrow evening. If you received an error message, I > can reproces

Re: [openssl-project] Entropy seeding the DRBG

2018-04-03 Thread Kurt Roeckx
On Tue, Apr 03, 2018 at 12:52:50PM +, Salz, Rich wrote: > I had not realized that we just increased the “entropy” requirements by 50%, > from 256 to 384. The original DRBG submission that I did only required 128 > bits. I think that is wrong, and I think the PR that did it (#5503) should >

Re: 825 days success and future progress!

2018-04-02 Thread Kurt Roeckx via dev-security-policy
On Tue, Apr 03, 2018 at 02:11:07AM +0200, Jakob Bohm via dev-security-policy wrote: > seems > to be mostly justified as a poor workaround for the browsers and > certificate libraries not properly implementing reliable revocation > checks. The problem is not in the libraries, or even the

Vote status

2018-04-02 Thread Kurt Roeckx
The vote is running, you can send the emails. You will not get an ack about your vote until I can look at what's broken, which will hopefully be tomorrow evening. If you received an error message, I can reprocess your email. There is no reason to revote at the moment. If you did vote properly you

Debian Project Leader election 2018: First call for votes

2018-04-02 Thread Debian Project Secretary - Kurt Roeckx
Hi, This is the first call for votes on the DPL election of 2018. Voting period starts 2018-04-03 00:00:00 UTC Votes must be received by 2018-04-16 23:59:59 UTC This vote is being conducted as required by the Debian Constitution. You may see the constitution at

Ballot for the vote

2018-04-02 Thread Kurt Roeckx
Here is the ballot for the vote. Voting period starts 2018-04-03 00:00:00 UTC Votes must be received by 2018-04-16 23:59:59 UTC This vote is being conducted as required by the Debian Constitution. You may see the constitution at https://www.debian.org/devel/constitution. For

[openssl-commits] [openssl] master update

2018-04-02 Thread Kurt Roeckx
The branch master has been updated via 4cffafe96786558f66e1900ac462f9ccba921132 (commit) from 1238caa725a1dfb5f9d7ef3ba3b014d2af4cab60 (commit) - Log - commit 4cffafe96786558f66e1900ac462f9ccba921132 Author: Kurt

Bug#894597: [Pkg-openssl-devel] Bug#894597: libssl1.0.2: package priority change?

2018-04-02 Thread Kurt Roeckx
On Mon, Apr 02, 2018 at 08:30:27AM +0200, Daniel Vacek wrote: > Package: libssl1.0.2 > Version: 1.0.2o-1 > Severity: normal > > Hi, I noticed package priority changed from 'important' to 'optional' without > mentioning this in changelog. I was wondering if this is intended or by a > mistake?

[openssl-commits] [openssl] master update

2018-04-01 Thread Kurt Roeckx
The branch master has been updated via 2a70d65b99e1f2376be705d18bca88703b7e774a (commit) from 2f6f913e9e02441245c974d7c5abe57f37c0420e (commit) - Log - commit 2a70d65b99e1f2376be705d18bca88703b7e774a Author: Kurt

[openssl-commits] [openssl] master update

2018-04-01 Thread Kurt Roeckx
The branch master has been updated via 2f6f913e9e02441245c974d7c5abe57f37c0420e (commit) from 094925de1ecfcfb8019b21994c45f3dc00ab4e2c (commit) - Log - commit 2f6f913e9e02441245c974d7c5abe57f37c0420e Author: Kurt

Re: Discovering unlogged certificates in internet-wide scans

2018-03-31 Thread Kurt Roeckx via dev-security-policy
On Sat, Mar 31, 2018 at 10:14:27PM +, Tim Smith via dev-security-policy wrote: > Hi MDSP, > > I went looking for corpuses of certificates that may not have been > previously logged to CT and found some in the Rapid7 "More SSL" dataset, > which captures certificates from their scans of

Re: Audit Reminder Email Summary

2018-03-20 Thread Kurt Roeckx via dev-security-policy
On Tue, Mar 20, 2018 at 12:07:54PM -0700, Kathleen Wilson via dev-security-policy wrote: > Mozilla: Audit Reminder > Root Certificates: >Class 2 Primary CA > Standard Audit: > https://bug1297034.bmoattachments.org/attachment.cgi?id=8849236 > Audit Statement Date: 2017-01-14 > BR Audit:

[openssl-commits] [openssl] master update

2018-03-17 Thread Kurt Roeckx
- commit 311276ffe32ab0b161c364727cf8676591dbf47c Author: Kurt Roeckx <k...@roeckx.be> Date: Sun Feb 18 20:55:28 2018 +0100 Return error when trying to use prediction resistance There is a requirement of having access to a live entropy source which we can't do with the d

Re: [openssl-project] DRBGs, threads and locking

2018-03-14 Thread Kurt Roeckx
On Wed, Mar 14, 2018 at 12:49:46PM +, Salz, Rich wrote: > So is having a high-quality, lockless (per-thread) CSPRNG good enough for > now? Phrased like that, I think so. We have enough other stuff to do. So > +1 to Kurt's per-thread approach. I think it's better than what we have in

[openssl-project] DRBGs, threads and locking

2018-03-13 Thread Kurt Roeckx
So Tim has voted -1 on PR #5547 and wants us to discuss it here and vote on it. I don't know if it's clear to everybody what this is about. If something is not clear, please ask. PR #5461 contains a lot of documentation updates that is related to it, and it might be useful to read it as

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2018-03-11 Thread Kurt Roeckx
Author: Kurt Roeckx <k...@roeckx.be> Date: Sat Mar 10 16:32:55 2018 +0100 Fix prototype to include the const qualifier Reviewed-by: Andy Polyakov <ap...@openssl.org> GH: #5582 --- Summary of changes:

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-03-11 Thread Kurt Roeckx
Author: Kurt Roeckx <k...@roeckx.be> Date: Sat Mar 10 16:32:55 2018 +0100 Fix prototype to include the const qualifier Reviewed-by: Andy Polyakov <ap...@openssl.org> GH: #5582 --- Summary of changes:

[openssl-commits] [openssl] master update

2018-03-11 Thread Kurt Roeckx
The branch master has been updated via b38fa9855f65477fb4a6ef943276be8237468e3b (commit) from 3266cf582a8e1b0bd04600658f64e2c9a79cf903 (commit) - Log - commit b38fa9855f65477fb4a6ef943276be8237468e3b Author: Kurt

Re: [openssl-project] VOTE report: Push the release of 1.1.1 beta1 (pre3) forward one week

2018-03-10 Thread Kurt Roeckx
On Sat, Mar 10, 2018 at 11:45:46AM +0100, Richard Levitte wrote: > Vote text: > > NOTE: THREE DAY VOTE > Why? Because beta1 is currently scheduled to be released in three > days. A longer voting period would hold the release hostage in > practice, and thereby force a push of the release date

[openssl-commits] [openssl] master update

2018-03-06 Thread Kurt Roeckx
The branch master has been updated via 35503b7cdc38b21739df1163d6d24b00dd386bef (commit) from 3bc0ab06b0224fb72d08baa1843f3d36be361162 (commit) - Log - commit 35503b7cdc38b21739df1163d6d24b00dd386bef Author: Kurt

[openssl-commits] [openssl] master update

2018-03-06 Thread Kurt Roeckx
The branch master has been updated via 3bc0ab06b0224fb72d08baa1843f3d36be361162 (commit) from b524b808a1d1ba204dbdcbb42de4e3bddb3472ac (commit) - Log - commit 3bc0ab06b0224fb72d08baa1843f3d36be361162 Author: Kurt

Re: [openssl-project] Next release is beta1

2018-03-04 Thread Kurt Roeckx
On Sun, Mar 04, 2018 at 02:44:01PM +, Salz, Rich wrote: > I also intend to merge the config file .include PR (5351), and I want us to > decide about 4848. I have to agree that I want to resolve 4848 (reading config file to select things like supported ciphers.) Another important change is

Re: [openssl-project] Next release is beta1

2018-03-04 Thread Kurt Roeckx
On Fri, Mar 02, 2018 at 11:09:30AM +, Matt Caswell wrote: > Just a reminder, in case anyone missed it, that our next planned release > on 13th March is beta1. This means we will be calling a feature freeze > for 1.1.1 and we will create the new branch. If you've got any > outstanding feature

Debian Project Leader Elections 2018: Call for nominations

2018-03-03 Thread Debian Project Secretary - Kurt Roeckx
round 2018-03-18. Details and results for the vote will be published at: http://www.debian.org/vote/2018/vote_001 Please make sure that nominations are sent to (or cc:'d to) debian-vote, and are cryptographically signed. Kurt Roeckx Debian Project Secretary

[openssl-commits] [openssl] master update

2018-02-28 Thread Kurt Roeckx
The branch master has been updated via d91f45688c2d0bfcc5b3b57fb20cc80b010eef0b (commit) from b3f9064cc66324d2359dba5350c71540ce869ceb (commit) - Log - commit d91f45688c2d0bfcc5b3b57fb20cc80b010eef0b Author: Kurt

Bug#891570: [Pkg-openssl-devel] Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

2018-02-27 Thread Kurt Roeckx
On Tue, Feb 27, 2018 at 09:39:11PM +0100, Sebastian Andrzej Siewior wrote: > control: clone -1 -2 > control: reassign -2 libio-socket-ssl-perl 2.056-1 > control: severity -2 normal > control: tags -2 patch > > On 2018-02-27 21:52:23 [+0800], 積丹尼 Dan Jacobson wrote: > > Here is all you need to

Bug#891570: [Pkg-openssl-devel] Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

2018-02-27 Thread Kurt Roeckx
On Tue, Feb 27, 2018 at 02:37:38AM +0800, 積丹尼 Dan Jacobson wrote: > Package: libssl1.1 > Version: 1.1.1~~pre1-1 > Severity: grave > > SSL connect attempt failed error:141A90B5:SSL > routines:ssl_cipher_list_to_bytes:no ciphers available See https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/

Re: Code signing and malware

2018-02-26 Thread Kurt Roeckx via dev-security-policy
On Tue, Feb 27, 2018 at 12:09:01AM +0100, Jakob Bohm via dev-security-policy wrote: > > Hence why an investigation is needed by the 3 CAs named in the paper > (Comodo, Digicert and Apple). They will probably have to do some deep > log inspection to figure out patterns, besides reaching out to

Code signing and malware

2018-02-26 Thread Kurt Roeckx via dev-security-policy
I just came across this: https://www.recordedfuture.com/code-signing-certificates/ I think the most important part of it is: "we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate

[openssl-commits] [openssl] master update

2018-02-21 Thread Kurt Roeckx
The branch master has been updated via 32bda2b2e4900308cb025020d8c8692e1d3c2ba9 (commit) from 649cfb5cbb78e3c4c91ceb65fad2a4daad6047dd (commit) - Log - commit 32bda2b2e4900308cb025020d8c8692e1d3c2ba9 Author: Kurt

[openssl-commits] [openssl] master update

2018-02-21 Thread Kurt Roeckx
The branch master has been updated via 60595292ae83b112a1854a59379a51f210c04b6c (commit) from 32bda2b2e4900308cb025020d8c8692e1d3c2ba9 (commit) - Log - commit 60595292ae83b112a1854a59379a51f210c04b6c Author: Kurt

Re: [openssl-project] VOTE on travel reimbursement policy

2018-02-14 Thread Kurt Roeckx
On Wed, Feb 14, 2018 at 10:40:29PM +0100, Richard Levitte wrote: > In message <20180214212414.ga13...@roeckx.be> on Wed, 14 Feb 2018 22:24:14 > +0100, Kurt Roeckx <k...@roeckx.be> said: > > kurt> The call for votes should probably also not go to the project list >

Re: [openssl-project] VOTE on travel reimbursement policy

2018-02-14 Thread Kurt Roeckx
On Wed, Feb 14, 2018 at 04:06:44PM +, Salz, Rich wrote: > The policy is in the bureau (not a public repo) so that we have something > concrete to vote on. It is exactly the same as I posted to the project list > before. I would like to see all votes contain the full text and not a

[openssl-commits] [openssl] master update

2018-02-13 Thread Kurt Roeckx
The branch master has been updated via 72960279562e9af53264155a46b4a0b6a40f9590 (commit) from f11a023adaae8ba037f952fd72dfbcc34733c993 (commit) - Log - commit 72960279562e9af53264155a46b4a0b6a40f9590 Author: Kurt

Re: Certificates with 2008 Debian weak key bug

2018-02-06 Thread Kurt Roeckx via dev-security-policy
On 6/02/2018 17:10, Ryan Sleevi wrote: The BRs actually seem to allow this, which at least looks like a bug in the BRs to me. It is allowed, and it's not a bug. It's specifically called out in 3.2.2 of the BRs. It seems that under 3.2.2.3 (b) they can just copy the ccTLD from the domain
