[openssl-users] Minor portability fix for Solaris-11.1
Greetings: I ran into a minor test problem when building OpenSSL-1.0.2c. Host: me% uname -a SunOS myname 5.11 11.1 i86pc i386 i86pc Solaris Compiler: me% gcc -v Target: i386-pc-solaris2.11 Thread model: posix gcc version 4.5.2 (GCC) Configuration: CC=gcc; export CC CFLAGS='-m64'; export CFLAGS CPPFLAGS='-I/usr/local/include'; export CPPFLAGS LDFLAGS='-m64 -L/usr/local/lib'; export LDFLAGS Configuring for solaris64-x86_64-gcc The build worked, but running "make test" gave these messages: [...] Testing ciphersuites Testing ciphersuites for TLSv1.2 ./testssl[149]: local: not found [No such file or directory] ./testssl[150]: local: not found [No such file or directory] Testing AES256-GCM-SHA384 Available compression methods: NONE TLSv1.2, cipher TLSv1/SSLv3 AES256-GCM-SHA384, 2048 bit RSA 1 handshakes of 256 bytes done ./testssl[149]: local: not found [No such file or directory] ./testssl[150]: local: not found [No such file or directory] Testing AES256-SHA256 [...] On Solaris-11.1, /bin/sh links to /usr/bin/i86/ksh93, which doesn't handle local variables properly. Using "typeset" fixes it; the patch is below. -- Karl Vogel I don't speak for the USAF or my company vogelke at pobox dot com http://www.pobox.com/~vogelke = *** testssl.origFri Jun 12 10:51:21 2015 --- testssl Wed Jul 1 00:38:52 2015 *** *** 148,151 test_cipher() { ! local cipher=$1 ! local protocol=$2 echo "Testing $cipher" --- 148,151 test_cipher() { ! typeset cipher=$1 ! typeset protocol=$2 echo "Testing $cipher" ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Token Binding Extension?
Does OpenSSL implement the Token Binding extension? https://tools.ietf.org/html/draft-ietf-tokbind-protocol Token Binding finds its roots in Origin Bound Certificates (https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final162.pdf). I'm also aware of some related, independent work by a fellow named Jacob Thompson of Independent Security Evaluators. https://securityevaluators.com/knowledge/case_studies/mutual/ Token Binding and OCB are a useful tool to stop MitM in some security models, like those used on the web and by browsers. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] libtlssep
On Tue, Jun 30, 2015 at 9:55 AM, W. Michael Petullo wrote: > Dear OpenSSL community, > > I am writing to introduce a new TLS library which presently makes use > of OpenSSL: libtlssep. Libtlssep has two aims: (1) to provide a simpler > API to application developers and (2) to encourage the decomposition of > applications into at least two processes, one of which isolates access > to secret cryptographic keys. It was added to the Related Links section of the wiki to help with awareness. https://wiki.openssl.org/index.php/Related_Links#Open_Source_Cryptographic_Libraries Jeff ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] libtlssep
> I am writing to introduce a new TLS library which presently makes use of > OpenSSL: libtlssep. Libtlssep has two aims: (1) to provide a simpler API to > application developers and (2) to encourage the decomposition of > applications into at least two processes, one of which isolates access to > secret cryptographic keys. This is interesting work; thanks for posting about it! You might also be interested in the libtls project in OpenBSD, which has very similar goals. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Alternatives to flat text file database back-end?
On Wed, Jul 01, 2015 at 01:38:28PM +0300, Ikonta wrote: > Hi everybody, > > Possibly stupid question: > The default and only known for me OpenSSL database format is flat text file > (afair index.txt in default openssl.cnf). > Was ever suggested an idea to provide some alternatives (maybe relational > (SQL) database server, or sqlite, or LDAP)? > What can I read (or at least what keywords use to search) about it? You might want to look at: https://pki.openca.org/ http://www.ejbca.org/ Others are: http://xca.sourceforge.net/ tinyca (website doesn't seem to work anymore, it's probably not what you want.) There is also https://github.com/letsencrypt/boulder, but that's probably not what you're looking for. Kurt ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Alternatives to flat text file database back-end?
Hi everybody, Possibly stupid question: The default and only known for me OpenSSL database format is flat text file (afair index.txt in default openssl.cnf). Was ever suggested an idea to provide some alternatives (maybe relational (SQL) database server, or sqlite, or LDAP)? What can I read (or at least what keywords use to search) about it? Or it will be better to ask this question into -dev list? ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] libtlssep
On 30 June 2015 at 14:55, W. Michael Petullo wrote: > and a research prototype at: > > https://www.flyn.org/projects/libtlssep/ > The libtlssep website. > > We would love to hear any constructive comments you might have, and would > be interested in hearing about any possibility for future collaboration. > I like the concept of using priv sep. :-) I haven't had a chance to look at your code properly, but one thing I noticed from a quick read through the docs was that you're relying on passing fds to t lssep_connect () that will make it impossible for people to write code that works through proxies (HTTP, socks etc.) unless you build support into the library itself. An abstraction along the lines of BIO that provides for working on buffers would really be needed for this use case. Cheers Rich. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users