Re: Replacement for CRYPTO_thread_id() & ERR_get_error_line_data() for openssl3.0

2021-09-03 Thread Matt Caswell
On 03/09/2021 05:58, Shivakumar Poojari wrote: Hi All, We are upgrading our code to openssl 3.0. the below function we trying to replace, searched in the openssl man pages not found proper information. CRYPTO_thread_id() The deprecated implementation of this is a no-op (always returns 0)

Re: How to get rsa-private key in plain text format?

2021-09-03 Thread Matt Caswell
On 03/09/2021 00:21, Shariful Alam wrote: Hello, Is there any command-line tool to get the plain text rsa private key like the following format from .pem file? openssl rsa -in mykey.pem -noout -text Matt

Re: What to replace low-level padding operations with in OSSL 3.0?

2021-09-03 Thread Matt Caswell
On 02/09/2021 22:47, William Roberts wrote: I have code that applies PCKS1.5 padding via RSA_padding_add_PKCS1_type_1 and strips it with RSA_padding_check_PKCS1_type_2 before sending it to the HSM for raw RSA operation to support a legacy PKCS11 interface. Is there any way to perform these tas

Re: Question about constness of EVP_PKEY* arguments in public API

2021-09-02 Thread Matt Caswell
On 02/09/2021 16:43, Romain GEISSLER via openssl-users wrote: I am using the following OpenSSL API: EVP_DigestSignInit, EVP_DigestVerifyInit, EVP_PKEY_size, EVP_SealInit, EVP_OpenInit. And it seems these all take an non-const EVP_PKEY* argument. Does it mean that EVP_PKEY* have some internal s

Re: client authentication status

2021-09-01 Thread Matt Caswell
On 01/09/2021 16:36, Zeke Evans wrote: Is there any way to check the status of client authentication sent in a TLS 1.3 handshake after SSL_connect returns?  With TLS 1.2 SSL_connect seems to always capture the status and return an error code if it failed but not TLS 1.3.  I haven’t been able

Re: Consultation:Additional “ephemeral public key” and “ephemeral private key" implementations for quictls/opens

2021-08-30 Thread Matt Caswell
On 29/08/2021 20:41, Nobuo Aoki wrote: I am trying to identify the implementation where “ephemeral public key” and “ephemeral private key” can be added, I am unclear from your question whether you are asking how to add a new public/private key scheme for integration into TLS. Or whether you

Re: How to get "EVP_PKEY *dhpkey" from NID_X9_62_prime256v1.

2021-08-27 Thread Matt Caswell
On 27/08/2021 08:47, Kumar Mishra, Sanjeev wrote: Hi All, I am upgrading the code from OpenSSL 1.0.1 to OpenSSL 3.0. I am getting compilation errors for deprecated functions and structure like "EC_KEY_new_by_curve_name()" , "SSL_CTX_set_tmp_ecdh()" and "EC_KEY"..etc. The code is like f

OpenSSL Security Advisory

2021-08-24 Thread Matt Caswell
essed before the final release. This issue was reported to OpenSSL on 12th August 2021 by John Ouyang. The fix was developed by Matt Caswell. Read buffer overruns processing ASN.1 strings (CVE-2021-3712) = Severity: Moderate ASN.1 stri

OpenSSL version 1.1.1l published

2021-08-24 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1l released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1l of our open sour

Re: 3.0.0. IMPLEMENT_ASN1_FUNCTIONS missing _it prototypes

2021-08-24 Thread Matt Caswell
On 23/08/2021 20:42, Ken Goldman wrote: I get warnings on all my ASN1_SEQUENCE_END, a missing prototype for the _it functions. The code is working, but I'd like a clean compile. 3.0.0 only, 1.0.2 and 1.1.1 are OK. Example: #include #include #include #include typedef struct {     ASN1

Forthcoming OpenSSL release

2021-08-17 Thread Matt Caswell
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1l. This release will be made available on Tuesday 24th August 2021 between 1200-1600 UTC. OpenSSL 1.1.1l is a security-fix release. The highest severity issue fixed in this release is HIGH: https://ww

Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Matt Caswell
On 16/08/2021 21:56, Ken Goldman wrote: I am trying to parse some ASN.1 DER so I can add it to an X.509 certificate. For the input side, a poster showed me ASN1_SEQUENCE, ASN1_SEQUENCE_END, and then DECLARE_ASN1_FUNCTIONS, IMPLEMENT_ASN1_FUNCTIONS which created the i2d() function. It sho

Re: Crash seen in OPENSSL_sk_pop_free

2021-08-13 Thread Matt Caswell
On 13/08/2021 17:31, Bala Duvvuri via openssl-users wrote: Hi All, We are using OpenSSl version 1.1.1d in our program and crash is being seen in "OPENSSL_sk_pop_free" API, we invoke this API in our certificate verification API. Since crash is not seen always, trying to understand from OpenS

Re: OpenSSL beta testing on Solaris and z/OS

2021-08-12 Thread Matt Caswell
On 12/08/2021 01:35, Dennis Clarke via openssl-users wrote: On 8/5/21 00:55, Dr Paul Dale wrote: Dennis, Thanks for the information.  Solaris and z/OS are not tested by the project, so it's good to know they aren't too far from working out of the box. We would definitely be interested in a

Re: EVP_MAX_BLOCK_LENGTH Macro for upgrading application from openssl 1.0.2 to openssl 3.0

2021-08-11 Thread Matt Caswell
On 11/08/2021 08:16, Paramashivaiah, Sunil wrote: Hi All, In our application we are using  MD5_CBLOCK, SHA_CBLOCK, SHA256_CBLOCK, SHA512_CBLOCK macros which are deprecated in openssl 3.0.   We are trying upgrade our application from using openssl 1.0.2 to openssl 3.0.

Re: EVP_MD_CTX_free documentation

2021-07-30 Thread Matt Caswell
All our _free functions will accept NULL. We rely on this extensively *everywhere*. We perhaps could be better at documenting it, but you can rely on it. Matt On 30/07/2021 17:55, Ken Goldman wrote: It would be nice if the documentation would guarantee that this function is a no-op when the p

Re: Accessing bignums of a RSA key with OpenSSL 3.0?

2021-07-30 Thread Matt Caswell
Note that the names are also documented here: https://www.openssl.org/docs/manmaster/man7/EVP_KEYMGMT-RSA.html On 30/07/2021 14:29, Olivier Mascia via openssl-users wrote: Thanks! BIGNUM* n; BIGNUM* e; BIGNUM* d; EVP_PKEY_get_bn_param(cert.key(), OSSL_PKEY_PARAM

OpenSSL version VERSION published

2021-07-29 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 beta 2 released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in beta. OpenSSL 3.0 beta 2 has now been made available. We

Re: SSL_connect with TLS 1.3 and client Certificates

2021-07-14 Thread Matt Caswell
On 13/07/2021 19:44, Christian Schmidt wrote: Hello all, I am currently trying to build both client and server of an application that uses TLS 1.3 and mutual authentication using certificates. The application works so far - I can establish connections, certificates are verified, data is succe

Re: RSA_set0_key() equivalent for 3.0.0

2021-07-13 Thread Matt Caswell
On 13/07/2021 22:14, William Roberts wrote: Outside of the migration guide others have pointed out, I think the functions you need are: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_set1_RSA.html Those functions a

Re: EVP_MAC_init - specify the hash algorithm

2021-07-13 Thread Matt Caswell
On 13/07/2021 19:02, Ken Goldman wrote: Porting to 3.0 ... HMAC_Init_ex() had a place for the hash algorithm.  EVP_MAC_init() does not, unless it's embedded in the 'params' parameter. Any advice?  Or a sample for doing an HMAC with 3.0? If its just a straight forward HMAC you want you can

Re: Time for OpenSSL 1.1.1l?

2021-07-12 Thread Matt Caswell
Good question! I'll raise this at OTC tomorrow. Matt On 07/07/2021 19:23, Short, Todd via openssl-users wrote: The cadence of 1.1.1 release is supposed to be quarterly (I seem to recall reading that somewhere, but I can't find it)? It has been almost 4 months since 1.1.1k (25-March-2021) was

Re: CNG engine on GitHub

2021-07-02 Thread Matt Caswell
On 02/07/2021 16:33, Matt Caswell wrote: via the RSA_PKEY_METHOD I meant RSA EVP_PKEY_METHOD. Matt

Re: CNG engine on GitHub

2021-07-02 Thread Matt Caswell
On 02/07/2021 16:18, Reinier Torenbeek wrote: It is not clear to me what you mean with "the OpenSSL engine interface does allow using EVP_PKEY_METHOD callbacks instead of rsa_priv_dec etc.". Can you elaborate (here or on the GitHub issue)? You can hook the RSA calls at different abstraction

Re: Need help in removing secp521r1 from openssl-1.1.1g and adding TLS_GREASE_BA cipher.

2021-07-02 Thread Matt Caswell
penssl.org/docs/man1.1.1/man5/config.html And see the documentation on "Groups" on this page: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html Matt Thanks, Vinod On Fri, Jul 2, 2021 at 4:32 PM Matt Caswell <mailto:m...@openssl.org>> wrote: On 01/07/2021 07:21

Re: Need help in removing secp521r1 from openssl-1.1.1g and adding TLS_GREASE_BA cipher.

2021-07-02 Thread Matt Caswell
On 01/07/2021 07:21, vinod mg wrote: 1) Supress or a way to remove secp521r1 from the currenlty installed openssl. You can specify the list of groups by calling SSL_CTX_set1_groups_list (or SSL_set1_groups_list) from your application. See: https://www.openssl.org/docs/man1.1.1/man

Re: How to simulate "TLS 1.3 Session Resumption" through OpenSSL tools?

2021-07-02 Thread Matt Caswell
On 02/07/2021 10:09, Nan Xiao wrote: Hi OpenSSL users, Greetings from me! From this article (https://www.qacafe.com/resources/examples-of-tls-1-3/) and pcap file (https://www.cloudshark.org/captures/64d433b1585a), I know we can use s_server and s_client to simulate "TLS 1.3 Session Resumption

Re: CNG engine on GitHub

2021-07-02 Thread Matt Caswell
. Matt Thanks, Reinier On Jul 1, 2021, at 4:41 PM, Matt Caswell wrote: Nice! Are there any thoughts to support providers? The engine interface is deprecated in 3.0. Matt On 01/07/2021 18:49, Reinier Torenbeek wrote: Hi, For anyone interested in leveraging Windows CNG with OpenSSL

Re: CNG engine on GitHub

2021-07-01 Thread Matt Caswell
Nice! Are there any thoughts to support providers? The engine interface is deprecated in 3.0. Matt On 01/07/2021 18:49, Reinier Torenbeek wrote: Hi, For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1, you may want to check out this new OpenSSL CNG Engine project on GitHub:

Re: [EXTERNAL] Re: GNU Make erroring on makefile

2021-07-01 Thread Matt Caswell
On 01/07/2021 15:06, Joe Carroll wrote: Windows 10 perl Configure VC-WIN64A The VC-WIN64A target generates a Makefile suitable for consumption by nmake. Hence its not possible to use GNU make with it. It *is* possible to build for Windows using GNU make with a different target however.

Re: SM2/3/4 algorithm based TLS connections

2021-06-29 Thread Matt Caswell
On 29/06/2021 10:29, Kevin Lengauer wrote: Dear openssl-team and users Is it possible with OpenSSL 1.1.1k to do a TLS handshake using key material and certificate based on SM2/SM3/SM4 assuming I somehow got my hands on such keys/certificates? I think it is only possible with OpenSSL 3.0 t

Re: openssl 3.0 beta versus actual

2021-06-25 Thread Matt Caswell
On 25/06/2021 08:01, Sandeep Umesh wrote: Hello While the beta version has been released now, please let us know if there is any timeline to release the actual 3.0 version ? What changes are expected to be 3.0 version compared to its beta ? it is restricted to bug-fixes only ? We are expec

Re: Blog post

2021-06-17 Thread Matt Caswell
y then? Yes we plan to submit a 140-2 validation by the September deadline. Matt Cheers, Ethan On Thu, Jun 17, 2021, 06:43 Matt Caswell <mailto:m...@openssl.org>> wrote: For anyone interested I've written a blog post to accompany the 3.0 beta 1 release. You can read

Re: OpenSSL version 3.0.0-beta1 published

2021-06-17 Thread Matt Caswell
On 17/06/2021 15:43, Steffen Nurpmeso wrote: Fyi, i have $PERL5OPT=-C permanently in my environment, in conjunction with LC_ALL=en_US.utf8 this results in the build error as below. Prefixing LC_ALL=C fixes this. Thanks. I submitted this as an issue on github here: https://github.com/openss

Blog post

2021-06-17 Thread Matt Caswell
For anyone interested I've written a blog post to accompany the 3.0 beta 1 release. You can read it here: https://www.openssl.org/blog/blog/2021/06/17/OpenSSL3.0ReleaseCandidate/ Matt

OpenSSL version 3.0.0-beta1 published

2021-06-17 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 beta 1 released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in beta. OpenSSL 3.0 beta 1 has now been made available.

Re: What's the rationale behind ssl-trace not being built by default?

2021-06-08 Thread Matt Caswell
On 08/06/2021 00:09, Arran Cudbard-Bell wrote: On Jun 7, 2021, at 4:57 PM, Matt Caswell wrote: On 07/06/2021 20:01, Arran Cudbard-Bell wrote: The tables to convert extension IDs and compression methods to humanly readable names are not available outside ssl/t1_trace.c. SSL_trace

Re: What's the rationale behind ssl-trace not being built by default?

2021-06-07 Thread Matt Caswell
On 07/06/2021 20:01, Arran Cudbard-Bell wrote: The tables to convert extension IDs and compression methods to humanly readable names are not available outside ssl/t1_trace.c. SSL_trace() itself produces reams of helpful information as handshakes progress, and is particularly useful for deal

Re: Replay HTTP traffic

2021-05-17 Thread Matt Caswell
On 17/05/2021 14:41, Григорий Сморкалов wrote: Hello. I am trying to debug some ssl related code and I need some help. We have a HTTP client based on libuv and libopenssl for TLS. It is an internal C++ library with its own TCP wrapper around lubuv and HTTP parser. It works fine and our serv

Re: SHA digest differences in version 1.0 and 1.1.1

2021-05-14 Thread Matt Caswell
On 14/05/2021 09:21, openssl@benshort.co.uk wrote: Hi, I am working with some legacy code which was written to use openssl version 1.0. I am trying to make it work with openssl version 1.1.1 but the following line returns NULL.     const EVP_MD* messageDigest = EVP_get_digestbyname

Re: Install/Build openssl with following ciphers - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_G

2021-05-11 Thread Matt Caswell
On 11/05/2021 05:24, Mario Ds Briggs wrote: thanks Matt. I couldnt find the -stdname option on my macOS openssl, In that case you are most likely not using OpenSSL at all but LibreSSL. Or possibly a very old version of OpenSSL. but using ur example above, i could find the ones they map t

Re: Install/Build openssl with following ciphers - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_G

2021-05-10 Thread Matt Caswell
On 10/05/2021 06:38, Mario Ds Briggs wrote: In the openssl libs that i have installed on ubuntu/rhel/mac-os, i dont find the following ciphers when i run 'openssl ciphers' command TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM

Re: Creating a CSR using OpenSSL v1.1.1

2021-04-29 Thread Matt Caswell
On 29/04/2021 15:04, Joe Eremita wrote: datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL ); You can achieve this by instead doing: datasig_len = i2d_re_X509_REQ_tbs(req, NULL); See: https://www.openssl.org/docs/man1.1.1/man3/i2d_re_X509_REQ_tbs.html Matt

Re: How to access different fields of typedef struct evp_pkey_st EVP_PKEY.

2021-04-20 Thread Matt Caswell
On 20/04/2021 11:45, Kumar Mishra, Sanjeev wrote: Hi, I am not getting different functions in OpenSSL 3.0 for accessing different fields of typedef struct evp_pkey_st EVP_PKEY. For Example - code is like this - EVP_PKEY * privKey; - - if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.r

Re: PKCS#1 RSAPublicKey in Openssl 3.0

2021-04-20 Thread Matt Caswell
On 20/04/2021 06:30, Paramashivaiah, Sunil wrote: Hi All,      PEM_read_bio_RSAPublicKey is deprecated in Openssl 3.0. I am unable to find      an alternate API to get EVP_PKEY from Pem format PKCS#1 Public key.      Is PKCS#1 Public key not supported in Openssl 3.0      Please suggest

Re: Maiising Daily Snapshots for 20210416

2021-04-16 Thread Matt Caswell
There was a power outage at the datacentre last night. Everything should hopefully be back to normal now, so hopefully the snapshots will arrive as normal tonight. Matt On 16/04/2021 14:25, The Doctor wrote: Anyone knows what happened?

Re: Fwd: Question about RSA key access mechanism

2021-04-16 Thread Matt Caswell
On 12/04/2021 09:57, Danis Ozdemir wrote: When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit which means this address hasn't been accessed. *I'm attaching the s_client output

Re: Strange warnings while linking to openssl version 1.1.1k

2021-04-12 Thread Matt Caswell
On 12/04/2021 21:52, Robert Smith via openssl-users wrote: Hi, I am getting the following warning while linking my app to openssl version 1.1.1k. Could you advise what can cause these warnings and how to resolve them? Thanks It looks like your environment cannot support the async function

Re: error: redefinition of ‘struct rsa_meth_st’

2021-04-12 Thread Matt Caswell
re are no obvious deficiencies. - C. A. R. Hoare On 4/12/21, 12:43, "openssl-users on behalf of Matt Caswell" wrote: You can look at the dummy async engine which wraps the standard RSA functions inside an engine (as

Re: error: redefinition of ‘struct rsa_meth_st’

2021-04-12 Thread Matt Caswell
You can look at the dummy async engine which wraps the standard RSA functions inside an engine (as well as various other crypto primitives). You can see it here: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/engines/e_dasync.c Matt On 12/04/2021 17:32, Shariful Alam wrote: Dr.

Re: Compilation issue with 1.1.1k version

2021-04-07 Thread Matt Caswell
esday, April 7, 2021, 02:39:46 PM EDT, Matt Caswell wrote: On 07/04/2021 19:31, Boris Shpoungin via openssl-users wrote: > Hello, > > I am using cross compiler toolchain (arm-hisiv200-linux-gnueabi) to > compile openssl library for arm based custom board. > I had no

Re: Compilation issue with 1.1.1k version

2021-04-07 Thread Matt Caswell
On 07/04/2021 19:31, Boris Shpoungin via openssl-users wrote: Hello, I am using cross compiler toolchain (arm-hisiv200-linux-gnueabi) to compile openssl library for arm based custom board. I had no problems to compile version 1.1.1a, however I am having troubles to compile versions 1.1.1i a

Re: Using SSL_CTX_set_min_proto_version

2021-04-07 Thread Matt Caswell
On 07/04/2021 15:22, Tamara Kogan via openssl-users wrote: I have not found any confirmation in TLS specs that the “record layer” version must be 1.0. I did not mean to imply that the specs say that the record layer version *must* be 1.0. Only that that is what OpenSSL *does*. In fact the

Re: Using SSL_CTX_set_min_proto_version

2021-04-06 Thread Matt Caswell
On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote: Hello,  In our client application we are trying to set TLS 1.2 in ClientHello message. The OpenSSL version is 1.1.1h We use the function SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION); If I test the version right after s

Re: Mismatch between renegotiation reported vs functional

2021-03-26 Thread Matt Caswell
On 25/03/2021 21:59, Shaun Robbins wrote: While trying to disable renegotiation the response from openssl reads "Secure Renegotiation IS supported" even though renegotiation is failing. Up until 2009 we just had "Renegotiation" as a concept. Then along came a man-in-the-middle attack on suc

Re: libcrypto.a and FIPs module in OpenSSL 3.0

2021-03-26 Thread Matt Caswell
On 26/03/2021 10:47, Bala Duvvuri via openssl-users wrote: Hi All, We build the "crypto" code in OpenSSL to generate "libcrypto.a" for MIPs platform. Our application links statically with "libcrypto.a" and uses the OpenSSL crypto API's accordingly. With this compilation model, will it be

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell
On 23/03/2021 15:47, Embedded Devel wrote: Do you know if your application is statically linked or dynamically linked to OpenSSL? Ive attached the code in question if it helps Looks like the original developer already tried to print the contents of the OpenSSL error stack:

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell
On 23/03/2021 15:02, Embedded Devel wrote: IM inclined top think the code for the certs is ok, but  can really say, and im not an openssl programmer by any means... just need someone to put eyes on the code and fix it really. The cert looks ok - at least nothing obviously wrong. 2048 bi

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell
On 23/03/2021 02:37, Embedded Devel wrote: I have an application previously written for us 10+ years ago that no longer seems to be happy Has something happened that might have caused this? Did you upgrade OpenSSL, or do some other kind of update to your code? Which version of OpenSSL are

Forthcoming OpenSSL release

2021-03-22 Thread Matt Caswell
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1k. This release will be made available on Thursday 25th March 2021 between 1300-1700 UTC. OpenSSL 1.1.1k is a security-fix release. The highest severity issue fixed in this release is HIGH: https://ww

Re: Is SSL_CTX_set_tmp_rsa_callback() only for small keys?

2021-03-15 Thread Matt Caswell
On 15/03/2021 23:53, Thomas Dwyer III wrote: I'm porting some very old code from 1.0.2 to 3.0 (but it still has to compile for both) and I'm trying to understand it's use of SSL_CTX_set_tmp_rsa_callback(). It looks like this was removed in 1.1.0 but it's not obvious to me why it was necessar

Re: Dumping key to file

2021-03-10 Thread Matt Caswell
On 10/03/2021 13:35, Jeremy Harris wrote: On 10/03/2021 13:14, Harish Kulkarni wrote: My application is built along with openssl library source code. We want to dump keys to a file for decrypting TLS flows from network captures.. is there any flag or environment variable which we can set dur

Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string

2021-03-10 Thread Matt Caswell
On 10/03/2021 12:08, Stephen Farrell wrote: It seems a pity that one has to special case in two ways there (both keytype and groupname) but I can live with it, For X25519 you can actually pass a groupname of "x25519" through if you want to keep everything consistent. But it's not strictly n

Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string

2021-03-10 Thread Matt Caswell
On 10/03/2021 00:53, Stephen Farrell wrote: Hiya, On 09/03/2021 03:09, Benjamin Kaduk wrote: I would have expected that the API should hide the differences other than the group name ... but these APIs are still pretty new to me, too.  If you can point me at your code I might have more to sa

Re: Openssl_3.0.0 stable release

2021-02-17 Thread Matt Caswell
On 17/02/2021 09:28, Nagarjun J wrote: > Any one have idea when openssl-3.0.0 stable version can be expected? We don't have a definitive date at the moment. IMO we are still some months away from beta1. Matt

Re:

2021-02-16 Thread Matt Caswell
On 16/02/2021 19:40, Nagarjun J wrote: > How to verify if the application is using fips provider from > openssl-3.0.0 ( similar to fips_mode() api in openssl-fips-2.0.16) Using the FIPS provider in Openssl 3.0 works quite differently to the old FIPS module. There isn't a one-to-one corresponde

Forthcoming OpenSSL Release

2021-02-09 Thread Matt Caswell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1j. This release will be made available on Tuesday 16th February 2021 between 1300-1700 UTC. OpenSSL 1.1.1j is a security-fix release. The highest severi

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Matt Caswell
nks, >>> Zeke Evans >>> Micro Focus >>> >>> -Original Message- >>> From: openssl-users On Behalf Of >>> Dr Paul Dale >>> Sent: Tuesday, January 26, 2021 5:22 PM >>> To: openssl-users@openssl.org >>> Sub

Re: Default value of a session resumption timeout (300 seconds vs 7200 seconds)

2021-01-27 Thread Matt Caswell
ay not be the same as the server's timeouts. > > -thanks > harish > > > On Mon, Jan 25, 2021 at 11:08 PM Matt Caswell <mailto:m...@openssl.org>> wrote: > > > > On 23/01/2021 15:22, John Thoe wrote: > > Hi list, > >

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Matt Caswell
On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: > On 2021-01-25 17:53, Zeke Evans wrote: >> >> Hi, >> >>   >> >> Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, >> PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips >> provider.  It looks like that is because the

Re: Default value of a session resumption timeout (300 seconds vs 7200 seconds)

2021-01-25 Thread Matt Caswell
On 23/01/2021 15:22, John Thoe wrote: > Hi list, > > The session reuse question posted on the mailing list earlier > (https://mta.openssl.org/pipermail/openssl-users/2021-January/013360.html) > reminded of a somewhat similar question I have. > > As per the docs, > https://www.openssl.org/docs/

Re: Random and rare Seg faults at openssl library level

2021-01-12 Thread Matt Caswell
On 12/01/2021 04:23, Gimhani Uthpala wrote: > Hi team, > https://www.openssl.org/docs/man1.0.2/man3/CRYPTO_set_locking_callback.html > :  From this , learnt that for openssl multi-threaded applications to be > run safely, the callback functions to be implemented. > > I am using this in a multi-

Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

2021-01-12 Thread Matt Caswell
Please raise your patch as a PR so that it can properly reviewed. You'll also need to submit a CLA: https://www.openssl.org/policies/cla.html Thanks Matt On 11/01/2021 22:19, Steffen Nurpmeso wrote: > Hello. > > Matt Caswell wrote in > : > |On 09/01/2021 23:24, St

Re: SSL_CONF_cmd(): SecurityLevel keyword, by chance?

2021-01-11 Thread Matt Caswell
On 09/01/2021 23:24, Steffen Nurpmeso wrote: > Hello. > > I do use SSL_CONF_cmd() (and modules) possibility if it exists, > since it allow users to simply use the features of the newest > OpenSSL library without any code changes on my side. > This is great, and i think i applauded in the past.

Re: How to set amount of salt for PBKDF2/PKCS8 keys?

2021-01-08 Thread Matt Caswell
On 08/01/2021 00:59, Mathias Ricken wrote: > How do I sell openssl to use more salt when generating the private key? Unfortunately the pkcs8 tool does not support setting a custom salt length and always uses the default length of 64 bits. The best I can offer you is a hack of the tool to chang

Re: Random and rare Seg faults at openssl library level

2021-01-07 Thread Matt Caswell
On 06/01/2021 17:10, Gimhani Uthpala wrote: >   I am setting context to use SSLv23_method() s. However, I can see > ssl3_ methods being called. Is there any issue with that?   Just answering this one side question: no, this is normal behaviour. Matt

Re: openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread Matt Caswell
On 05/01/2021 11:41, y vasavi wrote: > > Hi All, > > We currently FOM 2.0 module for FIPS certification. > It doesn't have support for RSA Key generation(186-4) > > Are there any patches available ? Definitely there are no official ones (I'm also not aware of any unofficial ones). The 3.0 m

Re: Format error in certificate´s notAfter field

2020-12-23 Thread Matt Caswell
On 22/12/2020 17:43, Raúl Uría Elices wrote: > Hi, > > I´m trying to connect to my vpn server, using tunnelblick, but thinking > this is a openssl stuff... may be I am wrong. > > > When connecting I got (XX is a placeholder) :  > > 2020-12-22 17:32:49.423703 VERIFY ERROR: depth=0, error=form

Re: openssl asym_cipher/signature provider

2020-12-14 Thread Matt Caswell
On 14/12/2020 16:04, Thulasi Goriparthi wrote: > Hello, > > Is it acceptable for an openssl provider to implement an algorithm > (rsaEncryption) as asym_cipher or signature algorithm without > implementing corresponding keymgmt or redirecting the same to the > 'default' provider? > > I ask, as

Re: DH_generate_key

2020-12-10 Thread Matt Caswell
rs-requ...@openssl.org> > > You can reach the person managing the list at > openssl-users-ow...@openssl.org <mailto:openssl-users-ow...@openssl.org> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users d

Re: DH_generate_key

2020-12-10 Thread Matt Caswell
On 09/12/2020 15:31, Matt Caswell wrote: >> our application creates a new DH and using DH_generate_key() > > How do you set up the DH parameters? Do you load them from a file or > generate them in your application? Or some other way? Will it break your > application if

Re: DH_generate_key

2020-12-09 Thread Matt Caswell
On 08/12/2020 17:43, Narayana, Sunil Kumar wrote: > Dear openssl team, > >   > >     While migrating from 1.0.2 to 3.0,  we found that > DH_generate_key() has be deprecated. And as per the man page, it is > advised to use EVP_PKEY_derive_init >

Re: Help with SSL 8152 SEC_ERROR_INVALID_KEY Intermittent Error (first post please be kind!)

2020-12-09 Thread Matt Caswell
On 09/12/2020 11:35, Craig Henry wrote: > Hi, > > This is my first post to this list so please be kind! > > Environment - Linux Centos > SSL - 1.0.2k19-el7 > > Connection - CURL (via PHP) with public / private key auth + http basic auth > > We're having an issue where we are seeing intermitt

Re: Use OpenSSL to decrypt TLS session from PCAP files

2020-12-08 Thread Matt Caswell
On 08/12/2020 15:28, Oren Shpigel wrote: > Hi, thanks for the answer. > > I know wireshark and ssldump have this capability, but I'm looking for a > way to do it in my own software in C++, (using OpenSSL, if possible, but > open to other suggestions as well). Unfortunately OpenSSL does not sup

Re: Regarding #def for 'SSL_R_PEER_ERROR_NO_CIPHER' and 'SSL_R_NO_CERTIFICATE_RETURNED' in openssl3.0

2020-12-07 Thread Matt Caswell
On 07/12/2020 14:26, Jakob Bohm via openssl-users wrote: >>> error: 'SSL_R_PEER_ERROR_NO_CIPHER' was not declared in this scope >> This one was only ever used in the SSLv2 implementation. Since no one >> uses SSLv2 any more and it is considered highly insecure its >> implementation was removed s

Re: Regarding #def for 'SSL_R_PEER_ERROR_NO_CIPHER' and 'SSL_R_NO_CERTIFICATE_RETURNED' in openssl3.0

2020-12-07 Thread Matt Caswell
On 04/12/2020 13:28, Narayana, Sunil Kumar wrote: > Hi, > >     We are trying to upgrade our application from openssl > usage of 1.0.2 to openssl 3.0, during which we observe following errors. > > Looks like the below #def been removed from 1.1 onwards, Should > application also ne

Fwd: Forthcoming OpenSSL Release

2020-12-01 Thread Matt Caswell
FYI Forwarded Message Subject: Forthcoming OpenSSL Release Date: Tue, 1 Dec 2020 04:15:51 -0600 From: Paul Nelson Reply-To: openssl-users@openssl.org To: openssl-annou...@openssl.org The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1

Re: HMAC is deprecated in 3.0 getting error 'HMAC' was not declared in this scope

2020-11-26 Thread Matt Caswell
On 26/11/2020 17:32, Narayana, Sunil Kumar wrote: > Error2 : error: invalid use of incomplete type 'SSL' {aka 'struct > ssl_st'} ssl->d1->mtu = MAX_SEND_PKT_SIZE; Use SSL_set_mtu(ssl, MAX_SEND_PKT_SIZE) instead. Matt

Re: set/get utilities are not available to access variable 'num' of structure bio_st (Matt Caswell)

2020-11-23 Thread Matt Caswell
<mailto:openssl-users-ow...@openssl.org> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > > 1. set/get utilities are not available to access variable > 'nu

Re: set/get utilities are not available to access variable 'num' of structure bio_st

2020-11-20 Thread Matt Caswell
On 20/11/2020 13:46, Narayana, Sunil Kumar wrote: > Hi , > >     We are porting our Application from  openssl 1.0.1 to > openssl 3.0. In related to this activity we require to access the > variable ‘*num*’ of structure *bio_st. * > > In older versions the variable was accessed to s

Re: openssl s_client connection fails

2020-11-18 Thread Matt Caswell
On 18/11/2020 11:24, Patrice Guérin wrote: > 3072988928:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert > handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40 This is a very generic "something went wrong" alert that is being received from the server and could be due t

Re: Server application hangs on SS_read, even when client disconnects

2020-11-17 Thread Matt Caswell
On 17/11/2020 13:56, Michael Wojcik wrote: >> From: Kyle Hamilton >> Sent: Tuesday, 17 November, 2020 02:37 >> On Fri, Nov 13, 2020 at 11:51 AM Michael Wojcik >> wrote: >>> From: Brice André Sent: Friday, 13 November, 2020 09:13 >>> "Does the server parent process close its cop

Re: test cases failed after enabling ktls

2020-11-16 Thread Matt Caswell
On 16/11/2020 07:56, rui zang wrote: > Resend in plain text. > == > > Greetings, > > I am trying openssl+ktls on ubuntu 20.04. > I have tried openssl-3.0.0-alpha8 from > https://www.openssl.org/source/openssl-3.0.0-alpha8.tar.gz > and also the current mast

Re: RAND_bytes() thread safety

2020-11-16 Thread Matt Caswell
On 14/11/2020 11:00, Rahul Godbole wrote: > Is OpenSSL function RAND_bytes () thread safe? Short answer: Yes Longer answer: Yes assuming that: - you are using >= OpenSSL 1.1.0 or - you are using OpenSSL 1.0.2 or below and you have set up the locking callbacks AND - You have not compiled Open

Re: ## Application accessing 'ex_kusage' ##

2020-11-16 Thread Matt Caswell
On 13/11/2020 19:10, Narayana, Sunil Kumar wrote: > Hi , > >     We are porting our Application from  openssl 1.0.1 to > openssl 3.0. in related to this activity we require to access the > variable ‘*ex_kusage*’ pointed by *X509* > > But there are no set utilities available to acce

Re: CRYPTO_mem_leaks Error in openssl 1.1.1d

2020-11-10 Thread Matt Caswell
On 10/11/2020 13:37, shiva kumar wrote: > Can you please provide me examples or links to refer it. Google is your friend here. https://valgrind.org/ The above site has a quick start guide which should help. Matt > > On Tue, 10 Nov 2020 at 7:04 PM, Matt Caswell <mailto:m...

Re: CRYPTO_mem_leaks Error in openssl 1.1.1d

2020-11-10 Thread Matt Caswell
On 10/11/2020 13:25, shiva kumar wrote: > Any alternatives for this, if the compiled version doesn't enabled the flag? valgrind? Matt > > On Tue, 10 Nov 2020 at 4:52 PM, Matt Caswell <mailto:m...@openssl.org>> wrote: > > > > On 10/11/2020 0

Re: CRYPTO_mem_leaks Error in openssl 1.1.1d

2020-11-10 Thread Matt Caswell
On 10/11/2020 09:19, shiva kumar wrote: > Hi,  > I'm trying to use the CRYPTO_mem_leaks  API in openssl 1.1.1d, but > during compilation I'm getting error as  > *Unsatisfied symbol "CRYPTO_mem_leaks" * > > I have Included the header  > #include > > one doubt is it is defined under crypto.h >

Re: Questions regarding OpenSSL 3.0 and corresponding FIPS Module

2020-11-05 Thread Matt Caswell
On 05/11/2020 16:54, Jason Schultz wrote: > I read the most recent (10/20) update to the OpenSSL 3.0 release page here: > > https://www.openssl.org/blog/blog/2020/10/20/OpenSSL3.0Alpha7/ > > As well as the release > strategy:  > https://wiki.openssl.org/index.php?title=OpenSSL_3.0_Release_Sche

Re: PRNG not available when multiple providers are configured?

2020-11-04 Thread Matt Caswell
tographic Foundations  > Phone +61 7 3031 7217 > Oracle Australia > > > > >> On 4 Nov 2020, at 4:41 am, Thomas Dwyer III > <mailto:tom...@tomiii.com>> wrote: >> >> On Tue, Nov 3, 2020 at 7:13 AM Matt Caswell > <mailto:m...@openssl.org>>

<    1   2   3   4   5   6   7   8   9   10   >