Re: [openssl-dev] Suspicious crash in 1.0.2
On 02/03/15 01:54, Erik Forsberg wrote:
> This patch fixes the issue. I had a similar fix, but yours is more complete. Thanks.
>
> Another thought. As I looked at this multiblock code I realize it will have some impact on memory usage. Thinking it might be good to have an option to disable the function at runtime so one can choose between memory savings and performance. Particularly in the main branch where these OPENSSL_NO_XXX compile time options are going away?

You can already use OPENSSL_SMALL_FOOTPRINT for this purpose.

Matt
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] openssl x509 -text incorrectly displays non-latin (non-ansi) symbols (missed '-utf8 option?)
Hello,

Probably an openssl-users question.

Use
    openssl x509 -text -in localhost-server.crt -nameopt oneline,utf8,-esc_msb

Your terminal must be able to display UTF8 sequences.
I sometimes add the show_type nameopt option, to check things.

--
Erwann ABALEA

On 02/03/2015 06:58, Ikonta wrote:
> AFAIR in 2004 openssl switched to UTF8 as default bitmask in certificate. But ANSI extensions of utf8 support are still incomplete:
>
> $ openssl x509 -text -in localhost-server.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=RU, ST=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, L=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, O=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, OU=Apache, CN=\xD1\x82\xD0\xB5\xD1\x81\xD1\x82\xD0\xBE\xD0\xB2\xD1\x8B\xD0\xB9 \xD0\xA6\xD0\x90/emailAddress=root@localhost
>         Validity
>             Not Before: Feb  6 08:28:23 2015 GMT
>             Not After : Sep 15 08:28:23 2020 GMT
>         Subject: C=RU, ST=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, O=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, OU=Apache web server, CN=localhost/emailAddress=apache@localhost
> …
> (not attaching example certificate file because mail list seems to reject such letters)
>
> displays utf8 symbol codes instead of the expected human-readable letters (in this case — cyrillic), shown after importing this certificate into the browser's profile.
>
> Probably adding a -utf8 option for the x509 command should fix this particular issue.
>
> P.S. I use =dev-libs/openssl-1.0.1k amd64 build on Gentoo GNU/Linux.
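As an added example (not part of the thread and not OpenSSL's own documentation), the script below constructs a certificate whose DN carries Cyrillic UTF8String attributes and prints the subject twice: once with the default name options and once with the options Erwann suggests. It assumes the openssl command line tool is on PATH and that req accepts -utf8 together with -subj; the DN values are made up here and are not the reporter's certificate.

```shell
#!/bin/sh
# Added example, not from the thread: make a certificate whose DN carries
# Cyrillic UTF8String values and show how -nameopt changes what x509 prints.
# Assumes the openssl command line tool is installed; the DN is constructed.
set -eu

show_utf8_subject() {
    dir=$(mktemp -d)
    # -utf8 tells req to read -subj as UTF-8, so the attributes are stored as
    # UTF8String; without it bytes above 0x7F are interpreted as Latin-1 code
    # points and the Cyrillic ends up double-encoded in the certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -utf8 -subj '/C=RU/ST=Тест/O=Тест/CN=localhost' >/dev/null 2>&1
    # Default rendering of the same DN (older releases print \xNN escapes
    # here, which is what the report shows):
    printf 'default : '
    openssl x509 -in "$dir/cert.pem" -noout -subject
    # oneline layout, UTF8String values decoded, and -esc_msb so bytes above
    # 0x7F are passed through to the terminal instead of being escaped:
    printf 'utf8    : '
    openssl x509 -in "$dir/cert.pem" -noout -subject -nameopt oneline,utf8,-esc_msb
    rm -rf "$dir"
}

show_utf8_subject
```

The second line only looks right if the terminal's locale is UTF-8; with a C locale the same bytes show up as garbage, which is the point of Erwann's remark about the terminal.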
[openssl-dev] [openssl.org #3708] segfault while generating a certificate signing request based on a malformed certificate
Fixed now, thanks for the report.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl-dev] [openssl.org #3726] Cocoapods install BUG
Hello guys.

There is an issue with openssl pod installing with the cocoapods tool.
The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.

Downloading dependencies
- Installing OpenSSL (1.0.200)
 > Http download
   $ /usr/bin/curl -f -L -o /Users/Quizer/Development/iOS/testOpenSsl/Pods/OpenSSL/file.tgz https://www.openssl.org/source/openssl-1.0.2.tar.gz; --create-dirs
     % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
     0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   curl: (22) The requested URL returned error: 404 Not Found
[!] Error installing OpenSSL
[!] /usr/bin/curl -f -L -o /Users/Quizer/Development/iOS/testOpenSsl/Pods/OpenSSL/file.tgz https://www.openssl.org/source/openssl-1.0.2.tar.gz; --create-dirs
     % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
     0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   curl: (22) The requested URL returned error: 404 Not Found
Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG
It seems all the tarballs have disappeared.

--
Erwann ABALEA

On 02/03/2015 18:06, Alex Sklyar via RT wrote:
> Hello guys.
>
> There is an issue with openssl pod installing with the cocoapods tool.
> The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.
Re: [openssl-dev] [openssl.org #3721] Patch for additional checking of self-signed certificates
This code is currently being used by Akamai to check for the validity of certificates.

I find it highly unusual for multiple certificates to have the same SubjectDN to be valid simultaneously. All those certificates would need to have a unique serial number; but the Issuer's serial number is not included in the certificate, so there's no easy way to determine the issuing certificate. To validate those chains, the signature would have to be validated using the public key of each certificate that matches the Issuer. That can be an expensive proposition, and there are clients that will give up after the first failure.

Have you seen any chains like this IRL? Do you know of any CA that have their chains set up like this?

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Feb 27, 2015, at 5:31 PM, Brian Smith <br...@briansmith.org> wrote:

> Short, Todd via RT <r...@openssl.org> wrote:
>> Check that in matching issuer/subject certs, that a self-signed subject also has a self-signed issuer. Given that the subject certificate is self-signed, it means that the issuer and the subject are the same certificate. This change verifies that.
>>
>> Github link: https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b
>
> Could you explain this more?
>
> In your patch, there is a comment that says "Input certificate (subject) is self signed". But, the test is that the issuer name equals the subject name. That means the certificate is self-*issued*, not self-*signed*.
>
> Consider this chain:
>
>   { Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key2 }
>   { Subject=Foo, Issuer=Foo, Key=Key2, Signed by Key3 }
>   { Subject=Foo, Issuer=Foo, Key=Key3, Signed by Key3, Trust Anchor }
>
> All three certificates are self-issued. The issuer of the first certificate is not self-signed but it is self-issued. But, it being self-issued doesn't matter because it isn't a trust anchor.
>
> Consider this chain:
>
>   { Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key1 }
>   { Subject=Foo, Issuer=Bar, Key=Key1, Signed by Key2 }
>   { Subject=Bar, Issuer=Bar, Key=Key2, Signed by Key2, Trust Anchor }
>
> The first certificate is self-signed and self-issued. Its issuer is not self-signed or self-issued, so your patch would reject this chain. But, this is a valid chain.
>
> Cheers,
> Brian
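The two chains Brian lays out, as an added example that is not part of the thread, of OpenSSL, or of the Akamai patch: a toy Python model in which certificates are labelled records rather than real keys and signatures. `verify_chain()` does only the minimal path check (issuer name matches the next subject, signature key matches the next certificate's key, trust anchor at the end); the optional `require_self_issued_issuer` flag models the rule from the ticket, "a self-signed subject must have a self-signed issuer", using the name comparison Brian says the patch actually performs. The `Cert` fields and function names are my own; the chain layouts are Brian's.

```python
"""Self-issued vs. self-signed, modelled on the two chains in the thread.

Added example, not code from OpenSSL or from the Akamai patch.  'key' is the
public key a certificate carries and 'signed_by' is the key whose signature
is on it; both are labels, no cryptography is performed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str          # label of the public key inside the certificate
    signed_by: str    # label of the key that produced its signature
    trust_anchor: bool = False


def is_self_issued(cert: Cert) -> bool:
    """RFC 5280 sense: the issuer name equals the subject name."""
    return cert.subject == cert.issuer


def is_self_signed(cert: Cert) -> bool:
    """Self-issued and signed with the very key it carries."""
    return is_self_issued(cert) and cert.signed_by == cert.key


def verify_chain(chain, require_self_issued_issuer=False):
    """chain[0] is the end entity, chain[-1] the trust anchor.

    Returns (ok, reason).  With require_self_issued_issuer=True a
    self-issued certificate is rejected unless the certificate that
    issued it is self-issued too (the ticket's extra rule, as modelled
    here from Brian's description of what the patch tests).
    """
    if not chain or not chain[-1].trust_anchor:
        return False, "chain does not end in a trust anchor"
    for i in range(len(chain) - 1):
        cert, issuer = chain[i], chain[i + 1]
        if cert.issuer != issuer.subject:
            return False, f"cert {i}: issuer name does not match cert {i + 1} subject"
        if cert.signed_by != issuer.key:
            return False, f"cert {i}: signature does not verify with cert {i + 1} key"
        if require_self_issued_issuer and is_self_issued(cert) and not is_self_issued(issuer):
            return False, f"cert {i}: self-issued, but its issuer certificate is not"
    return True, "ok"


# Brian's first chain: every certificate is self-issued; only the anchor is self-signed.
CHAIN_A = [
    Cert("Foo", "Foo", key="Key1", signed_by="Key2"),
    Cert("Foo", "Foo", key="Key2", signed_by="Key3"),
    Cert("Foo", "Foo", key="Key3", signed_by="Key3", trust_anchor=True),
]

# Brian's second chain: a self-signed leaf whose issuer certificate carries the
# same key but was issued by Bar (a cross-certificate), so it is not self-issued.
CHAIN_B = [
    Cert("Foo", "Foo", key="Key1", signed_by="Key1"),
    Cert("Foo", "Bar", key="Key1", signed_by="Key2"),
    Cert("Bar", "Bar", key="Key2", signed_by="Key2", trust_anchor=True),
]


if __name__ == "__main__":
    for name, chain in (("A", CHAIN_A), ("B", CHAIN_B)):
        flags = [(is_self_issued(c), is_self_signed(c)) for c in chain]
        print(f"chain {name}: (self-issued, self-signed) per cert = {flags}")
        print("  plain verify      :", verify_chain(chain))
        print("  with extra check  :", verify_chain(chain, require_self_issued_issuer=True))
```

Both chains pass the plain check; only chain B fails once the extra rule is switched on, which is exactly the false rejection Brian describes: the rule keys on the name equality (self-issued) even though the comment and the ticket talk about self-signed.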
Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG
And the table linking to the latest releases on https://www.openssl.org/source/ is empty.

On 02/03/2015 17:27, Erwann Abalea wrote:
> It seems all the tarballs have disappeared.
>
> On 02/03/2015 18:06, Alex Sklyar via RT wrote:
>> Hello guys.
>>
>> There is an issue with openssl pod installing with the cocoapods tool.
>> The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.

--
J. J. Farrell
Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG
On 02/03/15 17:50, Jeremy Farrell wrote:
> And the table linking to the latest releases on https://www.openssl.org/source/ is empty.
>
> On 02/03/2015 17:27, Erwann Abalea wrote:
>> It seems all the tarballs have disappeared.
>>
>> On 02/03/2015 18:06, Alex Sklyar via RT wrote:
>>> Hello guys.
>>>
>>> There is an issue with openssl pod installing with the cocoapods tool.
>>> The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.

It should all be fixed now. Sorry for the inconvenience.

Matt
Re: [openssl-dev] [openssl.org #3721] Patch for additional checking of self-signed certificates
On Fri, Feb 27, 2015 at 09:14:08PM +0100, Short, Todd via RT wrote:

> Hello OpenSSL Org:
>
> This is a change that Akamai has made to its implementation of OpenSSL.
>
> Version: master branch
>
> Description:
> Additional checking of self-signed certificates.
> Check that in matching issuer/subject certs, that a self-signed subject also has a self-signed issuer. Given that the subject certificate is self-signed, it means that the issuer and the subject are the same certificate. This change verifies that.
>
> Github link: https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b

What motivates this proposed change? What issues did you run into without it?

--
Viktor.