[openssl-dev] SNAPSHOT updates
What is happening? In the Moutain Time Zone: It was at 22:22 MST then 23:22 MDT then 00:22 MDT !! -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Never compare your inside with somebody else's outside. -Hugh Macleod ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3748] do_name_ex in crypto/asn1/a_strex.c does not treat case 0 in XN_FLAG_SEP_MASK
Hi, when a single -nameopt utf8 or others is used in openss x509 or others, the separator mask is 0. This preempts the command as soon as the Issuer is formatted. It seems that the case 0 should be treated lin the same ways as XN_FLAG_SEP_CPLUS_SPC Best Peter Sylvester ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Suspicious crash in 1.0.2
Hi, Matt. I have not seen this committed to master or 1.0.2 yet ? Another person complained about it too, so its probably good idea to get it checked in. Patch works fine for all my use cases. -- Original Message -- On 28/02/15 06:53, Erik Forsberg wrote: Hi. I seem to have run into a really hard to pin down issue in OpenSSL 1.0.2. Normally, it simply causes an EFAULT during a write syscall, which makes me close the connection, but to investigate, I added a core dump at that time. This is what I see Hi Erik Thanks for the really useful analysis of this issue. Please could you try out the attached patch and see if that solves things for you? Let me know how you get on. Many thanks Matt Attachment: multiblock.patch (0.5 KB) ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #3745] OpenSSl Bug, affected release 0.9.8zd
On 3/13/2015 4:00 PM, Rath, Santosh via RT wrote: But when I build the openssl with shared mode, then it is failing and reporting below errors. gcc: /home/ratsa02/openssl/openssl-fips-2.0.2/fips_binary/fipsfips_premain.c: No such file or directory gcc: /home/ratsa02/openssl/openssl-fips-2.0.2/fips_binary/fipsfipscanister.o: No such file or directory make[2]: *** [fips_premain_dso] Error 1 Without looking at the old source, it looks to me like an environment variable or configure script option is missing a trailing / so that instead of getting ../fips/fips_premain.c you get ../fipsfips_premain.c Regards, Steve ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Suspicious crash in 1.0.2
On 13/03/15 20:57, Erik Forsberg wrote: Hi, Matt. I have not seen this committed to master or 1.0.2 yet ? Another person complained about it too, so its probably good idea to get it checked in. Patch works fine for all my use cases. Hi Erik, Don't worry - I've not forgotten about it!! Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #3745] OpenSSl Bug, affected release 0.9.8zd
Thank you Stephen, Since the product is already build on openssl.0.9.8.r, and if we upgrade it to openssl0.1.1l then there could be lot of change in terms of API what our product use. And one more pain point is the product is using .so of libcrypto and libssl. But when I build the openssl with shared mode, then it is failing and reporting below errors. gcc: /home/ratsa02/openssl/openssl-fips-2.0.2/fips_binary/fipsfips_premain.c: No such file or directory gcc: /home/ratsa02/openssl/openssl-fips-2.0.2/fips_binary/fipsfipscanister.o: No such file or directory make[2]: *** [fips_premain_dso] Error 1 Pleas shed some advice here, because I struggling to figureout how to build those libraries. Since my release is due in 4 dyas, I have to submit this in 4 days. Thanks Santosh -Original Message- From: Stephen Henson via RT [mailto:r...@openssl.org] Sent: Friday, March 13, 2015 3:34 AM To: Rath, Santosh Cc: openssl-dev@openssl.org Subject: [openssl.org #3745] OpenSSl Bug, affected release 0.9.8zd On Thu Mar 12 22:16:37 2015, santosh.r...@ca.com wrote: Hi I have downloaded the openssl 0.9.8zd source. And I tried below steps to get it install. 1. ./config fipscanisterbuild I did not get any configuration error. 2. make I got the below linker error. make[2]: Entering directory `/home/ratsa02/openssl-0.9.8zd/test' ../fips/fipscanister.o: In function `RSA_padding_check_PKCS1_OAEP': (.text+0x140ab): undefined reference to `CRYPTO_memcmp' collect2: ld returned 1 exit status make[2]: *** [link_app.gnu] Error 1 make[2]: Leaving directory `/home/ratsa02/openssl-0.9.8zd/test' make[1]: *** [fips_shatest] Error 2 make[1]: Leaving directory `/home/ratsa02/openssl-0.9.8zd/test' make: *** [build_tests] Error 1 Note: ( if I ran only configure without fipscanisterbuild option in config, the I don't have any issues.'make' is working fine. But I need the libraries should fips compliance). You don't use that build procedure if you want OpenSSL to be FIPS compliant. You need to build the FIPS module from source first (obeying the security policy) and link the FIPS capable OpenSSL to that. See the user guide for more details. Note that OpenSSL 0.9.8 uses the much older 1.2 module. You should be using the 2.0 module instead and OpenSSL 1.0.1 or later. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3745] OpenSSl Bug, affected release 0.9.8zd
On Fri Mar 13 21:00:30 2015, santosh.r...@ca.com wrote: Thank you Stephen, Since the product is already build on openssl.0.9.8.r, and if we upgrade it to openssl0.1.1l then there could be lot of change in terms of API what our product use. Well if you'd used any OpenSSL 0.9.8 using ./config fipscanisterbuild then the result would not be FIPS compliant as you weren't using the validated FIPS module. In outline you need to download the FIPS module appropriate for your version of OpenSSL. For 0.9.8 the latest is 1.2.4 you can get it from: https://www.openssl.org/source/old/fips/openssl-fips-1.2.4.tar.gz Extract the tarball. Build and install using: ./config fipscanisterbuild make make install Download OpenSSL 0.9.8 latest tarball currently: https://www.openssl.org/source/openssl-0.9.8ze.tar.gz and extract it. Then do: ./config fips make Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] problems building openssl-1.0, 2 win64a binaries with vs2013 on windows 7
On 13/03/2015 22:10, Joey Yandle wrote: ... On side note the error is indication that your nasm is out-of-date and you are missing out some optimizations. I'm using the nasm-2.07 windows installer from sourceforge: http://sourceforge.net/projects/nasm/ Is there something more recent? The page that says This is NASM - the famous Netwide Assembler. Back at SourceForge and in intensive development! Downloads on this page may be out of date. Get the current versions from http://www.nasm.us/; at the top? The current site also shows at the top of Google searches, and says The latest stable version of NASM is 2.11.08 http://www.nasm.us/pub/nasm/releasebuilds/2.11.08/ -- J. J. Farrell w: +44 161 493 4838 ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] problems building openssl-1.0, 2 win64a binaries with vs2013 on windows 7
tmp32\aesni-sha256-x86_64.asm:113: error: symbol `__imp_RtlVirtualUnwind' undefined Can you confirm that attached patch addresses the problem? Yes, that fixes it. However, the build then fails during linking: lib /nologo /out:out32\libeay32.lib @C:\Users\dragon\AppData\Local\Temp\ nm60AD.tmp tmp32\x86_64cpuid.obj : fatal error LNK1112: module machine type 'x64' conflicts with target machine type 'X86' I was able to build 64-bit no-asm binaries, so I'm not sure what's causing the problem here. On side note the error is indication that your nasm is out-of-date and you are missing out some optimizations. I'm using the nasm-2.07 windows installer from sourceforge: http://sourceforge.net/projects/nasm/ Is there something more recent? thanks, Joey ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #3744] Enhancement Request
On 03/11/2015 01:28 PM, Shawn Fernandes via RT wrote: Hi, At the moment, we have SSL handshake making use of a single certificate, using a single key-pair present in the certificate. In the event the MITM has the same certificate(SSL - offloader) then the data can be encrypted/decrypted. Would like to know if we can have the enhancement of using random key pair, generated form each certificate, so that each SSL handshake would make use of a random key-pair, and thereby give a different key value to each encryption -decryption, and therby be able to determine if the MITM with a same certificate has decrypted encrypted data. With Regards, Shawn I'm not an expert here, but I must share a couple of considerations that the master of cryptography may want to reject or amend: - if we're talking of non-mutual X509 authentication, that is just the server has a certificate, the solution would be ineffective against a determined attacker who possesses the server certificate because it would be possible, for the MITM, to fully impersonate the server. The MITM would talk with both parts using random keys - as a general security perspective, it is always bad when a private key is compromised. Mutual authentication would help, yes, but you're navigating dangerous waters anyway - the TLS-SRP, in my understanding, involves a pre-shared secret which is not, most often, a viable solution ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] do_name_ex in crypto/asn1/a_strex.c does not treat case 0 in XN_FLAG_SEP_MASK
Hi, when a single -nameopt utf8 or others is used in openss x509 or others, the separator mask is 0. This preempts the command as soon as the Issuer is formatted. It seems that the case 0 should be treated lin the same ways as XN_FLAG_SEP_CPLUS_SPC Best Peter Sylvester ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev