Re: [openssl-dev] [openssl-users] Windows OpenSSL's FIPS Binaries
> does anybody know if there are downloadable binaries of
> openssl-fips and/or openssl-fips-ecp (2.0.16 or earlier) for
> Windows?

http://wiki.overbyte.eu/wiki/index.php/ICS_Download

We have OpenSSL 1.0.2m-fips for Win32, primarily for application testing since our DLLs would not pass FIPS approval processes. They are Windows code signed.

Also normal 1.1.0 and 1.0.2 versions for Win32 and Win64, all code signed.

Angus

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] DTLS in multi-thread and concurrent connection acceptance environment
> I don't know if anyone has ever created any metrics on how far it
> can be scaled. I've certainly not seen it if they have. But there
> are no known limitations on this approach (this is the intended
> way to do things).

Our Delphi OpenSSL implementation on Windows mostly uses a single thread and event driven code, although Windows itself uses a thread per connection. But we don't support DTLS.

I did some testing last year with simple SSL TCP/IP client and server on Windows 10, and had 2,000 simultaneous SSL sessions running on the same PC, always thought client versions of Windows supported far fewer sessions.

The main limitation during testing with a single thread was the set-up time for SSL, there is a limit of how many new sessions can be started per second. My test was starting 100 sessions per second, and about 20% failed initially, but succeeded later on retries.

I used my own applications for testing, ComCap5 and ComGen5 from https://www.magsys.co.uk/comcap/

ComGen is a TCP/UDP session data generator, configurable for multiple IPs and ports, and volume of sessions.

Angus
Re: [openssl-dev] Creating requests and certificates with Subject Alternative Names
> I'm creating X509 certificate requests and certificates in code,
> trying to add X509v3 Subject Alternative Name, with 1.1.0f.
>
> But if I add a list of four domains, ie:
> The certificate seems to ignore some and repeat others:

To answer my own question, I was using ASN1_STRING_set0 instead of ASN1_STRING_set and the original ANSI string was a temporary variable, so got lost as a new string was added since it was not copied.

But there must be an easier way of adding SANs to certificates than using undocumented GENERAL_NAME APIs.

Angus
[openssl-dev] 1.1.0 pre5 seems to ignore CIPHER_SERVER_PREFERENCE
I have two custom Windows web sites, running released and beta versions of OpenSSL. The beta version only gets an A- score with SSL Labs, whereas the release version gets A+.

https://www1.telecom-tariffs.co.uk/serverinfo.htm shows server status, and that it's running OpenSSL 1.1.0-pre5 (beta) 19 Apr 2016, SSL Labs says:

'Cipher Suites (sorted by strength as the server has no preference;) The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.'

https://www.telecom-tariffs.co.uk/serverinfo.htm is the main live server running OpenSSL 1.0.2h 3 May 2016, and gets a score A+ saying 'Cipher Suites (SSL 3+ suites in server-preferred order)'.

The application is identical with CIPHER_SERVER_PREFERENCE specified and a Mozilla intermediate cipher list (shown on the status page), but SSL Labs suggests there is no server preference so forward security ciphers are not prioritised.

The OpenSSL implementation is for Windows Embarcadero Delphi and the free ICS internet component suite which I support, it uses our own Pascal version of the OpenSSL C header files, originally created 10 years ago and updated for each new OpenSSL release, so there is a risk we might miss subtle header changes like constants changing.

I realise pre5 is a month old, but cannot see this issue raised in the last month.

Angus