Re: [openssl-dev] Kerberos
Perhaps people use the --with-krb5-flavor=MIT config which is what we do, and we use it all the time in 1.0.2.

Ken

InterSoft International, Inc.
Phone: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com

From: Matt Caswell m...@openssl.org
To: openssl-dev@openssl.org
Sent: Tuesday, May 5, 2015 7:56 AM
Subject: Re: [openssl-dev] Kerberos

On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote:
> What are the problems?

The code as it exists today is not compiled by default. I recently fixed a set of issues in master that had not been spotted simply because the code is not regularly compiled and used. One possible solution to that is to turn it on by default...but I think that is worse since it unnecessarily increases the attack surface for those that don't use it (the vast majority).

As it turns out the --with-krb5-include Configure option has not been working correctly in 1.0.2 since it was released...but no-one noticed.

Due to the infrequency with which it is being used in practice this means that the code is not being kept up to date. There are some technical issues (including its use of single DES) which mean the existing solution is not fit-for-purpose. Viktor is probably better placed to elaborate on those.

Either we should invest in the effort to bring it up to a suitable standard or we get rid of it. Given that (I believe) very few people are using it, it seems more sensible to get rid of it. Part of the purpose of my email was to gauge whether I was right that very few people are using it.

Matt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: OpenSSL ECCN query
Richard

Why are you asking us about the export status of OpenSSL?

Ken

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com

From: "Trebilcock, Richard" richard.trebilc...@cgi.com
To: "openssl-dev@openssl.org" openssl-dev@openssl.org
Sent: Monday, December 9, 2013 6:35 AM
Subject: OpenSSL ECCN query

On the CGI IT UK Limited project I am currently working on, we are looking to export OpenSSL as part of the overall software deliverable.

As part of this process, we need to know whether OpenSSL is of United States origin, and if so what the ECCN number is, and does an ENC licence also apply?

I would be most grateful if you could provide me with this information. However, failing this, if you could direct me to where I might find the information I require this would also be very helpful.

Your assistance with this matter is most appreciated.

Best regards,
Richard

Richard Trebilcock | ILS Engineer
Defence | CGI
Chaucer House, Springfield Drive, The Office Park, Leatherhead, Surrey, KT22 7LP UK
T: +44 01372 838258 | M: +44 (0) 7717 355882
richard.trebilc...@cgi.com | cgi-group.co.uk
CGI IT UK Limited. A CGI Group Inc. Company
Registered Office: 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom. Registered in England Wales - Number 947968
Re: Making the CA database more robust
Take a look at xca. It's free and one of the best I have seen.

Ken

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com

From: Nat Howard open...@track.pupworks.com
To: openssl-dev@openssl.org
Sent: Friday, November 23, 2012 10:54 AM
Subject: Making the CA database more robust

Has anyone started (or better yet) completed a project to make the built-in Certification Authority more robust?

I've hit my shins a few times on this, once from the lack of concurrency -- yes, I now know (now) that it's documented -- and once because of a system crash at a bad moment -- as near as I can tell.

I've looked around for CA software that would store certs and cert statuses and such in a database, but all I've found were front ends to openssl ca and ejbca and openca -- the latter two of which seem like way more than I need. A few searches of the openssl-dev archives didn't show me anything like this.

Has anyone done this? Started it? I'd rather not (attempt to) reinvent the wheel…..

Thanks for any guidance you can give….

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: OpenSSL FIPS Module 2.0 status update
Steve

That's where the entire fips validation really breaks down. Complete end user confusion on what machine, operating system and processor type can and cannot be used. It must be a real deployment stumbling block for large organizations.

Ken

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com

From: Steve Marquess marqu...@opensslfoundation.com
To: openssl-dev@openssl.org
Cc: Vanden, Michelle CTR USAF AFMC AAC/EBYC michelle.vanden@eglin.af.mil
Sent: Tuesday, March 6, 2012 8:43 AM
Subject: Re: OpenSSL FIPS Module 2.0 status update

On 03/06/2012 08:49 AM, Vanden, Michelle CTR USAF AFMC AAC/EBYC wrote:
> Hello Steve,
> Will the new certificate support that is has been tested in a Windows 7

That validation will include the following MS Windows platforms:

Windows 7 32bit on x86, SSE2 optimization
Windows 7 64bit on x86, SSE2 optimization

AES-NI optimization is not covered, so for instance the module cannot be used with Windows on many Intel Core i5 processors.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.net
openssl-1.0.1-stable-SNAP-20111215 Fails on Windows
The subject OpenSSL version fails with the following error:

    rc /fotmp32dll\ssleay32.res /d SSL ms\version32.rc
    link /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll\sslea
    y32.dll /def:ms/SSLEAY32.def @C:\DOCUME~1\zkrr01\LOCALS~1\Temp\nmc03520.
    SSLEAY32.def : error LNK2001: unresolved external symbol SRP_have_to_put_srp_use
    rname
    SSLEAY32.def : error LNK2001: unresolved external symbol SSL_CTX_set_srp_missing
    _srp_username_callback
    out32dll\ssleay32.lib : fatal error LNK1120: 2 unresolved externals
    LINK : fatal error LNK1141: failure during build of exports file
    NMAKE : fatal error U1077: 'link' : return code '0x475'
    Stop.

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com
openssl-1.0.1-stable-SNAP-20111122
The subject 1.0.1 version is now failing with:

    rc4test.c
    link /nologo /subsystem:console /opt:ref /debug /out:out32dll\rc4test.ex
    e @C:\DOCUME~1\zkrr01\LOCALS~1\Temp\nna05836.
    Creating library tmp32dll\junk.lib and object tmp32dll\junk.exp
    rc4test.obj : error LNK2001: unresolved external symbol _OPENSSL_cpuid_setup
    out32dll\rc4test.exe : fatal error LNK1120: 1 unresolved externals
    NMAKE : fatal error U1077: 'link' : return code '0x460'
    Stop.

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com
openssl-1.0.1-stable-SNAP-20111121 Fails on Windows
The current openssl-1.0.1-stable-SNAP-2021 and the last 6 or so previous versions fail with the following on Microsoft Windows:

    ssltest.c
    link /nologo /subsystem:console /opt:ref /debug /out:out32\ssltest.exe @
    C:\DOCUME~1\zkrr01\LOCALS~1\Temp\nne04256.
    ssleay32.lib(t1_enc.obj) : error LNK2001: unresolved external symbol _bcmp
    out32\ssltest.exe : fatal error LNK1120: 1 unresolved externals
    NMAKE : fatal error U1077: 'link' : return code '0x460'
    Stop.

In addition, the following warnings are received:

    C:\work\openssl-1.0.1-stable-SNAP-2021perl util\mkdef.pl 32 libeay 1ms\libeay32.def
    WARNING: mkdef.pl doesn't know the following algorithms:
    NEXTPROTONEG
    C:\work\openssl-1.0.1-stable-SNAP-2021perl util\mkdef.pl 32 ssleay 1ms\ssleay32.def
    WARNING: mkdef.pl doesn't know the following algorithms:
    NEXTPROTONEG
    Warning: SSL_CTX_set_next_proto_select_cb does not have a number assigned
    Warning: SSL_CTX_set_next_protos_advertised_cb does not have a number assigned
    Warning: SSL_export_keying_material does not have a number assigned
    Warning: SSL_get0_next_proto_negotiated does not have a number assigned
    Warning: SSL_select_next_proto does not have a number assigned

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260
http://www.netterm.com
http://www.securenetterm.com
Unix CAC certificate based authentication
Steve

One of our Army clients (USAMITC) is asking if we know of any Unix based SSH client and or server which will support CAC certificate based authentication other than Tectia. Are you aware of any?

Ken

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260 or 888-823-1542
supp...@securenetterm.com
http://www.securenetterm.com
Re: New Sponsor for the FIPS Validation (PKWARE)
Steve

Could you explain what a private label validation is and its associated costs?

Ken

> We are pleased to announce that PKWARE, Inc. (http://www.pkware.com/) has committed to sponsor a new platform for the upcoming FIPS 140-2 validation of the OpenSSL FIPS Object Module v2.0:
>
> HP-UX 11i on Itanium 32bit with asm optimization
> HP-UX 11i on Itanium 64bit with asm optimization
>
> This new contribution will leverage the ongoing effort to cover the new platform, thereby significantly increasing the value of the resulting validation. To date the following platforms are included in the validation:
>
> Android on ARM
> VC++ Win32 on x86
> uClinux on ARM
> Fedora 14 on x86-64 asm optimization
> HP-UX 11i on Itanium 32bit with asm optimization
> HP-UX 11i on Itanium 64bit with asm optimization
>
> Any prospective sponsors of platforms not included in that list are encouraged to contact the OSF.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710 USA
> +1 877-673-6775
> marqu...@opensslfoundation.com

InterSoft International, Inc.
Voice: 888-823-1541
Fax: 866-701-1260 or 888-823-1542
supp...@securenetterm.com
http://www.securenetterm.com