[openssl-users] Certificate Revocation List and SSL

2018-03-21 Thread Norm Green
How does one specify the CRL to the SSL_CTX when setting up a 
connection?  I would expect there to be something similar to 
SSL_CTX_use_certificate(), such as:


int SSL_CTX_use_crl(SSL_CTX *ctx, X509_CRL *crl)

but can find nothing like that.

Norm Green


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Windows shared libraries version information needs some fixes

2018-03-21 Thread RTT
After your fourth commit, all seems to be working fine. Exe and DLLs now have
correct version information. Thanks.


On 21/03/2018 02:08, Salz, Rich via openssl-users wrote:

Please look at https://github.com/openssl/openssl/pull/5704 and see if it fixes
the issues.





Re: [openssl-users] Hashing public keys

2018-03-21 Thread Dr. Pala
Hi Jan,

not sure if this might help you, I solved the problem by using
X509_PUBKEY + i2d_X509_PUBKEY. Here's an example:

   
https://github.com/openca/libpki/blob/b87b647170cb5f71e00baffe609f5a02edfa3845/src/openssl/pki_keypair.c#L307

I hope that helps,

Cheers,
Max


On 3/21/18 1:42 PM, Jan Danielsson wrote:
> Hello,
>
>    Given an EVP_PKEY (can contain either RSA or EC key), is there a
> function to generate a hash of the public key?  (I have some vague
> memory of having read a few years ago that there wasn't any standardized
> way to hash EC keys (+parameters) yet.  If so; has this been remedied?).
>
>    (Storing public keys in a DHT, users need to be able to - given a
> public key - generate a hash to check if the hash exists in the DHT).
>



Re: [openssl-users] Hashing public keys

2018-03-21 Thread Dr. Matthias St. Pierre
Hello Jan,

the canonical way to create the hash of the public key is to use
d2i_PUBKEY() to save the public key in (binary) DER format and then
calculate the hash of that using
EVP_DigestInit()/EVP_DigestUpdate()/EVP_DigestFinal().

Hope that helps,

Matthias


Am 21.03.2018 um 14:42 schrieb Jan Danielsson:
> Hello,
>
>    Given an EVP_PKEY (can contain either RSA or EC key), is there a
> function to generate a hash of the public key?  (I have some vague
> memory of having read a few years ago that there wasn't any standardized
> way to hash EC keys (+parameters) yet.  If so; has this been remedied?).
>
>    (Storing public keys in a DHT, users need to be able to - given a
> public key - generate a hash to check if the hash exists in the DHT).
>




[openssl-users] Hashing public keys

2018-03-21 Thread Jan Danielsson
Hello,

   Given an EVP_PKEY (can contain either RSA or EC key), is there a
function to generate a hash of the public key?  (I have some vague
memory of having read a few years ago that there wasn't any standardized
way to hash EC keys (+parameters) yet.  If so; has this been remedied?).

   (Storing public keys in a DHT, users need to be able to - given a
public key - generate a hash to check if the hash exists in the DHT).

-- 
Kind Regards,
Jan Danielsson


Re: [openssl-users] OpenSSL version 1.1.1 pre release 3 published

2018-03-21 Thread Dennis Clarke

On 20/03/18 08:03 PM, Viktor Dukhovni wrote:

On Mar 20, 2018, at 5:55 PM, Dennis Clarke wrote:

                  sign    verify    sign/s verify/s
rsa 4096 bits 0.082541s 0.001186s     12.1    843.0


That seems remarkably slow, is that expected with this CPU?
My laptop (PowerBook pro) is 12 to 13 times faster:

Doing 4096 bit private rsa's for 10s: 1566 4096 bit private RSA's in 9.99s
Doing 4096 bit public rsa's for 10s: 102768 4096 bit public RSA's in 9.99s
OpenSSL 1.1.1-pre4-dev  xx XXX 
built on: Tue Mar 20 22:07:47 2018 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: cc -fPIC -arch x86_64 -Qunused-arguments -O3 -Wall -DL_ENDIAN 
-DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM 
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM 
-DPADLOCK_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.006379s     0.97s    156.8  10287.1



You want to see slow?  Let me show you slow:

root@phobos:~# uname -r
4.15.9-genunix
root@phobos:~# cat /etc/debian_version
buster/sid

root@phobos:~# /usr/bin/openssl version
OpenSSL 1.1.0g  2 Nov 2017

root@phobos:~# /usr/bin/openssl speed rsa4096
Doing 4096 bit private rsa's for 10s: 12 4096 bit private RSA's in 10.74s
Doing 4096 bit public rsa's for 10s: 765 4096 bit public RSA's in 10.00s
OpenSSL 1.1.0g  2 Nov 2017
built on: reproducible build, date unspecified
options:bn(64,32) rc4(4x,int) des(long) aes(partial) blowfish(ptr)
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS 
-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM 
-DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM 
-DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" 
-DENGINESDIR="\"/usr/lib/i386-linux-gnu/engines-1.1\""

                  sign    verify    sign/s verify/s
rsa 4096 bits 0.895000s 0.013072s      1.1     76.5


Now that is slow.

However, I have a sparc unit that reports "inf" or infinite speed, so one
never really knows what one will get.

Dennis


Re: [openssl-users] Windows shared libraries version information needs some fixes

2018-03-21 Thread Matt Caswell


On 21/03/18 09:36, Matt Caswell wrote:
> 
> 
> On 21/03/18 00:45, RTT wrote:
>> Hello,
>>
>> Building the shared libraries (version 1.1.1 pre 3) for Windows with
>> Visual Studio, targets VC-WIN32 or VC-WIN64A, results in DLLs with
>> version information with an outdated copyright date, i.e. "Copyright
>> 1998-2016 The OpenSSL Authors. All rights reserved", and the file
>> description as "OpenSSL application" instead of "OpenSSL shared library".
>>
>> The version information resource file seems to be generated by the
>> script "util\mkrc.pl", which indeed has this old copyright date
>> hardcoded, and the logic that selects the file description seems to
>> expect a call with a file extension (i.e. mkrc.pl libcrypto.dll, mkrc.pl
>> openssl.exe, ...), but the build.info file is not specifying any file
>> extension in these calls.
>>
>> Also, why doesn't openssl.exe include version information?
>>
> 
> Please could you raise this as an issue on github so that it gets
> properly tracked?
> 
> https://github.com/openssl/openssl/issues

Ignore this. I see Rich has already created a PR to fix this.

Matt



Re: [openssl-users] Windows shared libraries version information needs some fixes

2018-03-21 Thread Matt Caswell


On 21/03/18 00:45, RTT wrote:
> Hello,
> 
> Building the shared libraries (version 1.1.1 pre 3) for Windows with
> Visual Studio, targets VC-WIN32 or VC-WIN64A, results in DLLs with
> version information with an outdated copyright date, i.e. "Copyright
> 1998-2016 The OpenSSL Authors. All rights reserved", and the file
> description as "OpenSSL application" instead of "OpenSSL shared library".
> 
> The version information resource file seems to be generated by the
> script "util\mkrc.pl", which indeed has this old copyright date
> hardcoded, and the logic that selects the file description seems to
> expect a call with a file extension (i.e. mkrc.pl libcrypto.dll, mkrc.pl
> openssl.exe, ...), but the build.info file is not specifying any file
> extension in these calls.
> 
> Also, why doesn't openssl.exe include version information?
> 

Please could you raise this as an issue on github so that it gets
properly tracked?

https://github.com/openssl/openssl/issues

Thanks

Matt