Re: Good at assembler ? (Was:httpd - side channel attack - timing of digest comparisons)

2015-05-29 Thread William A Rowe Jr
> Secondly - when we get to the end of the shorter string; we can either keep comparing to the last char or \0; or we go ‘modulo’ to the start of the string. Now modulo is perhaps not ideal; and seems to affect the pipeline on the XEON cpu (something I confess not to quite understand; and I cannot

RE: httpd and OpenSSL 1.0.2

2015-05-29 Thread Wang, Andy
It didn't break API compatibility but it sure did break backwards compatibility. I'm pretty sure if you link against 1.0.2 you can't run with an older 1.0.x library. Which is what appears to happen in Mario's case. I'm speculating as to why - being related to improperly replacing a system package

Re: httpd and OpenSSL 1.0.2

2015-05-29 Thread William A Rowe Jr
Don't be fooled. OpenSSL 1.0.1 did not break binary compatibility, the lib designation remains .so.1.0.0. Can someone confirm whether this was changed in 1.0.2? On May 29, 2015 10:26 AM, "Mario Brandt" wrote: > Hi Andy, > > it seems that you are right. After checking the lib I saw this > > -rw-r

Re: httpd and OpenSSL 1.0.2

2015-05-29 Thread Mario Brandt
Hi Andy, it seems that you are right. After checking the lib I saw this -rw-r--r-- 1 root root 4,4M Mai 29 10:51 libcrypto.a lrwxrwxrwx 1 root root 18 Mai 29 10:51 libcrypto.so -> libcrypto.so.1.0.0 -r-xr-xr-x 1 root root 2,6M Mai 29 10:51 libcrypto.so.1.0.0 -rw-r--r-- 1 root root 744K Mai 2

Re: httpd and OpenSSL 1.0.2

2015-05-29 Thread Mario Brandt
On 29 May 2015 at 16:49, Andy Wang wrote: > Yeah, I honestly wasn't really thinking that closely about it. I do know > this. > > The openssl default install results in the following: > libssl.so.1.0.0 > symlinked to > libssl.so > > however, fedora's system provided libraries look like this: > lrw

Re: httpd and OpenSSL 1.0.2

2015-05-29 Thread Andy Wang
On 05/29/2015 09:20 AM, Rainer Jung wrote: Here you can see the SONAME is libssl.so.1.0.0. This name is added as a dependency into the linked binary. At runtime the runtime linker will look for this file, not for libssl.so. During installation of libssl.so (resp. libcrypto.so) typically the f

Re: httpd and OpenSSL 1.0.2

2015-05-29 Thread Rainer Jung
On 29.05.2015 at 15:16, Wang, Andy wrote: You might want to reconsider that unless you really really are sure you know what you're doing. On a linux distro, the system installed openssl is considered a fundamental platform infrastructure library. I.e. many many things rely on it. openssl ve

RE: httpd and OpenSSL 1.0.2

2015-05-29 Thread Wang, Andy
You might want to reconsider that unless you really really are sure you know what you're doing. On a linux distro, the system installed openssl is considered a fundamental platform infrastructure library. I.e. many many things rely on it. openssl versions are not backward compatible. So if yo

Good at assembler ? (Was:httpd - side channel attack - timing of digest comparisons)

2015-05-29 Thread Dirk-Willem van Gulik
>>> On 28 May 2015, at 17:03, William A Rowe Jr >> > wrote: …. >>> > > On 26 May 2015, at 17:22, Dirk-Willem van Gulik >> > > > wrote: >>> > .. >>> > > So I think that what is needed are two (or three) functions >>> > ... >>> > > - A stri

Re: httpd and OpenSSL 1.0.2

2015-05-29 Thread Mario Brandt
Hi Tom, nope setting LD_LIBRARY_PATH did not solve my problem. That is a bit tricky since I install the new openssl version system wide ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared no-ssl2 Mario On 28 May 2015 at 21:45, Tom Browder wrote: > On Wed, May 27, 2015 at 1:09 PM,