Re: Picking up right openssl version for RFC 5746 support

2010-10-04 Thread Gilles Espinasse
- Original Message - From: kunal patel To: openssl-dev@openssl.org Sent: Tuesday, October 05, 2010 7:28 AM Subject: Picking up right openssl version for RFC 5746 support > > Hi, > I am trying to upgrade the openssl library for my work. Currently, I have 0.9.8g. I am looking > for appropr

Picking up right openssl version for RFC 5746 support

2010-10-04 Thread kunal patel
Hi, I am trying to upgrade the openssl library for my work. Currently, I have 0.9.8g. I am looking for an appropriate library version which has the fix for RFC 5746. I cannot move to the 1.0.0 version right now. Which stable version should I pick up? I tried with 0.9.8n but am facing a lot of compile issues

RE: [openssl.org #2355] Support for SHA2 ciphersuite in TLS

2010-10-04 Thread Yair Elharrar
The RNG in openssl-fips-1.2 is compliant with ANS X9.31, therefore it is OK for use through 2015 (although "deprecated" in the language of SP 800-131). Adding a SP 800-90 RNG (sorry, RBG) to OpenSSL isn't too hard, given that there's an open-source implementation which passes NIST's test vectors

[openssl.org #2353] PATCH: add missing OSCPSigning bits

2010-10-04 Thread Stephen Henson via RT
> [mi...@riseup.net - Wed Sep 29 09:38:36 2010]: > > > In a recent attempt to add missing extended key usage pieces, I noticed > that the OCSPSigning extended key usage was not fully implemented. It is > perfectly possible that I am not fully cognizant of how the code works, > and it is properly

[openssl.org #2351] PATCH: Remove obsolete ipsec extended key usages

2010-10-04 Thread Stephen Henson via RT
> [mi...@riseup.net - Wed Sep 29 09:38:22 2010]: > > > Hi, > > The extended key usages id-kp-ipsecEndSystem, id-kp-ipsecTunnel and > id-kp-ipsecUser are obsoleted as per RFC 4945 § 5.1.3.12 section title > "ExtendedKeyUsage": > > ... Note that there were three IPsec-related object identifiers i

RE: [openssl.org #2355] Support for SHA2 ciphersuite in TLS

2010-10-04 Thread Thomas Francis, Jr.
That's a rather old statement. The latest draft of SP 800-131 (http://csrc.nist.gov/publications/drafts/800-131/draft-sp800-131_spd-june2010.pdf) is a _lot_ more relaxed, and even the early draft referenced at the page below did not require any changes that would require TLS v1.2. Applications

Re: openssl AES-NI on freebsd 8.0 says illegal instructions

2010-10-04 Thread sergio borghese
Hi Jeseem, are you sure that the cpu you are using has AESNI enabled? The toolchain you are using is definitely correct, but the fact that the engine check was not triggered sounds like your SKU has the instruction disabled. You can do a check on the CPU with the below code: #include #include #

[openssl.org #2355] Support for SHA2 ciphersuite in TLS

2010-10-04 Thread Sasha Matison via RT
Hello, What is the current plan to support TLSv1.2 in OpenSSL? NIST issued a statement requiring federal government to switch to SHA2 family of hash functions after 2010: Quote from http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html: "Federal agencies should stop using SHA-1 for