openssl-1.0.1-stable-SNAP-20111217 - Handshake message exceeds max length when using tls v1.2 with cert verification

2011-12-18 Thread Jean Cyr
I encountered this problem implementing app using tls v1.2 method and specifying SSL_VERIFY_PEER. Openssl function ssl3_get_cert_verify calls function method-ssl_get_message specifying a max message length of 514 bytes when in fact it can be longer when using tls 1.2 with peer cert

[openssl.org #2661] openssl-1.0.1-stable-SNAP-20111217 - Handshake message exceeds max length when using tls v1.2 with cert verification

2011-12-18 Thread Jean Cyr via RT
I encountered this problem implementing app using tls v1.2 method and specifying SSL_VERIFY_PEER. Openssl function ssl3_get_cert_verify calls function method-ssl_get_message specifying a max message length of 514 bytes when in fact it can be longer when using tls 1.2 with peer cert

[openssl.org #2662] NPN patch breaks DTLS Finished exchange

2011-12-18 Thread Eric Rescorla via RT
The introduction of NPN support seems to have broken DTLS. [12] ./openssl s_server -dtls1 WARNING: can't open config file: /usr/local/ssl/openssl.cnf Using default temp DH parameters Using default temp ECDH parameters ACCEPT ERROR 2692642180:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad

[openssl.org #2663] Apparent bug in the x86 ghash function

2011-12-18 Thread Yoav Nir via RT
Hi I've compiled a recent SNAP of OpenSSL 1.0.1 (from 18/12). I am pretty sure that the assembly language code generated for the ghash function (in ghash-x86.s) is incorrect. The gcm_init_4bit() function generates a 16-entry table of 128-bit values, to be used as a multiplication table. The

[openssl.org #2665] s_client support for starttls ldap

2011-12-18 Thread Rick King via RT
Current OS: CentOS release 5.5 (Final) (RHEL5_64) Currentl openssl version: 1.0.0e Would it be possible to support s_client for starttls connections for ldap? i.e. openssl s_client -connect mail.domain.com:389 -starttls ldap Best Regards, -- Rick King