[openssl-dev] [openssl.org #3888] BUG: BIO_CTRL_DGRAM_SET_DONT_FRAG does nothing on IPv4/Linux

Is present in at least OpenSSL 1.0.2 / master. The code in bss_dgram.c checks if IP_MTUDISCOVER is defined, where it should test for IP_MTU_DISCOVER: diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index 5eade50..7cd57bf 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgra

Re: [openssl-dev] F5 termination of TCP connection

Yes, obviously security of the connection ends on offloading device with all consequences. I agree that having TLS end-to-end is great but quite hard to do it with OpenSSL if you need full-duplex connection. So in my case I have SSL till F5. One connection may trigger many transactions inside

Re: [openssl-dev] Do you use EGD or PRNGD?

In message <48ce1b94ef3648d990a5e253a8992...@ustx2ex-dag1mb2.msg.corp.akamai.com> on Mon, 1 Jun 2015 18:33:01 +, "Salz, Rich" said: rsalz> > While HP NonStop is not officially supported, I have been helping to maintain rsalz> > a fork for the platform since December and are current through

Re: [openssl-dev] [openssl-users] Do you use EGD or PRNGD?

> I had to install an entropy gather on Debian desktop because reads to > /dev/random would fail on occasion when the device was opened > O_NONBLOCK. I was not hitting it hard - I was just trying to grab a 32 byte > one-time seed to seed an in-app generator. It was really surprising to see > Debian

Re: [openssl-dev] [openssl.org #3887] PATCH: rsautl and intelligent retry for Public Key parse after Traditional/Subject Public Key Info parse fails

On 5/31/2015 2:46 AM, noloa...@gmail.com via RT wrote: apps.c has a couple of parsing routines called load_pubkey and load_key. rsautl uses those routines. However, there's no option in rsautil to use anything other than a ASN.1/DER or PEM encoded traditional key (or subject public key info).

Re: [openssl-dev] Do you use EGD or PRNGD?

> While HP NonStop is not officially supported, I have been helping to maintain > a fork for the platform since December and are current through 1.0.2a. We > do use prngd. I am looking for ways to get back on the official platform list, > looking for alternatives to prngd for that platform, and try

Re: [openssl-dev] Do you use EGD or PRNGD?

On June 1, 2015 10:03 AM Rich Salz wrote: > We are thinking of removing support for EGD (entropy-gathering daemon) in the next release. > None of our supported platforms have needed it for some time.  If this will cause > an issue for you, please reply soon. While HP NonStop is not officially supp

Re: [openssl-dev] Do you use EGD or PRNGD?

> There is one currently shipping system I am aware of that does need PRNGD. > OpenServer 5 from XinuOS. Which isn't a supported system... ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Do you use EGD or PRNGD?

On Mon, 1 Jun 2015, Salz, Rich wrote: > We are thinking of removing support for EGD (entropy-gathering daemon) > in the next release. None of our supported platforms have needed it for > some time. If this will cause an issue for you, please reply soon. There is one currently shipping system

Re: [openssl-dev] F5 termination of TCP connection

On Mon, Jun 1, 2015 at 12:56 PM, Daniel Kahn Gillmor wrote: > On Mon 2015-06-01 07:36:01 -0400, Krzysztof Kwiatkowski wrote: > >> Yes, that's exactly what we do in our configuration. We have 24 servers >> with rather high workload. SSL is offloaded on F5 load balancer and >> servers behind load ba

Re: [openssl-dev] verify fails for 3-level cert chain when usingX509v3 Authority Key Identifier

Believe that this question will be raised again and again... Yuting Chen -Original Message- From: Erwann Abalea Sent: Monday, June 01, 2015 10:12 AM To: openssl-dev@openssl.org Subject: Re: [openssl-dev] verify fails for 3-level cert chain when usingX509v3 Authority Key Identifier B

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

Note that this (almost) is identical to the Sun Microsystems contribution copyright in s3_both.c, s3_clnt.c s3_lib.c s3_srvr.c, ssl_cert.c ssl_ciph.c, ssl_lib.c and ssl_locl.h… -- -Todd Short // tsh...@akamai.com // “One if by land, two if by sea, three if by the Intern

Re: [openssl-dev] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Bonsoir John, > Le 1 juin 2015 à 17:20, John Lofgren via RT a écrit : > […] > One remaining question. If this extension is "only a helper and MUST NOT be > used to (in)validate a certificate chain" as you say or as the spec says > "non-critical", then why does 'openssl verify' reject this chain?

Re: [openssl-dev] F5 termination of TCP connection

On Mon 2015-06-01 07:36:01 -0400, Krzysztof Kwiatkowski wrote: > Yes, that's exactly what we do in our configuration. We have 24 servers > with rather high workload. SSL is offloaded on F5 load balancer and > servers behind load balancers receive decrypted traffic. > > I'm not aware of any perfo

Re: [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Erwann, thank you for the explanation. This makes sense now. I looked at the spec and now I understand the purpose the AKI.authorityCertIssuer. What made me misunderstand this in the first place is that 'openssl x509 -text ...' gives no indication that this field is the name of the issuer's issuer.

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

Re: copyrights: Planning to copy the (109-line) main copyright from another source file and append to it: /* * Copyright (C) 2015 Akamai Technologies. ALL RIGHTS RESERVED. * This code was originally developed by Akamai Techno

Re: [openssl-dev] F5 termination of TCP connection

Hi, Yes, that's exactly what we do in our configuration. We have 24 servers with rather high workload. SSL is offloaded on F5 load balancer and servers behind load balancers receive decrypted traffic. I'm not aware of any performance issues. And in fact it's quite good idea as server itself

[openssl-dev] Do you use EGD or PRNGD?

We are thinking of removing support for EGD (entropy-gathering daemon) in the next release. None of our supported platforms have needed it for some time. If this will cause an issue for you, please reply soon. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz _

Re: [openssl-dev] [openssl.org #3882] [BUGFIX] lh_SSL_SESSION_delete() not checked

Depending on how the comparison function was implemented, the insert could still succeed at the point mentioned. In the case of the patch sent for RT 3883, the original implementation of the comparison function always failed if the client IP address was not set (given that RT 3883 does not requ

Re: [openssl-dev] [openssl.org #3882] [BUGFIX] lh_SSL_SESSION_delete() not checked

Depending on how the comparison function was implemented, the insert could still succeed at the point mentioned. In the case of the patch sent for RT 3883, the original implementation of the comparison function always failed if the client IP address was not set (given that RT 3883 does not requ

[openssl-dev] F5 termination of TCP connection

Dear Team, We have a client-server (Server is a C++ process) communication which does a TCP communication over a secure layer. The SSL is achieved by OpenSSL library on that process. Am having some connection problems in the Server side - So inorder to avoid this can I put this SSL under F5 te

Re: [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Bonjour, > Le 30 mai 2015 à 09:48, John Lofgren via RT a écrit : > > I believe I have pinpointed a typo-error that may be the cause of one or > two other outstanding bugs related to certificate chain validation. This > bug only occurs in a chain of certs at least 3 deep when the certs use > the

Re: [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Bonjour, > Le 30 mai 2015 à 09:48, John Lofgren via RT a écrit : > > I believe I have pinpointed a typo-error that may be the cause of one or > two other outstanding bugs related to certificate chain validation. This > bug only occurs in a chain of certs at least 3 deep when the certs use > the