Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Kaduk, Ben via RT
On 10/15/2015 05:44 AM, Emilia Käsper via RT wrote:
> Given OpenSSL's eternal type confusion, this check is meant to trap callers that get an error return (typically -1) from some API returning signed values
>
Hmm, do we have a sense for how typically "typically" is? Maybe just adding a check fo

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Alexander Cherepanov via RT
On 2015-10-15 15:41, Matt Caswell via RT wrote:
> The purpose of the sanity check is not then for security, but to guard against programmer error. For a correctly functioning program this test should never fail. For an incorrectly functioning program it may do. It is not guaranteed to fail be

Re: [openssl-dev] [openssl.org #3645] openssl-1.0.1h-cmp - Linking issue

2015-10-15 Thread Peylo, Martin via RT
Hi,

Just as a note, in case anybody would find this thread in search for help in the future: The described issue likely wouldn't have appeared if following the full building instructions (for the CMP patch) as mentioned e.g. in RT#3101:

./config
make depend
make stacks
make

Cheers,
Martin

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Kaduk, Ben via RT
On 10/15/2015 07:41 AM, Matt Caswell via RT wrote:
>
> In summary my opinion is:
> - I believe the sanity check does have some value in guarding against programmer error
> - If it were to be compiled away this does not have a detrimental impact on security (it just increases the likelihood of a

[openssl-dev] [openssl.org #3013] Sending SCSV when TLS extensions are disabled

2015-10-15 Thread Emilia Käsper via RT
Rejecting - SCSV is not a TLS extension. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3645] openssl-1.0.1h-cmp - Linking issue

2015-10-15 Thread Emilia Käsper via RT
openssl-1.0.1h-cmp isn't an official OpenSSL version. You should seek help with whoever provides this library for you. Cheers, Emilia

[openssl-dev] [openssl.org #3138] 80-bit Elliptic Curves with !MEDIUM !LOW !EXP cipher list

2015-10-15 Thread Emilia Käsper via RT
Curves aren't negotiated with the ciphersuite, but rather via a separate extension. Since OpenSSL 1.0.2, there are SSL_CTX_set1_curves and SSL_CTX_set1_curves_list to configure supported curves: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_ecdh_auto.html OpenSSL 1.1 also has a security

[openssl-dev] [openssl.org #3731] BUG darwin FIPS openssl-1.0.2 ssl/t1_lib.c line 472

2015-10-15 Thread Emilia Käsper via RT
This was fixed in January: 6fa805f516f5a6ff3872f1d1014a3dc9de460b99

[openssl-dev] [openssl.org #4095] X509_STORE_get_by_subject crash

2015-10-15 Thread Emilia Käsper via RT
This sounds like an application problem. 1) Did you recompile your source? 0.9.7 and 1.0.1 are not binary-compatible. 2) The certificate hash format has changed between 1.0.1 and 0.9.7, which could explain why the lookup no longer works: https://www.openssl.org/docs/manmaster/apps/rehash.html If t

[openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text

2015-10-15 Thread Stephen Henson via RT
Fixed now, thanks for the report. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Matt Caswell via RT
On 15/10/15 14:35, Salz, Rich via RT wrote:
>
>> PACKET_buf_init. This code can assume that |len| is from a trusted source.
>>
>> The purpose of the sanity check is not then for security, but to guard against programmer error. For a correctly functioning program this test should never

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Salz, Rich via RT
> PACKET_buf_init. This code can assume that |len| is from a trusted source.
>
> The purpose of the sanity check is not then for security, but to guard against programmer error. For a correctly functioning program this test should never fail.

I would say that the combination of these two thi

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Salz, Rich
> PACKET_buf_init. This code can assume that |len| is from a trusted source.
>
> The purpose of the sanity check is not then for security, but to guard against programmer error. For a correctly functioning program this test should never fail.

I would say that the combination of these two thi

[openssl-dev] [openssl.org #4095] X509_STORE_get_by_subject crash

2015-10-15 Thread tosif tamboli via RT
Hi, Recently we updated the openssl crypto from 0.9.7e 25 to 1.0.1e. But it is always crashing while verifying the certificates from image. When debugged, found that crash is happening when X509_STORE_get_by_subject called with issuer and issuer name is empty. X509_STORE_get_by_subject (&storeCtx

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Matt Caswell via RT
On 15/10/15 04:11, Pascal Cuoq via RT wrote:
> As of 2015-10-14, the function PACKET_buf_init in ssl/packet_locl.h reads:
>
> static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf, size_t len) {
>     /* Sanity check for negative values. */
>     if (buf + len < buf)
>         return 0;
>
>     pkt->cu

[openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-15 Thread Emilia Käsper via RT
Given OpenSSL's eternal type confusion, this check is meant to trap callers that get an error return (typically -1) from some API returning signed values and pass that on to PACKET_buf_init as a size_t. For example, ssl3_get_message returns a long to signal buffer length, and that makes me nervous.