Re: [openssl-dev] [openssl.org #1596] wrong AKI in cert

When a certificate is re-signed via "x509 -signkey" while keeping the existing extensions (i.e. without "-clrext"), the (unwritten) expectation is that that all that's being changed is the validity dates, and the previous certificate content remains unchanged. Yes, the issuer is updated to match

Re: [openssl-dev] [openssl.org #1596] wrong AKI in cert

When a certificate is re-signed via "x509 -signkey" while keeping the existing extensions (i.e. without "-clrext"), the (unwritten) expectation is that that all that's being changed is the validity dates, and the previous certificate content remains unchanged. Yes, the issuer is updated to match

Re: [openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

> Doesn't seem that way. Not present on VMS, and I can't find it on MDSN > either. So what I'd have to do is downcase the string and do strstr on all lowercase. Might be reasonable - http://rt.openssl.org/Ticket/Displa

Re: [openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

> Doesn't seem that way. Not present on VMS, and I can't find it on MDSN > either. So what I'd have to do is downcase the string and do strstr on all lowercase. Might be reasonable ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.or

[openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

Doesn't seem that way. Not present on VMS, and I can't find it on MDSN either. Vid Thu, 04 Feb 2016 kl. 21.05.13, skrev rsalz: > is strcasestr common? -- Richard Levitte levi...@openssl.org - http://rt.openssl.org/Ticket/Di

[openssl-dev] [openssl.org #3121] Request concerning revoke system for openSSL

There is no defect here. Or at least not enough information. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=3121 Please log in as guest with password guest if prompted _

[openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

is strcasestr common? -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2712 Please log in as guest with password guest if prompted

[openssl-dev] [openssl.org #2918] [PATCH] Testcase for GOST R 34.11-94 (openssl/engines/ccgost/gosthash.c)

GOST is now a separately-maintained engine. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2918 Please log in as guest with password guest if prompted __

[openssl-dev] [openssl.org #2664] config does not allow disabling npn

fixed in master: ; ./config no-npn Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre3-dev (0x0x1013L) * Unsupported options: no-npn -- Rich Salz, OpenSSL dev team; rs...@openssl.org ---

[openssl-dev] [openssl.org #2638] s_client -servername BLAH not honoured with -starttls xmpp

the -xmpphost flag does what you want. In next release. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2638 Please log in as guest with password guest if prompted __

Re: [openssl-dev] [openssl.org #2532] [PATCH] Fix insufficient privilege checking

> On Feb 4, 2016, at 3:37 PM, Rich Salz via RT wrote: > > Rather than replacing all the getenv() calls, a simple wrapper like > OPENSSL_safe_getenv() that includes the issetguid test seems a lot cleaner. > And > the config changes needed to be ported up to master. Where available, this should

Re: [openssl-dev] [openssl.org #2532] [PATCH] Fix insufficient privilege checking

> On Feb 4, 2016, at 3:37 PM, Rich Salz via RT wrote: > > Rather than replacing all the getenv() calls, a simple wrapper like > OPENSSL_safe_getenv() that includes the issetguid test seems a lot cleaner. > And > the config changes needed to be ported up to master. Where available, this should

[openssl-dev] [openssl.org #2571] OCSP send request fails if OCSP server with vhost or reverse proxy

As listed in the ticket, the -host heade can be used to do what you need. Open a new ticket if the docs need more explanation; thanks. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.h

[openssl-dev] [openssl.org #2554] Patch: AF_ALG dynamic engine for linux >= 2.6.38

support for this is in-progress for 1.1 -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2554 Please log in as guest with password guest if prompted __

[openssl-dev] [openssl.org #2536] Memory leak in d2i_RSA_PUBKEY() (concise test code included)

The d2i routines move the pointer to the next thing. So you have do save key, pass in a copy, and then delete the original key. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=

[openssl-dev] [openssl.org #2532] [PATCH] Fix insufficient privilege checking

This is interesting, although unfortunately it's been years since we looked at it and it is out of date. Rather than replacing all the getenv() calls, a simple wrapper like OPENSSL_safe_getenv() that includes the issetguid test seems a lot cleaner. And the config changes needed to be ported up to

[openssl-dev] [openssl.org #2521] Enhancement Request

you can build/install the docs locally ... -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2521 Please log in as guest with password guest if prompted __

Re: [openssl-dev] [openssl.org #2460] OCSP server uses only IP6

> I'm not sure what you think. But all the apps currently only create 1 socket, > which on some OSes could mean that it's IPv6 (or > IPv4) only. It needs more work. Yes, I meant to close the window not the ticket :) Re-opened. -

Re: [openssl-dev] [openssl.org #2460] OCSP server uses only IP6

On Thu, Feb 04, 2016 at 08:07:15PM +, Rich Salz via RT wrote: > i think -- I'm not sure what you think. But all the apps currently only create 1 socket, which on some OSes could mean that it's IPv6 (or IPv4) only. It needs more work. Kurt

[openssl-dev] [openssl.org #2493] [PATCH] Engines: Eliminate the unneccesary null check

sureware engine is no longer supported. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2493 Please log in as guest with password guest if prompted __

[openssl-dev] [openssl.org #2406] Argument type warning on i2d_ASN1_SET

fixed some time ago, works in current release(s). -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2406 Please log in as guest with password guest if prompted ___

[openssl-dev] [openssl.org #2287] A bug of PKCS8?

An old unsuppported release. Please open a new ticket if this is still an issue with the current release(s). thanks. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2287 Plea

[openssl-dev] [openssl.org #2496] [PATCH] Fix compile problems when various ciphers are disabled

most of this is fixed in master, maybe all. if there are still issues, please open a new ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2496 Please log in as guest wi

[openssl-dev] [openssl.org #2460] OCSP server uses only IP6

i think -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2460 Please log in as guest with password guest if prompted ___ openssl-de

[openssl-dev] [openssl.org #2449] [BUG] openssl 1.0.0d warnings during build and ACCVIO on OpenVMS

VMS support is back in master (openssl 1.1) -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2449 Please log in as guest with password guest if prompted __

[openssl-dev] [openssl.org #2281] Bug in 1.0.0: SSL_new() leaks s->param if s->method->ssl_new() fails

this is fixed in master. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2281 Please log in as guest with password guest if prompted _

[openssl-dev] [openssl.org #2386] Bug Report and Patch: Incompatible types in SKM_ASN1_SET_OF_d2i

fixed some time ago. works in 1.0.2 and fixed even better in next release :) -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2386 Please log in as guest with password guest if

[openssl-dev] [openssl.org #2402] PATCH: config and Configure for Xcode Awareness

Please open a new ticket (and patch or GitHub PR) against master if this is still an issue. I don't think it is. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2402 Please lo

[openssl-dev] [openssl.org #2285] [patch] use winsock2.h

I forget which ticket had it, but we already had some of this discussion and the code we have is correct. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2285 Please log in as

[openssl-dev] [openssl.org #2195] [PATCH] Set default field separator in do_name_ex() ("nameopt" switch)

This was fixed. Doc not being fixed, please suggest changes. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2195 Please log in as guest with password guest if prompted _

[openssl-dev] [openssl.org #2212] Override DH bits restriction

Five years without commentary. Unlikely to happen, closing ticket. please re-open if still an issue. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2212 Please log in as gues

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

On 04/02/2016 16:45, Short, Todd via RT wrote: > FYI: The rational for why these APIs are deprecated. > http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html#tag_03_356_08 That's the superseded POSIX.1-2001 standard, where these functions were made obsolescent. They're no long

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

I'm new to implementing crypto, but this seems like a great learning opportunity. What's the best way for me to get ramped up through self-study? I'm interested in the Camellia cipher, and contributing meaningful additions to the OpenSSL library. Moonchild: thank you for your detailed explanation

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

I'm new to implementing crypto, but this seems like a great learning opportunity. What's the best way for me to get ramped up through self-study? I'm interested in the Camellia cipher, and contributing meaningful additions to the OpenSSL library. Moonchild: thank you for your detailed explanation

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

On 2/4/16, 12:10 , "openssl-dev on behalf of Kurt Roeckx via RT" wrote: >On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote: >> Really? >> >> That's all we get, a one-liner, no explanation, no rationale, response? >> It's not even "brand new" functionality, Camellia as a raw cipher

[openssl-dev] Evolution of build refactoring

Hi, some time ago, I announced the refactor-build branch on github. It has gone through a bit of rearrangement, and the commits that lay out the ground have made it into master by now. The rest is still going through internal review. Meanwhile, I would very much like to hear from Cygwin folks,

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote: > Really? > > That's all we get, a one-liner, no explanation, no rationale, response? > It's not even "brand new" functionality, Camellia as a raw cipher is already > in there, the only difference is wrapping it into GCM-based suite

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote: > Really? > > That's all we get, a one-liner, no explanation, no rationale, response? > It's not even "brand new" functionality, Camellia as a raw cipher is already > in there, the only difference is wrapping it into GCM-based suite

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

> If you see ways in which the code in proposed pull requests is > unmaintainable, share them. Nobody on the team is able to take the time to do it. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

On Thursday 04 February 2016 13:08:15 Salz, Rich via RT wrote: > > That's all we get, a one-liner, no explanation, no rationale, > > response? > Take a look at some of the discussion here: > https://github.com/openssl/openssl/pull/154 > https://github.com/openssl/openssl/pull/148 You m

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

FYI: The rational for why these APIs are deprecated. http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html#tag_03_356_08 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." --

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

On Thu, 2016-02-04 at 03:04 +, Rich Salz via RT wrote: > So guys, sorry for dropping the ball. Where are we on this now? Going backwards. I don't seem to be able to configure with 'no-ui no-engines' any more. :) -- David WoodhouseOpen Source Technology Centre davi

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

OpenSSL is generally able to compile with the musl C library (same idea as uClibc): OpenSSL 1.0.2f: ./config make depend CC=/usr/local/bin/musl-gcc ./config make ./config is run twice, because "make depend" fails since domd can’t find the makedepend command after CC is set to musl-gcc. However,

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

On Tue, 2015-12-08 at 12:56 +, Salz, Rich via RT wrote: > I think that instead of the #ifdef being removed, the if() test > should be removed.   > This was my mistake. What was the verdict here? I'm trying to update my builds, as promised this morning. But EDK2 has updated to 1.0.2e and i

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

On Tue, 2015-12-08 at 12:56 +, Salz, Rich via RT wrote: > I think that instead of the #ifdef being removed, the if() test > should be removed.   > This was my mistake. What was the verdict here? I'm trying to update my builds, as promised this morning. But EDK2 has updated to 1.0.2e and i

Re: [openssl-dev] [openssl.org #4288] [BUG] Xmm7 register is cobbered in aesni_gcm_decrypt on win64

Fixed. Kurt - http://rt.openssl.org/Ticket/Display.html?id=4288 Please log in as guest with password guest if prompted ___ openssl-dev mailing list To unsubscribe: https://mta.

Re: [openssl-dev] Openssl SNAP 20160204 development

On Thu, Feb 04, 2016 at 06:39:19AM -0700, The Doctor wrote: > All right, I can compile,but > > test/recipes/70-test_sslcertstatus.t > > is hang in an infinite loop. > > Any explanation? That's an issue I'm not aware of yet, nor did I see it in any of our automated test runs. Can you give some

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

I missed a link: https://github.com/openssl/openssl/issues/320 Nobody is pressuring us. I am sure you mean that in a kind and concerned way, and are not trying to be insulting. If you can find someone on the openssl-dev team who is willing to take on the work, then it could go into OpenSSL. O

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/02/2016 14:08, Salz, Rich via RT wrote: > >> That's all we get, a one-liner, no explanation, no rationale, >> response? > > Take a look at some of the discussion here: > https://github.com/openssl/openssl/pull/374 > https://github.com/opens

[openssl-dev] Openssl SNAP 20160204 development

All right, I can compile,but test/recipes/70-test_sslcertstatus.t is hang in an infinite loop. Any explanation? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfol

[openssl-dev] [openssl.org #2256] CVS HEAD: question: must this be hardcoded '8' or is it 'md_len' in disguise? :-S

The length is specified by the standards and is less than the digest length. Closing this ticket. Matt - http://rt.openssl.org/Ticket/Display.html?id=2256 Please log in as guest with password guest if prompted _

[openssl-dev] [openssl.org #2887] [PATCH] decode more message/content types in apps

fixed in master for next release with commit 7429b39. thanks. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2887 ___ openssl-dev m

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

> That's all we get, a one-liner, no explanation, no rationale, response? Take a look at some of the discussion here: https://github.com/openssl/openssl/pull/374 https://github.com/openssl/openssl/pull/154 https://github.com/openssl/openssl/pull/148 I would suggest that i

[openssl-dev] [openssl.org #3095] Incorrect result in HMAC functions when key is null

Fixed in master now, commit b1413d9bd9d823ca1ba2d6cdf4849e635231 ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

On Thu, 2016-02-04 at 03:04 +, Rich Salz via RT wrote: > So guys, sorry for dropping the ball. Where are we on this now? I see four patches still at the top of  http://git.infradead.org/users/dwmw2/openssl.git but I've completely forgotten. I'll update and rebase my patches on both the OpenSS

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/02/2016 11:18, Nich Ramsey via RT wrote: > Moonchild: what advantages does Camellia have over AES? Sincerely asking > since I'm not familiar. It's comparable to AES in terms of how it can theoretically be broken with algebra, as well as its p

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

On Thu, 2016-02-04 at 03:04 +, Rich Salz via RT wrote: > So guys, sorry for dropping the ball. Where are we on this now? I see four patches still at the top of  http://git.infradead.org/users/dwmw2/openssl.git but I've completely forgotten. I'll update and rebase my patches on both the OpenSS

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

Moonchild: what advantages does Camellia have over AES? Sincerely asking since I'm not familiar. OpenSSL team: I second Moonchild's curiosity, why is there no plan for integration when the raw cipher is already present in the code base? If it's a lack of resources you can dedicate, would you be op

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

Moonchild: what advantages does Camellia have over AES? Sincerely asking since I'm not familiar. OpenSSL team: I second Moonchild's curiosity, why is there no plan for integration when the raw cipher is already present in the code base? If it's a lack of resources you can dedicate, would you be op

[openssl-dev] [openssl.org #3830] [PATCH] Fix test execution on Windows

I just tried this and can't verify this, it works beautifully and as intended when I try. The issue appears to be a non-issue, as the command should create the serial file and therefore not require its presence beforehand. See '-CAcreateserial'. Cheers, Richard Vid Sat, 02 May 2015 kl. 06.05.21,

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

Really? That's all we get, a one-liner, no explanation, no rationale, response? It's not even "brand new" functionality, Camellia as a raw cipher is already in there, the only difference is wrapping it into GCM-based suites. Patches are available, too. Sounds like OpenSSL isn't as open as one mig

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Really? That's all we get, a one-liner, no explanation, no rationale, response? It's not even "brand new" functionality, Camellia as a raw cipher is already in there, the only difference is wrapping it into GCM-based suites. Patches are available, t

[openssl-dev] [openssl.org #4290] HMAC_Init_ex() return bug

On Wed Feb 03 18:32:20 2016, mikkrat...@gmail.com wrote: > I built it using cocoapods, the OpenSSL headers show 1.0.2f. > I’ll try to make some sample program tomorrow. > > > > On 3 veebr 2016, at 18:27, Salz, Rich via RT wrote: > > > >> I’m running OS X 10.11.3 and OpenSSL 1.0.206 > > > > I canno

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Thank you very much, Matt, Rich. I will read through these docs tomorrow. On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT wrote: > > > On 04/02/16 06:34, Salz, Rich via RT wrote: > > It’s late and my response was incomplete. > > The other part has already landed in master, and that's the "a

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

Thank you very much, Matt, Rich. I will read through these docs tomorrow. On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT wrote: > > > On 04/02/16 06:34, Salz, Rich via RT wrote: > > It’s late and my response was incomplete. > > The other part has already landed in master, and that's the "a

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

On 04/02/16 06:34, Salz, Rich via RT wrote: > It’s late and my response was incomplete. > The other part has already landed in master, and that's the "async engine" > support. See: https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html https://www.openssl.org/docs/manmaster/ssl/SSL

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

On 04/02/16 06:34, Salz, Rich via RT wrote: > It’s late and my response was incomplete. > The other part has already landed in master, and that's the "async engine" > support. See: https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html https://www.openssl.org/docs/manmaster/ssl/SSL

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

On 04/02/16 05:49, Rich Salz via RT wrote: > currently in master, planned for 1.1 scheculed for april 2017 That would be April 2016!! Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

On 04/02/16 05:49, Rich Salz via RT wrote: > currently in master, planned for 1.1 scheculed for april 2017 That would be April 2016!! Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2752] objects.txt - update of extended key usage

Am 04.02.2016 um 02:25 schrieb Rich Salz via RT: > I'm going to add these: > id-kp 21 : secureShellClient : SSH Client > id-kp 22 : secureShellServer : SSH Server > I also found 22-26 from RFC 6495. Any others? > > ___ > openssl-dev mailing list > To unsu