Re: [openssl-dev] Upcoming build system change

In message <16020900205830_2020a...@antinode.info> on Tue, 9 Feb 2016 00:20:58 -0600 (CST), "Steven M. Schweda" said: sms> > - Perl! Reports tell me that version 5.10.1 works fine [...] sms> sms>Perhaps, but around here, the current version fails pretty badly: sms> sms> ALP $ perl --versi

Re: [openssl-dev] Upcoming build system change

> - Perl! Reports tell me that version 5.10.1 works fine [...] Perhaps, but around here, the current version fails pretty badly: ALP $ perl --version This is perl 5, version 22, subversion 1 (v5.22.1) built for VMS_AXP The generated descrip.mms is defective. It starts out reasonable, wi

[openssl-dev] [openssl.org #4299] s_server cmd

Hi, - added missing help option messages - ecdh_single option is removed as it is a no-op and not an option supported in earlier versions - ssl_ctx_security_debug() was invoked before ctx check for NULL - trusted_first option can be removed, as it is always enabled in 1.1. But n

Re: [openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open

On Mon, Jan 25, 2016 at 06:24:55pm +, Sara Dickinson via RT wrote: > Hi, > > I would like to request that support be added to OpenSSL to enable client > applications to make use use of TCP Fast Open > (https://tools.ietf.org/html/rfc7413 ) > when initiat

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

On Mon, Feb 08, 2016 at 05:30:52pm +, Nich Ramsey via RT wrote: > I said I would be willing to help, but got no reply on how best to ramp up > on developing a stable addition likely to be accepted by the dev team. FWIW, the necessary code has already been written (by me) for this particular fe

Re: [openssl-dev] SSL_R_HTTP_REQUEST no longer supported in 1.1.0

On 08/02/16 20:49, Rainer Jung wrote: > The constant SSL_R_HTTP_REQUEST is still defined, but I can't find code > that sets it and practical experiments indicate it is no longer set. > > In Apache land we use it to detect "HTTP spoken on HTTPS port". OpenSSL > 1.0.2 has code in ssl23_get_client_

Re: [openssl-dev] BIO_new_connect after refactoring

In message <56b90a75.8030...@roumenpetrov.info> on Mon, 08 Feb 2016 23:36:53 +0200, Roumen Petrov said: openssl> Richard Levitte wrote: openssl> > That patch just got merged into master, commit openssl> > 80926502986a97eed53afe1d85fc074e40829547 openssl> 10x openssl> It seems to me #4296 is seco

Re: [openssl-dev] BIO_new_connect after refactoring

Richard Levitte wrote: That patch just got merged into master, commit 80926502986a97eed53afe1d85fc074e40829547 10x It seems to me #4296 is second report. Cheers, Richard In message <56b718f3.9070...@roumenpetrov.info> on Sun, 07 Feb 2016 12:14:11 +0200, Roumen Petrov said: openssl> Hello,

[openssl-dev] SSL_R_HTTP_REQUEST no longer supported in 1.1.0

The constant SSL_R_HTTP_REQUEST is still defined, but I can't find code that sets it and practical experiments indicate it is no longer set. In Apache land we use it to detect "HTTP spoken on HTTPS port". OpenSSL 1.0.2 has code in ssl23_get_client_hello() that checks read bytes against "HEAD",

Re: [openssl-dev] Duplicate APIs?

On Mon, Feb 08, 2016 at 10:17:37AM -0500, Viktor Dukhovni wrote: > What'll likely happen is that SSL_session_reused() will be the > new name of the SSL_cache_hit() function, and SSL_cache_hit will > become a macro referencing that function: > >int SSL_session_reused(const SSL *ssl); >#if

Re: [openssl-dev] version script

On Mon, Feb 08, 2016 at 01:41:10PM +, Catalin Vasile wrote: > I'm trying to compile a custom OpenSSL library to work with nginx. > nginx requires that the SSL library have version data included in the .so > files, so I'm using this patch[1] for this. > The problem is that if I set the library

Re: [openssl-dev] [openssl.org #2021] sni bug

> A correct logic is one single function(the code of check and parse combined) > that collects the values of extensions and then treat them calls callbacks in > a > defined order. Yes, but right now we've got what we've got :) > Actually it seems that you could influence the server behavoiur i

Re: [openssl-dev] [openssl.org #2021] sni bug

> A correct logic is one single function(the code of check and parse combined) > that collects the values of extensions and then treat them calls callbacks in > a > defined order. Yes, but right now we've got what we've got :) > Actually it seems that you could influence the server behavoiur i

Re: [openssl-dev] Do you use the JPAKE feature?

It’s currently “experimental” and we’re thinking of dropping it completely from the next release. If you use it, please reply here soon. All of my openssl builds have JPAKE enabled. But I cannot call myself a user of it. I’d rather not see it dropped, but I can’t claim operational impact if yo

[openssl-dev] Do you use the JPAKE feature?

It's currently "experimental" and we're thinking of dropping it completely from the next release. If you use it, please reply here soon. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

> I'm still years away from having enough crypto/C programming experience, > what in particular should I be working on? Read the link. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

> I'm still years away from having enough crypto/C programming experience, > what in particular should I be working on? Read the link. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4075 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsub

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

Ok thanks for clarifying. What does it take to become a member of the dev team? I'm still years away from having enough crypto/C programming experience, what in particular should I be working on? Basically, what kind of skills would you like to see? Thanks again for the quick reply, I'll check o

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

Ok thanks for clarifying. What does it take to become a member of the dev team? I'm still years away from having enough crypto/C programming experience, what in particular should I be working on? Basically, what kind of skills would you like to see? Thanks again for the quick reply, I'll check o

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

> I said I would be willing to help, but got no reply on how best to ramp up on > developing a stable addition likely to be accepted by the dev team. There's no hard-and-fast rules. We recently added some text: https://openssl.org/community/getting-started.html But again, for the specific requ

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

I said I would be willing to help, but got no reply on how best to ramp up on developing a stable addition likely to be accepted by the dev team. I read the material online about contributing, and it refers ultimately back to this mailing list. Are there other online materials/resources I can read

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

I said I would be willing to help, but got no reply on how best to ramp up on developing a stable addition likely to be accepted by the dev team. I read the material online about contributing, and it refers ultimately back to this mailing list. Are there other online materials/resources I can read

[openssl-dev] [openssl.org #4298] [Bug] Random number generation failing with FIPS and Android < 5.0

I'm using OpenSSL in FIPS mode as part of an Android app. I'm using the NDK. I create an EC Curve with EC_GROUP_new_curve_GFp() and then delete it with EC_GROUP_clear_free(). This presumably uses a lot of entropy as, while this may succeed running once, all further attempts for the next several

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

Am 08.02.2016 um 13:34 schrieb Matt Caswell: On 08/02/16 12:11, Rainer Jung wrote: I'm adding support for OpenSSL 1.1.0 to the Apache web server. I struggle to migrate the renegotiation code in the case wehere we want the client to send a client cert. The current code works like explained in

[openssl-dev] test_sslcertstatus.t

in the OPENSSL-SNAP-20160203 this test goes no problem Since OPENSSL-SNAP-20160204 this test hangs. The script has not changed, What else could be the issue? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republi

Re: [openssl-dev] Version 1.0.2 on Red Hat/Centos 5.x

There is no issue in compilation on centos 5. On 8 Feb 2016 21:37, "Sullivan, George E." wrote: > Due to IAVA 2015-A-0034 we are going to download the code and sneaker net > it to our private domain. The process to sneaker net it can be rather long > due to various approval steps required.Ha

[openssl-dev] Version 1.0.2 on Red Hat/Centos 5.x

Due to IAVA 2015-A-0034 we are going to download the code and sneaker net it to our private domain. The process to sneaker net it can be rather long due to various approval steps required.Has anyone compiled this on 5.x since we would also want to grab any prereqs during this process to sav

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 15:46, Viktor Dukhovni wrote: > >> On Feb 8, 2016, at 9:49 AM, Matt Caswell wrote: >> >> Actually, yes that is a good point. There could be some subtle security >> issues there. You probably need to additionally check that you are not >> halfway through a handshake: >> >> SSL_renego

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

> On Feb 8, 2016, at 9:49 AM, Matt Caswell wrote: > > Actually, yes that is a good point. There could be some subtle security > issues there. You probably need to additionally check that you are not > halfway through a handshake: > > SSL_renegotiate(ssl); > SSL_do_handshake(ssl); > do { >re

Re: [openssl-dev] Duplicate APIs?

> On Feb 8, 2016, at 10:06 AM, Short, Todd wrote: > > I noticed that: > > * SSL_cache_hit(SSL*), and > * SSL_session_reused(SSL*ssl) --> > SSL_ctrl(ssl,SSL_CTRL_GET_SESSION_REUSED,0,NULL) > > are practically the same thing; both return s->hit. > > Are both really needed? I started a thread

[openssl-dev] Duplicate APIs?

Hi, I know OpenSSL is making 1.1 not ABI compliant to 1.0, so, maybe now is a good time to clean this up? I noticed that: * SSL_cache_hit(SSL*), and * SSL_session_reused(SSL*ssl) --> SSL_ctrl(ssl,SSL_CTRL_GET_SESSION_REUSED,0,NULL) are practically the same thing; both return s->hit. Are both

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

> over 40% of Alexa top 1 million TLS enabled servers enable Camellia That's different than actual use, as you know. > I don't see it mentioned anywhere in documentation, especially not in > ciphers(1) man page. So, is it not so severe, or should the Camellia be > removed from DEFAULT? It prob

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 14:36, Viktor Dukhovni wrote: > >> On Feb 8, 2016, at 9:26 AM, Matt Caswell wrote: >> >> SSL_renegotiate(ssl); >> SSL_do_handshake(ssl); >> do { >>read_some_app_data(); >>if(no_client_cert_yet()) { >>discard_app_data(); >>} >> } while(no_client_cert_yet()); > >

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

> over 40% of Alexa top 1 million TLS enabled servers enable Camellia That's different than actual use, as you know. > I don't see it mentioned anywhere in documentation, especially not in > ciphers(1) man page. So, is it not so severe, or should the Camellia be > removed from DEFAULT? It prob

Re: [openssl-dev] BIO_new_connect after refactoring

That patch just got merged into master, commit 80926502986a97eed53afe1d85fc074e40829547 Cheers, Richard In message <56b718f3.9070...@roumenpetrov.info> on Sun, 07 Feb 2016 12:14:11 +0200, Roumen Petrov said: openssl> Hello, openssl> openssl> With master branch my ssh ocsp tests start to fail

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

> On Feb 8, 2016, at 9:26 AM, Matt Caswell wrote: > > SSL_renegotiate(ssl); > SSL_do_handshake(ssl); > do { >read_some_app_data(); >if(no_client_cert_yet()) { >discard_app_data(); >} > } while(no_client_cert_yet()); At what point in the handshake would a query for client cer

Re: [openssl-dev] version script

On 08/02/16 13:41, Catalin Vasile wrote: > I'm trying to compile a custom OpenSSL library to work with nginx. > nginx requires that the SSL library have version data included in the .so > files, so I'm using this patch[1] for this. > The problem is that if I set the library versiont to 1.0.1 int

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 13:45, Tomas Mraz wrote: > On Po, 2016-02-08 at 12:34 +, Matt Caswell wrote: >> >> On 08/02/16 12:11, Rainer Jung wrote: >>> >> Renegotiation isn't entirely within the control of the server. A >> server >> can request that a renegotiation takes place. It is up to the client >> w

[openssl-dev] version script

I'm trying to compile a custom OpenSSL library to work with nginx. nginx requires that the SSL library have version data included in the .so files, so I'm using this patch[1] for this. The problem is that if I set the library versiont to 1.0.1 into that script, when I start nginx or trigger ldd o

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On Po, 2016-02-08 at 12:34 +, Matt Caswell wrote: > > On 08/02/16 12:11, Rainer Jung wrote: > >  > Renegotiation isn't entirely within the control of the server. A > server > can request that a renegotiation takes place. It is up to the client > whether it honours that request immediately; or

[openssl-dev] [openssl.org #4297] [PATCH] remove double initialization of cryptodev engine

From: Cristian Stoica cryptodev engine is initialized together with the other engines in ENGINE_load_builtin_engines. The initialization done through OpenSSL_add_all_algorithms is redundant. Signed-off-by: Cristian Stoica --- crypto/engine/eng_all.c | 12 crypto/engine/engine.h |

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 12:34, Matt Caswell wrote: > > > On 08/02/16 12:11, Rainer Jung wrote: >> I'm adding support for OpenSSL 1.1.0 to the Apache web server. >> >> I struggle to migrate the renegotiation code in the case wehere we want >> the client to send a client cert. The current code works like exp

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 12:11, Rainer Jung wrote: > I'm adding support for OpenSSL 1.1.0 to the Apache web server. > > I struggle to migrate the renegotiation code in the case wehere we want > the client to send a client cert. The current code works like explained in > > http://www.linuxjournal.com/node/

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

On Thursday 04 February 2016 17:10:45 Kurt Roeckx via RT wrote: > On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote: > > Really? > > > > That's all we get, a one-liner, no explanation, no rationale, > > response? It's not even "brand new" functionality, Camellia as a > > raw cipher

[openssl-dev] How to do reneg with client certs in 1.1.0 API

I'm adding support for OpenSSL 1.1.0 to the Apache web server. I struggle to migrate the renegotiation code in the case wehere we want the client to send a client cert. The current code works like explained in http://www.linuxjournal.com/node/5487/print After using SSL_set_verify() it calls

[openssl-dev] [openssl.org #4296] Fix possible crash in BIO_parse_hostserv()

Hi, If BIO_parse_hostserv() is invoked with only (no port), it was running into crash when trying to check for any further colons existed in the parsed , as pointer to is NULL in this case. To reproduce the issue: $ openssl s_client -connect seg faults I have created a pull request