Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

2016-02-08 Thread Alessandro Ghedini via RT
On Mon, Feb 08, 2016 at 05:30:52pm +, Nich Ramsey via RT wrote: > I said I would be willing to help, but got no reply on how best to ramp up > on developing a stable addition likely to be accepted by the dev team. FWIW, the necessary code has already been written (by me) for this particular

Re: [openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open

2016-02-08 Thread Alessandro Ghedini via RT
On Mon, Jan 25, 2016 at 06:24:55pm +, Sara Dickinson via RT wrote: > Hi, > > I would like to request that support be added to OpenSSL to enable client > applications to make use of TCP Fast Open > (https://tools.ietf.org/html/rfc7413 ) > when

[openssl-dev] [openssl.org #4253] [PATCH] Build system fixes for GCC

2016-01-17 Thread Alessandro Ghedini via RT
Hello, I opened two pull requests regarding fixes for builds using GCC: * Fix versioned GCC detection https://github.com/openssl/openssl/pull/552 * Support link time optimization with GCC https://github.com/openssl/openssl/pull/553 Cheers

Re: [openssl-dev] [openssl.org #4157] Download Documentation

2016-01-16 Thread Alessandro Ghedini via RT
Seems to me this can be closed now. Cheers ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4159] BUG ::: Null dereference in ssl3_free

2016-01-16 Thread Alessandro Ghedini via RT
Kurt said this is fixed in git, can be closed I guess. Cheers

Re: [openssl-dev] [openssl.org #4026] patches to eliminate some warnings from clang

2016-01-16 Thread Alessandro Ghedini via RT
Looks like some things are already fixed in master, does this need any more actions? Cheers

Re: [openssl-dev] [openssl.org #4219] [typos] DANE related docs

2016-01-16 Thread Alessandro Ghedini via RT
Seems fixed in master, so this can be closed. Cheers

Re: [openssl-dev] [openssl.org #4183] No SSL_CIPHER_description() for ChaCha20/Poly1305

2016-01-16 Thread Alessandro Ghedini via RT
Looks fixed in master, can probably be closed. Cheers

Re: [openssl-dev] [openssl.org #4140] GITHUB PULL REQUEST: do not load engines twice

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed. Cheers

Re: [openssl-dev] [openssl.org #4112] GH458: Fix "primarility" typo

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed. Cheers

Re: [openssl-dev] [openssl.org #4222] Wrong definition of the macro SSL_set1_sigalgs in ssl.h (PR #519)

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed now. Cheers

Re: [openssl-dev] [openssl.org #4174] Support the TLS Feature (aka Must Staple) X.509v3 extension (RFC7633)

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed. Cheers

Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2016-01-16 Thread Alessandro Ghedini via RT
This has been (partially) fixed, so it can probably be closed.

Re: [openssl-dev] [openssl.org #4054] [BUG] engine-provided ciphers are unavailable for command-line utility

2016-01-16 Thread Alessandro Ghedini via RT
Seems that this works in master, so it can probably be closed. Cheers

Re: [openssl-dev] [openssl.org #4239] [PATCH] fixing wildcard matching on punycode domains

2016-01-16 Thread Alessandro Ghedini via RT
On Fri, Jan 15, 2016 at 06:08:38pm +, Viktor Dukhovni via RT wrote: > > > On Jan 15, 2016, at 10:32 AM, Zi Lin via RT wrote: > > > > > > Yes, this will get fixed. Thanks. Patches merged, can be closed now. Cheers

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-11-11 Thread Alessandro Ghedini via RT
(sorry for the delay, but I've been travelling and moving) On Sat, Oct 31, 2015 at 11:01:22pm +, Brian Smith via RT wrote: > On Sat, Oct 31, 2015 at 11:50 AM, Alessandro Ghedini via RT <r...@openssl.org> > The point is to let the person building OPENSSL say "I want th

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-11-11 Thread Alessandro Ghedini via RT
On Wed, Nov 11, 2015 at 01:06:54PM +, Kurt Roeckx via RT wrote: > On Wed, Nov 11, 2015 at 12:37:56PM +0000, Alessandro Ghedini via RT wrote: > > On Wed, Nov 11, 2015 at 11:52:56AM +, Kurt Roeckx via RT wrote: > > > On Wed, Nov 11, 2015 at 11:16:56AM +, Alessandro Gh

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-11-11 Thread Alessandro Ghedini via RT
On Wed, Nov 11, 2015 at 11:52:56AM +, Kurt Roeckx via RT wrote: > On Wed, Nov 11, 2015 at 11:16:56AM +0000, Alessandro Ghedini via RT wrote: > > > > I also added support for explicit_bzero() on OpenBSD. > > An explicit_bzero() call is no better than whatever > OPENSSL

[openssl-dev] [openssl.org #4113] [PATCH] Cleanup and update README

2015-10-31 Thread Alessandro Ghedini via RT
Hi, the current README in master contains a lot of outdated information and some weird wording, so I prepared a patch to fix it. See the following GitHub pull request: https://github.com/openssl/openssl/pull/457 Cheers ___ openssl-bugs-mod mailing

[openssl-dev] [openssl.org #4114] Continuous integration for Windows

2015-10-31 Thread Alessandro Ghedini via RT
Hi, the current Travis CI setup lacks support for proper Windows support, so I prepared a patch to add configuration for the AppVeyor service [0] which provides continuous integration on Windows. See the following GitHub pull request: https://github.com/openssl/openssl/pull/456 Cheers [0]

[openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-10-31 Thread Alessandro Ghedini via RT
Hi, the current platform-generic implementation of OPENSSL_cleanse() is very weird and IMO overly complex (its initial intent was to cleanse with values other than 0, but AFAICT none of the asm implementations do it), so I reimplemented it in a simpler way. I was also wondering whether it would

[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-10-31 Thread Alessandro Ghedini via RT
Hi, I don't know what your intentions are with FIPS support in master, but after the removal of most of the fips/ code, several bits and pieces of now broken code have remained in the codebase. IMO it'd be better to just remove it for now. See the following GitHub pull request:

[openssl-dev] [openssl.org #4117] [PATCH] Remove useless locking code

2015-10-31 Thread Alessandro Ghedini via RT
Hi, in commit 070c233 I didn't notice that the CRYPTO_w_lock()/CRYPTO_w_unlock() calls are now useless, so I made a patch to fix that. See the following GitHub pull request: https://github.com/openssl/openssl/pull/454 Cheers

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-10-31 Thread Alessandro Ghedini via RT
On Sat, Oct 31, 2015 at 07:59:03PM +, Brian Smith via RT wrote: > Alessandro Ghedini via RT <r...@openssl.org> wrote: > > > I was also wondering whether it would make sense to just drop the asm > > implementations. Does the speed-up justify the added complexity? >

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-30 Thread Alessandro Ghedini via RT
On Fri, Oct 09, 2015 at 05:02:47pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 07:57:21pm +0000, Alessandro Ghedini via RT wrote: > > FYI, I just pushed another patch that does the above (moving the check and > > sending an alert) which I think is the best o

[openssl-dev] [openssl.org #4090] [PATCH] Assorted fixes

2015-10-12 Thread Alessandro Ghedini via RT
Hello, I've prepared a few patches to fix several minor-ish issues (I thought it didn't make much sense to submit them one by one). See GitHub pull request at: https://github.com/openssl/openssl/pull/436 The patches are: - Do not treat 0 return value from BIO_get_fd() as error (fixes RT#4068) -

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-12 Thread Alessandro Ghedini via RT
On Mon, Oct 12, 2015 at 01:45:20PM +, Hubert Kario via RT wrote: > On Friday 09 October 2015 18:05:19 Matt Caswell via RT wrote: > > On 09/10/15 19:02, Hubert Kario via RT wrote: > > > And for good measure, I also created a test script that > > > combines fragmentation with interleaving. > >

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-09 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 07:57:21pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 06:26:27pm +0000, Alessandro Ghedini via RT wrote: > > On Thu, Oct 08, 2015 at 06:14:00pm +, Alessandro Ghedini via RT wrote: > > > On Thu, Oct 08, 2015 at 05:19:06pm +,

Re: [openssl-dev] [openssl.org #4084] correction to the message i sent earlier...

2015-10-09 Thread Alessandro Ghedini via RT
This was supposed to be a reply to another message (#4083), but a new report has been created instead. I think it can be closed. Cheers

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-09 Thread Alessandro Ghedini via RT
On Fri, Oct 09, 2015 at 06:05:19pm +, Matt Caswell via RT wrote: > > > On 09/10/15 19:02, Hubert Kario via RT wrote: > > And for good measure, I also created a test script that > > combines fragmentation with interleaving. > > Did you try my patch with it? And if so what happened? I just

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 12:47:21AM +, Moonchild via RT wrote: > Hello people, > > An enhancement request here for OpenSSL to add support for Camellia in GCM > with ECC key exchange. > > Rationale: > Camellia has been recognized as a modern and supported cipher by ENISA, > NESSIE, CRYPTREC,

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 11:39:56am +, Salz, Rich via RT wrote: > Also, note that the earliest this could happen is for 1.1 (it's a new > feature), and it's not high on our priority list for that release right now. > Patches that are regularly rebased against master would help. I rebase my

Re: [openssl-dev] [openssl.org #3982] [PATCH] Fix unhandled error condition in sslv2 client hello parsing

2015-10-08 Thread Alessandro Ghedini via RT
The GitHub pull request was merged, so this can be closed now. Cheers

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 04:12:50pm +, Hubert Kario via RT wrote: > The server does not abort connection upon receiving a Client Hello > message with malformed session_id field. > > Affects 1.0.1, 1.0.2 and master. > > In SSLv3 and all versions of TLS (e.g. RFC 5246), the SessionID is >

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 06:14:00pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 05:19:06pm +0000, Alessandro Ghedini via RT wrote: > > On Thu, Oct 08, 2015 at 04:12:50pm +, Hubert Kario via RT wrote: > > > The server does not abort connection upon receiv

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 05:19:06pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 04:12:50pm +, Hubert Kario via RT wrote: > > The server does not abort connection upon receiving a Client Hello > > message with malformed session_id field. > > >

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 06:26:27pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 06:14:00pm +0000, Alessandro Ghedini via RT wrote: > > On Thu, Oct 08, 2015 at 05:19:06pm +, Alessandro Ghedini via RT wrote: > > > On Thu, Oct 08, 2015 at 04:12:50pm +, H

Re: [openssl-dev] [openssl.org #4081] crypto/evp/e_dsa.c is orphaned

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 04:18:53pm +, Kaduk, Ben via RT wrote: > crypto/evp/e_dsa.c contains only a single static struct variable, and > the file appears unreferenced from anywhere else in the tree. > > It should be safe to remove. This is now fixed in my "Remove useless code" patch at

Re: [openssl-dev] [openssl.org #4068] Bug ocsp - bio_get_fd

2015-10-02 Thread Alessandro Ghedini via RT
On Fri, Oct 02, 2015 at 02:06:12am +, vince technical address via RT wrote: > Hi, > > Can you tell me why in the source file "ocsp.c" (apps directory), the test > on the return of the function BIO_get_fd defines 0 as an invalid file > descriptor? > > if (BIO_get_fd (CBIO, & fd) <= 0) > >

Re: [openssl-dev] [openssl.org #4069] Malformed Client Hello messages are accepted (custom message padding and length)

2015-10-02 Thread Alessandro Ghedini via RT
On Fri, Oct 02, 2015 at 11:26:36am +, Hubert Kario via RT wrote: > Current git checkout of 1.0.1, 1.0.2 and master accept malformed Client > Hello messages. > > If the client sends a Client Hello message with extensions.length field > equal to 0, but padded with bytes > FF01 0001 00 > then

Re: [openssl-dev] [openssl.org #4069] Malformed Client Hello messages are accepted (custom message padding and length)

2015-10-02 Thread Alessandro Ghedini via RT
On Fri, Oct 02, 2015 at 11:51:10am +, Alessandro Ghedini via RT wrote: > On Fri, Oct 02, 2015 at 11:26:36am +, Hubert Kario via RT wrote: > > Current git checkout of 1.0.1, 1.0.2 and master accept malformed Client > > Hello messages. > > > > If the client s

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

2015-09-30 Thread Alessandro Ghedini via RT
On Wed, Sep 30, 2015 at 02:01:54am +, Rich Salz via RT wrote: > We fixed this in a slightly different way. We made BIO_new_file and BIO_s_file > return an alternate implementation that returns run-time failures. Almost all > of the OpenSSL code uses the BIO object, so we didn't have to remove

Re: [openssl-dev] [openssl.org #3986] [PATCH] Implement HKDF algorithm (RFC 5869)

2015-09-29 Thread Alessandro Ghedini via RT
Just FYI, I updated the GitHub pull request [0] with the following: - Merged patches into a single commit. This just makes more sense, and it's not much more complicated to review. - Added HKDF_Extract() function to the interface. This is basically equivalent to calling HMAC(), but the TLS

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 02:02:36pm +, Hubert Kario via RT wrote: > On Friday 25 September 2015 13:55:56 Alessandro Ghedini via RT wrote: > > On Fri, Sep 25, 2015 at 01:20:12pm +, Hubert Kario via RT wrote: > > > Current OpenSSL-1.0.1, 1.0.2 as well as state-machine-rewr

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 03:02:27pm +, Hubert Kario via RT wrote: > On Friday 25 September 2015 14:51:17 Alessandro Ghedini via RT wrote: > > As a matter of test I changed the ssl_get_message() in > > ssl3_get_client_hello() to use 0xFF (uint24 max) as maximum size, >

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 04:17:33PM +, Matt Caswell via RT wrote: > > > On 25/09/15 17:05, Alessandro Ghedini via RT wrote: > > On Fri, Sep 25, 2015 at 03:02:27pm +, Hubert Kario via RT wrote: > >> On Friday 25 September 2015 14:51:17 Alessandro Ghedini via RT

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 05:11:39pm +, Hubert Kario via RT wrote: > On Friday 25 September 2015 16:54:02 Alessandro Ghedini via RT wrote: > > On Fri, Sep 25, 2015 at 04:17:33PM +, Matt Caswell via RT wrote: > > > On 25/09/15 17:05, Alessandro Ghedini via RT wrote: >

[openssl-dev] [openssl.org #4062] [PATCH] Fix build failure

2015-09-25 Thread Alessandro Ghedini via RT
Hello, due to commit a93d3e0 the ./config script currently fails with the error: > Operating system: x86_64-whatever-linux2 > This system (linux-x86_64) is not supported. See file INSTALL for details. see the following GitHub pull request for a fix: https://github.com/openssl/openssl/pull/412

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 01:20:12pm +, Hubert Kario via RT wrote: > Current OpenSSL-1.0.1, 1.0.2 as well as state-machine-rewrite branches > reject Client Hello messages bigger than 2^14+4 bytes. IIRC SSLv3 does place the limit at 2^14 or so bytes, so I think the problem is that OpenSSL only

Re: [openssl-dev] [openssl.org #4048] [PATCH] Fix potential read buffer overflow in PACKET_strndup()

2015-09-23 Thread Alessandro Ghedini via RT
The GitHub pull request was merged, so this can be closed. Cheers

[openssl-dev] [openssl.org #4052] [PATCH] Print debug info for extended master secret extension

2015-09-17 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/404 This is like RT#4016, but for extended master secret. Cheers

[openssl-dev] [openssl.org #4048] [PATCH] Fix potential read buffer overflow in PACKET_strndup()

2015-09-16 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/399 It provides a short analysis of the problem and a fix. Cheers

Re: [openssl-dev] [openssl.org #3986] [PATCH] Implement HKDF algorithm (RFC 5869)

2015-09-16 Thread Alessandro Ghedini via RT
Hello, FYI I rebased the code [0] on master and updated it to use the new test suite framework. As mentioned in the GitHub PR, I kept the actual implementation and the tests on two separate commits for easier review, but if you prefer I can squash them together. Could someone please review this?

Re: [openssl-dev] [openssl.org #1542] others quick patches for memory leaks in pk7_smime.c and pk7_mime.c

2015-09-05 Thread Alessandro Ghedini via RT
The proposed patch is mangled and very hard to read, but I think all proposed changes have already been committed, or the code has been removed. So I think this can be closed now. Cheers

Re: [openssl-dev] [openssl.org #1543] memory leak in crypto/asn1/x_x509a.c

2015-09-05 Thread Alessandro Ghedini via RT
Same as #1542, the patch is mangled but I think everything is already fixed so this can be closed. Cheers

Re: [openssl-dev] [openssl.org #4030] Re: [openssl-dev #1542] others quick patches for memory leaks in pk7_smime.c and pk7_mime.c

2015-09-05 Thread Alessandro Ghedini via RT
On Sat, Sep 05, 2015 at 01:49:23pm +, Alessandro Ghedini via RT wrote: > The proposed patch is mangled and very hard to read, but I think all proposed > changes have already been committed, or the code has been removed. > > So I think this can be closed now. Ugh, w

Re: [openssl-dev] [openssl.org #4031] Re: [openssl-dev #1543] memory leak in crypto/asn1/x_x509a.c

2015-09-05 Thread Alessandro Ghedini via RT
On Sat, Sep 05, 2015 at 01:49:52pm +, Alessandro Ghedini via RT wrote: > Same as #1542, the patch is mangled but I think everything is already fixed so > this can be closed. Same as #4031. It was supposed to be a reply to #1543 and can be closed.

[openssl-dev] [openssl.org #4031] Re: [openssl-dev #1543] memory leak in crypto/asn1/x_x509a.c

2015-09-05 Thread Alessandro Ghedini via RT
Same as #1542, the patch is mangled but I think everything is already fixed so this can be closed. Cheers

[openssl-dev] [openssl.org #4030] Re: [openssl-dev #1542] others quick patches for memory leaks in pk7_smime.c and pk7_mime.c

2015-09-05 Thread Alessandro Ghedini via RT
The proposed patch is mangled and very hard to read, but I think all proposed changes have already been committed, or the code has been removed. So I think this can be closed now. Cheers

Re: [openssl-dev] [openssl.org #3985] [PATCH] Fix potential memory leaks

2015-09-03 Thread Alessandro Ghedini via RT
The corresponding GitHub pull request was merged, so this can be closed now. Cheers

[openssl-dev] [openssl.org #4016] [PATCH] Print debug info for ALPN extension

2015-08-22 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/371 Which simply adds ALPN to the -tlsextdebug output, so that the extension is not shown as unknown. Cheers

[openssl-dev] [openssl.org #4017] [PATCH] Implement Camellia GCM suites (RFC 6367)

2015-08-22 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/374 Which adds support for Camellia GCM and adds the correspondent TLS cipher suites. Most of the code comes from the AES GCM implementation, so maybe there's an opportunity for some refactoring there. This fixes issue

Re: [openssl-dev] [openssl.org #4017] [PATCH] Implement Camellia GCM suites (RFC 6367)

2015-08-22 Thread Alessandro Ghedini via RT
On Sat, Aug 22, 2015 at 01:17:36PM +, Stephen Henson via RT wrote: On Sat Aug 22 10:21:42 2015, alessan...@ghedini.me wrote: Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/374 Which adds support for Camellia GCM and adds the correspondent TLS cipher

[openssl-dev] [openssl.org #3985] [PATCH] Fix potential memory leaks

2015-08-05 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/354 which fixes memory leaks on error conditions in X509_add1_reject_object() and PKCS7_verify(). Cheers

[openssl-dev] [openssl.org #3986] [PATCH] Implement HKDF algorithm (RFC 5869)

2015-08-05 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/355 which implements the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869, and used by QUIC and TLS 1.3. It comes with tests as defined in the Appendix A of the same RFC. Cheers

Re: [openssl-dev] [openssl.org #3985] [PATCH] Fix potential memory leaks

2015-08-05 Thread Alessandro Ghedini via RT
On Wed, Aug 05, 2015 at 11:01:13am +, Alessandro Ghedini via RT wrote: Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/354 which fixes memory leaks on error conditions in X509_add1_reject_object() and PKCS7_verify(). I also added a couple more patches fixing

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-25 Thread Alessandro Ghedini via RT
On Tue, Mar 24, 2015 at 01:19:31PM +0100, Stephen Henson via RT wrote: On Fri Mar 20 13:20:07 2015, alessan...@ghedini.me wrote: Months have passed and I haven't received a reply yet (even worse, the recent obfuscation of the OCSP structures in 6ef869d7d0a9d made it impossible to

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-20 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-31 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-26 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-26 Thread Alessandro Ghedini via RT
On Tue, Jan 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in

[openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-20 Thread Alessandro Ghedini via RT
Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in crypto/ocsp/ocsp_vfy.c in the OCSP_basic_verify() function, the X509_STORE_CTX_init()