Re: [openssl-dev] Call for testing: OpenSSH 7.2

2016-02-15 Thread Damien Miller
On Mon, 15 Feb 2016, The Doctor wrote: > Just tested this on the old BSD/OS machine > > works with openssl 1.0.2X > > Openssl 1.1.X issues Thanks for testing. OpenSSH won't work with OpenSSL until someone ports it and writes compat shims to make it work with both OpenSSL 1.0.x and 1.1.x. The 1.1

Re: Feature Request

2013-05-28 Thread Damien Miller
On Sun, 26 May 2013, Florian Kirstein wrote: > Hi, > > On Sat, May 25, 2013 at 10:37:44AM -0500, Jonathan Brown wrote: > > Please also increase the iteration amount to be optionally user specified. > > This way you we can dramatically slow down a potential brute force attack > > against a captured

PEM KDF and offline brute-force attacks

2011-07-15 Thread Damien Miller
Hi, I'm a bit concerned about the protection afforded by the PEM format to private keys against offline brute-force attacks. PEM seems to use a decent KDF, but uses a fixed iteration count of 1. Am I correct in my understanding that this cannot be changed without breaking the format? PEM is pretty

[openssl.org #2495] enable PEM_write_DSAPublicKey

2011-04-09 Thread (Damien Miller) via RT
Hi, Is there any reason why PEM_write_DSAPublicKey() is not enabled in pem_all.c? We'd like to use this in OpenSSH. Index: crypto/pem/pem.h === RCS file: /cvs/src/lib/libssl/src/crypto/pem/pem.h,v retrieving revision 1.10 diff -u -p

[openssl.org #2366] pkeyutl SEGV

2010-10-27 Thread (Damien Miller) via RT
Hi, "openssl pkeyutl -peerform" will SEGV due to dereferencing the NULL termination of the argv array, here's a fix: Index: pkeyutl.c === RCS file: /cvs/src/lib/libssl/src/apps/pkeyutl.c,v retrieving revision 1.1.1.2 diff -u -p -r1.1

PATCH: SEGV for invalid args to "openssl pkeyutl"

2010-10-13 Thread Damien Miller
Hi, "openssl pkeyutl -peerform" will SEGV due to dereferencing the NULL termination of the argv array, here's a fix: Index: pkeyutl.c === RCS file: /cvs/src/lib/libssl/src/apps/pkeyutl.c,v retrieving revision 1.1.1.2 diff -u -p -r1.1

[openssl.org #1835] PATCH: typos

2009-02-02 Thread (Damien Miller) via RT
typo fixes that have accrued in OpenBSD's import of OpenSSL over the years Index: MacOS/GetHTTPS.src/ErrorHandling.hpp === RCS file: /cvs/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp,v retrieving revision 1.1.1.1 retrieving

Re: [openssl.org #1831] PATCH: openssl rand -hex

2009-02-01 Thread (Damien Miller) via RT
On Sun, 1 Feb 2009, Bodo Moeller via RT wrote: > > we'll cope ;) > > Here's my version of the patch. Let me know if it looks OK for you. looks good to me -d __ OpenSSL Project http://www.opens

Re: [openssl.org #1831] PATCH: openssl rand -hex

2009-02-01 Thread Damien Miller
On Sun, 1 Feb 2009, Bodo Moeller via RT wrote: > > we'll cope ;) > > Here's my version of the patch. Let me know if it looks OK for you. looks good to me -d __ OpenSSL Project http://www.openssl

Re: [openssl.org #1831] PATCH: openssl rand -hex

2009-02-01 Thread (Damien Miller) via RT
On Sun, 1 Feb 2009, Bodo Moeller via RT wrote: > >> What is the rationale of not having a newline at the end? It's text, > >> after all? > > > > no rationale, just an oversight. > > > > So ... I was going to add the newline while working on the patch, but > then it occurred to me as you said

Re: [openssl.org #1831] PATCH: openssl rand -hex

2009-02-01 Thread Damien Miller
On Sun, 1 Feb 2009, Bodo Moeller via RT wrote: > >> What is the rationale of not having a newline at the end? It's text, > >> after all? > > > > no rationale, just an oversight. > > > > So ... I was going to add the newline while working on the patch, but > then it occurred to me as you said

Re: [openssl.org #1831] PATCH: openssl rand -hex

2009-02-01 Thread (Damien Miller) via RT
On Sun, 1 Feb 2009, Bodo Moeller via RT wrote: > > [...@mindrot.org - Fr. 30. Jan. 2009, 11:52:17]: > > > This patch adds a -hex option to the rand app. E.g. > > > > $ openssl rand -hex 8 > > d203552d5eb39e76 > > What is the rationale of not having a newline at the end? It's text, > after all?

Re: [openssl.org #1831] PATCH: openssl rand -hex

2009-02-01 Thread Damien Miller
On Sun, 1 Feb 2009, Bodo Moeller via RT wrote: > > [...@mindrot.org - Fr. 30. Jan. 2009, 11:52:17]: > > > This patch adds a -hex option to the rand app. E.g. > > > > $ openssl rand -hex 8 > > d203552d5eb39e76 > > What is the rationale of not having a newline at the end? It's text, > after all?

[openssl.org #1832] PATCH: force IPv4/IPv6 for s_client

2009-01-30 Thread (Damien Miller) via RT
Hi, This diff changes the s_client and s_server apps to use getaddrinfo for address parsing rather than manual IPv4 parsing and gethostbyname. This allows specification of port by name: openssl s_client -connect bugzilla.mindrot.org:https But the main point is to support IPv6. You can now speci

[openssl.org #1831] PATCH: openssl rand -hex

2009-01-30 Thread (Damien Miller) via RT
Hi, This patch adds a -hex option to the rand app. E.g. $ openssl rand -hex 8 d203552d5eb39e76 Patch is from Matthieu Herrb (matth...@openbsd.org) via OpenBSD CVS. -d Index: apps/rand.c === RCS file: /cvs/src/lib/libssl/src/apps/r

Re: OpenSSL 0.9.8j bug (reproducible SSL negotiation issue, 0.9.8i unaffected)B

2009-01-09 Thread Damien Miller
On Fri, 9 Jan 2009, Brad House wrote: > BTW, I didn't see in the changelog the fact that tls extensions were > enabled by default between 0.9.8i and j... It's there, 3rd entry: > *) Enable TLS extensions by default. > [Ben Laurie] -d _

Re: Fix VIA Padlock RNG support ?

2008-09-11 Thread Damien Miller
On Mon, 1 Sep 2008, Harald Welte wrote: > Hi Michal, > Hi OpenSSL developers, > > as part of my work for VIA, I am trying to find out what we can do to > make sure the VIA Padlock RNG is activated by default. What are the consequences of the kernel and OpenSSL contending over the RNG? Wouldn't i

Re: Fix VIA Padlock RNG support ?

2008-09-11 Thread Damien Miller
On Fri, 12 Sep 2008, Harald Welte wrote: > On Thu, Sep 11, 2008 at 09:32:14AM -0400, Geoff Thorpe wrote: > > > > I don't think there's any taboo or a strong opposition against > > > > the patch. It's just that Andy hasn't followed up, I sort of > > > > given up and moved to other projects and the

Re: Couldn't obtain random bytes in sshd - problem in RAND_poll?

2008-08-07 Thread Damien Miller
On Wed, 6 Aug 2008, Stanislav Meduna wrote: > So what should the applications calling openssl actually > do if this happens? Now the ssh/apache/... simply exit, > which is bad (it left me without an access to a remote > box...). Exiting is the best behaviour - continuing without a good source of

RE: the Sun covenant language

2006-05-07 Thread Damien Miller
Hi, I'm also interested in the license status of this code. The Sun covenant was removed for all files but this one. Was this an oversight or was it intended? If the latter, what is the point of removing the covenant from the other files when this seems to be an inseparable part of the openssl-

Re: [PATCH] Move man section to 1SSL/3SSL/5SSL/7SSL

2006-03-06 Thread Damien Miller
On Sun, 5 Mar 2006, Kurt Roeckx wrote: > Hi, > > I would like to properly place the documentation in the 1SSL, > 3SSL, 5SSL and 7SSL section. It might be proper for your operating system, but it certainly isn't correct for everyone. None of the operating systems I have at hand even have a 3ssl s

Re: [openssl.org #1266] openssl prime 2

2006-01-06 Thread Damien Miller
David Schwartz wrote: >>>openssl prime 2 >> >>2 is not prime >> >>openssl version openssl-0.9.8a > > > This is a known issue. The prime testing code was designed to test large > primes. rubbish, it is a simple overeager optimisation. Attached is a fix. -d Index: lib/libssl/src/crypto/bn/

Re: [openssl.org #1114] Bug: RC4 on IA64 and OpenSSH

2005-06-29 Thread Damien Miller
Andy Polyakov via RT wrote: Summary can be found at http://cvs.openssl.org/chngview?cn=14145. Point is that I assumed that RC4_KEY structure initialized by RC4_set_key is passed down to RC4 verbatim in its original memory location, while OpenSSH takes freedom to swap the structures initialized in

Re: [openssl.org #1089] test report for OpenBSD -current

2005-06-15 Thread (Damien Miller) via RT
Richard Levitte via RT wrote: > [EMAIL PROTECTED] - Mon Jun 6 07:15:40 2005]: > > >>Richard Levitte via RT wrote: >> >>>Thanks for the positive report! Apropos the 'test skipped' stuff, >> >> I'm >> >>>not sure why skipping tests on unbuilt algorithms is self-defeating. >> >>It didn't skip o

Re: [openssl.org #1089] test report for OpenBSD -current

2005-06-05 Thread (Damien Miller) via RT
Richard Levitte via RT wrote: > Thanks for the positive report! Apropos the 'test skipped' stuff, I'm > not sure why skipping tests on unbuilt algorithms is self-defeating. It didn't skip only the tests on unbuilt algorithms, it skipped *all* the tests. > Anyway, I'm resolving this ticket. >

Re: [openssl.org #1089] test report for OpenBSD -current

2005-06-05 Thread Damien Miller
Richard Levitte via RT wrote: Thanks for the positive report! Apropos the 'test skipped' stuff, I'm not sure why skipping tests on unbuilt algorithms is self-defeating. It didn't skip only the tests on unbuilt algorithms, it skipped *all* the tests. Anyway, I'm resolving this ticket. [EMAIL

[openssl.org #1089] test report for OpenBSD -current

2005-06-01 Thread (Damien Miller) via RT
Hi, Here is a testlog for OpenBSD -current. We probably won't get around to integrating 0.9.8 until after OpenBSD-3.8 is released. I hacked the 'test skipped' stuff out of util/selftest.pl - I think skipping tests because of no-mdc2 and no-rc5 is somewhat self-defeating -d OpenSSL self-test r

Re: OpenSSH and OpenSSL snapshots

2002-01-25 Thread Damien Miller
e will be too upset with another binary incompatible OpenSSL release :) -d -- | By convention there is color, \\ Damien Miller <[EMAIL PROTECTED]> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space

Re: OpenSSH and OpenSSL snapshots

2002-01-24 Thread Damien Miller
On Thu, 24 Jan 2002, Richard Levitte - VMS Whacker wrote: > My first attempt was to do the whole thing with cpp macros. However, > after giving it some thought, that could cause a number of problems; > one is that macros have zero type safety. You can give those macros > exactly whatever withou

Re: ssh2 key passphrase problems in 2.9.9 on Linux

2001-09-28 Thread Damien Miller
Did OpenSSL pass its own self-tests? When you compiled OpenSSL or OpenSSH, did you have any old OpenSSL header files lying around? These are a frequent cause of weird problems. You could try putting a printf() before the above call to see if the correct passphrase is getting passed to OpenSS

Binary incompatability caused by different compiler flags

2001-03-02 Thread Damien Miller
s is enough to break structure alignment. If so, is there any way of making OpenSSL more robust in the face of different compiler options? -d -- | Damien Miller <[EMAIL PROTECTED]> \ ``E-mail attachments are the poor man's | http://www.mindrot.org

Re: [STATUS] OpenSSL (Sun 21-Jan-2001)

2001-01-23 Thread Damien Miller
strings and detecting overflow. http://www.openbsd.org/cgi-bin/man.cgi?query=strlcpy http://www.openbsd.org/cgi-bin/man.cgi?query=strlcat -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | <[EMAIL PRO

Re: openssl gendsa -rand confusion

2000-04-13 Thread Damien Miller
ize of the reads can be limited? -d PS. did you get the ERR_error_string_n() patch I sent to the list a couple of days back? I haven't heard any feedback... -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org

Re: openssl gendsa -rand confusion

2000-04-12 Thread Damien Miller
, define "sufficient". In OpenSSL, it's "whatever the user wants > to throw at me, I'll eat until it stops". /dev/urandom hardly ever > stops :-)... Data greater than md_rand.c's STATE_SIZE is going to be wasted. -d -- | "Bombay is 250ms from New

openssl gendsa -rand confusion

2000-04-12 Thread Damien Miller
specified separated by a OS-dependent character. The separator is ; for MS-Windows, , for OpenVSM, and : for all ^^^ -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.

Re: [STATUS] OpenSSL (Sun 9-Apr-2000)

2000-04-10 Thread Damien Miller
On Sun, 9 Apr 2000, OpenSSL Project wrote: > o ERR_error_string(..., buf) does not know how large buf is, > there should be ERR_error_string_n(..., buf, bufsize) > or similar. Diff attached. -d -- | "Bombay is 250ms from New York in the new world order"

Re: openssl 0.9.5a RPM

2000-04-03 Thread Damien Miller
gz". This will pull the spec file from the tarball and build source and binary RPMs from it. You shouldn't need the --buildroot as the spec file provides it. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ |

Re: openssl 0.9.5a RPM

2000-04-03 Thread Damien Miller
ld order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work) %define libmaj 0 %define libmin 9 %define librel 5 %define librev a Release: 1 %define openssldir /var/ssl Summary: Secure Sockets Layer and cryptography

Re: openssl manual pages

2000-04-02 Thread Damien Miller
The result is that you'd get a threads(3ssl), err(3ssl), > passwd(1ssl), rc4(3ssl). Why not openssl_passwd, openssl_err, etc? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [EM

RE: [ANNOUNCE] OpenSSL 0.9.5 beta2 available

2000-02-29 Thread Damien Miller
On Tue, 29 Feb 2000, GOMEZ Henri wrote: > Did you have modified something to the spec file > for the final 0.9.5 ? Attached. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email:

Re: [ANNOUNCE] OpenSSL 0.9.5 beta2 available

2000-02-28 Thread Damien Miller
On Mon, 28 Feb 2000, Damien Miller wrote: > I have attached an RPM spec file for those interested. Doh - bad spec file. Attached is one that works. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [EM

Re: [ANNOUNCE] OpenSSL 0.9.5 beta2 available

2000-02-27 Thread Damien Miller
er. Builds OK on Redhat Linux 6.1, tests pass OK. OpenSSH builds and operates OK too. I have attached an RPM spec file for those interested. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [

Re: Latest SNAPSHOT, 2 questions

2000-02-17 Thread Damien Miller
On Wed, 16 Feb 2000, Lutz Jaenicke wrote: > 2. As of the latest snapshot, OpenSSL became picky of seeding the PRNG. >I have EGD available, as it was recommended for OpenSSH; the sample code >for querying it being quite simple. The Linux/Unix port of OpenSSH will be switching over to a Un

OpenSSL config file documentation

1999-12-27 Thread Damien Miller
format was best to present this in, but (to my knowledge) there was no consensus. I am therefore submitting it in ASCII format in the hope that it gets included in 0.9.5 (or whatever the next release will be). Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world

Re: Audio-based RNG for Win32

1999-10-19 Thread Damien Miller
lows one to make better estimates of the available entropy. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work) -BEGIN

Re: Audio-based RNG for Win32

1999-10-19 Thread Damien Miller
separate program? Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work) -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.0 (GNU/Linux) Co

Re: 2nd draft of openssl.conf documentation

1999-10-08 Thread Damien Miller
;t looked), but it would be trivial to cook some up. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work) -BEGIN PGP SIGNATURE-

Re: 2nd draft of openssl.conf documentation

1999-10-08 Thread Damien Miller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, 8 Oct 1999, Richard Levitte - VMS Whacker wrote: > From: Damien Miller <[EMAIL PROTECTED]> > > dmiller> Go right ahead, but it might be worthwhile to have an > dmiller> openssl.conf.5 page as well. > > I ab

Re: 2nd draft of openssl.conf documentation

1999-10-07 Thread Damien Miller
> I can include some of your text though if you've no objections. Go right ahead, but it might be worthwhile to have an openssl.conf.5 page as well. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindr

2nd draft of openssl.conf documentation

1999-10-07 Thread Damien Miller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Please find attached a second draft of the openssl.conf documentation. This version fixes several errors in the X.509v3 extensions section documentation. Comments? Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new

Draft documentation for openssl.conf

1999-10-05 Thread Damien Miller
. Once it is cleaned up and has been properly reviewed, it would be good to have this included as part of the standard documentation. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: [EMAIL

Slightly updated CA.pl

1999-09-30 Thread Damien Miller
messages. - - It adds -newreq-nopw to generate a request and private key without a PEM passphrase. This makes CA.pl suck a bit less :) Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogic.com.au/~dmill

Re: THANKS...

1999-08-18 Thread Damien Miller
the output it produces is very readable. If I go ahead and start producing patches to add doxygen inline to Openssl header files will they be included? Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www

OpenSSL 0.9.4 RPMs

1999-08-09 Thread Damien Miller
I have built RPMs of OpenSSL 0.9.4 under Redhat 6.0 and uploaded them to ftp.replay.com. I have also attached a spec file so you can build your own. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogic.com.a

Re: THANKS...

1999-08-09 Thread Damien Miller
but we should decide on a documentation standard. The GNOME people are getting good results with documents embedded in the code itself. Using these API and developer documents are automatically generated. Would the OpenSSL developers be interested in adopting something similar? Regards, Damien Miller -

Re: Passing user data to password callbacks

1999-07-26 Thread Damien Miller
On Mon, 26 Jul 1999, Dan Razzell wrote: > Damien Miller <[EMAIL PROTECTED]> wrote: > > > I want to add the facility to pass user data to password callback > > functions. e.g. NB the changes have already been added to the CVS repository. > It's good to see th

Re: [STATUS] OpenSSL (Sun 25-Jul-1999)

1999-07-25 Thread Damien Miller
I notice that my patch to include a user data field to pem password callbacks was not included in the status report. Does this mean that it was rejected? If so, what needs to be done to get it included? I have seen little consensus on the API to use. Regards, Damien Miller -- | "Bomb

Re: PEM pass phrase

1999-07-20 Thread Damien Miller
is can be done with a text editor. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogic.com.au/~dmiller | Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work) _

Re: Passing user data to password callbacks

1999-07-19 Thread Damien Miller
is worthwhile to get them all out of the way at once. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogic.com.au/~dmiller | Email: [EMAIL

Re: Passing user data to password callbacks

1999-07-19 Thread Damien Miller
ignores this extra (garbage) argument. Except for the extra field in ssl_ctx - that would have to be moved to the end or it will break alignment. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox |

Re: Passing user data to password callbacks

1999-07-19 Thread Damien Miller
cked-in openssl directory to its pristine state? "make dclean" leaves a lot of extra makefiles which complicate the process of getting a clean diff. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilog

Re: creating a subset of openssl

1999-07-01 Thread Damien Miller
other advantage would be to make parts of the library distributable and hackable by people who live in countries with oppressive export regimes. Thoughts? Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogi

Dynamic libs for 0.9.3?

1999-05-10 Thread Damien Miller
Will the upcoming 0.9.3 release support building of dynamic libs "out-of-the-box"? Regards, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogic.com.au/~dmiller | Email: [EMAIL PROTECTED] (home) -or- [EM

Re: What about the old/working files still left from Eric?

1999-01-02 Thread Damien Miller
" them. They will end up in that Attic and are still accessible from CVS. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.ilogic.com.au/~dmiller ___

Re: Installation directories

1999-01-02 Thread Damien Miller
l/certs and /etc/openssl/keys, etc. This would also be a great boon to binary package makers. The SSLeay-0.9.1b RPM already includes some patches which do some of this. I can forward them if you wish. Regards, Damien Miller PS. Is there a TODO/Wishlist for OpenSSL anywhere? -- | "Bomb