"we want a lightweight cipher and NSA gave us
one".
If there is serious demand for more lightweight ciphers in TLS I'd
expect some kind of open and transparent competition like it happened
with AES or SHA3 - or at least some open discussion in CFRG. However I'm
not convinced this demand even e
t I'd find more
concerning is that from what I observed there hasn't been a lot of
research about speck.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
openssl/openssl/issues/4856
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
ntly noticed that OpenSSL
still enables the heartbeat extension by default in every clienthello
it sends.
In the whole Heartbleed aftermath nobody was ever able to tell me where
TLS Heartbeats are used. It's a feature in order to have a feature.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@h
oudflare etc.) speak up and say that
in the future they'll boycott vendors that deploy such
Internet-breaking devices.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
it on
> various cryptographic libraries and applications that use them.
I can't answer on how to best report those bugs, but:
That sounds like interesting research.
Will you make the tool and the corresponding scientific publication
public?
--
Hanno Böck
https://hboeck.de/
mail/jabber: h
.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Hi,
The latest news on the openssl start page is
16-Mar-2016 Beta 1 of OpenSSL 1.1.0 is now available: please download
and test it
However the latest download on /source is
2016-Mar-16 17:43:30 openssl-1.1.0-pre4.tar.gz
Is pre4 supposed to be the same as beta1?
--
Hanno Böck
https
8 and
256 bit aes is imho mostly irrelevant in practice.
The difference between the two approaches may become mostly irrelevant
once all major browsers support at least one aead mode with 256 bit,
but I'm not sure if that's going to happen any time soon.
--
Hanno Böck
https://hboeck.de/
mail/j
of the (most likely more secure) AES128 in GCM mode.
Can this be changed before 1.1.0 gets out?
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
> Certainly out-of-range. Not sure about point invalidity. But can
> you open one or two tickets for this?
Done now, RT tickets #4241 and #4242.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
tps://boringssl.googlesource.com/boringssl/+/38feb990a183362397ebc62774cc07374d146c83%5E%21/#F0
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
if openssl supported camellia-gcm modes.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
that
OpenSSL doesn't add any new features without a clear explanation what
advantage they bring in which situation - and who is likely going to
use that feature.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1036765
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
.
In the spirit of making OpenSSL as useful as possible for everyone I
would consider a permissive license that's more compatible (e.g. MIT) a
wiser choice.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
), patch should be noncontroversial to apply right away, right?
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
/Display.html?id=3332&user=guest&pass=guest
Fix parallel builds:
https://rt.openssl.org/Ticket/Display.html?id=2084&user=guest&pass=guest
Build fix of 64 bit on 32 bit systems:
https://bugs.gentoo.org/show_bug.cgi?id=542618
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
-attack-breaking-ssl-with-13-year-old-rc4-weakness
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
://mta.openssl.org/pipermail/openssl-dev/2015-January/000421.html
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
On Tue, 10 Feb 2015 21:15:36 +
Salz, Rich rs...@akamai.com wrote:
Comments?
Sounds good.
I'd further suggest to move everything that's not PFSAEAD
from HIGH to MEDIUM.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
sanitizer.
What's the plan here? Replace openssl's own memory management by
default with standard memory management calls or is the plan to
disable the possibility to have standard memory management at all?
If the latter I'd vote against removing that flag.
cu,
--
Hanno Böck
http://hboeck.de/
mail
(1.0.2a/b)? I would prefer not having to wait with that till 1.1.0.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
--- openssl-1.0.2-stable-SNAP-20150115/ssl/ssl_ciph.c 2014-12-17 15:01:30.0 +0100
+++ openssl-1.0.2-stable-SNAP-20150115-hash/ssl/ssl_ciph.c
boringssl and submit them.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-NULL-SHA:ECDHE-ECDSA-NULL-SHA:AECDH-NULL-SHA:ECDH-RSA-NULL-SHA:ECDH-ECDSA-NULL-SHA:NULL-SHA256:NULL-SHA:NULL-MD5
--
Hanno Böck
http://hboeck.de
mostly as
it is, just add one further sorting step that will bring GCM ciphers in
front of non-gcm ones.
I think that should give the desired result.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
with
it.
(this doesn't answer whether chacha20-poly1305 or aes-gcm should be
considered better, but I don't know if there is a clear consensus on
that)
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
.
Thoughts?
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
On Mon, 15 Dec 2014 20:31:53 -0500
Salz, Rich rs...@akamai.com wrote:
Is this a theoretical issue, or have you seen it in widespread use?
www.openssl.org would be an example where you can see it live and
real :-)
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
preferred over
GCM.
(But good to note that a quick fix is to disable SSLHonorCipherOrder
on affected apache servers)
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
@STRENGTH
Result: no GCM in chrome/ff, but FS in all ssl labs reference browsers
(and A+ rating).
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
be available (just
point chrome to https://www.openssl.org to see it).
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
and use
such dedicated pss keys.
I'm interested: Who has created these certificates and what software
was used there?
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
- now there's a proposal for a downgrade protection extension that only
tries to fix a problem we wouldn't have in the first place if people
didn't introduce stupid workarounds for broken stuff)
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
On Thu, 1 May 2014 14:29:44 +0200
Kurt Roeckx k...@roeckx.be wrote:
On Thu, May 01, 2014 at 01:35:19PM +0200, Hanno Böck wrote:
Maybe this should teach us a lesson: Adding more and more
Workarounds for broken stuff isn't the way to go forward. The way
to go forward is to fix broken
asking themselves if they'd better invest their time
in improving openssl or helping out libressl.
So to the openssl devs: Please give some answers.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
devs create a new beta2 version that includes the
heartbleed fix?
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
support, because nobody uses that
anyway and DSA is a bad algorithm.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
an extension that
nobody uses shouldn't happen. So the default of that switch should be
off, unless someone has a convincing argument otherwise. Adding
features because we can is not helpful and adds attack surface.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
for SSL implementations.
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
be
tested in a reasonable way by the client. (e.g. testing if a prime
really is a prime is not efficiently possible for large key exchanges -
and there are also weak primes)
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
://twitter.com/matthew_d_green/status/377946072532140032
https://twitter.com/matthew_d_green/status/377946680395845633
I am not familiar with the details, but want to bring it up for
discussion here. Maybe it should be disabled or at least discouraged in
the docs.
cu,
--
Hanno Böck
http://hboeck.de/
mail
bugtracker).
But I agree - going to AES-GCM is the only sane solution at the moment
and everyone should migrate as soon as possible - everything else is
really too broken to rely on it for the medium term.
--
Hanno Böck mail/jabber: ha...@hboeck.de
GPG: BBB51E42 http
design. Connection limits can help (though they shouldn't be
limited to renegotiation), but it's not really a nice solution.
--
Hanno Böck mail/jabber: ha...@hboeck.de
GPG: BBB51E42 http://www.hboeck.de/
- The interim solution may be just disabling AES and rely on RC4.
So I'd like to repeat my question and hope some of the openssl devs
will answer:
When can we expect a TLS 1.1/1.2 enabled version? What's the status of
openssl 1.0.1?
--
Hanno Böck mail/jabber: ha...@hboeck.de
GPG
and going to tls
1.1 or 1.2 should fix it.
AFAIK, openssl current release 1.0.0 has no tls 1.2, but the
planned openssl 1.0.1 should have.
Which leads to the question: Is there a planned timeline for a 1.0.1
release and could this be accelerated if the issue turns out to be
serious?
--
Hanno Böck
1.0.0d and current cvs code)
--
Hanno Böck mail/jabber: ha...@hboeck.de
GPG: BBB51E42 http://www.hboeck.de/
Switch to green electricity NOW: http://atomausstieg-selber-machen.de
Hi,
I was wondering if openssl CVS head is capable of doing cms signing
with rsa pss. Seems not, openssl cms doesn't recognize the
-sigopt rsa_padding_mode:pss
parameter.
Anyone working on this?
cu,
--
Hanno Böck mail/jabber: ha...@hboeck.de
GPG: BBB51E42 http
an openssl version supporting PSS will be out)
cu,
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de
http://schokokeks.org - professional webhosting
On Saturday 31 May 2008, Daniel Black wrote:
On Sat, 31 May 2008 07:13:32 pm Hanno Böck wrote:
This patch adds some dependencies to the Makefile targets to allow
parallel make to succeed. Please apply.
(Patch is taken from Gentoo Linux)
as attached?
yes... it probably was too late when
This patch will create the /lib/engines directory if it doesn't exist on
installation. Please apply.
(Patch taken from gentoo linux)
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail:[EMAIL PROTECTED]
--- openssl-0.9.8/engines/Makefile
This patch adds some dependencies to the Makefile targets to allow parallel
make to succeed. Please apply.
(Patch is taken from Gentoo Linux)
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail:[EMAIL PROTECTED]
ready. I'd only like to know if it's something
like we're shortly before release or it'll take years till then or
something in between.
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber: [EMAIL PROTECTED]
53 matches