_key)
+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
Is there a clear point in time after which the OpenSSL 1.1.0 API is
expected to be fully frozen for the release (well, other than the final
public release showing up)?
(*) https://ww
() and
SSL_SESSION_print(). In addition to that, it seems to be changing
DTLS1_BAD_VER value for SSL_SESSION_print().
It should also be noted that the new implementation does not match the
man page for SSL_get_version():
https://www.openssl.org/docs/manmaster/ssl/SSL_get_v
nsion that can currently be
added:
00 05 00 05 01 00 00 00 00
Parsing ServerHello:
Accept status_request_v2 extension
Parsing CertificateStatus:
Accept certificate status type ocsp_multi(2)
--
Jouni Malinen PGP id EFC895FA
ory leaks, those were not caused by the OpenSSL
library itself. As such, I've already added the #ifdef based on OpenSSL
version. This has the additional benefit of marking up code for cleanup
once OpenSSL 1.0.2 support terminates in the future.
--
Jouni Malinen
On Mon, Feb 15, 2016 at 09:34:33PM +0000, Matt Caswell wrote:
> On 15/02/16 21:25, Jouni Malinen wrote:
> > Is this change in OpenSSL behavior expected? Is it not allowed to call
> > EVP_cleanup() and then re-initialize OpenSSL digests with
> > SSL_library_init()?
>
>
On Mon, Feb 15, 2016 at 10:52:27PM +0200, Jouni Malinen wrote:
> On Mon, Feb 15, 2016 at 07:04:20PM +0000, OpenSSL wrote:
> >OpenSSL version 1.1.0 pre release 3 (alpha)
> It looks like something in pre release 3 has changed behavior in a way
> that results in SSL_CTX_ne
pre release 3 or is there supposed to be some
changes needed in applications using OpenSSL to work with this auto
init/de-init libssl change?
--
Jouni Malinen PGP id EFC895FA
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
ser.pem
$OPENSSL verify -trusted ca-incorrect.pem -purpose sslclient user.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-eku-client.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-expired.pem
--
Jouni Malinen PGP id EFC895FA
e patch on top of pre-rel 2 (+ CRL fix)
and the current master branch snapshot fixed all the test cases that I
saw failing previously.
--
Jouni Malinen PGP id EFC895FA
S: Certificate verification failed, error 19 (self signed certificate in
certificate chain) depth 1 for '/C=FI/O=w1.fi/CN=Root CA'
So this has to be something with how the chain verification code gets
configured.. I'll see if I can find the commit that changed the behavior
to make it a b
2:23:35 2016 -0500
>
> Always initialize X509_STORE_CTX get_crl pointer
Thanks! This applied on top of pre-rel 2 does indeed resolve the CRL
issue I saw.
--
Jouni Malinen PGP id EFC895FA
==627==    by 0x20441A6D1E48C1FF: ???
==627==    by 0xFFF00038F: ???
==627==    by 0xFFF00038F: ???
==627==    by 0x1: ???
==627==    by 0x654653F: ???
==627== Address 0x1003029407 is not stack'd, malloc'd or (recently) free'd
--
Jouni Malinen
t, I was able to pass all my EAP regression tests.
--
Jouni Malinen PGP id EFC895FA
idea what happened with these OpenSSL client state machine changes
and how to get this fixed to restore EAP-FAST functionality?
--
Jouni Malinen PGP id EFC895FA
On Fri, Jul 31, 2015 at 08:36:46PM +0100, Matt Caswell wrote:
> https://github.com/openssl/openssl/commit/e1e088ec7f2f33c4c4ad31312d62c536441d4358
Thanks! With this, all my EAP test cases are now passing with the
OpenSSL master branch snapshot.
--
Jouni Mali
On Thu, Jul 30, 2015 at 11:00:45AM +0100, Matt Caswell wrote:
> On 28/07/15 15:09, Jouni Malinen wrote:
> > The remaining issue for EAP-FAST server is in the
> > SSL_set_session_secret_cb() callback not having access to the correct
> > server_random through SSL_get_server
andler on the TLS server side as well as on
the client side (where it seems to work now).
--
Jouni Malinen PGP id EFC895FA
ter
the key_block). It would be nice to be able to get those out from
OpenSSL without having to implement the PRF for this externally (and
without exporting the master key for that matter).
--
Jouni Malinen PGP id EFC895FA
support this use case.
I'm trying to run the full hostapd/wpa_supplicant test suite with all
OpenSSL releases, so I should at least notice regressions in the
relevant areas pretty quickly. In theory, I could also do this on
snapshot builds (or repository snapshots in general)
on which derives the secret in EAP-FAST specific way
(master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
server_random + client_random, 48)).
--
Jouni Malinen PGP id EFC895FA
to go that far in
extra complexity.)
--
Jouni Malinen PGP id EFC895FA
On Tue, Dec 15, 2009 at 10:18 AM, Tomas Mraz via RT wrote:
> If you call just SSL_library_init() and PKCS12_PBE_add some pkcs12 files
> will not be loadable and moreover the openssl will crash due to missing
> checks for ciphers not found. I've reported the crash in a separate
> report. Perhaps th
get an updated
patch for OpenSSL in the latest wpa_supplicant release
(openssl-0.9.8i-tls-extensions.patch applies to OpenSSL 0.9.8k).
--
Jouni Malinen PGP id EFC895FA
Here's a backport version of the session ticket override patch against
OpenSSL 0.9.8i. This provides the same API that was committed into 0.9.9
tree and it can be used with the current development snapshot of
wpa_supplicant/hostapd 0.6.x for EAP-FAST.
--
Jouni Ma
to be working fine and will
make it much easier for distributions to include EAP-FAST support in the
future.
--
Jouni Malinen PGP id EFC895FA
his version and
hostapd/wpa_supplicant, but I haven't committed the matching changes yet
into my repository since I did not want to change the API use there
before the modified version gets into the OpenSSL repository.
--
Jouni Malinen PGP id EFC895FA
Thi
indentation in that patch is also inconsistent with the rest of OpenSSL.
The attached version should clean up indentation to match with rest of
the code.
--
Jouni Malinen PGP id EFC895FA
This patch adds support for TLS SessionTicket extension (RFC 5077)
t remains from the initial patch that was done
before the session ticket support was added to OpenSSL. In practice,
SSL_set_hello_extension() is only used to replace the SessionTicket
extension (ext_type=35) and any mechanism that allows this to be done
would be fine.
--
patch update must be removed from the patch. This
version was tested with openssl-SNAP-20080928.tar.gz.
--
Jouni Malinen PGP id EFC895FA
This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).
This is
to
OpenSSL development as someone outside the core development team would
also be appreciated if no one in the core team is interested in looking
into this or providing comments.
--
Jouni Malinen PGP id EFC895FA
This patch adds support for TLS
articular change and would welcome any recommendations
on how to handle this issue for EAP-FAST (RFC 4851).
--
Jouni Malinen PGP id EFC895FA
__
OpenSSL Project
enSSL would be very helpful.
--
Jouni Malinen PGP id EFC895FA
This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).
This is based on the patch from Alexey Kobozev <[EMAIL PROTECTED]>
(sent to
to be
used with EAP-FAST?
--
Jouni Malinen PGP id EFC895FA
This patch adds support for TLS SessionTicket extension (RFC 4507) for
the parts used by EAP-FAST (RFC 4851).
This is based on the patch from Alexey Kobozev <[EMAIL PROTECTED]>
(sent to ope
igned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -uprN openssl-SNAP-20070610.orig/util/ssleay.num
openssl-SNAP-20070610/util/ssleay.num
--- openssl-SNAP-20070610.orig/util/ssleay.num 2006-11-30 06:01:18.0
-0800
+++ openssl-SNAP-20070610/util/ssleay.num 2007-
ntation is desired, it would probably be a
combination of adding the PAC-Opaque extension (a.k.a. SessionTicket TLS
extension) and taking care of a callback for fetching pre-shared secret
for session resumption.
--
Jouni Malinen
using
draft-salowey-tls-ticket-07.txt. Has anyone taken a look at that and are
there plans on adding support for it in 0.9.9-dev? The patch mentioned
above includes at least the parts of this that are needed for peer side
implementation of EAP-FAST. tls-ticket draft may include somewhat more
generi
to contribute to OpenSSL. If you are
outside US, it looks like the only missing part would be in adding
string "[PATCH]" to the subject line when sending the patch to this
mailing list.
--
Jouni Malinen PGP id EFC895FA
diff -uprN openssl-0.9.8
s. The attached patch is a combination of your separate
t1_ext.c file and the other changes with the small modifications
mentioned above. This is against OpenSSL 0.9.8 beta 6.
--
Jouni Malinen PGP id EFC895FA
diff -uprN openssl-0.9.8-beta6.orig/include/o
just changed number of functions to skip certificate
request and validation during the handshake. This is clearly not
suitable to be applied as-is, but I hope it would be enough to generate
some comments on how this should be done correctly.
--
Jouni Ma