[openssl-dev] [openssl.org #3816] Call of memcmp with null pointers in obj_cmp()

Patch applied. Many thanks. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl-users] Kerberos

On 08/05/15 09:40, Matt Caswell wrote: > > > On 08/05/15 02:28, Jeffrey Altman wrote: > >> Regardless, the inability to improve the support in this area has left >> the those organizations that rely upon 2712 with the choice of use >> insecure protocols or re-imp

[openssl-dev] [openssl.org #2958] Bug report: dtls handshake loops after 'certificate verify' packet loss

This has been fixed in commit a0bd649336 on master, and similar commits for 1.0.2 and 1.0.1. Many thanks for your report. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3847] [PATCH] Fix the heap corruption in libeay32!OBJ_add_object

Patch applied in commit 56d88027f026afd97ddf4e501f98437ca9819bfb. Many thanks. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3840] [PATCH] Add missing NULL check in X509V3_parse_list()

Patch applied. Many thanks. Closing ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3842] [PATCH] Add missing terminating NULL to speed_options table

Patch applied. Many thanks. Closing ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3818] [BUG] dovecot imap-login segfault when running nmap -sV

This patch has now been applied to the main repo, so closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl-users] Kerberos

On 08/05/15 02:28, Jeffrey Altman wrote: > Regardless, the inability to improve the support in this area has left > the those organizations that rely upon 2712 with the choice of use > insecure protocols or re-implement the applications. I do not believe > that any sane OS or application vendor

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

Closing this ticket now. I've given some consideration to the proposal for a DTLSv0_9_client_method(). I think however that the audience for this is *very* limited...certainly no new applications should be using this. I am sincerely hoping that sooner or later the whole DTLS1_BAD_VER thing will dis

[openssl-dev] [openssl.org #3662] [bug report]DTLS memory leak in dtls1_accept when use PSK in opensll 1.0.1j

Please see: https://www.openssl.org/support/faq.html#PROG13 Also see RT ticket 3824. Closing this ticket as 3824 seems the better place to track this issue. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope

[openssl-dev] [openssl.org #2246] dtls1.h includes winsock.h, overriding the #undefs from ossl_typ.h on Windows

I don't believe the specific compilation problems described are a current issue. dtls1.h does still include winsock.h as previously discussed on openssl-dev (re ticket 2187). This has been removed from the forthcoming OpenSSL 1.1.0. Closing this ticket. Matt __

[openssl-dev] [openssl.org #2869] [PATCH] DTLS Mobility support

Thanks for your submission. In the absence of an RFC for this, we will not be applying this patch. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2829] OpenSSL port in FreeBSD: DTLS networking problem

I would be interested in seeing patches against master to provide this capability on platforms other than Linux. In particular Windows would be very useful. However, given the length of time this issue has been open, and the absence of a patch, I am closing this ticket for now. Matt _

[openssl-dev] [openssl.org #2809] [PATCH] DTLS/SCTP struct authchunks Bug

This patch seems to have already been applied. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2808] [PATCH] DTLS/SCTP Finished Auth Bug

This patch already seems to have been applied. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2535] [PATCH] Add SCTP support for DTLS (RFC 6083)

SCTP support was added, but this ticket doesn't seem to have been closed. Closing it now. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2484] [PATCH] DTLS: wrong fragment reassembly

I don't believe this is a current issue. Please reopen if it is. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #1716] Bug report for DTLS

I believe this was fixed some while ago. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #1714] DTLS: Memory leak when server receives close alert from unknown peer

This was fixed some while ago. Closing ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #1711] DTLS: Handshake does not detect missing/incomplete records in flight.

I don't believe this is an issue any more. Therefore I am closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2539] bug: OpenSSL 1.0.0d - unexpected DTLS handshake retransmits

I am unable to read the attached pcap for some reason. However the suggested patch does not look correct to me. The timer should be started at this point in order to retransmit the Client's Finished message if required. Without access to the pcap there isn't enough information in this report for me

[openssl-dev] [openssl.org #2662] NPN patch breaks DTLS Finished exchange

Don't know when this was fixed but this is no longer the case. Closing ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #1715] DTLS: Finished message is not buffered for retransmition

Don't know when this was fixed - but this is no longer the case. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3008] Possible bug when using DTLS with a BIO pair

The MTU logic has been extensively revised since this ticket was raised so I am assuming this is no longer an issue. If that's not the case please reopen this ticket. Closing. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/ma

[openssl-dev] [openssl.org #3487] Possible Bug: Crash in dtls1_do_write

Not enough information in this ticket to track down the problem. I'm assuming that by now you've resolved this issue. If not please send further details to the openssl-users mailing list. Closing this ticket. Matt ___ openssl-dev mailing list To unsubsc

[openssl-dev] [openssl.org #3041] [Bug] DTLS message_sequence number wrong in rehandshake ServerHello

Looks like this patch was applied some time ago in commit 83a3af9f4e61170afad6f79f161fad8245ae1f95. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3109] [openssl.org #3041[PATCH] DTLS message_sequence number wrong in rehandshake ServerHello

This ticket was opened in error. Closing. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #1709] DTLS BUG: retransmition of handshake messages does not work

I don't believe this is the case any more. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3835] [PATCH] Initialize potentially uninitialized local variables

Patch applied. Thanks. Note that actually all of these are bogus warnings. In none of the instances fixed was there an actual code path which resulted in an uninitialised variable being used - it's just that the compiler was unable to figure that out and so issues spurious warnings. Matt ___

Re: [openssl-dev] Kerberos

On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote: > What are the problems? The code as it exists today is not compiled by default. I recently fixed a set of issues in master that had not been spotted simply because the code is not regularly compiled and used. One possible solution to that

[openssl-dev] Kerberos

I am considering removing Kerberos support from OpenSSL 1.1.0. There are a number of problems with the functionality as it stands, and it seems to me to be a very rarely used feature. I'm interested in hearing any opinions on this (either for or against). Thanks in advance for your input, Matt __

[openssl-dev] [openssl.org #2839] [PATCH] Support DTLS compatibility with DTLS1_BAD_VER client

Thanks for the patch, but (as you might have guessed by now!) we will not be adding this capability. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3793] rec_layer_s3.c and `if (&s->rlayer.read_ahead && !SSL_IS_DTLS(s))`

I fixed this a few weeks ago in commit 4118dfdcc8, but forgot to close the ticket. Closing now. Thanks for the report. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3818] [BUG] dovecot imap-login segfault when running nmap -sV

he patch simply ensures that any subsequent attempt to use the SSL object will immediately return with an error. Let me know how you get on. Matt >From 3296c9fc237954cdad1cb1d9699ef2bee85c3da6 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 23 Apr 2015 20:01:33 +0100 Subject: [PATCH]

[openssl-dev] [openssl.org #3786] [PATCH] Check return value of CRYPTO_malloc

Patch applied. Many thanks. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Fwd: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)

trouble this is causing, am I safe to do so in this situation? I can't foresee any problems with doing that. Obviously though we only support official releases. Matt > > Thanks, > > Dominyk > > Sent from OS X. If you wish to communicate more securely my PGP > Public K

Re: [openssl-dev] Fwd: OpenSSL fails to connect to Google on OS X 10.10.3 (Bug Report)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 18/04/15 14:30, Dominyk Tiller wrote: > Apologies. Either I'm an idiot or autocorrect is feeling amusing > today. I meant https://gist.github.com/DomT4/f86618bdfe2f27c8d66a > rather than https://gist.github.cok/DomT4/f86618bdfe2f27c8d66a. > > Sen

Re: [openssl-dev] Missing API features

On 20/04/15 21:34, Richard Moore wrote: > > > On 20 April 2015 at 21:25, Salz, Rich > wrote: > > What is the information you’re looking for? “kx=X25519” or > kx=”2KRSA” or … ? I picked those because sometimes there’s a > keysize, and other times it’s imp

Re: [openssl-dev] Patch for CRL-Times in "openssl ca"

On 15/04/15 17:57, Felix Dörre wrote: > Hi, > > I'd like to specify the start and end times for the CRLs generated with > "openssl ca". I prepared a patch and created a Github Pull-Request > (https://github.com/openssl/openssl/pull/258). Is there anything else, I > can do to help that this chang

[openssl-dev] [openssl.org #3803] s_server with ECDHE fails

Hi Yuval This is a known issue that has already been fixed in git and will be in the next release. Regards Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Hello, OpenSSL!

On 13/04/15 19:20, Andrejs Igumenovs wrote: > Dear DevTeam, > > I am willing to contribute to The OpenSSL Project. > How and where do I start? Here is a good place: https://wiki.openssl.org/index.php/Main_Page#Feedback_and_Contributions Matt ___ ope

[openssl-dev] [openssl.org #3658] Memory leak in dtls1_send_server_certificate dtls1_buffer_message

Off list discussions have identified that this issue was due to user code incorrectly re-calling DTLSv1_listen after it has already successfully returned. Therefore closing this issue. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openss

[openssl-dev] [openssl.org #3768] [BUG] using s_server with ECDHE-RSA is broken on OpenSSL 1.0.1m

Fixed, thanks to a patch supplied by John Foley. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Merging Gentoo patches on OpenSSL

On 01/04/15 18:32, Hanno Böck wrote: > Hello, > > The Gentoo package for OpenSSL currently has a number of patches. > The last OpenSSL 1.0.2a update took a bit longer due to that - > patches had to be adjusted first. How many patches are you talking about? > > I think most (if not all) of the

[openssl-dev] [openssl.org #3775] BUG REPORT: misspelled UNKOWN in the source code

On Tue Mar 31 18:51:49 2015, apev...@hp.com wrote: > Hi! > > This is no impact but it would be nice to have UNKNOWN spelled right. Thank > you! > > /home/pevnev/tmp/openssl-1.0.2a/crypto/asn1 > > [pevnev@blessed03 asn1]$ grep UNKOWN * > > asn1_err.c: {ERR_REASON(ASN1_R_UNKOWN_FORMAT), "unknown form

Re: [openssl-dev] Reminder: OpenSSL's EC private key encoding is broken

On 25/03/15 23:40, Douglas E Engert wrote: > > The attached patch against https://github.com/openssl/openssl > makes sure the EC private key in an OCTETSTRING retains leading zeros > when converting from BIGNUM to OCTETSTRING. > Thanks for the patch. This has been applied. Matt _

[openssl-dev] [openssl.org #3758] [PATCH] fix malloc define typo

Patch applied. Many thanks. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

On 03/03/15 15:14, David Woodhouse wrote: > On Tue, 2015-03-03 at 14:43 +0000, Matt Caswell wrote: >> >> On 03/03/15 14:28, David Woodhouse wrote: >>> On Tue, 2015-03-03 at 12:00 +, Matt Caswell wrote: >>>> >>>>> I'll look at adding

Re: [openssl-dev] Forthcoming OpenSSL releases

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 16/03/15 19:05, Matt Caswell wrote: > > Forthcoming OpenSSL releases > > The OpenSSL project team would like to announce the forthcoming > release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.

[openssl-dev] Forthcoming OpenSSL releases

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. These releases will be made available on 19th March. They will

[openssl-dev] [openssl.org #3751] Undefined behavior invoked in aes_core.c

On Mon Mar 16 15:21:24 2015, bernd.edlin...@softing.com wrote: > Hi, > > This gets reported by GCC-5.0.0 with -fsanitize=undefined in OpenSSL > 1.0.0m 5 Jun 2014: > > aes_core.c:1144:30: runtime error: left shift of 136 by 24 places > cannot be represented in type 'int' > aes_core.c:1151:30: runtim

Re: [openssl-dev] [openssl.org #3621] Support legacy CA removal, ignore unnecessary intermediate CAs in SSL/TLS handshake by default

On 16/03/15 09:45, Kai Engert via RT wrote: > Thank you very much for your work on this issue! > In my testing so far, it works as requested. > > I noticed the code changes in x509_vfy.c apply fine on top of the 1.0.2 > stable branch, and the test suite succeeeds. > > Will you consider to add t

Re: [openssl-dev] Suspicious crash in 1.0.2

On 13/03/15 20:57, Erik Forsberg wrote: > Hi, Matt. > I have not seen this committed to master or 1.0.2 yet ? > Another person complained about it too, so its probably > good idea to get it checked in. > > Patch works fine for all my use cases. Hi Erik, Don't worry - I've not forgotten about i

Re: [openssl-dev] Fwd: DTLS handshake not getting completed

On 09/03/15 16:38, Kannamraju P wrote: > I am using openssl-1.0.1h . Please can you try the git HEAD (OpenSSL_1_0_1-stable) and let me know if you still have the same issue. There have been quite a few DTLS fixes that have gone in since 1.0.1h. Thanks Matt ___

Re: [openssl-dev] Fwd: DTLS handshake not getting completed

On 09/03/15 15:17, Kannamraju P wrote: > Hi Matt, > > I already have SSL_CTX_set_read_ahead(ctx, 1); set , still running > into the same > issue.Any idea what could be the issue. Hmwhat version of OpenSSL are you using? Do you still get this if you use the git HEAD version? Matt ___

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

Fixed in this commit: https://github.com/openssl/openssl/commit/f7683aaf36341dc65672ac2ccdbfd4a232e3626d Thanks for the patch. I'm leaving this ticket open for now to consider the DTLS 0.9 method stuff (which I would look at from a master only, point of view). Matt

[openssl-dev] [openssl.org #3703] 1.0.2 regression with Cisco DTLS_BAD_VER

Fixed in this commit: https://github.com/openssl/openssl/commit/5178a16c4375471d25e1f5ef5de46febb62a5529 Closing ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Fwd: DTLS handshake not getting completed

On 08/03/15 04:04, Kannamraju P wrote: > -- Forwarded message -- > From: "Kannamraju P" mailto:pkannamr...@gmail.com>> > Date: Mar 6, 2015 12:44 AM > Subject: DTLS handshake not getting completed > To: mailto:openssl-us...@openssl.org>> > Cc: > > Hi All, > > I am testing out a

[openssl-dev] [openssl.org #3711] [RFC PATCH] 1.0.2 regresssion: Wrong SSL version in DTLS_BAD_VER ClientHello

As with #3703, patch is still in review - I will chase. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3703] 1.0.2 regression with Cisco DTLS_BAD_VER

Patch for this is still going through review at the moment. I'll chase it. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3730] openssl 1.0.2 compile failure with OPENSSL_FIPS

On Fri Mar 06 16:02:37 2015, duane.bron...@riverbed.com wrote: > Openssl guys, > > It looks like an accidental * slipped into *pcurveslen in > ssl/t1_lib.c. This patch fixes it and also a warning, but I still get > an installed but unpackaged error that could be my fault. Still > investigating. Hi

[openssl-dev] [openssl.org #3728] Question: does "sslv3" in log mean we're using SSLv3?

On Thu Mar 05 17:42:49 2015, richard.c.pater...@sas.com wrote: > Apologies if this is the incorrect forum for this question. > > We’re > seeing error messages like SSL3_READ_BYTES and > SSL3_GET_SERVER_CERTIFICATE for some reason; > > - > SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > -

[openssl-dev] [openssl.org #3725] [PATCH] Use warning/fatal constants instead of numbers with comments

Patch applied. Many thanks. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3726] Cocoapods install BUG

This was due to a temporary issue on the openssl website. Should all be fixed so closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

On 03/03/15 16:37, Nikos Mavrogiannopoulos wrote: > On Tue, 2015-03-03 at 15:33 +0000, Matt Caswell wrote: > >> 2) The killer: the gnutls licence is incompatible with the OpenSSL >> licence ... I don't think (?) that causes a problem if we're just >> ex

Re: [openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

On 03/03/15 15:14, David Woodhouse wrote: > On Tue, 2015-03-03 at 14:43 +0000, Matt Caswell wrote: >> >> On 03/03/15 14:28, David Woodhouse wrote: >>> On Tue, 2015-03-03 at 12:00 +, Matt Caswell wrote: >>>> >>>>> I'll look at adding

Re: [openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

On 03/03/15 15:03, Nikos Mavrogiannopoulos wrote: > On Tue, 2015-03-03 at 14:43 +0000, Matt Caswell wrote: > >>> It's the wrong thing to test against *anyway* since there are plenty of >>> failure modes in which a regression could be introduced in generic code

Re: [openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

On 03/03/15 14:28, David Woodhouse wrote: > On Tue, 2015-03-03 at 12:00 +0000, Matt Caswell wrote: >> >>> I'll look at adding test cases to exercise the DTLS_BAD_VER support, >> to >>> try to avoid this kind of thing happening in future. >>> >&

Re: [openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

On 03/03/15 11:36, David Woodhouse wrote: > On Tue, 2015-03-03 at 08:58 +0000, Matt Caswell wrote: >> Fixes for #3703 and #3711 are currently going through the review >> process so should be in soon hopefully. > > Thanks. Should I have known that? I've been monitori

Re: [openssl-dev] DTLS_BAD_VER regression fixes for 1.0.2 and HEAD

On 03/03/15 08:18, David Woodhouse wrote: > On Mon, 2015-02-23 at 14:34 +, David Woodhouse wrote: >> I have created pull requests on Github for HEAD and 1.0.2: >> https://github.com/openssl/openssl/pull/228 (master) >> https://github.com/openssl/openssl/pull/229 (OpenSSL_1_0_2-stable) >> >> T

Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG

On 02/03/15 17:50, Jeremy Farrell wrote: > And the table linking to the latest releases on > https://www.openssl.org/source/ is empty. > > On 02/03/2015 17:27, Erwann Abalea wrote: >> It seems all the tarballs have disappeared. > >> Le 02/03/2015 18:06, Alex Sklyar via RT a écrit : >> Hello guy

Re: [openssl-dev] Suspicious crash in 1.0.2

On 02/03/15 01:54, Erik Forsberg wrote: > This patch fixes the issue. > I had a similar fix, but yours is more complete. > Thanks. > > Another thought. As I looked at this multiblock code I realize it > will have some impact on memory usage. Thinking it might be good > to have an option to disab

Re: [openssl-dev] Suspicious crash in 1.0.2

On 28/02/15 06:53, Erik Forsberg wrote: > Hi. > I seem to have run into a really hard to pin down issue in > OpenSSL 1.0.2. Normally, it simply causes an EFAULT during > a write syscall, which makes me close the connection, but > to investigate, I added a core dump at that time. This is what I se

[openssl-dev] [openssl.org #3704] OpenSSL HEAD breaks OpenConnect VPN client

Hi David, I've just pushed a slightly amended version of this patch to master/1.0.2/1.0.1. Closing this ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3719] Bug report: Documentation for -no_explicit option of "openssl ocsp" missing

Steve has added documentation for this. Closing ticket. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3718] Broken NAME header in doc/crypto/d2i_ECPKParameters.pod (master and 1.0.2)

Patch applied. Many thanks. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2634] Cross-signed certs rejected by OpenSSL because root cert not base of chain

On 25/02/15 13:18, Matt Caswell wrote: > This is not a bug as such in OpenSSL but an addition to the existing > verify algorithm. As such this won't be backported to released versions > (which only receive bug fixes). It will however be in OpenSSL 1.1.0. I should add that Open

[openssl-dev] [openssl.org #2634] Fail to verify server with a trusted CA root in the middle of the chain

Closing this ticket, as per my previous comments. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2634] Cross-signed certs rejected by OpenSSL because root cert not base of chain

On 24/02/15 21:28, na...@sitetruth.com via RT wrote: > This is an old bug from 2011, generated originally by someone who put a > self-signed cert in their cert chain. Until now, it's been ignored. > It's become a big problem now that Verisign cross-signed one of their > major root certs (VeriSig

Re: [openssl-dev] [openssl.org #2634] Cross-signed certs rejected by OpenSSL because root cert not base of chain

On 24/02/15 21:28, na...@sitetruth.com via RT wrote: > This is an old bug from 2011, generated originally by someone who put a > self-signed cert in their cert chain. Until now, it's been ignored. > It's become a big problem now that Verisign cross-signed one of their > major root certs (VeriSig

[openssl-dev] [openssl.org #3637] [PATCH] x509: skip certs if in alternative cert chain

The patch I mentioned previously has now been applied to master in the following commits: da084a5ec6 15dba5be6a 25690b7f5f fa7b01115b The behaviour is now that openssl will attempt to build a trust chain as it did previously. If that fails, it will then look to see if there is an alternative chai

[openssl-dev] [openssl.org #3621] Support legacy CA removal, ignore unnecessary intermediate CAs in SSL/TLS handshake by default

Please see the following commits to master in relation to this issue: da084a5ec6 15dba5be6a 25690b7f5f fa7b01115b The behaviour is now that openssl will attempt to build a trust chain as it did previously. If that fails, it will then look to see if there is an alternative chain that can be constr

[openssl-dev] [openssl.org #3714] OpenSSL 1.0.2 "make test" bus error in evp_test (Solaris 10 Sparc, sun4u)

On Tue Feb 24 12:20:20 2015, dw...@infradead.org wrote: > On Mon, 2015-02-23 at 23:20 +0100, Matt Caswell via RT wrote: > > Thanks Rainer. > > > > Closing this as a gcc bug. > > Such a statement should always be associated with a *link* to the > relevant bug, in thi

[openssl-dev] [openssl.org #3714] OpenSSL 1.0.2 "make test" bus error in evp_test (Solaris 10 Sparc, sun4u)

Thanks Rainer. Closing this as a gcc bug. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] OpenSSL HEAD breaks OpenConnect VPN client

On 16/02/15 17:33, David Woodhouse wrote: > On Mon, 2015-02-16 at 13:25 +0000, Matt Caswell wrote: >> That sounds like a bug. I can't think of a reason why this should >> exclude DTLS. > > This fixes it to work with DTLS1_BAD_VER too: > > diff --git a/ssl/ssl

Re: [openssl-dev] OpenSSL HEAD breaks OpenConnect VPN client

On 16/02/15 12:45, David Woodhouse wrote: > The Cisco AnyConnect VPN protocol establishes a connection over HTTPS > and negotiates parameters (cipher, master secret & session ID) for a > DTLS connection which is then "resumed". > > The OpenConnect VPN client handles this by using SSL_SESSION_new

[openssl-dev] Code Reformat blog post

I have posted a new blog article covering the recent reformat activity: https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/ It's basically a review of what we did, how we did it and the problems we encountered. It also discusses the various tags that we've created in the repo, and

Re: [openssl-dev] The evolution of the 'master' branch

On 07/02/15 14:41, Richard Moore wrote: > > > On 3 February 2015 at 22:02, Rich Salz > wrote: > > As we've already said, we are moving to making most OpenSSL data > structures opaque. We deliberately used a non-specific term. :) > As of Matt's commit of t

Re: [openssl-dev] Submitting new bugs to rt via mail broken?

On 10/02/15 19:23, Rainer Jung wrote: > Hello everyone, > > I sent a mail to r...@openssl.org 3 days ago, subject "OpenSSL 1.0.2 "make > test" bus error in evp_test (Solaris 10 Sparc, sun4u)". > > The mail didn't create a new ticket in RT, nor was it forwarded to the > dev list. > > Should I r

[openssl-dev] [openssl.org #3692] OpenSSL bug(s) && patch

On Tue Feb 10 14:44:18 2015, cristifa...@gmail.com wrote: > Version: 1.0.2 > Platform: Windows x86 (VC-WIN32) > Compiled with: openssl-fips-2.0.5 > > Hi all, > I browsed the open bug list for a little while, but i didn't find > this. This was raised in ticket 3673 and fixed by this commit: 6fa805f

Re: [openssl-dev] ms\version32.rc(47) : fatal error RC1004: unexpected end of file found

On 04/02/15 21:34, John Foley wrote: > Is anyone seeing the following error when building master on Windows? > > ms\version32.rc(47) : fatal error RC1004: unexpected end of file found > > NMAKE : fatal error U1077: '"C:\Program Files (x86)\Windows > Kits\8.1\bin\x86\rc.EXE"' : return code '0x1

Re: [openssl-dev] The evolution of the 'master' branch

On 04/02/15 06:51, Timo Teras wrote: > On Tue, 3 Feb 2015 17:02:31 -0500 > Rich Salz wrote: > >> As we've already said, we are moving to making most OpenSSL data >> structures opaque. We deliberately used a non-specific term. :) >> As of Matt's commit of the other day, this is starting to happe

Re: [openssl-dev] Windows build broken?

On 28/01/15 14:23, John Foley wrote: > Thanks for fixing this. Windows is now building on 1_0_1-stable. > Having said that, you inspired me to add another job on my jenkins > server to to a sanity build on master for Windows. I'm seeing the > following error when trying to build on master usin

Re: [openssl-dev] [PATCH] Export ASN1 templates for DH and ECDH groups

Please submit patches to r...@openssl.org. Matt On 27/01/15 16:15, Dr. Matthias St. Pierre wrote: > From: "Dr. Matthias St. Pierre" > > Add missing forward declarations and export declarations for DHparams > and EC[PK]PARAMETERS. > > Add public functions to convert between EC_GROUP objects and

[openssl-dev] [openssl.org #3637] [PATCH] x509: skip certs if in alternative cert chain

On Thu Dec 18 15:31:48 2014, fe...@indutny.com wrote: > In situations like [0] the server may provide alternative certificate > chain, which is no longer valid in the current certificate store. In > fact the issuer of the leaf (or some intermediate) cert is known and > trusted, but the alternative

Re: [openssl-dev] Is X509_V_FLAG_TRUSTED_FIRST safe to backport to 1.0.1

On 15/01/15 17:06, Fedor Indutny wrote: > Matt, > > Thank you for reply. > > May I ask you when do you think your patch may land in 1.0.2 or whatever? > > If this is something of your long term goals and not going to land > anywhere soon. Could you please tell me about issues in my patch (eith

[openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works

On Thu Jan 15 17:21:35 2015, matt wrote: > In response to your previous documentation question it is > (unfortunately) > undocumented. :-( > The best I can offer you is the source code: > int read_ahead; /* Read as many input bytes as possible * (for non- > blocking > reads) */ > With regards to yo

Re: [openssl-dev] OCB patent stuff

On 27/01/15 13:12, david.ll...@fsmail.net wrote: > > >> Why? We have an explicit licence enabling its use - so why shouldn't it >> be on? >> >> Matt > > > You do, but I don't, and other users of OpenSSL don't either. According to > my legal advice at least - your Lawyer may disagree. The l

Re: [openssl-dev] OCB patent stuff

On 27/01/15 12:02, david.ll...@fsmail.net wrote: > Hi, > > Quick note about this (or could you refer me to the discussion that I > missed). Although I have no problems with explicitly patented code being > included with OpenSSL, shouldn't the default for such code be "off" with an > explicit

Re: [openssl-dev] Compile 1.0.2 release in FIPS mode

On 26/01/15 13:18, Lars Lavén wrote: > Hi, > > I just tried to compile 1.0.2 in FIPS mode and unfortunately I get a > compilation error. The function tls1_get_curvelist in ssl/t1_lib.c (line > 437) still looks like it did in beta 3: Hi Lars, This is fixed already in git. Please see commit 6fa8

<    2   3   4   5   6   7   8   9   10   >