Re: [openssl-dev] please make clear on website that 1.1.0e is Development release, not GA / Production release

On 21.03.2017 01:13, Jason Vas Dias wrote: On 20/03/2017, Kurt Roeckx wrote: The latest ntp release is 4.2.8p9 which should just work with openssl 1.1.0. (I have no idea why they don't list it on their download page now, or why the development version is so old.) No, the latest version is 4

Re: The Future of OpenSSL

Am 23.04.2014 19:30, schrieb Hanno Böck: Hi, For lack of a better name I chose this subject. I have the feeling I need to ask some questions here, because I - as probably many others out there - would like to contribute in making a better openssl. Just to recap a few things that happened: * Kur

Re: OpenSSL should disable or remove heartbeat

Am 15.04.2014 14:35, schrieb Michael Tuexen: On 15 Apr 2014, at 14:26, Fedor Indutny wrote: Hello Hanno! Despite not a being an active community member, I'd like to share my thoughts on it, if you don't mind. I certainly agree that this extension has a quite faulty specification and very q

Re: ssleay PRNG entropy

Am 23.10.2013 18:49, schrieb Fedor Indutny: Hello Richard, Yes, I see what this comment means. But what's the difference between RAND_bytes() and RAND_pseudo_bytes() then? They seems to be using exactly the same amount of entropy and can't ever fail or return `0` (meaning that data is insecure).

Re: ssleay PRNG entropy

Am 21.10.2013 13:09, schrieb Fedor Indutny: Hello devs! I just found that its impossible to get error from `RAND_bytes()` if running on default `RAND_SSLeay()` method. There're a couple of reasons and observations, that are confirming it (sorry for using github, its just more convenient to me):

Re: SSL session resumption and server certificate validation

Am 02.07.2013 14:17, schrieb Ivan Zhakov: Hi, Currently OpenSSL doesn't re-validate server certificate if existing SSL session is reused using SSL_set_session(). Server certificate chain also is not stored in SSL session. Is it intentional behavior or just not implemented feature/bug? It would

Re: Detecting MITM attacks automatically - hard, but not impossible

Am 28.02.2013 18:15, schrieb Salz, Rich: *The* John Nagle? Comparing his mail address with the content of http://lambda-the-ultimate.org/user/12742 seems to answer the question with "Yes" ;-). Best regards, Richard __ OpenS

Re: openssl 1.0.1 and rumors about TLS 1.0 attacks

Am 20.09.2011 22:31, schrieb Hanno Böck: Am Tue, 20 Sep 2011 20:37:35 +0200 schrieb Richard Könning: Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2. You then see that the problem is already addressed in OpenSSL 0.9.6d, over seven years ago. See also http

Re: openssl 1.0.1 and rumors about TLS 1.0 attacks

ection 6, subsection "OpenSSL and the Empty Message". Ciao, Richard Könning __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Auto