https://github.com/openssl/openssl/pull/495
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-
1.0.1k 8 Jan 2015
>
>
> dpkg -l openssl
>> ii openssl 1.0.1k-3+deb8u1amd64 Secure
>> Sockets Layer toolkit - cryptographic utility
>
> tried also to compile the newest one from openssl.org and u
X509_FLAG_NO_SIGNAME))
{
- if(X509_signature_print(bp, x-sig_alg, NULL) = 0)
+ if(X509_signature_print(bp, ci-signature, NULL) = 0)
goto err;
#if 0
if (BIO_printf(bp,%8sSignature Algorithm: ,) = 0)
--
Rob Stradling
Senior
to bridge the cert included on the
'-issuer' flag with a single root specified on the '-CA' flag. (It currently
does not.)
-cem
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL
This can presumably be resolved as fixed, given the commit on #2626 just
now.
On 29/09/10 20:54, Rob Stradling via RT wrote:
NIST (SP800-57 Part 1) recommends a minimum RSA key size of 2048-bits beyond
2010. From January 1st 2011, in order to comply with the current Microsoft[1]
and Mozilla[2
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
:!SSLv2
I wonder how many of these ciphers are actually ever negotiated in
real-world use.
The padding extension is only used if the ClientHello would be between 256 and
511 bytes in length so if you reduce the number of ciphersuites it wont be
used.
--
Rob Stradling
Senior Research Development
certificates, one with an RSA key and
one with an ECC key).
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project http://www.openssl.org
]clear_chain_certs() - clear the current certificate's chain.
The patch also adds these functions to, and fixes some existing errors
in, SSL_CTX_add1_chain_cert.pod.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
diff --git a/doc/ssl
On 06/11/13 17:27, Dr. Stephen Henson wrote:
On Wed, Nov 06, 2013, Rob Stradling wrote:
These 2 #defines exist for SSL_CTX-extra_certs:
SSL_CTX_add_extra_chain_cert
SSL_CTX_get_extra_chain_certs
SSL_CTX_clear_extra_chain_certs
In 1.0.2-dev, the #defines
or
not that would be better than the first option.
Any preference?
Thanks.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project http
?
Or, is SSL_CTX_set_ecdh_auto(ctx, 1); the only supported way of doing
it in 1_0_2?
Thanks.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project http
On 14/06/13 14:16, Ben Laurie wrote:
On 14 June 2013 14:08, Rob Stradling rob.stradl...@comodo.com wrote:
snip
Apparently the ECDHE-ECDSA bug is in SecureTransport, which is an integral
component of OSX.
https://developer.apple.com/library/mac/#documentation/security/Reference
used to be set in
SSL_OP_ALL, and has previously been used for at least 2 other purposes!
http://cvs.openssl.org/chngview?cn=18974
http://cvs.openssl.org/chngview?cn=22501
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
and easy to install.
No server administrator will want to deploy ECDHE-ECDSA if it means
breaking compatibility with even a small fraction of deployed browsers.
Hence why this patch is, unfortunately, necessary.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust
On 14/06/13 10:20, Ben Laurie wrote:
On 14 June 2013 09:39, Rob Stradling rob.stradl...@comodo.com wrote:
On 13/06/13 17:39, Ben Laurie wrote:
...and don't intend to fix their broken ECDSA support in Safari.
Ben, you've got your wires a bit crossed there.
The ECDHE-ECDSA ciphersuites
On 14/06/13 12:31, Ben Laurie wrote:
On 14 June 2013 12:25, Rob Stradling rob.stradl...@comodo.com wrote:
snip
Ah, so you're criticizing Apple for not being willing to force all OSX
10.8.x users to update to 10.8.4.
No.
If OSX 10.8.x has a mechanism that allows Apple to force updates
On 14/06/13 13:58, Ben Laurie wrote:
On 14 June 2013 13:57, Rob Stradling rob.stradl...@comodo.com wrote:
snip
Safari's User-Agent string reveals the OSX version that it is running on. A
few weeks ago I analyzed some webserver logs to get an idea of historical
OSX update rates. Based
What do people think?
No keep the patch.
I think you misunderstood what Ben meant by pull.
See man git-pull
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project
of the existing *ancient* flags. Does
anyone really care about compatibility with a bug in SSLeay 0.80 for example?
I'd wondered about that. If you're happy to reallocate one of the
ancient flags, please do!
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Safari versions a few years from now.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7ad8a54..fff73eb 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3076,7 +3076,10 @@ void ssl3_clear(SSL *s)
OPENSSL_free(s
On 21/09/12 15:38, Rob Stradling via RT wrote:
On 21/09/12 15:12, Rob Stradling via RT wrote:
On 21/09/12 15:04, Stephen Henson via RT wrote:
snip
Easiest solution is to also backport ssl_get_server_send_pkey see:
http://cvs.openssl.org/chngview?cn=22840
I didn't think of that. Thanks
:02:54 2012]:
Attached are patches for 1.0.0 and 0.9.8.
Note, I updated the original change to retain compatibility with
existing behaviour as far as possible. See:
http://cvs.openssl.org/chngview?cn=22808
Steve.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust
I didn't think of that. Thanks!
I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or
Ben get there first).
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL
On 21/09/12 15:12, Rob Stradling via RT wrote:
On 21/09/12 15:04, Stephen Henson via RT wrote:
snip
Easiest solution is to also backport ssl_get_server_send_pkey see:
http://cvs.openssl.org/chngview?cn=22840
I didn't think of that. Thanks!
I'll prepare patches to backport 22840 to 1.0.0
Attached are patches for 1.0.0 and 0.9.8.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26
:54 2012]:
Attached are patches for 1.0.0 and 0.9.8.
Note, I updated the original change to retain compatibility with
existing behaviour as far as possible. See:
http://cvs.openssl.org/chngview?cn=22808
Steve.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating
of that. Thanks!
I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or
Ben get there first).
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project
On 21/09/12 15:12, Rob Stradling via RT wrote:
On 21/09/12 15:04, Stephen Henson via RT wrote:
snip
Easiest solution is to also backport ssl_get_server_send_pkey see:
http://cvs.openssl.org/chngview?cn=22840
I didn't think of that. Thanks!
I'll prepare patches to backport 22840 to 1.0.0
On 07/09/12 11:51, Rob Stradling wrote:
Attached is an updated patch for CVS HEAD, plus a patch for the 1.0.2
branch.
Are you still accepting patches for 1.0.1?
Attached is a patch for 1.0.1.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Index: ssl
Attached is an updated patch for CVS HEAD, plus a patch for the 1.0.2
branch.
Are you still accepting patches for 1.0.1?
Any chance of reviewing these patches soon?
Thanks.
On 19/06/12 21:15, Rob Stradling via RT wrote:
The OCSP Stapling Callback function (s-ctx-tlsext_status_cb) is called
to be in the function's last if
statement: if (sign_nid hash_nid)
I suggest:
- int sign_nid, hash_nid;
+ int sign_nid, hash_nid = 0;
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project
On 18/06/12 11:40, Rob Stradling wrote:
On 16/06/12 23:31, Dr. Stephen Henson wrote:
snip
Is there a way to patch httpd so that it can work around the
limitations in the OpenSSL API and always send the correct OCSP
Response?
Possible changes to OpenSSL:
Should the Stapling Callback function
with an installation of httpd 2.4.2
that has both an RSA cert and an ECC cert configured.
If this patch is OK, I'd like to backport it to the OpenSSL 1.0.x branch
as well.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Index: ssl/s3_srvr.c
without breaking binary compatibility.
See if adding:
c-key = c-pkeys + i;
to ssl_get_server_send_cert fixes this.
Which it wont because the status callback is called too soon as you noted.
Would moving the status callback to a sufficiently later point in the
handshake work?
--
Rob
.
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
majord...@openssl.org
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange
.
RFC 2560 defines OCSP, but not OCSP Stapling.
OCSP Stapling is the popular term for the Certificate Status Request TLS
Extension defined most recently by RFC 6066 (previous versions: RFC 4366, RFC
3546).
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
sizes smaller than 2048 bits. All CAs
should stop issuing intermediate and end-entity certificates with RSA key size
smaller than 2048 bits under any root.
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
openssl-us...@openssl.org
Automated List Manager majord...@openssl.org
Rob Stradling
Senior Research Development Scientist
C·O·M·O·D·O - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
Comodo CA
40 matches
Mail list logo
