This is an enhancement request.
OpenSSL 1.1 hides details of structures used to load X.509 certificates,
in particular x509_lookup_method_st, x509_lookup_st and x509_object_st.
This impacts non-OpenSSL projects, as an external application has to
duplicate those structures.
Request is OpenSSL do
Stephen Henson via RT wrote:
> On Sat Jun 25 22:09:59 2016, open...@roumenpetrov.info wrote:
>> Above is reason the request to remove const from return argument of get0
>> methods.
> We had a discussion about this and the preference was to have get methods
> retain const for various reasons.
>
> In
Hello,
Recently declaration of a number of get0 methods was changed to return
constant values (BIGNUM).
Let me quote the description of an allocator "/ECDSA_SIG_new()/ allocates a
new *ECDSA_SIG* structure (note: this function also allocates the
BIGNUMs) and initialize it."
Now let's try to write
It is expected DH_free(DH_new()); to leak memory. Usually the XXX method
initializes "extra data".
The sample code is without code that clears the library; at least
CRYPTO_cleanup_all_ex_data is missing.
Roumen
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2363
Please log in as guest wit
Hi Rich,
Rich Salz via RT wrote:
> fixed in commit 985c3146967633707f7c165df82bb0fd8f279758 thanks for the
> report!
The line with header += 9 from the initial patch is missing.
Please could you review parsing with ENCRYPTED
Roumen
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4320
Ple
Hello,
Function argument is pointer to ENGINE - please find attached patch
Regards,
Roumen Petrov
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4312
Please log in as guest with password guest if prompted
>From 2f2e1f210ec3c8452ecd041604fd14071a4b59ca Mon Sep 17 00:00:00 2001
Fro
Rich Salz via RT wrote:
> we did everything we want to do, closing this.
What about removing the declarations of FIPS_mode and FIPS_mode_set?
Those functions could be used by external packages at configure time to
detect that fips is not supported at all.
Note 1.0.0 does not declare both functions.
R
In the 1.0.2 branch, commit 94c2f77a62be7079ab1893ab14b18a30157c4532 adds
functions to set the ECDSA_METHOD structure.
One of the functions is to set flags. Until now ECDSA flags are defined only
in a non-installed header.
1) "0003-move-some-ECDSA_METHOD-declarations-after-descriptio.patch"
First patch is cosm
Also patches for commands:
- pkey : "0017-pkey-cmd-restore-keys-from-engine.patch"
- req : "0018-req-cmd-restore-keys-from-engine.patch"
>From 0ea1c0b9b600977e93efed4545166ec4ae245bc9 Mon Sep 17 00:00:00 2001
From: Roumen Petrov
Date: Sat, 9 Jan 2016 14:52:14 +0200
Subject: [PATCH 17/19] pkey cmd
Salz, Rich via RT wrote:
> So you're saying just close this ticket?
>
No. My request is to restore flexible engine command line and optionally
help string.
I only disagree with proposed partial correction for command line.
___
openssl-dev mailing list
Salz, Rich via RT wrote:
> Tweaked, sigh.
> ; ./util/opensslwrap.sh engine - dynamic -pre
> engine: Cannot mix flags and engine names.
> engine: Use -help for summary.
> exit 1
>
If engine name cannot be at any position then please keep it as is. i.e.
at last position. In this ca
Salz, Rich via RT wrote:
> Please see this:
>
> https://github.com/openssl/openssl/compare/master...richsalz:rt4194?expand=1
>
It should fail with openssl engine - dynamic -pre
SO_PATH:/lib/libfoo.so
Help string looks good.
Roumen
___
Rich Salz via RT wrote:
> [SNIP]
> out = dup_bio_out(FORMAT_TEXT);
> - prog = opt_init(argc, argv, engine_options);
> if (!engines || !pre_cmds || !post_cmds)
> goto end;
> + while ((argv1 = argv[1]) != NULL && *argv1 != '-') {
> + sk_OPENSSL_STRING_push(engines, *argv1);
> + argc--;
> + argv++;
>
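Review bot: In the added `while` loop, `sk_OPENSSL_STRING_push(engines, *argv1)` passes `*argv1`, which is the first character of the argument rather than the string. The loop condition already dereferences `argv1` to compare it against '-', so `argv1` is the `char *` and the push should take `argv1` itself.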
Salz, Rich via RT wrote:
> I don't know that I would call it a regression, but rather a difference. :)
> I'll fix the summary but not the old uncommon behavior.
Unlike other commands engine is flexible and documented behaviour (see
previous post with quoted text).
As result in samples first is en
Hi,
Implementation of common option processing for OpenSSL commands broke
the ENGINE key format.
The patches attached to this email are only for tested commands.
1) dgst command (see 0003-dgst-cmd-restore-keys-from-engine.patch)
Key form is described as any but value type of input ('<') is too
res
Update patch sent to request tracker - without gap for CRYPTO_EX_INDEX
Salz, Rich wrote:
>> External cryptographic modules may store addition information to key.
>> What about to define CRYPTO_EX_DATA for ec keys?
> That is the plan -- we will remove EX_EX_DATA and the internal API and just
> us
Hello,
After removal of some global variables, double information is left in the
export file for non-existent functions.
For instance before:
X509_CERT_PAIR_it 3534
EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
X509_CERT_PAIR_it 3534
EXIST:EXPORT_VAR_AS_FUNCTION:FU
Hello,
OpenSSL engine command allows user to specify cryptographic module name
at any position.
For instance README.ENGINE recommends the following:
openssl engine dynamic \
-pre SO_PATH:/lib/libfoo.so \
The master branch (future 1.1) requires engine names to be specified
after all o
Hello,
In master branch structure X509_VERIFY_PARAM is declared as opaque.
For following attributes "get"-method is not defined:
- check_time : applicable if flag X509_V_FLAG_USE_CHECK_TIME is set
- inh_flags
- purpose
- trust
- policies: stack of opaque ASN1 objects
- id : opaque structure, may
Mike Frysinger via RT wrote:
> atm, the windres code in openssl is only usable via the cross-compile prefix
> option unlike all the other build tools. So add support for the standard $RC
> / $WINDRES env vars as well.
> ---
> [SNIP]
> else{
> s/^CC=.*$/CC= $cc/;
>
Rich Salz via RT wrote:
> SO_REUSEADDR is done.
It is not activated in ocsp.c.
The rest is fixed in 1.+
[SNIP]
__
OpenSSL Project http://www.openssl.org
Development Mailing List
Stephen Henson via RT wrote:
> I've finally had time to look into this. Please see if this fixes the issue:
Maybe it is not related, but this engine lacks a call of
ENGINE_register_pkey_asn1_meths. It seems to me that without this
registration initialization is different. If engine configuration is
wit
Leandro Santiago via RT wrote:
> I'm trying to compile openssl 1.0.1 (but I also tested the 1.0.0) on
> mingw-w64 (gcc 4.7), but I'm having errors.
> I tested in three configurations: Ubuntu 11.04 32-bit, Kubuntu 11.10
> 64-bit and Windows 7 32-bit having the same errors.
>
> The command line I use
Hi,
RFC 6187 "X.509v3 Certificates for Secure Shell Authentication" defines
two extended key usage
(http://tools.ietf.org/html/rfc6187#section-2.2.2) with numbers 21
and 22 for secure shell client and server respectively.
Currently in OpenSSL last number defined is 10.
This request is only
Kevin Vargo via RT wrote:
> Some minor updates to the openssl.spec: wrapping ifarch around the various
> lib dirs to get the right files in the right places.
>
> See attached diff
>
Configure script and spec are not consistent regarding multilib. It
seems to me spec file should use libdir script
Hi Guido,
Guido Trentalancia via RT wrote:
> Hello.
>
> I was trying to run the testsuite for openssl-fips-1.2.3 but I get a
> problems with several tests.
[SNIP]
> OpenSSL self-test report:
[SNIP]
> Target: linux-x86_64
[SNIP]
> gcc version 4.6.1 (GCC)
Please could you confirm that duri
Nick Lewis via RT wrote:
> Roumen
>
> Thank you for looking at the patch
[SNIP]
> + if (issuer_num&& (issuer_num< x_num))
>
> Please find a corrected version below
>
> Best Regards
> Nick
>
[SNIP]
With the updated version I confirm that the regression test of a software now
passes with Op
Nick Lewis via RT wrote:
> The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not
> work correctly for some combinations of ctx->chain, x and issuer. For example
> when the cert x is in the chain at a location other than the top, a path loop
> is incorrectly declared. Also if
Marc Wäckerlin via RT wrote:
> Hi OpenSSL
>
> I managed to Cross Compile OpenSSL on Linux so that I can develop OpenSSL
> applications that run on Windows entirely inside a Linux build environment.
>
> It even builds the executables and the DLLs on Linux.
>
> Please add my changes to the official
Andrey Kulikov via RT wrote:
> Hello,
>
> Please find file attached: server_cert_from_engine4.patch
> This is a patch to allow loading server SSL certificate by ENGINE.
>
> [SNIP]
>
> After applying this patch s_server will accept "-certform ENGINE" option.
>
> This patch supplied by Stonesoft Corp
See the attached file with a patch for the openssl dsa command: print
-pubin/-pubout options.
Also the -engine flag is moved to the same position as for the rsa command.
Roumen
Index: apps/dsa.c
===
RCS file: /work/repo/mirror/openssl/openssl/apps/dsa.c
Obsolete code prevents the dsa command from using keys stored in an engine.
The attached patch removes the opening of the input file and leaves everything
to the load_xxx functions.
See for reference the rsa command, which works fine.
Roumen
Index: apps/dsa.c
===
RCS file:
Dr. Stephen Henson wrote:
> [snip]
> I've updated the sources so they are now available outside FIPS mode.
>
> Steve.
>
10x solved, please close.
Roumen
The mingw cross-build of current HEAD (2011-01-31) fails:
WARNING: mkdef.pl doesn't know the following algorithms:
NEXTPROTONEG
Creating library file: libcrypto.dll.a
Cannot export FIPS_dh_free: symbol not defined
.
Cannot export RSA_X931_generate_key_ex: symbol not defined
collect2: ld
Guenter via RT wrote:
> Hi,
> it seems that all native MingW32 versions (tested with MingW32 4.50)
> lack of stuff to compile e_capi.c:
[SNIP]
> make[1]: *** [e_capi.o] Error 1
> make[1]: Leaving directory `/d/openssl-1.0.0b/engines'
>
> Therefore I've added some more define tests to OpenSSL 1.0.0b
M.-A. Lemburg via RT wrote:
> An application that only includes openssl/ssl.h from OpenSSL
> 1.0.0 and doesn't use winsock.h will run into problems on Windows,
> since the dtls1.h header file includes the winsock.h header file long
> after the ossl_typ.h header file was loaded.
What about to defin
Kaspar Brand via RT wrote:
> When using "-nameopt" with the x509/req/ca commands, OpenSSL will
> currently "abort" the output if no sep_xxx option is provided. Examining
> the certificate from https://rt.openssl.org with "openssl 509 -noout
> -text -nameopt utf8" e.g. gives
>
> Certificate:
>
> On Tue, Jan 12, 2010 at 11:14 PM, Roumen Petrov via RT
> wrote:
>> Alon Bar-Lev via RT wrote:
>>>
>>> The following is required in order to make beta4 compile using mingw (w64).
>>>
>>> Every time there is #includesome symbols should be rem
Alon Bar-Lev via RT wrote:
>
> The following is required in order to make beta4 compile using mingw (w64).
>
> Every time there is #include some symbols should be removed.
> Also, there is no need to #include if e_os2.h was included.
[SNIP]
> diff -urNp openssl-1.0.0-beta4.org/e_os.h openssl-1.0
kmx via RT wrote:
> Hi,
>
> I have experienced the enclosed failure during building of
> openssl-1.0.0-beta4 by 32-bit native compiler from mingw-w64.sf.net project.
>
> At the beginning it might be good to summarize how many mingws we
> currently have:
> #1) 32-bit gcc-3.x toolchain from mingw.org
Maybe it is good to document that numbers in "hash dir" start from zero.
Maarten Litmaath wrote:
> Hi Stephen,
>
>> I can't see how anything could cause an issue with 85 CAs. The attached
>> descriptions imply it might be a mod_ssl issue (not reproducible with
>> s_server).
>
> There is a bit more information now in our ticket:
>
> https://savannah.cern.ch/bugs/?
Alon Bar-Lev via RT wrote:
> Attached are patches, please address this issues, it is hard to keep sync
> this way.
> The order of the issue is according to importance, (1, 2, 3) blockers.
> Thanks!
>
> 1. _XOPEN_SOURCE cannot be used in mingw, strptime is never used anyway?
>
> 2. Make domd use
The attached patch is for openssl head and allows the capi engine to be built
with mingw (tested with cross-compilation). Details for the patch follow:
Build:
- export of OPENSSL_isservice:
The new capi engine requires function OPENSSL_isservice() if engine
dialog is enabled.
To get correct record in
patch updated to current cvs 20080217
Roumen
openssl-cvs20080217-mingw.patch.gz
Description: application/gzip
And now against CVS
openssl-cvs-mingw.diff.gz
Description: application/gzip
Please find attached file "openssl-mscrypto-20070625.tar.gz" with
openssl engine that can use keys from windows key-store. The engine can
work with external keys too.
Source is for openssl version 0.9.8 and mingw build require openssl
source with mingw patch for 0.9.8 from request #1552 ( see
I would like to propose following patch to openssl-0.9.8e source (see
attachment openssl-0.9.8e-mingw.patch.gz).
This patch is intended to create executables compatible with other win32
compilers.
Modifications:
./Makefiles.shared:
- link_o.cygwin(used to build engines): modified use def-files
RFC 2254 : The String Representation of LDAP Search Filters
This patch adds support for rfc2254 escaping.
With patched source method
ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags);
, where flags are
XN_FLAG_RFC2253|ASN1_STRFLGS_ESC_2254
can be used in generation of "LDAP sea
Third issue is how to print certificate subject/issuer distinguished
name in UTF-8 in more user friendly way ?
The example from the manual page works fine:
$ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
I prefer to use command more compatible to so called compatible format:
$ open
This patch corrects options for command line argument -nameopt of x509
application.
This patch corrects the escape form in ASN1_STRING_print_ex documentation.
This ticket is opened to solve issues related to printing of subject
and/or issuer name of a X.509 certificate and related documentation.
Roumen
Proposed patches:
a.) apps-smime.patch : proper eol for To,From and Subject headers in case of
-crlfeol command line option.
b.) crypto-pkcs7-pk7_mime.patch :
- add header in case of binary processing
- add empty line (mandatory) if processing type is not specified
(case without -text and with
Hello Bruno,
Please could you detail used software.
During the past weekend I have time to setup a test network:
linux box:
- sendmail 8.12.9
- popa3d 0.6.1
- Mozilla 1.7.13 email client
ms windows me (at last I found a PC with an operating system that uses CRLF as EOL):
- Mozilla 1.7.13 email clie
evp_md = EVP_get_digestbynid(rkey->type) return:
- DSA key: same as EVP_dss1()
- RSA key: NULL - OBJ_nid2sn(rkey->type) return "rsaEncryption"
Richard Levitte - VMS Whacker wrote:
>In message <[EMAIL PROTECTED]> on Fri, 27 Feb 2004 14:00:24 +0100 (MET), "Stephen
>Henson via RT" <[EMAIL PROTE