Re: [openssl-dev] frequency and size of heartbeat requests

2017-12-12 Thread Short, Todd via openssl-dev
In the particular application where I used both TLS and DTLS, application-layer heartbeats were used, and it gave the app visibility into the connection status. I agree, TLS/DTLS Heartbeats aren’t very useful. -- -Todd Short // tsh...@akamai.com // "One if by land, two i

[openssl-dev] Everything you wanted to know about SSL_OP flags, but were afraid to ask...

2017-12-12 Thread Short, Todd via openssl-dev
New page on the Wiki: https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-

Re: [openssl-dev] X509_cmp_time (possible) bug

2017-09-11 Thread Short, Todd via openssl-dev
o if by sea, three if by the Internet." On Sep 11, 2017, at 10:43 AM, Daniel Kahn Gillmor mailto:d...@fifthhorseman.net>> wrote: On Mon 2017-09-11 14:16:11 +, Short, Todd via openssl-dev wrote: Yes, it’s annoying, but it’s historic. I looked into changing this at one point. I think Di

Re: [openssl-dev] X509_cmp_time (possible) bug

2017-09-11 Thread Short, Todd via openssl-dev
Yes, it’s annoying, but it’s historic. I looked into changing this at one point. I recommend using ASN1_TIME_cmp_time_t() (from the master branch) instead, for the results you are expecting. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if

Re: [openssl-dev] Compiler requirements

2017-07-11 Thread Short, Todd via openssl-dev
I think it’s more a matter of using new features in C11 that preclude compilation on older platforms, rather than the use of a C11 compiler itself. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Jul 4, 2017, at 1:34

Re: [openssl-dev] 90-test_secmem.t hangs the machine for good

2017-05-16 Thread Short, Todd via openssl-dev
MLOCK_ONFAULT is a Linux-only feature (hence the need to include wrapped by OPENSSL_SYS_LINUX. So, you should not be encountering any MLOCK_ONFAULT or issues on MacOS. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." > On May 15, 2017, at 1:51

Re: [openssl-dev] 90-test_secmem.t hangs the machine for good

2017-05-15 Thread Short, Todd via openssl-dev
TLL > wrote: > > My disk is SSD, but computer load is pretty high. Which probably explains > that recovery doesn't take place in 200-400 seconds... > > On a semi-related note, I want able to locate mann.h file either. > > Regards, > Uri > > Sent from my

Re: [openssl-dev] 90-test_secmem.t hangs the machine for good

2017-05-15 Thread Short, Todd via openssl-dev
pitan 10.11.6. I could try it on Sierra 10.12.4, if you really expect it to make a difference. In my case the hang is not for a short time. It lasts for more than 10 minutes, so I’m forced to interfere. For how long did it hang for you? — Regards, Uri On 5/15/17, 11:47 AM, "openssl-dev o

Re: [openssl-dev] 90-test_secmem.t hangs the machine for good

2017-05-15 Thread Short, Todd via openssl-dev
y the Internet." > On May 12, 2017, at 4:50 PM, Short, Todd via openssl-dev > wrote: > > Uri: > > Look at https://github.com/openssl/openssl/pull/3455 > <https://github.com/openssl/openssl/pull/3455> > > I limited the test that hung your machine to Linux.

Re: [openssl-dev] 90-test_secmem.t hangs the machine for good

2017-05-12 Thread Short, Todd via openssl-dev
e if by the Internet." > On May 12, 2017, at 4:46 PM, Short, Todd via openssl-dev > wrote: > > It’s trying to reserve 1<<34 bytes of memory… there goes your 16GB... > -- > -Todd Short > // tsh...@akamai.com <mailto:tsh...@akamai.com> > // "One if by

Re: [openssl-dev] 90-test_secmem.t hangs the machine for good

2017-05-12 Thread Short, Todd via openssl-dev
It’s trying to reserve 1<<34 bytes of memory… there goes your 16GB... -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." > On May 12, 2017, at 4:05 PM, Blumenthal, Uri - 0553 - MITLL > wrote: > > Todd> Yes, it’s likely this is due to the amount of

Re: [openssl-dev] 90-test_secmem.t hangs the machine for good

2017-05-12 Thread Short, Todd via openssl-dev
Yes, it’s likely this is due to the amount of memory available in the machine. I tried to use reasonable values, but apparently not reasonable enough. This is certainly a case where we’re trying to stretch the limits of the hardware; so it may not be an appropriate test for all hardware. In the

Re: [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

2017-04-04 Thread Short, Todd via openssl-dev
Ben Kaduk: Do we know the values that are being passed to SSL_CTX_set_Verify_depth() match the -verify_depth argument, or do they differ? If they differ, do identical arguments to the function behave the same in 1.1.0 and 1.0.2? Viktor: What we’re getting at here, is that this appears to be a

Re: [openssl-dev] TLSv1.3 draft 19 support

2017-03-16 Thread Short, Todd via openssl-dev
Thanks Matt! -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Mar 16, 2017, at 10:35 AM, Matt Caswell mailto:m...@openssl.org>> wrote: All, I have just pushed to master the updates necessary for TLSv1.3 draft-19 suppo

Re: [openssl-dev] Participate in Code Health Tuesday (tomorrow, Feb 28th)

2017-02-27 Thread Short, Todd
I’m not sure us mere mortals can add a label to a PR... -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Feb 27, 2017, at 5:04 AM, Emilia Käsper mailto:emi...@openssl.org>> wrote: Hi OpenSSL developers! We’re always l

Re: [openssl-dev] Integrate EVP Cipher into OpenSSL cli Speed Test

2017-02-23 Thread Short, Todd
Look at some of the changes to pull in Poly1305 and SipHash in to EVP: https://github.com/openssl/openssl/commit/52ad5b60e3a1fef12a1a5ea01527a90b8f92a34b https://github.com/openssl/openssl/commit/3f5616d734a92fdf99ab827f21e5b6cab85e7194 -- -Todd Short // tsh...@akamai.com

[openssl-dev] PR 2351: Place ticket keys into secure memory

2017-02-07 Thread Short, Todd via openssl-dev
vdukhovi wrote: I don't think this change is useful at present. Most applications run with a single context for the lifetime of the process, so this makes no difference. We (perhaps I) first need to implement automated key rotation, and only then do I think it makes sense to worry about attemptin

[openssl-dev] RSA_METHOD_FLAG_NO_CHECK and RSA_FLAG_EXT_PKEY?

2017-01-17 Thread Short, Todd
Hi, The RSA_METHOD_FLAG_NO_CHECK and RSA_FLAG_EXT_PKEY seem to have similar meanings. These are the definitions in header files: # define RSA_METHOD_FLAG_NO_CHECK0x0001/* don't check pub/private * match */ /* * This flag means the private

Re: [openssl-dev] use SIPhash for OPENSSL_LH_strhash?

2017-01-11 Thread Short, Todd
tte mailto:levi...@openssl.org>> wrote: Can we look forward to a github PR? In message <97d0be2d-11c6-4d01-9a5d-faccc5b27...@akamai.com<mailto:97d0be2d-11c6-4d01-9a5d-faccc5b27...@akamai.com>> on Tue, 10 Jan 2017 22:42:17 +, "Short, Todd" mailto:tsh...@akamai.com>>

Re: [openssl-dev] use SIPhash for OPENSSL_LH_strhash?

2017-01-10 Thread Short, Todd
I think I might have an init/update/final version of siphash24 lying around somewhere that would be compatible with OpenSSL’s EVP_PKEY mechanism (similar to Poly1305, in that it needs a key). -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if

Re: [openssl-dev] Add a new algorithm in "crypto" dir, how to add the source code into the build system

2016-12-22 Thread Short, Todd
Easiest way is to fork the OpenSSL Github repo and then clone it down to your local machine where you can do the work locally. Once you are happy, push it back up to your forked Github repo, and then make a pull request back to the OpenSSL repo. There are lots of places you can get information

Re: [openssl-dev] Still showing openssl 1.0.2 snapshot issue

2016-11-28 Thread Short, Todd
FYI: The use of -DOPENSSL_NO_BUF_FREELISTS to config or Configure is not recommended, use the proper configuration option: no-buf-freelists -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Nov 27, 2016, at 3:11 AM, Ro

Re: [openssl-dev] Backporting opaque struct getter/setter functions

2016-11-08 Thread Short, Todd
net." > On Nov 8, 2016, at 7:04 AM, Hubert Kario wrote: > > On Monday, 7 November 2016 21:26:16 CET Short, Todd wrote: >> The file below is LGPL 2.1, and may not be compatible with various projects. >> Can it be changed to use the OpenSSL license or equivalent? > &

Re: [openssl-dev] Backporting opaque struct getter/setter functions

2016-11-07 Thread Short, Todd
The file below is LGPL 2.1, and may not be compatible with various projects. Can it be changed to use the OpenSSL license or equivalent? -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Nov 3, 2016, at 4:31 PM, Douglas

Re: [openssl-dev] Input on renegotiation behaviour

2016-09-30 Thread Short, Todd
+1 for making DTLS behavior like TLS in terms of attempting an abbreviated handshake. (2) -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Sep 29, 2016, at 4:40 AM, Matt Caswell mailto:m...@openssl.org>> wrote: On 2

Re: [openssl-dev] Openssl upgrade in debian

2016-09-23 Thread Short, Todd
You need to do this on your own (get the toolchain), and/or get updates from Debian. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Sep 23, 2016, at 7:21 AM, Shantibhushan Sale mailto:shantibhushan.s...@gmail.com>> w

Re: [openssl-dev] [openssl-users] Building OpenSSL 1.0.1t without tls1.1 support?

2016-08-25 Thread Short, Todd
1.0.1 is old, and not really supported, except some security fixes. 1.0.x does not provide the ability to compile out TLSv1.0 from 1.1 from 1.2. The upcoming 1.1.x does. If you disable tls1, then you’ve also disabled all later versions, so enable tlsv1 at config time and use the SSL options to en

Re: [openssl-dev] DRBG entropy

2016-07-28 Thread Short, Todd
See: https://tools.ietf.org/html/rfc4086 Section 4 suggests ways to de-skew. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." > On Jul 28, 2016, at 6:51 AM, Hubert Kario wrote: > > On Wednesday, 27 July 2016 15:23:21 CEST Leon Brits wrote: >> J

Re: [openssl-dev] Auth and cipher ordering in AEAD ciphers

2016-07-05 Thread Short, Todd
AEAD ciphers within OpenSSL include AES-GCM, AES-CCM and ChaCha20-Poly1305 (among others). AES-128 CBC SHA1-HMAC is not considered AEAD. See https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption for examples. The ciphers as described below are meant for TLS, thus they

Re: [openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

2016-06-20 Thread Short, Todd via RT
Not strictly necessary; mostly convenience. Decrementing the pointer usually requires doing the corresponding free, which really shouldn’t do anything but decrement the refcount if you just got it. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, t

[openssl-dev] [openssl.org #3882]

2016-06-15 Thread Short, Todd via RT
Based on discussion, it does not appear as this will be fixed, and requires an unusual set of circumstances for it to happen. It can probably be closed. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: h

[openssl-dev] [openssl.org #3780]

2016-06-15 Thread Short, Todd via RT
The async changes on master/1.1.0 obsolete this patch. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3780 Please log in as guest with password guest if prom

[openssl-dev] [openssl.org #3722]

2016-06-15 Thread Short, Todd via RT
This could be closed, as it’s now on GitHub: https://github.com/openssl/openssl/pull/946 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3722 Please log in as

[openssl-dev] [openssl.org #3867]

2016-06-15 Thread Short, Todd via RT
This could be closed, as it’s now on GitHub: https://github.com/openssl/openssl/pull/941 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3867 Please log in

[openssl-dev] [openssl.org #3877]

2016-06-15 Thread Short, Todd via RT
This could be closed, as it’s now on GitHub: https://github.com/openssl/openssl/pull/941 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3877 Please log in as

[openssl-dev] [openssl.org #3729]

2016-06-15 Thread Short, Todd via RT
The changes to master/1.1.0 for pipelining completely break this patch. So, there’s little point in trying to add this. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Displa

[openssl-dev] [openssl.org #3724]

2016-06-15 Thread Short, Todd via RT
The new async feature in master/1.1.0 completely breaks this patch. This can probably be closed. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3724 Plea

Re: [openssl-dev] [openssl.org #4074] [PATCH] Fixes for when PSK, SRP, SRTP and DTLS1 are disabled

2016-06-15 Thread Short, Todd via RT
This has been resolved in master, and can be closed. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4074 Please log in as guest with password guest if prompted

Re: [openssl-dev] [openssl.org #4149] Resolved: [PATCH] ssl_set_pkey() unnecessarily updates certificates

2016-05-31 Thread Short, Todd via RT
I also closed out GH478 (which was a fix for RT4149). -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On May 31, 2016, at 9:29 AM, Matt Caswell via RT mailto:r...@openssl.org>> wrote: According to our records, your reque

[openssl-dev] master failing unit tests inconsistently?

2016-05-16 Thread Short, Todd
Hi openssl-dev: I’ve been running the master branch and have been noticing inconsistent unit test results. It is failing on a number of tests, and has been for several days. I’m using clang-3.6 (3.6.0-2ubuntu1~trust1) or gcc (4.84-2ubuntu1~14.04.01) on Linux 3.13-0-85-generic #129-Ubuntu. Thi

Re: [openssl-dev] [openssl-users] Problems with OpenSSL 1.0.2 h

2016-05-04 Thread Short, Todd
Have you tried to configure this cipher at the top of your cipher list initially with SSL_OP_SERVER_CIPHER_PREFERENCE? -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On May 4, 2016, at 12:04 PM, Benjamin Kaduk mailto:b

Re: [openssl-dev] [openssl.org #4509] ECC key generation under valgrind reports: impossible has happened

2016-04-13 Thread Short, Todd via RT
Valgrind does not necessarily support all instructions, if there’s any optimized assembly, you might run into problems. Are you able to compile a non-assembly version of the OpenSSL library? Are you able to update to a newer Valgrind? You also seem to have a version discrepancy in OpenSSL: 1.0.2d

Re: [openssl-dev] need clarification on openssl s_server s_client applications

2016-04-13 Thread Short, Todd
DTLS standard: DTLS does not permit fragmentation of the data (handshaking has its own fragmentation mechanism separate from the record layer). See https://tools.ietf.org/html/rfc4347#section-4.2.3 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea,

Re: [openssl-dev] 1.1.0-pre4: ALPN mismatch terminates connection

2016-03-19 Thread Short, Todd
The change was actually introduced earlier (see: https://github.com/openssl/openssl/commit/0621786). GH891 (https://github.com/openssl/openssl/commit/817cd0d52f0462039d1fe60462150be7f59d2002) moved the ALPN processing later so that the SSL_CTX determined from SNI can be used, rather than the o

Re: [openssl-dev] make depend issue: if [ Makefile -nt Makefile ]

2016-03-08 Thread Short, Todd
22a...@akamai.com>> on Tue, 8 Mar 2016 20:57:07 +, "Short, Todd" mailto:tsh...@akamai.com>> said: tshort> Hi, tshort> tshort> I noticed the following oddity in commit f8d9d6e: tshort> tshort> depend: tshort> @catdepends=false; \ tshort> if [ Makefile -nt

[openssl-dev] make depend issue: if [ Makefile -nt Makefile ]

2016-03-08 Thread Short, Todd
Hi, I noticed the following oddity in commit f8d9d6e: depend: @catdepends=false; \ if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ I’m not sure of the intent or the fix, but it doesn’t seem right to compare the timestamp of a file to itself. -- -Todd Short // ts

Re: [openssl-dev] ALPN and SNI callbacks in 1.0.2

2016-03-04 Thread Short, Todd
server). https://github.com/openssl/openssl/pull/787 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Mar 3, 2016, at 2:33 PM, Short, Todd wrote: We’ve run into an issue with the ALPN and SNI TLS extension callbacks in 1.0.2. The sam

[openssl-dev] ALPN and SNI callbacks in 1.0.2

2016-03-03 Thread Short, Todd
We’ve run into an issue with the ALPN and SNI TLS extension callbacks in 1.0.2. The same behavior may be in master, but I have yet to check. In summary, the ALPN selection callback is invoked before the SNI/servername callback, yet the ALPN value returned may be dependent on the server being co

Re: [openssl-dev] [openssl.org #3716] Patch for setting preferred cipher list

2016-03-03 Thread Short, Todd via RT
Yes, not absolutely necessary. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3716 Please log in as guest with password guest if prompted -- openssl-dev mai

[openssl-dev] RT4265 no-srtp still broken

2016-02-22 Thread Short, Todd
Configuring the master branch with no-srtp is still broken. This PR: https://github.com/openssl/openssl/pull/582 fixes it. It’s a bit out of date, but there shouldn’t be any conflicts. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the

Re: [openssl-dev] 3DES is a HIGH-strength cipher?

2016-02-12 Thread Short, Todd
So, if it’s “mandatory”, then it should be in the default set of ciphers, not necessarily the “HIGH” set. I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that has subsequently been found to be weaker than previously thought. -- -Todd Short // tsh...@akamai.com

[openssl-dev] 3DES is a HIGH-strength cipher?

2016-02-12 Thread Short, Todd
Hi, In OpenSSL 1.0.2, and 1.0.1i, 3DES-CBC’s bit-strength was changed from 168 to 112, which makes sense. However, it is still considered a HIGH-strength cipher. RC4 is listed as having a bit strength of MEDIUM, and is a 128-bit strength cipher (kinda). This is a bit contradictory. According t

[openssl-dev] Duplicate APIs?

2016-02-08 Thread Short, Todd
Hi, I know OpenSSL is making 1.1 not ABI compliant to 1.0, so, maybe now is a good time to clean this up? I noticed that: * SSL_cache_hit(SSL*), and * SSL_session_reused(SSL*ssl) --> SSL_ctrl(ssl,SSL_CTRL_GET_SESSION_REUSED,0,NULL) are practically the same thing; both return s->hit. Are both

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

2016-02-04 Thread Short, Todd via RT
FYI: The rationale for why these APIs are deprecated. http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html#tag_03_356_08 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." --

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

2016-02-04 Thread Short, Todd via RT
OpenSSL is generally able to compile with the musl C library (same idea as uClibc): OpenSSL 1.0.2f: ./config make depend CC=/usr/local/bin/musl-gcc ./config make ./config is run twice, because "make depend" fails since domd can’t find the makedepend command after CC is set to musl-gcc. However,

[openssl-dev] [openssl.org #3885] [BUGFIX] OpenSSL fails to cross-compile on 32-bit->64-bit

2016-01-29 Thread Short, Todd via RT
I have an available fix: https://github.com/openssl/openssl/pull/597 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." ___ openssl-dev mailing list To unsubscribe: https://mta.o

Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Short, Todd via RT
This sounds like RT3885. I have an available fix: https://github.com/openssl/openssl/pull/597 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Jan 29, 2016, at 12:04 PM, Viktor Dukhovni via RT mailto:r...@openssl.org

Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Short, Todd
This sounds like RT3885. I have an available fix: https://github.com/openssl/openssl/pull/597 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Jan 29, 2016, at 12:04 PM, Viktor Dukhovni via RT mailto:r...@openssl.org

Re: [openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open

2016-01-28 Thread Short, Todd
However, we’re talking about botnets. They do bad things, they don’t follow the rules. They can masquerade as the original sender and send additional data. The received data held ought to be limited to the initial window of the connection, AND, since these are all original SYNs (pun intended) th

Re: [openssl-dev] [openssl.org #4272] [BUG/PATCH] Unit tests fail when DTLS is disabled

2016-01-26 Thread Short, Todd via RT
Pull request for RT4272: https://github.com/openssl/openssl/pull/589 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo

[openssl-dev] [openssl.org #4272] [BUG/PATCH] Unit tests fail when DTLS is disabled

2016-01-26 Thread Short, Todd via RT
Hello: When DTLS is disabled in master (./config no-dtls) the corresponding unit tests fail. The same thing would happen if TLS were disabled. The issue is in the ‘TLS Version min/max tests’ and ‘DTLS Version min/max tests’. The skip function is not called within a SKIP: { } block, causing the t

Re: [openssl-dev] [openssl.org #4265] [BUG/PATCH] OpenSSL does not compile when SRTP is disabled

2016-01-22 Thread Short, Todd via RT
o if by sea, three if by the Internet." On Jan 22, 2016, at 10:00 AM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Hello, When SRTP is disabled, OpenSSL does not successfully compile due to an error in s_server.c I have a patch for this, I am just waiting for the RT to be c

[openssl-dev] [openssl.org #4265] [BUG/PATCH] OpenSSL does not compile when SRTP is disabled

2016-01-22 Thread Short, Todd via RT
Hello, When SRTP is disabled, OpenSSL does not successfully compile due to an error in s_server.c I have a patch for this, I am just waiting for the RT to be created first. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet."

Re: [openssl-dev] [openssl.org #4263] store does not compile with opaque data structures

2016-01-21 Thread Short, Todd via RT
I added a pull request: https://github.com/openssl/openssl/pull/579 -- -Todd Short // tsh...@akamai.com<mailto:tsh...@akamai.com> // "One if by land, two if by sea, three if by the Internet." On Jan 21, 2016, at 4:23 PM, Short, Todd via RT mailto:r...@openssl.org>>

[openssl-dev] [openssl.org #4263] store does not compile with opaque data structures

2016-01-21 Thread Short, Todd via RT
Hello, When experimental-store is enabled in the master branch, the compile fails, due to structures that are now opaque. I have a patch, but am waiting for the RT to be created first. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by th

Re: [openssl-dev] [openssl.org #4262] Fwd: Configure script warns when no configurations changes occur

2016-01-21 Thread Short, Todd via RT
Added pull request: https://github.com/openssl/openssl/pull/578 -- -Todd Short // tsh...@akamai.com<mailto:tsh...@akamai.com> // "One if by land, two if by sea, three if by the Internet." On Jan 21, 2016, at 4:11 PM, Short, Todd via RT mailto:r...@openssl.org>> wrote: He

[openssl-dev] [openssl.org #4262] Fwd: Configure script warns when no configurations changes occur

2016-01-21 Thread Short, Todd via RT
Hello, When ./config is run, the Configure script always complains about 'make depend’ needing to be run because the $default_depflags and $depflags do not match. Recent changes to Configure automatically create $default_depflags, but takes special exceptions for shared, zip, hw and asm, which a

[openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

2016-01-08 Thread Short, Todd via RT
.@openssl.org> wrote: On Monday 28 December 2015 15:28:26 Kurt Roeckx via RT wrote: On Mon, Dec 28, 2015 at 03:01:28PM +0000, Short, Todd via RT wrote: Hello OpenSSL.org<http://OpenSSL.org>: This is a patch for the master branch. The changes in master to add ChaCha20 to OpenSSL do not include a

Re: [openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

2015-12-28 Thread Short, Todd via RT
Updated patch. Updates documentation (ciphers.pod), and lays some groundwork in case ChaCha20 is used with something other than Poly1305. (Also updates the Camellia cipher alias to use an existing #define.) -- -Todd Short // tsh...@akamai.com // "One if by land, two if

Re: [openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

2015-12-28 Thread Short, Todd via RT
15 at 03:01:28PM +, Short, Todd via RT wrote: Hello OpenSSL.org<http://OpenSSL.org><http://OpenSSL.org>: This is a patch for the master branch. The changes in master to add ChaCha20 to OpenSSL do not include an alias for the cipher in the "openssl cipher" command, n

Re: [openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

2015-12-28 Thread Short, Todd
15 at 03:01:28PM +, Short, Todd via RT wrote: Hello OpenSSL.org<http://OpenSSL.org><http://OpenSSL.org>: This is a patch for the master branch. The changes in master to add ChaCha20 to OpenSSL do not include an alias for the cipher in the "openssl cipher" command, n

[openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

2015-12-28 Thread Short, Todd via RT
Hello OpenSSL.org: This is a patch for the master branch. The changes in master to add ChaCha20 to OpenSSL do not include an alias for the cipher in the “openssl cipher” command, nor in the cipher functions, even though the necessary constants have been defined. The attache

[openssl-dev] [openssl.org #4197] [PATCH] Memory leak in state machine in error path

2015-12-22 Thread Short, Todd via RT
Hello OpenSSL org: I found the following issue via code inspection. In tls_process_client_key_exchange(), when EC is disabled, and an error occurs in ssl_generate_master_secret() or RAND_bytes(), the error path does not free rsa_decrypt. Note that rsa_decrypt is not conditionally defined by OP

[openssl-dev] [openssl.org #4188] [Patch/Fix] s_server.c does not compile when no-srtp is configured

2015-12-18 Thread Short, Todd via RT
Hello OpenSSL Organization: When ‘no-srtp’ is configured, the s_server.c application does not successfully compile. The undefined variable srtp_profiles is referenced. This patch fixes the issue. Github link: https://github.com/akamai/openssl/commit/f78119f39621d02bee31c9427b2be3a9d2cff26f --

[openssl-dev] [openssl.org #4187] [Patch] Secure memory subsystem does not report actual size

2015-12-18 Thread Short, Todd via RT
Hello OpenSSL Organization: This patch updates the secure memory allocator to allow callers to determine the actual size of the secure memory allocation. This can be used by applications to report accurate memory usage. Github link: https://github.com/akamai/openssl/commit/6d0b49bd810e0ae36d934

[openssl-dev] [openssl.org #4186] [Patch] DSA_dup() function missing in master

2015-12-18 Thread Short, Todd via RT
Hello OpenSSL Organization: With the subsequent changes in master branch to make structures opaque, there is no way to duplicate a DSA object. This patch adds DSA_dup() to OpenSSL. Github link: https://github.com/akamai/openssl/commit/83cf0487d5c673fca96fe8544599032fe08f77f2 -- -Todd Short // t

Re: [openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-23 Thread Short, Todd
int several of us have been trying to get through for some time. Peter -"openssl-dev" mailto:openssl-dev-boun...@openssl.org>> wrote: - To: "openssl-dev@openssl.org<mailto:openssl-dev@openssl.org>" mailto:openssl-dev@openssl.org>> From: "Short,

[openssl-dev] [openssl.org #4149] [PATCH] ssl_set_pkey() unnecessarily updates certificates

2015-11-20 Thread Short, Todd via RT
Hello OpenSSL.org We have found the following issue in 1.0.2 and master branches of OpenSSL: ssl_set_pkey() unnecessarily updates certificates Some key types (EC, DSA, DH, but not RSA) have separate parameters that are needed for correct operation. When ssl_set_pkey() is called (via

Re: [openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-20 Thread Short, Todd
While I am all for simplicity, I also think that removing functionality is a “bad idea”. To reduce the support burden, deprecate the ciphers: 1. Under support, indicate that these ciphers will no longer receive fixes. 2. Remove any assembly implementations 3. Disable them by default. I suggest f

Re: [openssl-dev] [BUG] Data race in md_rand.c functions

2015-11-06 Thread Short, Todd
Do you set any of the locking functions and/or do you configure with no-locking? CRYPTO_set_locking_callback() CRYPTO_set_add_lock_callback() see: https://www.openssl.org/docs/manmaster/crypto/threads.html -- -Todd Short // tsh...@akamai.com // "One if by land, two if

[openssl-dev] 1.0.2e release?

2015-11-02 Thread Short, Todd
openssl-dev: It’s been almost 4 months, and ~127 commits since 1.0.2d went out the door. Are there plans for an upcoming 1.0.2e release? Thanks, -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." _

Re: [openssl-dev] [openssl.org #4109] Re: Error installing openssl version 1.0.2

2015-10-28 Thread Short, Todd via RT
This is likely the same as RT3885. Check out this fix: https://github.com/akamai/openssl/commit/15ecb1a4dc4f75d6c33e8cd9089ca5cfc78d28dc You may be running a 32-bit version of Perl on a 64-bit platform. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Interne

Re: [openssl-dev] [openssl.org #4109] Re: Error installing openssl version 1.0.2

2015-10-28 Thread Short, Todd
This is likely the same as RT3885. Check out this fix: https://github.com/akamai/openssl/commit/15ecb1a4dc4f75d6c33e8cd9089ca5cfc78d28dc You may be running a 32-bit version of Perl on a 64-bit platform. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Interne

[openssl-dev] [openssl.org #4074] [PATCH] Fixes for when PSK, SRP, SRTP and DTLS1 are disabled

2015-10-07 Thread Short, Todd via RT
Hello OpenSSL Org: While evaluating the master branch, I discovered that the code does not compile, nor do the unit tests pass, when disabling certain features. Specifically, PSK, SRP, SRTP and DTLS1. The following patch for master branch will fix the issues. Thanks, -- -Todd Short // tsh...@

Re: [openssl-dev] [openssl.org #3729] Patch to add support for iovec-based IO in OpenSSL

2015-09-14 Thread Short, Todd via RT
Hello, We have another update for this patch: updates to documentation and APIs. Github link: https://github.com/akamai/openssl/commit/a6086d9cdde13a8b5ce22cbdcef3fe8733d0e892 And attachment: Thanks, -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Intern

Re: [openssl-dev] [openssl.org #3724] Patch/Feature to add asynchronous processing for some operations

2015-09-14 Thread Short, Todd via RT
Hello, Again, we have an updated patch for asynchronous processing: unit-tests and copyright. Github link: https://github.com/akamai/openssl/commit/92914accbb54ee085918451468575a5e76baba20 And attached file. Thanks, -- -Todd Short // tsh...@akamai.com // "One if by l

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

2015-09-14 Thread Short, Todd via RT
Updates to the IPv4/IPv6: port-based client cache patch: Updated documentation, unit-tests and copyright. Github link: https://github.com/akamai/openssl/commit/0a9ec5fc896c0fdc417e60366d03c1d95cc53033 And attached patch. Thank you. -- -Todd Short // tsh...@akamai.com /

[openssl-dev] [openssl.org #3869] [PATCH] Add shared session lists in SSL_CTX

2015-08-04 Thread Short, Todd via RT
Hello OpenSSL Org: We have an updated patch for RT 3869, which includes a deadlock fix when flushing sessions. Github link: https://github.com/akamai/openssl/commit/6b8c80239d174e7ca55f052b86f942d70ffca29e And attachment. 0017

[openssl-dev] [openssl.org #3885] [BUGFIX] OpenSSL fails to cross-compile on 32-bit->64-bit

2015-08-04 Thread Short, Todd via RT
Hello OpenSSL Org: We have an updated patch; there were issues with AES-GCM on some platforms, due to multiply operations on immediate constant values. Updated github patch: https://github.com/openssl/openssl/commit/15ecb1a4dc4f75d6c33e8cd9089ca5cfc78d28dc And attached. 0001-RT3885-OpenSSL-f

Re: [openssl-dev] [openssl.org #3874] [PATCH] Add certificate verify data to SSL struct

2015-06-18 Thread Short, Todd via RT
e if by the Internet." On May 27, 2015, at 4:32 PM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Hello OpenSSL Org: This is a change that Akamai has made to its implementation of OpenSSL. Version: master branch Description: Add certificate verify data to SSL struct Add a

Re: [openssl-dev] [openssl.org #3874] [PATCH] Add certificate verify data to SSL struct

2015-06-18 Thread Short, Todd
e if by the Internet." On May 27, 2015, at 4:32 PM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Hello OpenSSL Org: This is a change that Akamai has made to its implementation of OpenSSL. Version: master branch Description: Add certificate verify data to SSL struct Add a

Re: [openssl-dev] [openssl.org #3873] [PATCH] Add traffic counters

2015-06-18 Thread Short, Todd via RT
three if by the Internet." On May 27, 2015, at 4:32 PM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Hello OpenSSL Org: This is a change that Akamai has made to its implementation of OpenSSL. Version: master branch Description: Add traffic counters Add data counters to SSL s

Re: [openssl-dev] [openssl.org #3870] [PATCH] Async TLSEXT servername support.

2015-06-18 Thread Short, Todd via RT
, two if by sea, three if by the Internet." On May 26, 2015, at 4:29 PM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Hello OpenSSL Org: This is a change that Akamai has made to its implementation of OpenSSL. Version: master branch Description: Async TLSEXT servername supp

Re: [openssl-dev] [openssl.org #3869] [PATCH] Add shared session lists in SSL_CTX

2015-06-18 Thread Short, Todd via RT
On May 26, 2015, at 4:29 PM, Short, Todd via RT wrote: Hello OpenSSL Org: This is a change that Akamai has made to its implementation of OpenSSL. Version: master branch Description: Add shared session lists in SSL_CTX Support for shared session lists via SSL_CTX_share_session_cache(). Added lock

Re: [openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

2015-06-18 Thread Short, Todd via RT
Hello, We have an updated version of the patch that includes updated documentation. GitHub link: https://github.com/akamai/openssl/commit/980d0b6e67dce0088dcb49e6fa66bbb868f43000 And attachment Thanks, -- -Todd Short // tsh...@akamai.com // "One if by land, two if by

Re: [openssl-dev] [openssl.org #3865] [Patch] Add DISALLOW_RENEGOTIATION option

2015-06-18 Thread Short, Todd via RT
e if by the Internet." On May 26, 2015, at 2:56 PM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Hello OpenSSL Org: This is a change that Akamai has made to its implementation of OpenSSL. Version: master branch Description: Add DISALLOW_RENEGOTIATION option Add support to dis

Re: [openssl-dev] [openssl.org #3875] [PATCH] Add external X509_STORE to SSL_CTX

2015-06-18 Thread Short, Todd via RT
On May 27, 2015, at 4:32 PM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Hello OpenSSL Org: This is a change that Akamai has made to its implementation of OpenSSL. Version: master branch Description: Add external X509_STORE to SSL_CTX Add SSL_CTX_set_cert_store_ref() API to add an

Re: [openssl-dev] [openssl.org #3881] [PATCH] Instrument OpenSSL buffer heap memory usage

2015-06-18 Thread Short, Todd via RT
Updates to the buffer heap memory usage patch: Updated documentation. Github link: https://github.com/akamai/openssl/commit/222f0d2d94be8b92c306c062320fd15b59a9000a And attached file. Thank you, -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, thr

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

2015-06-05 Thread Short, Todd via RT
Yup, we noticed that too. -- -Todd Short // tsh...@akamai.com // Sent from my iPhone // "One if by land, two if by sea, three if by the Internet." > On Jun 5, 2015, at 5:27 PM, Jonathan Larmour via RT wrote: > >> On 01/06/15 15:22, Short, Todd via RT wrote: >> Re:

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

2015-06-01 Thread Short, Todd via RT
by the Internet." On Jun 1, 2015, at 10:22 AM, Short, Todd via RT mailto:r...@openssl.org>> wrote: Re: copyrights: Planning to copy the (109-line) main copyright from another source file and append to it: /* * Copyrigh
