Re: Question in regards to early warning about new openssl versions

2014-08-13 Thread Henning Horst
Duh - thank you Steef, Kurt and Rich - not sure how I could miss that either... So please only take the key message - your team does a great job with OpenSSL, thank you all! Regards, Henning On 08/13/2014 01:35 PM, Steef wrote: > Hi Henning, > >> So my question is - would it be reasonable to se

Re: Question in regards to early warning about new openssl versions

2014-08-13 Thread Steef389
Hi Henning, > So my question is - would it be reasonable to send an early warning > (without any details) to one of the OpenSSL lists a few days before > publishing a version containing fixes for security vulnerabilities? > Just saying something along the lines of "we plan to release a new > opens

Re: Question in regards to early warning about new openssl versions

2014-08-13 Thread Steef
Hi Henning, > So my question is - would it be reasonable to send an early warning > (without any details) to one of the OpenSSL lists a few days before > publishing a version containing fixes for security vulnerabilities? > Just saying something along the lines of "we plan to release a new > opens

Re: Question in regards to early warning about new openssl versions

2014-08-13 Thread Kurt Roeckx
On Wed, Aug 13, 2014 at 01:12:12PM -0400, Henning Horst wrote: > Dear OpenSSL-Team, > > First of all, thank you for your great work! > > I hope openssl-dev is the right list for the following request: > > Many projects rely on OpenSSL of course and whenever a new version is > published fixing se

RE: Question in regards to early warning about new openssl versions

2014-08-13 Thread Salz, Rich
Thanks for your kind words. We do post a notice that we're putting out a security update. Not sure how you missed it... -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Question about SSL/TLS MITM vulnerability (CVE-2014-0224)

2014-06-06 Thread Zhong Chen
Thanks Steve and Matt. That makes sense. -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Friday, June 06, 2014 6:11 PM To: openssl-dev@openssl.org Subject: Re: Question about SSL/TLS MITM vulnerability

Re: Question about SSL/TLS MITM vulnerability (CVE-2014-0224)

2014-06-06 Thread Dr. Stephen Henson
On Fri, Jun 06, 2014, Matt Caswell wrote: > On 6 June 2014 08:27, Zhong Chen wrote: > > > > We are using openssl 1.0.0 as a server. Looking at the diff between 1.0.0m > > and 1.0.0k, same patch is applied to s3_srvr.c and s3_pkt.c. I want to > > confirm this is just for precaution, or openssl 1.0

Re: Question about SSL/TLS MITM vulnerability (CVE-2014-0224)

2014-06-06 Thread Matt Caswell
On 6 June 2014 08:27, Zhong Chen wrote: > Hello, > > > > In the “OpenSSL Security Advisory [05 Jun 2014]”, regarding “SSL/TLS MITM > vulnerability (CVE-2014-0224)”, it says: > > > > Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. > Users of OpenSSL servers earlier than 1.0

RE: Question on ECC (openssl vs wcurve)

2014-03-31 Thread Dave Thompson
Are you looking at x,y values or an encoded (external) point? If the latter, it might be different encoding format, there are 3. Otherwise, you probably have something wrong, since OpenSSL successfully interoperates with other EC implementations. Post details - if you want to keep K secre

Re: Question about SSL_CTX_add_extra_chain_cert()

2013-10-29 Thread Dr. Stephen Henson
On Tue, Oct 29, 2013, Salz, Rich wrote: > > You don't and shouldn't free it: it will be free when the SSL_CTX it is > > added to is freed. > > In other words, if you want a local copy, bump the refcount for yourself. > Right? > Yes. Unfortunately there isn't a function that does that at pres

Re: Question about SSL_CTX_add_extra_chain_cert()

2013-10-29 Thread Dr. Stephen Henson
On Tue, Oct 29, 2013, Daniel Kahn Gillmor wrote: > On 10/29/2013 02:03 PM, Dr. Stephen Henson wrote: > >On Tue, Oct 29, 2013, ?? ??? wrote: > > > >> I've noticed that SSL_CTX_add_extra_chain_cert (actually > >>ss3_ctx_ctrl (..., SSL_CTRL_EXTRA_CHAIN_CERT, ..., ...)) just pushes > >>X509

Re: Question about SSL_CTX_add_extra_chain_cert()

2013-10-29 Thread Daniel Kahn Gillmor
On 10/29/2013 02:03 PM, Dr. Stephen Henson wrote: On Tue, Oct 29, 2013, ?? ??? wrote: I've noticed that SSL_CTX_add_extra_chain_cert (actually ss3_ctx_ctrl (..., SSL_CTRL_EXTRA_CHAIN_CERT, ..., ...)) just pushes X509 cert to context's cert stack. This means that I'm unable to free or

RE: Question about SSL_CTX_add_extra_chain_cert()

2013-10-29 Thread Salz, Rich
> You don't and shouldn't free it: it will be free when the SSL_CTX it is added > to is freed. In other words, if you want a local copy, bump the refcount for yourself. Right? /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

Re: Question about SSL_CTX_add_extra_chain_cert()

2013-10-29 Thread Dr. Stephen Henson
On Tue, Oct 29, 2013, ?? ??? wrote: > Hi all! > I've noticed that SSL_CTX_add_extra_chain_cert (actually > ss3_ctx_ctrl (..., SSL_CTRL_EXTRA_CHAIN_CERT, ..., ...)) just pushes > X509 cert to context's cert stack. This means that I'm unable to free > original certificate because double me

Re: Question about SIXTY_FOUR_BIT_LONG in engines/e_aep.c

2013-10-28 Thread Andy Polyakov
Hi, It appears that the code in engines/e_aep.c has an "#ifdef SIXTY_FOUR_BIT_LONG" to decide on things like BigNumSize (right shift by 3 or by 2, etc.). However, there is also the macro SIXTY_FOUR_BIT, which is another way to change BN_BYTES to 8 instead of 4. Should the #ifdefs in engine

RE: Question on expiring certs on long-lived DTLS sessions

2013-05-22 Thread Dave Thompson
>From: owner-openssl-...@openssl.org On Behalf Of Paul Pazandak >Sent: Tuesday, 21 May, 2013 21:58 >To: openssl-dev@openssl.org I don't think this is a -dev question, but not worth changing. >We want to be able to handle long-lived connections/sessions, >and we are therefore wondering ab

RE: Question on encryption algorithms brittleness

2013-03-11 Thread toorandom
.org [owner-openssl-...@openssl.org] on > behalf of Ben Laurie [b...@links.org] > Sent: Monday, March 11, 2013 14:16 > To: openssl-dev@openssl.org > Subject: Re: Question on encryption algorithms brittleness > > On 11 March 2013 11:09, Ido Regev wrote: > > Hi, > >

RE: Question on encryption algorithms brittleness

2013-03-11 Thread Yair Elharrar
256-bit. Good luck. From: owner-openssl-...@openssl.org [owner-openssl-...@openssl.org] on behalf of Ben Laurie [b...@links.org] Sent: Monday, March 11, 2013 14:16 To: openssl-dev@openssl.org Subject: Re: Question on encryption algorithms brittleness On 11 March 2

RE: Question on encryption algorithms brittleness

2013-03-11 Thread Salz, Rich
Find an unhappy employee and offer them a couple-hundred thousand Euro for their password. The question/requirement as stated is unanswerable, and certainly not by the well-meaning volunteers who frequent this list. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

Re: Question on encryption algorithms brittleness

2013-03-11 Thread Ben Laurie
On Behalf Of Jason Gerfen > Sent: Wednesday, March 06, 2013 4:29 PM > To: openssl-dev@openssl.org > Subject: Re: Question on encryption algorithms brittleness > > > > NIST has more details. http://csrc.nist.gov/publications/PubsFIPS.html See > FIPS 200 (Minimum guidelines), FIPS

RE: Question on encryption algorithms brittleness

2013-03-11 Thread Green, Paul
safe answer is "go hire an expert". PG From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Ido Regev Sent: Monday, March 11, 2013 7:09 AM To: openssl-dev@openssl.org Subject: RE: Question on encryption algorithms brittleness Hi, I hav

RE: Question on encryption algorithms brittleness

2013-03-11 Thread Ido Regev
l-dev@openssl.org Subject: Re: Question on encryption algorithms brittleness NIST has more details. http://csrc.nist.gov/publications/PubsFIPS.html See FIPS 200 (Minimum guidelines), FIPS 198--1 (HMAC), FIPS 197 (AES, symmetric algorithms) & FIPS 185 (PKI escrow) On Wed, Mar 6, 2013 at 7:15

Re: Question on encryption algorithms brittleness

2013-03-06 Thread Matt Caswell
This site would be a good place to start: http://www.keylength.com/ Matt On 6 March 2013 13:56, Ido Regev wrote: > We have a requirement from one of our customers regarding the encryption > algorithms – "Make use of published public encryption algorithms that are > considered to be practicall

Re: Question about building openssl

2012-11-19 Thread lists
On 10/24/2012 11:03 PM, Munagala Ramanath wrote: Just downloaded built openssl 1.0.1c on Ubuntu 10.04 x86_64 with the standard commands: ./config make make test All is well but I noticed that these files from 'engines' are compiled but the resulting objects are not put into any library: e_4

Re: Question on OpenSSL internals

2012-10-22 Thread Ben Laurie
On Sat, Oct 20, 2012 at 11:22 AM, Ben Laurie wrote: > On Sat, Oct 20, 2012 at 5:08 AM, Joe Pletcher wrote: >> Hello all, >> >> I hope this question is more appropriate for this list. I tried >> openssl-users with no luck. If not, I apologize in advance. >> >> I'm working on an OpenSSL project, a

Re: Question on OpenSSL internals

2012-10-22 Thread Ben Laurie
On Sat, Oct 20, 2012 at 5:08 AM, Joe Pletcher wrote: > Hello all, > > I hope this question is more appropriate for this list. I tried openssl-users > with no luck. If not, I apologize in advance. > > I'm working on an OpenSSL project, and I could use some help. I am writing a > library which wil

Re: Question on enhancing OpenSSL logs

2012-05-16 Thread Marek . Marcola
Hello, You may trace connect/accept progress defining some callback function: /** * SSL connection info callback. * * @param ssl SSL connection socket * @param type connection type * @param val

Re: question about ecdh functions

2012-05-09 Thread Jan Just Keijser
Hi Steve, Dr. Stephen Henson wrote: On Wed, May 09, 2012, Jan Just Keijser wrote: thank you for the quick reply. The code we currently use is very similar: 254 nid = OBJ_sn2nid(curve_name); 255 256 if (nid == 0) 257 msg(M_SSLERR, "unknown curve name (%s)", curve_name); 258

Re: question about ecdh functions

2012-05-09 Thread Dr. Stephen Henson
On Wed, May 09, 2012, Jan Just Keijser wrote: > thank you for the quick reply. The code we currently use is very similar: > 254 nid = OBJ_sn2nid(curve_name); > 255 > 256 if (nid == 0) > 257 msg(M_SSLERR, "unknown curve name (%s)", curve_name); > 258 else > 259 { > 260 e

Re: question about ecdh functions

2012-05-09 Thread Jan Just Keijser
Hi , Dr. Stephen Henson wrote: On Tue, May 08, 2012, Jan Just Keijser wrote: hello list, we're trying to add ECDH/ECDSA support to OpenVPN and we have run into a question we cannot easily answer ourselves: we're using SSL_CTX_set_tmp_ecdh to add an ECDH curve to your server-side SSL CTX o

Re: question about ecdh functions

2012-05-08 Thread Dr. Stephen Henson
On Tue, May 08, 2012, Jan Just Keijser wrote: > hello list, > > we're trying to add ECDH/ECDSA support to OpenVPN and we have run > into a question we cannot easily answer ourselves: > > we're using SSL_CTX_set_tmp_ecdh to add an ECDH curve to your > server-side SSL CTX object; this is very simi

Re: question about binary compatibility

2011-12-08 Thread Peter Sylvester
On 12/08/2011 03:34 PM, Dr. Stephen Henson wrote: On Thu, Dec 08, 2011, Peter Sylvester wrote: Hello, I am actually making corrections to the SRP/TLS code. One of them removes an unnecessary callback. There is a pointer in a SRP_CTX that is no longer necessary. I wonder what is the current p

Re: question about binary compatibility

2011-12-08 Thread Dr. Stephen Henson
On Thu, Dec 08, 2011, Peter Sylvester wrote: > Hello, > > I am actually making corrections to the SRP/TLS code. One of them > removes an unnecessary callback. There is a pointer in a SRP_CTX that > is no longer necessary. > > I wonder what is the current policy concerning a stable branch and >

Re: Question about OpenSSL, FIPS and version numbers

2011-10-18 Thread Tomas Mraz
On Mon, 2011-10-17 at 21:18 +, Keith Welter wrote: > The OpenSSL FIPS 140-2 User Guide says: > "The FIPS Object Module provides an API for invocation of FIPS approved > cryptographic functions from calling applications, and is designed for use in > conjunction with standard OpenSSL 0.9.8 dis

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-07-07 Thread Robin Seggelmann
Hi Yogesh, I have had a look at your modifications. There are some minor mistakes, but I was also able to find a bug in OpenSSL, for which patch #2555 is submitted. I have made some small changes to your code, but haven't revised everything. Most important is the timer handling, which does not

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-07-05 Thread Yogesh Chopra
Hi Robin, I am using DTLSv1_listen() and calling it repeatedly the difference (I believe) is I am using non-blocking sockets. Please find attached the sample program from sctp.fh-muenster.de modified for non-blocking sockets using select that demonstrates this problem. You can compil

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-07-02 Thread Robin Seggelmann
Hi Yogesh, On 01.07.2011, at 00:59, Yogesh Chopra wrote: > The setup is same as before (where traffic from server is blocked to > client). The Server responds only once with a HELLO_VERIFY response > for a HELLO request and then never sends a HELLO_VERIFY response for > subsequent CLIENT HELLO me

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-07-01 Thread Michael Tüxen
On Jul 1, 2011, at 12:59 AM, Yogesh Chopra wrote: > Hi, > I could only access the patch at the link: > > http://sctp.fh-muenster.de/dtls-patches.html > > as I do not have login credentials for > http://rt.openssl.org/Ticket/Display.html?id=2550 I think it is username guest, password guest... >

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-07-01 Thread Yogesh Chopra
Hi, I could only access the patch at the link: http://sctp.fh-muenster.de/dtls-patches.html as I do not have login credentials for http://rt.openssl.org/Ticket/Display.html?id=2550 So I am not sure if the 2 places above have different patches. Post applying this patch I acknowledge, I do no

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-06-30 Thread Michael Tüxen
Hi Yogi, could you try the patch in http://rt.openssl.org/Ticket/Display.html?id=2550 and report if it fixes your issue? Best regards Michael On Jun 27, 2011, at 10:58 PM, Yogesh Chopra wrote: > Hi, > Please look at the debug messages attached to the original message, > These were printf's add

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-06-30 Thread Yogesh Chopra
Hi, Please look at the debug messages attached to the original message, These were printf's added in the DTLS code and these were messages captured on the server. We are seeing the server start a timer when it sends back a "HelloVerifyRequest". Based on your comments below it appears that shoul

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-06-27 Thread Michael Tüxen
On Jun 27, 2011, at 11:02 PM, Robin Seggelmann wrote: > Hi Yogesh, > > Yes, I noticed that after I wrote the mail. The server starts a timer after > sending the HelloVerifyRequest, although it's not supposed to. A patch is > submitted already, but has not yet appeared on the OpenSSL request tra

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-06-27 Thread Robin Seggelmann
Hi Yogesh, Yes, I noticed that after I wrote the mail. The server starts a timer after sending the HelloVerifyRequest, although it's not supposed to. A patch is submitted already, but has not yet appeared on the OpenSSL request tracker. Best regards Robin On 27.06.2011, at 22:58, Yogesh Chopr

Re: Question on DTLS server calling dtls_handle_timeout during protocol handshake.

2011-06-27 Thread Robin Seggelmann
Hi Yogesh, I'm not sure what your problem is. If you drop all messages sent by the server, then the client keeps repeating its ClientHello until max retransmissions is reached, that is 12 times. The client starts a timer for every ClientHello it sends, and if it expires because there is no Hell

Re: Question about PKCS7_decrypt()

2010-04-16 Thread Phillip Hellewell
On Thu, Apr 15, 2010 at 3:25 PM, Phillip Hellewell wrote: > Why does PKCS7_decrypt() require the recipient's X509 cert? Doesn't the > recipient's cert already exist inside the PKCS7 structure? And if there is > more than one recipient info, can't PKCS7_decrypt() just try the private key > again

Re: Question about PKCS7_decrypt()

2010-04-15 Thread Phillip Hellewell
On Thu, Apr 15, 2010 at 3:25 PM, Phillip Hellewell wrote: > My last question is, what is the difference between PKCS7_decrypt() and > PKCS7_dataDecode()? I couldn't find any documentation on the latter. > Ok, I see now that PKCS7_decrypt() is implemented in terms of PKCS7_dataDecode(). So I'm

Re: Question about PKCS7_decrypt()

2010-04-15 Thread Phillip Hellewell
If these questions are better directed at openssl-users, let me know. Phillip On Thu, Apr 15, 2010 at 3:25 PM, Phillip Hellewell wrote: > Why does PKCS7_decrypt() require the recipient's X509 cert? Doesn't the > recipient's cert already exist inside the PKCS7 structure? And if there is > more

Re: question regarding crypto\bio\bio_lib.c and num_read

2010-04-14 Thread Modem Man
I think, it could be a bug, not yet noted by others because never used num_read. Regards, M.M. Ray Satiro schrieb: > Both BIO_write() and BIO_puts() increment num_write on success. But > BIO_gets() by all appearances does not increment num_read, only > BIO_read() does. I don't see why that omissio

Re: Question about DSA private keys - Quick replies appreciated!

2010-03-10 Thread Anand Giriraj
Hi Folks, Would appreciate some responses for the questions below. Most importantly- I see the following note in http://www.openssl.org/docs/apps/pkcs8.html "The format of PKCS#8 DSA (and other) private keys is not well documented: it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's defau

Re: Question about DSA private keys - Quick replies appreciated!

2010-03-06 Thread Anand Giriraj
Sorry there was a small typo s/DSA_generate_keys/DSA_generate_key Could I possibly use EVP_PKEY2PKCS8() api for the encoding? Regards -AG On Fri, Mar 5, 2010 at 11:35 AM, Anand Giriraj wrote: > Hi Folks. > If I generate DSA private key using the following commands: > > DSA_generate_params() > D

Re: Question on fips_canister.c

2010-01-19 Thread Dr. Stephen Henson
On Mon, Jan 18, 2010, Roger No-Spam wrote: > > I'm currently porting the openssl-0.9.8 fips code to a > proprietary platform. As you are probably aware the result would need to be revalidated if you want it to be FIPS 140-2 compliant. Steve. -- Dr Stephen N. Henson. OpenSSL project core develo

Re: Question on fips_canister.c

2010-01-19 Thread Andy Polyakov
> I'm currently porting the openssl-0.9.8 fips code to a proprietary > platform. There seems to quite a lot of time and effort put into all the > macros for different OSs and CPUs in FIPS_ref_point() and > instruction_pointer(). But I fail to see what problem the code in > fips_canister.c is trying

Re: question regarding ./config no-idea no-mdc2 no-rc5

2008-10-14 Thread Peter Waltenberg
OpenSSL is used just to provide low level crypto. function and for providing crypto. function for API's other than SSL. You don't need to turn off mdc2 now BTW, it was an IBM patent, but it's expired now. Peter

Re: Question regarding openssl fips module

2008-08-26 Thread Steve Marquess
Joshi Chandran wrote: > > Is it possible to build 64 bit of openssl fips module .please reply it > is urgent > > Thanks > Joshi Chandran You didn't give any details on the 64 bit platform(s) of interest. For the OpenSSL FIPS Object Module v1.1.2 the binary module created according to the instruct

Re: Question about ECDH_compute_key and X9.63 standard

2008-05-28 Thread Mounir IDRASSI
Hi, The KDF implementation in ecdhtest.c is based on the IEEE P1363 standard as the rest of the implementation of ECDH in OpenSSL. It can be regarded as a generalization of the X9.63 standard. However, the file ecdhtest.c is not part of the OpenSSL core and thus you can provide your own implementa

Re: Question about tlsext option with 0.9.8 (Steve?)

2008-02-12 Thread Dr. Stephen Henson
On Tue, Feb 12, 2008, Guenter Knauf wrote: > Hi Steve, > just curious why enable-tlsext isn't enabled by default in 0.9.8 branch as it > is with 0.9.9... > is it some policy about introducing new features in stable branch? > Yes the extension code hasn't been widely tested "in the field" and it

Re: Question about ca-bundle.crt

2008-02-11 Thread Guenter Knauf
Hi Steve, > None of text info (including fingerprint) is used during the lookup > process. > Omitting it makes the file shorter and makes it slightly quicker to read > initially but has no effect after that. thanks for your quick reply! Guenter.

Re: Question about ca-bundle.crt

2008-02-11 Thread Dr. Stephen Henson
On Mon, Feb 11, 2008, Guenter Knauf wrote: > Hi, > there are some recommended methods for creating a ca-bundle.crt > most use the openssl commandline with something like: > openssl x509 -fingerprint -text -in infile -inform PEM >> outfile > which produces a bunch of text info beside the PEM cer

Re: Question about EBCDIC

2007-07-27 Thread Howard Chu
Michael Saladin wrote: Additional info: I saw that there is a compiler directive CHARSET_EBCDIC, but this directive is not used at all locations where something is read from a certificate. Is it true that all entries in a certificate are in ASCII? Unicode, more likely. If yes, one just

RE: Question about EBCDIC

2007-07-27 Thread Michael Saladin
Additional info: I saw that there is a compiler directive CHARSET_EBCDIC, but this directive is not used at all locations where something is read from a certificate. Is it true that all entries in a certificate are in ASCII? If yes, one just had to add a couple of #ifdef CHARSET_EBCDIC to the

Re: question about porting the implementation of SHA256 from 0.9.8 to 0.9.7

2007-06-21 Thread Andy Polyakov
Does anyone have any experience with porting the implementation of SHA256 algorithm from 0.9.8 to 0.9.7 ? Why don't you use 0.9.8? Any known patch for this one or for similar ones? SHA256/512 are available in fips tar-ball, which is based on 0.9.7. Do you know what is the potential risk by

Re: Question on including Root CA into OpenSSL distribution

2007-05-09 Thread Dr. Stephen Henson
On Wed, May 09, 2007, Nikolay Zapolnov wrote: > Hello, > > My name is Nikolay, > I am representing the NetUP company. > > Currently we are being certified by the KPMG company, Russia > under the program "AICPA/CICA. WebTrustSM/TM. Program for > Certification Authorities". > > After the successf

Re: Question about ambiguous cert chains

2007-01-11 Thread Dr. Stephen Henson
On Thu, Jan 11, 2007, Andrews, Rick wrote: > Thanks, but that doesn't completely answer my question. Let me rephrase: > As OpenSSL is walking up the chain, it looks at a cert's issuer name and > then tries to find a cert in the cert store with that name as a subject > name. In my case, it will fin

RE: Question about ambiguous cert chains

2007-01-11 Thread Andrews, Rick
> Sent: Thursday, January 11, 2007 11:13 AM > To: openssl-dev@openssl.org > Subject: Re: Question about ambiguous cert chains > > On Thu, Jan 11, 2007, Andrews, Rick wrote: > > > If I am cross-certifying a root cert with another root > cert, and both > > roots are

Re: Question about ambiguous cert chains

2007-01-11 Thread Dr. Stephen Henson
On Thu, Jan 11, 2007, Andrews, Rick wrote: > If I am cross-certifying a root cert with another root cert, and both > roots are in my cert store, then OpenSSL might see an ambiguous chain > when it tries to verify. There would be two possible chains instead of > one. Can OpenSSL handle such a case?

Re: Question about clientAuth EKU

2007-01-10 Thread Dr. Stephen Henson
On Wed, Jan 10, 2007, Andrews, Rick wrote: > We're trying to do client auth to an Apache web server, and we've > discovered that if the end entity cert's issuing CA cert has an > extendedKeyUsage extension, but the extension doesn't contain the > clientAuth and serverAuth values, then the SSL hand

Re: question regarding us of openssh with openssl-0.9.7i

2006-03-10 Thread Tim Rice
On Thu, 9 Mar 2006, Basavaraj Bendigeri wrote: > Tim Rice wrote: > > On Wed, 8 Mar 2006, Basavaraj Bendigeri wrote: > > > Hi, > > > I am facing a problem when using openssh-3.9 with > > > openssl-0.9.7i. Both ssh and sshd are crashing. > > > I have compiled openssl with fips. > > > But openssh h

Re: question regarding us of openssh with openssl-0.9.7i

2006-03-09 Thread Basavaraj Bendigeri
Tim Rice wrote: On Wed, 8 Mar 2006, Basavaraj Bendigeri wrote: Hi, I am facing a problem when using openssh-3.9 with openssl-0.9.7i. Both ssh and sshd are crashing. I have compiled openssl with fips. But openssh has not been changed at all. Does

Re: question regarding us of openssh with openssl-0.9.7i

2006-03-08 Thread Tim Rice
On Wed, 8 Mar 2006, Basavaraj Bendigeri wrote: > Hi, > I am facing a problem when using openssh-3.9 with > openssl-0.9.7i. Both ssh and sshd are crashing. > I have compiled openssl with fips. > But openssh has not been changed at all. Does this imply that you

Re: question concerning SSL_ctrl and SSL_CTX_ctrl etc

2005-10-20 Thread Bodo Moeller
On Thu, Oct 13, 2005 at 01:41:56PM +0200, Peter Sylvester wrote: > In ssl/ssl_lib.c there is a lot of functionality of get/set implemented > through a SSL_ctrl or SSL_CTX_ctrl, but some are implemented > directly as functions. > > There may be some logic behind that but I am not sure which one. >

Re: Question about OPENSSL_gmtime.

2004-07-19 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Mon, 19 Jul 2004 09:20:37 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said: levitte> Hi again, levitte> levitte> In message <[EMAIL PROTECTED]> on Sun, 18 Jul 2004 22:59:41 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said

Re: Question about OPENSSL_gmtime.

2004-07-19 Thread Richard Levitte - VMS Whacker
Hi again, In message <[EMAIL PROTECTED]> on Sun, 18 Jul 2004 22:59:41 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said: levitte> This makes me wonder if time() returns local time or GMT levitte> time. I just verified. time() returns the number of seconds since 1970-01-01:00

Re: Question about OPENSSL_gmtime.

2004-07-18 Thread Richard Levitte - VMS Whacker
Hi again, In message <[EMAIL PROTECTED]> on Sun, 18 Jul 2004 22:59:41 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said: levitte> In message <[EMAIL PROTECTED]> on Sun, 18 Jul 2004 05:48:09 -0400, "Greaney, Kevin" <[EMAIL PROTECTED]> said: levitte> levitte> kevin.greaney>

Re: Question about OPENSSL_gmtime.

2004-07-18 Thread Richard Levitte - VMS Whacker
Hi Kevin, In message <[EMAIL PROTECTED]> on Sun, 18 Jul 2004 05:48:09 -0400, "Greaney, Kevin" <[EMAIL PROTECTED]> said: kevin.greaney> I have been having some problems with the kevin.greaney> startdate and enddate in my certificates being skewed kevin.greaney> since I upgraded from 0

Re: question on static/dynamic linking engines

2004-07-06 Thread Kevin Stefanik
On Monday 05 July 2004 01:24 am, Geoff Thorpe wrote: > On June 24, 2004 12:49 pm, Kevin Stefanik wrote: > [snip] > > > > However I'm > > > pretty confident the 0.9.7 use of ERR_get_implementation() is bogus. > > [snip] > > > Linking the openssl engine to libcrypto.so shared library for 0.9.8 > > wo

Re: question on static/dynamic linking engines

2004-07-04 Thread Geoff Thorpe
On June 24, 2004 12:49 pm, Kevin Stefanik wrote: [snip] > > However I'm > > pretty confident the 0.9.7 use of ERR_get_implementation() is bogus. [snip] > Linking the openssl engine to libcrypto.so shared library for 0.9.8 > works fine as far as I've been able to test. Cool, so this is just an issu

Re: question on static/dynamic linking engines

2004-06-24 Thread Kevin Stefanik
On Thursday 24 June 2004 11:03 am, Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on Thu, 24 Jun 2004 > 09:43:48 -0400, Kevin Stefanik <[EMAIL PROTECTED]> said: > > kstef> On Wednesday 16 June 2004 12:46 pm, Richard Levitte - VMS Whacker > wrote: kstef> > In message <[EMAIL P

Re: question on static/dynamic linking engines

2004-06-24 Thread Kevin Stefanik
On Monday 14 June 2004 07:35 pm, Geoff Thorpe wrote: > On June 14, 2004 12:00 pm, Kevin Stefanik wrote: > > I just realized that we may not have been discussing the same issue. > > When I was referring to dynamically or statically linked engines, I was > > referring to how the engines were linked t

Re: question on static/dynamic linking engines

2004-06-24 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Thu, 24 Jun 2004 09:43:48 -0400, Kevin Stefanik <[EMAIL PROTECTED]> said: kstef> On Wednesday 16 June 2004 12:46 pm, Richard Levitte - VMS Whacker wrote: kstef> > In message <[EMAIL PROTECTED]> on Wed, 16 Jun 2004 kstef> > 12:30:28 -0400, Kevin Stefanik <[EMAIL P

Re: question on static/dynamic linking engines

2004-06-24 Thread Kevin Stefanik
On Wednesday 16 June 2004 12:46 pm, Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on Wed, 16 Jun 2004 > 12:30:28 -0400, Kevin Stefanik <[EMAIL PROTECTED]> said: > > kstef> I think we can make do with a less involved fix, actually, by > kstef> just backing out the conditional

Re: question on static/dynamic linking engines

2004-06-16 Thread Geoff Thorpe
On June 16, 2004 07:48 pm, Richard Levitte - VMS Whacker wrote: > geoff> Indeed. However one problem with merging > geoff> ENGINE_get_static_state() to 0.9.6-stable is that it requires a > geoff> new exported API symbol in openssl. > > Well, I don't see that as a problem, since we don't have suppor

Re: question on static/dynamic linking engines

2004-06-16 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 16 Jun 2004 19:27:27 -0400, Geoff Thorpe <[EMAIL PROTECTED]> said: geoff> On June 16, 2004 12:46 pm, Richard Levitte - VMS Whacker wrote: geoff> > kstef> I think we can make do with a less involved fix, actually, by geoff> > kstef> just backing out the condi

Re: question on static/dynamic linking engines

2004-06-16 Thread Geoff Thorpe
On June 16, 2004 12:46 pm, Richard Levitte - VMS Whacker wrote: > kstef> I think we can make do with a less involved fix, actually, by > kstef> just backing out the conditional if the engine still _requires_ > kstef> its own copy of the libcrypto code, or, preferably, just > kstef> linking to libcr

Re: question on static/dynamic linking engines

2004-06-16 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 16 Jun 2004 12:30:28 -0400, Kevin Stefanik <[EMAIL PROTECTED]> said: kstef> I think we can make do with a less involved fix, actually, by kstef> just backing out the conditional if the engine still _requires_ kstef> its own copy of the libcrypto code, or, pr

Re: question on static/dynamic linking engines

2004-06-16 Thread Kevin Stefanik
On Wednesday 16 June 2004 12:20 pm, you wrote: > In message <[EMAIL PROTECTED]> on Mon, 14 Jun 2004 > 19:35:08 -0400, Geoff Thorpe <[EMAIL PROTECTED]> said: > > geoff> On June 14, 2004 12:00 pm, Kevin Stefanik wrote: > geoff> > I just realized that we may not have been discussing the same > geoff>

Re: question on static/dynamic linking engines

2004-06-16 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Mon, 14 Jun 2004 19:35:08 -0400, Geoff Thorpe <[EMAIL PROTECTED]> said: geoff> On June 14, 2004 12:00 pm, Kevin Stefanik wrote: geoff> > I just realized that we may not have been discussing the same geoff> > issue. When I was referring to dynamically or statical

Re: question on static/dynamic linking engines

2004-06-16 Thread Kevin Stefanik
On Monday 14 June 2004 07:35 pm, Geoff Thorpe wrote: > On June 14, 2004 12:00 pm, Kevin Stefanik wrote: > > I just realized that we may not have been discussing the same issue. > > When I was referring to dynamically or statically linked engines, I was > > referring to how the engines were linked t

Re: question on static/dynamic linking engines

2004-06-14 Thread Geoff Thorpe
On June 14, 2004 12:00 pm, Kevin Stefanik wrote: > I just realized that we may not have been discussing the same issue. > When I was referring to dynamically or statically linked engines, I was > referring to how the engines were linked to libcrypto. In all cases, > we're discussing a dynamic eng

Re: question on static/dynamic linking engines

2004-06-14 Thread Kevin Stefanik
I just realized that we may not have been discussing the same issue. When I was referring to dynamically or statically linked engines, I was referring to how the engines were linked to libcrypto. In all cases, we're discussing a dynamic engine contained in a shared library, so I think we agree

Re: question on static/dynamic linking engines

2004-06-14 Thread Kevin Stefanik
On Monday 14 June 2004 10:54 am, Geoff Thorpe wrote: > On June 14, 2004 10:20 am, Kevin Stefanik wrote: > [snip] > > > #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \ > > int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \ > > if (ERR_get_implementation() != fns->err_fns)

Re: question on static/dynamic linking engines

2004-06-14 Thread Geoff Thorpe
On June 14, 2004 10:20 am, Kevin Stefanik wrote: [snip] > #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \ > int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \ > if (ERR_get_implementation() != fns->err_fns) \ > { \ > if(!CR

Re: question on MAC

2004-02-23 Thread Vadim Fedukovich
On Fri, Feb 20, 2004 at 03:52:00PM -0700, Swaminathan P wrote: > Hi, > Can someone help me with info on this question? > Is there some significance to encrypt the MAC along with the message? > Is there some pitfall in leaving the MAC in the cleartext and encrypt the > message alone... > > thanks, >

Re: Question about EVP_PKEY, X509 and certificates

2003-11-12 Thread Dr. Stephen Henson
On Wed, Nov 12, 2003, Geoffrey Huang wrote: > Hi there, > > I'm new to using OpenSSL. I've gathered that the EVP* structures are the > high-level structures that OpenSSL prefers me to use. Specifically, I'm > using the EVP_PKEY structure to store key pairs in an internal database - > it's fl

Re: Question about the latest security patch - malicious usage

2002-08-13 Thread Ben Laurie
Jeffrey Altman wrote: >>Jeffrey Altman wrote: >> >>>The answer to your questions is 'yes'. As I understand it, the >>>patches were released as they are "for the time being" because it is >>>better to crash your application than allow the attacker to compromise >>>your computer. >>> >>>New patches

Re: Question about the latest security patch - malicious usage

2002-08-11 Thread Jeffrey Altman
> Jeffrey Altman wrote: > > The answer to your questions is 'yes'. As I understand it, the > > patches were released as they are "for the time being" because it is > > better to crash your application than allow the attacker to compromise > > your computer. > > > > New patches will have to be re

Re: Question about the latest security patch - malicious usage

2002-08-10 Thread Ben Laurie
Jeffrey Altman wrote: > The answer to your questions is 'yes'. As I understand it, the > patches were released as they are "for the time being" because it is > better to crash your application than allow the attacker to compromise > your computer. > > New patches will have to be released to prop

RE: Question about the latest security patch - malicious usage

2002-08-01 Thread Jeffrey Altman
I submitted an analysis of the changes to be made shortly after the patches were issued. I won't have time to try and work on patches until the weekend. Perhaps someone from the OpenSSL team will beat me to it. > > Thanks for the reply. > > Do you know when a full fix is to be expected? > >

Re: Question on using AES in openssl-0.9.7beta

2002-06-13 Thread Stephen Sprunk
The CFB mode only uses the encryption function; AES_set_decrypt_key() is needed for other modes, such as ECB. S Thus spake Louis Lam: > Hello, > > I'm trying to use the AES algorithm of 0.9.7beta in my own program. > > For setting the key schedule there are 2 apis: > > AES_set_encrypt_key()

Re: Question about BIO_C_SET_FILENAME case in crypto/bss_file.c, file_ctrl function

2002-05-21 Thread Dr. Stephen Henson
On Tue, May 21, 2002, Romberg, Kathy wrote: > Folks, > > I've been looking at this function and have a question about this particular case. > The first line in the case is to do a file_free, which closes the file if b->shutdown > is set, yet shutdown is not set until the next line. Is this cor

Re[3]: [PATCH] Re: Question on EVP encryption/decryption routines

2002-05-03 Thread Pavel Tsekov
DL>> I'm not on the dev team or anything, but I don't understand how you could have *ever* successfully encrypted multiple streams with the same EVP context??? Just the IV's alone would have been DL>> screwed up for CBC ciphers and stream ciphers like RC4 would completely break. PT> ECB won't -
