I'm sure I'm missing something obvious, but why isn't the operation
XXX_verify_xxx() idempotent? It seems very weird that two subsequent calls to
verify() wouldn't return exactly the same thing.
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
Original Message
On 2016-03-24 19:12, Viktor Dukhovni wrote:
On Mar 24, 2016, at 2:02 PM, DEXTER wrote:
So let me get this straight.
If someone had a software where they called X509_verify_cert from
SSL_CTX_set_cert_verify_callback callback twice (to verify first with
crls, and maybe
When FIPS is enabled: missed that. We enable it when we load the modules -
we're in a mode where we only have the FIPS libraries installed, and when we
load them, we enable FIPS. In searching for a temporary work-around, I put
different code at that place in x509v3_cache_extensions() -
> On Mar 24, 2016, at 2:02 PM, DEXTER wrote:
>
> So let me get this straight.
> If someone had a software where they called X509_verify_cert from
> SSL_CTX_set_cert_verify_callback callback twice (to verify first with
> crls, and maybe verify again without crls) and it
So let me get this straight.
If someone had a software where they called X509_verify_cert from
SSL_CTX_set_cert_verify_callback callback twice (to verify first with
crls, and maybe verify again without crls) and it worked as expected,
after this patch their software is broken.
Am I right?
And
Hi
Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when
the dialog box was displayed, and that's how I got the call stack.
if (x->ex_flags & EXFLAG_SET)
return;
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
I inspected
On Wed, Mar 23, 2016, Glen Matthews wrote:
> Hi
>
> Right, sorry about the wrong posting - and thanks.
>
> The message is correct - we got this in the 1.0.2f tree and are still getting
> in in the 1.0.2g tree.
>
> I notice that in crypto\x509v3\v3_purp.c there is this:
>
> if
Thank you - employing the pointers (no pun intended :) that you gave, the
code now is doing exactly what’s needed, and utilizes RDRAND (as required
by the specs I have, and my personal preferences as well).
> set the default RAND_method to the engine
This is what I did not do originally -
> On Mar 24, 2016, at 1:09 PM, Szilárd Pfeiffer
> wrote:
>
> I am afraid the patch causes a serious compatibility break. In practice,
> after an OS upgrade (which upgrades OpenSSL to the patched version) each
> and every application, which calls the
On 2016-03-24 16:17, openssl-users at dukhovni.org (Viktor Dukhovni) wrote:
>> On Mar 24, 2016, at 4:21 AM, DEXTER wrote:
>>
>> So this patch:
>> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0
>>
>> magically made itself into ubuntu trusty's
> On Mar 24, 2016, at 4:21 AM, DEXTER wrote:
>
> So this patch:
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0
>
> magically made itself into ubuntu trusty's version of openssl in a
> security update.
>
> My question
Greetings openssl-users,
We had several segmentation faults, all starting from SHA1_Update() call.
See [1], [2] and [3].
Some details:
We are using libcurl to send HTTPS requests to Amazon S3 service. We are
using "curl_multi" handles to submit and track these HTTPS requests.
The problem
Hi!
So this patch:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0
magically made itself into ubuntu trusty's version of openssl in a
security update.
My question is:
What is the recommended way now to call X509_verify_cert twice or
unlimited
> What type of feedback are you looking for?
If I understood and used the OpenSSL API correctly, with respect to crypto
development best practices (e.g. constant time operations).
I have generic C programming experience, but crypto was new for me. The
important pieces of the new code is there in
> Last year I successfully finished my Master studies at Czech Technical
> University by a thesis defense about implementing a new CAESAR ciphersuite
> (specifically with NORX, but not restricted to it) into OpenSSL. I was
> supervised by prof. Wu Hongjun from Nangyang Technological University,
>
Hi,
Last year I successfully finished my Master studies at Czech Technical
University by a thesis defense about implementing a new CAESAR ciphersuite
(specifically with NORX, but not restricted to it) into OpenSSL. I was
supervised by prof. Wu Hongjun from Nangyang Technological University,
16 matches
Mail list logo