Checking if a key can sign / verify in 3.0

2020-08-18 Thread Norm Green
In 3.0 I see this new function in evp.h: int EVP_PKEY_can_sign(const EVP_PKEY *pkey); Is there an equivalent way to check if a key can verify? I'm not seeing an obvious way to do that. Previously I used EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0. thanks, Norm

SSL_ERROR_WANT_TIME: Pause SSL_connect to fetch intermediate certificates

2020-08-18 Thread Alex Rousskov
Hello, TLDR: How can we pause the SSL_connect() progress and return to its caller after the origin certificate is fetched/decrypted, but before OpenSSL starts validating it (so that we can fetch the missing intermediate certificates without threads or blocking I/O)? ASYNC_pause_job() does not

Re: FIPS canister questions

2020-08-18 Thread Tomas Mraz
Hello, there is no way to do that. The CentOS OpenSSL build does not allow using the upstream FIPS object module. In theory you could replace the CentOS openssl library with an upstream 1.0.2 library built in a way that allows using the fipscanister.o, however it would require non-trivial patching

FIPS canister questions

2020-08-18 Thread Swapna Pinnamaraju
Hi everyone. We are running CentOS 7.8 and the OpenSSL that comes with it, 'OpenSSL 1.0.2k-fips'. We have built the latest FOM 2.0 and now we want to incorporate the output of the FOM build into our CentOS 7.8 system. So we have two questions. 1. How do we install the output of the FOM

Re: Testing TLS 1.0 with OpenSSL master

2020-08-18 Thread Matt Caswell
On 17/08/2020 18:55, John Baldwin wrote:
> 1) Is 'auth_level' supposed to work for this? The CHANGES.md change references SSL_CTX_set_security_level and openssl(1) claims that '-auth_level' changes this? Is the CHANGES.md entry wrong and only SECLEVEL=0 for the ciphers work by

Re: OpenSSL compliance with Linux distributions

2020-08-18 Thread Matt Caswell
On 18/08/2020 05:10, Jakob Bohm via openssl-users wrote:
> The key thing to do is to make those client applications not request the ssl23-method from OpenSSL 0.9.x. ssl23 explicitly requests this backward-compatibility feature while OpenSSL 3.x.x apparently deleted the ability to

cross compiling on linux for macos

2020-08-18 Thread Tobias.Wolf
Hi guys, Can somebody give me a hint for the following topic please? I want to cross compile the latest openssl v1.1 on linux (centos 7) as target macos 32/64 bit. Thanks in advance Tobi

Re: Adding support for OS/2 back to Open SSL 1.1.1.

2020-08-18 Thread Matt Caswell
On 17/08/2020 23:55, Roderick Klein wrote:
> New to this list. I am looking at compiling OpenSSL 1.1.1. on OS/2 with GCC. Would OpenSSL be willing to accept patches to re-enable OS/2 in the OpenSSL?

Such patches are unlikely to be accepted into 1.1.1 since that is a stable release. 3.0