Re: Non-heap based structures

2022-07-27 Thread J Decker
looks like https://linux.die.net/man/3/evp_md_ctx_init initializes a structure that's allocated already. Yes it could be on the stack, or static... (instead of _new) On Wed, Jul 27, 2022 at 1:42 AM Philip Prindeville < philipp_s...@redfish-solutions.com> wrote: > Hi, > > I suspect I already

OpenSSL is looking to hire two full-time positions: Developer, and Manager

2021-11-24 Thread Mark J Cox
OpenSSL is looking to hire two full-time positions: Developer, and Manager. Details of the roles can be found here: https://www.openssl.org/blog/blog/2021/11/24/hiring-manager-and-developer/ To apply please send your cover letter and resume to j...@openssl.org by 9th December 2021 Regards

Openssl aes-256 ctr drbg

2021-09-21 Thread Nagarjun J
Hi, What is the Number of Bytes Returned by aes-256 ctr drbg ? Thanks, Nagarjun

Re: Query regarding openssl-3.0.0 ecdsa self tests

2021-08-30 Thread Nagarjun J
nsistency test as > > > the > > > KAT is impossible to do for regular DSA and ECDSA due to random > > > nonce > > > being input of the signature algorithm and thus the signature > > > always > > > changes. > > > > > > Tomas >

Query regarding openssl-3.0.0 ecdsa self tests

2021-08-27 Thread Nagarjun J
Hi, Does openssl-3.0.0 really do ecdsa KAT? The post test logs say "ECDSA KAT :PASS". But when I debugged the code it is actually doing ECDSA pairwise consistency test. Thanks, Nagarjun

Query regarding ECC

2021-05-10 Thread Nagarjun J
Hi, ECC Partial Public key validation is already supported in openssl-1.0.2l or Openssl-2.0.16 ? Regards Nagarjun

Sp800 56a rev3

2021-04-14 Thread Nagarjun J
Hi, Suppose if any one submitted for FIPS 140-2 certification in Nov 2020 , what is the deadline to meet sp800 56 a rev3 revision requirement to avoid certificate going into historical list. And if we meet requirement before deadline what is the validity of certificate. And do we need to test

SP800 56A rev3 patch

2021-04-14 Thread Nagarjun J
Hi, I am looking to patch FOM for sp800 56 rev3 support . Does openssl-3.0 implements this requirement? Is there any patches available? Regards Nag

FIPS compliance with openssl-1.1.1j

2021-03-12 Thread Nagarjun J
Hi, How to be FIPS compliant with openssl-1.1.1j version, as it does not have fips object module, are there any ways? Regards Nagarjun

[no subject]

2021-02-17 Thread Nagarjun J
Hi, I am building Nginx application with openssl-3.0.0, i have added below code in main function of nginx application to load fips provider, OSSL_PROVIDER *fips; OSSL_PROVIDER *base; fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips == NULL) { printf("Failed to

Openssl_3.0.0 stable release

2021-02-17 Thread Nagarjun J
Hi, Any one have idea when openssl-3.0.0 stable version can be expected? -Nagarjun

[no subject]

2021-02-16 Thread Nagarjun J
Hi, How to verify if the application is using fips provider from openssl-3.0.0 (similar to fips_mode() api in openssl-fips-2.0.16) and does fips provider do run time check and throw error if application is using non fips ciphers. Regards, Nagarjun

SP800-56A REV3

2021-02-08 Thread Nagarjun J
Hi , What is this SP800-56A REV3 new FIPS requirement, How it affects ECDH , how it is different from openssl-2.0.16 ECDH implication. Which all functions that affects. Regards Nagarjun

Openssl-3.0.0 POST

2021-02-05 Thread Nagarjun J
Hello, Can any one tell , how to run POST tests in openssl-3.0.0. Regards, N

Assembly build issues for UEFI with nasm and RtlVirtualUnwind

2020-08-19 Thread Zurcher, Christopher J
Within the TianoCore/EDK2 project for UEFI, the prescribed assembler is NASM. In order build the 64-bit assembly config of OpenSSL with .nasm files, it appears that the Windows API function RtlVirtualUnwind is required. For my current implementation I have provided a stub function to satisfy

Re: Goodbye

2020-07-04 Thread Thomas J. Hruska
Rich, I just want to wish you well on your future endeavors. You've got valuable skills as a software developer. Hopefully whatever negative experiences you've recently encountered won't dissuade you from contributing to open source projects in the future. There are, after all, an infinite

Re: Differently named symbols between OpenSSL and RFC

2019-11-30 Thread J Decker
On Fri, Nov 29, 2019 at 10:16 AM Viktor Dukhovni wrote: > On Thu, Nov 28, 2019 at 04:31:38PM -0800, J Decker wrote: > > > from openssl/tls1.h 1.1.1b > > > > # define TLSEXT_TYPE_psk_kex_modes 45 > > This was added in 1.1.1-dev. > > > pre_sh

Differently named symbols between OpenSSL and RFC

2019-11-28 Thread J Decker
I made this issue on LibreSSL's github... https://github.com/libressl-portable/portable/issues/537 It's about ... TLSEXT_TYPE_psk_kex_modes: from openssl/tls1.h 1.1.1b # define TLSEXT_TYPE_psk_kex_modes 45 from libressl/2.9.2 tls1.h #define TLSEXT_TYPE_psk_key_exchange_modes

RE: OpenSSL compilation errors in Windows

2019-11-01 Thread Nagalakshmi V J
Hi Matt, Thanks for your help. I am able to proceed now. Thanks and regards, Nagalakshmi -Original Message- From: Matt Caswell Sent: Wednesday, October 30, 2019 7:55 PM To: Nagalakshmi V J ; openssl-users@openssl.org Subject: Re: OpenSSL compilation errors in Windows ** This mail has

RE: OpenSSL compilation errors in Windows

2019-10-30 Thread Nagalakshmi V J
Hi Matt, Any inputs on the below query? Thanks and regards, Nagalakshmi From: Nagalakshmi V J Sent: Tuesday, October 29, 2019 5:25 PM To: Matt Caswell ; Nagalakshmi V J ; openssl-users@openssl.org Subject: Re: OpenSSL compilation errors in Windows Hi Matt, Thank you so much for your response

Re: OpenSSL compilation errors in Windows

2019-10-29 Thread Nagalakshmi V J
enssl.org/docs/man1.1.0/man3/SSL_CTX_set_generate_session_id.html Not sure if I can use the above link. Thanks & Regards, Nagalakshmi V J From: Matt Caswell Sent: 29 October 2019 10:47 To: Nagalakshmi V J ; openssl-users@openssl.org Subject: Re: OpenSSL

Re: OpenSSL compilation errors in Windows

2019-10-29 Thread Nagalakshmi V J
Hi All, Appreciate the response for the below query. Anyone faced the same issue? Thanks & Regards, Nagalakshmi V J From: Nagalakshmi V J Sent: 24 October 2019 03:29 To: Nagalakshmi V J ; Matt Caswell ; openssl-users@openssl.org Subject: Re: Ope

Re: OpenSSL compilation errors in Windows

2019-10-23 Thread Nagalakshmi V J
Hi Matt, Kindly provide your inputs for the below mail. Thanks & Regards, Nagalakshmi V J From: Nagalakshmi V J Sent: 22 October 2019 10:41:40 To: Matt Caswell ; openssl-users@openssl.org Cc: Nagalakshmi V J Subject: RE: OpenSSL compilation errors in Win

RE: OpenSSL compilation errors in Windows

2019-10-22 Thread Nagalakshmi V J
, void *p2); } /* EVP_MD */ ; Thanks and regards, Nagalakshmi From: Nagalakshmi V J Sent: Tuesday, October 22, 2019 9:39 AM To: Matt Caswell ; Nagalakshmi V J ; openssl-users@openssl.org Subject: Re: OpenSSL compilation errors in Windows Hi Matt, Yes. Exactly we followed the same and able to resolve e

Re: OpenSSL compilation errors in Windows

2019-10-21 Thread Nagalakshmi V J
Hi Matt, Yes. Exactly we followed the same and able to resolve errors. Thank you so much for the support and guidance. I'll get back if any further errors. Thanks & Regards, Nagalakshmi V J From: Matt Caswell Sent: 21 October 2019 21:26:32 To: Nagalakshmi

Re: OpenSSL compilation errors in Windows

2019-10-20 Thread Nagalakshmi V J
Hi Matt, This link is having few APIS. But for getting master_key_length, I don't find any API. Not sure if we need to use getMasterKey API for that. I will try to use these APIs and get back. Thanks & Regards, Nagalakshmi V J From: Matt Caswell Sent

RE: OpenSSL compilation errors in Windows

2019-10-18 Thread Nagalakshmi V J
Caswell Sent: Thursday, October 3, 2019 6:51 PM To: openssl-users@openssl.org Subject: Re: OpenSSL compilation errors in Windows ** This mail has been sent from an external source ** On 03/10/2019 11:10, Nagalakshmi V J wrote: > Hi Matthias, > > > > Please find my response for your queri

Blake2b with key

2019-10-08 Thread van Hemel, Wouter J M
Hello, I'm trying to create a blake2b512 digest with a key. I've made an attempt to follow the source code and I'm assuming the algorithm's name for blake2b MAC is blake2bmac, though I have tried different values. I don't seem to be able to create a valid checksum: $ openssl version; echo -n

RE: OpenSSL compilation errors in Windows

2019-10-03 Thread Nagalakshmi V J
. [Nagalakshmi]: In our product code, we are using the structures 'ssl_st' and 'ssl_session_st' which were defined in ssl.h file in Openssl 1.0.2.j version. Since the structure definitions are made opaque in openssl 1.1.1c, we used ssl_locl.h where the structure definitions are available. Please note

RE: OpenSSL compilation errors in Windows

2019-10-01 Thread Nagalakshmi V J
Hi Salz, I am working on that only. I will try to not use those internal files as per the suggestions. Thanks and regards, Nagalakshmi From: Salz, Rich Sent: Tuesday, October 1, 2019 6:30 PM To: Nagalakshmi V J ; Sergio NNX ; Dr. Matthias St. Pierre ; Michael Mueller Cc: openssl-users

RE: OpenSSL compilation errors in Windows

2019-10-01 Thread Nagalakshmi V J
. Pierre Sent: Tuesday, October 1, 2019 4:43 PM To: Nagalakshmi V J Cc: openssl-users@openssl.org; Umamaheswari Nagarajan Subject: AW: OpenSSL compilation errors in Windows ** This mail has been sent from an external source ** > We are using OpenSSL APIs in our product code. We are not mak

RE: OpenSSL compilation errors in Windows

2019-09-30 Thread Nagalakshmi V J
option to get the compilation successful. Thanks and regards, Nagalakshmi From: Sergio NNX Sent: Monday, September 30, 2019 9:06 PM To: Dr. Matthias St. Pierre ; Nagalakshmi V J ; Michael Mueller Cc: openssl-users@openssl.org; Umamaheswari Nagarajan Subject: Re: OpenSSL compilation errors

RE: OpenSSL compilation errors in Windows

2019-09-30 Thread Nagalakshmi V J
Mueller Sent: Monday, September 30, 2019 4:05 PM To: Nagalakshmi V J Cc: openssl-users@openssl.org; Umamaheswari Nagarajan Subject: Re: OpenSSL compilation errors in Windows ** This mail has been sent from an external source ** We compile using Visual Studio. We don't use 'warnings as errors

RE: OpenSSL compilation errors in Windows

2019-09-30 Thread Nagalakshmi V J
To: Nagalakshmi V J ; openssl-users@openssl.org Cc: Umamaheswari Nagarajan Subject: AW: OpenSSL compilation errors in Windows ** This mail has been sent from an external source ** > Getting the errors like below. ssl/packet_locl.h(429) : error C2440: > '=' : cannot convert from 'void *' to 'un

OpenSSL compilation errors in Windows

2019-09-30 Thread Nagalakshmi V J
Hi, I am using openssl 1.1.c from our product code. While compiling the code, I am getting the errors which can be suppressed as warnings using -fpermissive flag in Linux (gcc/g++). In windows, I am getting the same compilation errors in visual studio (2005). Would like to know the alternative

How to set "e" in RSA structure ?

2019-07-10 Thread Swamy J-S
"e" inside rsa? Pls suggest me corresponding API Thanks and Regards, SWAMY J S

Re: Information on Build.info

2019-06-19 Thread J. J. Farrell
*     to * DEPEND[libssl]=libcrypto.a* please let me know Thanks and Regards Shivakumar -- J. J. Farrell Not speaking for Oracle

Requesting information regarding OpenSSL upgrade

2019-06-17 Thread Nagalakshmi V J
Hi All, We are currently using OpenSSL version 1.0.2j. Since OpenSSL 1.0.2 support is going to be stopped by end of this year, we are planning to upgrade to 1.1.1c version. We are using Compiler GCC 3.4.3 in Linux and vc6 in Windows. Can we go ahead with these compiler versions while

Re: BIO in memory usage....

2019-06-16 Thread J Decker
On Sun, Jun 16, 2019 at 3:17 AM Tobias Wolf wrote: > I`d like to understand how a memory bio can be reseted with the internal > read counter back to zero for further reusage. > > > > e.g. > > I want to try to read first der and then pem > > > > d2i_X509

Re: Query related to SSL_CTX_set_msg_callback_arg

2019-06-10 Thread J. J. Farrell
any other way to do it. -- J. J. Farrell Not speaking for Oracle

Issue with EVP_sha256 and Tspi_Context_CreateObject

2019-06-10 Thread Swamy J-S
Hi, Earlier with openssl 1.0.2n version, I was using EVP_sha256 for creating Certificate Signing Request and "TSS_HASH_OTHER" flag in Tspi_Context_CreateObject. Recently I upgraded openssl to 1.1.0g version and now am getting "Signature Verify Failure" in my CSR. I have attached the

Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

2019-06-07 Thread J Decker
On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users < openssl-users@openssl.org> wrote: > Re: openssl-1.0.2r > > Re: openssl-fips-2.0.16 > > OS: Linux Mint 19.1 (Ubuntu) > > > > I have added a shared library initializer function to cryptlib.c to force > OpenSSL into FIPS mode, without

Re: Reg missing rc4-ia64.pl in openssl 1.1.1

2019-05-31 Thread J. J. Farrell
On 31/05/2019 16:23, Jakob Bohm via openssl-users wrote: On 30/05/2019 02:10, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of J. J. Farrell On 29/05/2019 18:39, ramakrushna mishra wrote: In Openssl 1.1.1,  the file "rc4-ia64.pl"

c2i_ASN1_INTEGER function in Openssl 1.1.0

2019-05-30 Thread Swamy J-S
Hi, I recently updated openssl from 1.0.2n to 1.1.0g in linux system. Earlier I was using "ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, long len) " function. As this function is removed in openssl 1.1.0, now i replaced this with "ASN1_INTEGER

Re: Reg missing rc4-ia64.pl in openssl 1.1.1

2019-05-29 Thread J. J. Farrell
2; I'm surprised that a degradation of performance on it matters to anyone. -- J. J. Farrell Not speaking for Oracle

Re: Building OpenSSL with Emscripten

2019-05-20 Thread J Decker
https://stackoverflow.com/questions/52327290/linking-openssl-with-webassembly Looks very similar... 'target_link_libraries(mainTest crypto) after that it all worked without warnings.' On Mon, May 20, 2019 at 1:56 AM Richard Levitte wrote: > The issue isn't with any defined or not so defined

Re: EVP_aes_128_cbc_hmac_sha256() not working on arm64 architecture

2019-05-08 Thread Mirko J. Ploch
Thank you Matt. You have been very helpful. On Tue, May 7, 2019 at 6:40 PM Matt Caswell wrote: > > > On 07/05/2019 20:47, Mirko J. Ploch wrote: > > Thank you for your response. You answered my question. It is not > available on my > > target platform architecture (a

Re: EVP_aes_128_cbc_hmac_sha256() not working on arm64 architecture

2019-05-07 Thread Mirko J. Ploch
encryption algorithm. https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-31#appendix-B Best Regards, Mirko On Tue, May 7, 2019 at 11:45 AM Matt Caswell wrote: > > > On 06/05/2019 16:41, Mirko J. Ploch wrote: > > Hello, > > > > I'm trying to use

EVP_aes_128_cbc_hmac_sha256() not working on arm64 architecture

2019-05-06 Thread Mirko J. Ploch
at the code for EVP_aes_128_cbc_hmac_sha256, it does not look like it. I'm hoping that there is a way to get it working. https://github.com/openssl/openssl/blob/OpenSSL_1_1_1b/crypto/evp/e_aes_cbc_hmac_sha256.c Thank you, Mirko J. Ploch

RE: Where to copy custom openssl engine library in openssl 1.1.0

2019-04-25 Thread Swamy J-S
added “export OPENSSL_CONF=path_to_config” in /etc/environment file. And ran the command “openssl engine store -t -c”. Still am getting same error as store not found when I run my application. Thanks and Regards, SWAMY J S From: Dmitry Belyavsky Sent: Thursday, April 25, 2019 1:44 PM To: Swamy J

Where to copy custom openssl engine library in openssl 1.1.0

2019-04-25 Thread Swamy J-S
application the it says Store Engine not found. There is path issue here, am i copying the library in right path? I copied my library in /lib/x86_64-linux-gnu still am getting same error. Please let me know the right path where i have to copy this engine? Thanks and Regards, SWAMY J S

Error in M_ASN1_New_of function in openssl 1.1.0g

2019-04-19 Thread Swamy J-S
dding "_it" to CertInfo unnecessarily**. Thanks and Regards, SWAMY J S

CRYPTO_LOCK_X509_STORE in OpenSSL 1.1.0

2019-04-15 Thread Swamy J-S
Hi All, I updated openssl from 1.0.2n to 1.1.0g recently and facing some errors in building my application because many functions and structures are opaque now in 1.1.0g. Errors am getting are as below : error: ‘CRYPTO_LOCK_X509_STORE’ undeclared (first use in this function); did you mean

ASN1_CTX usage in openssl 1.1.0

2019-04-11 Thread Swamy J-S
error as /usr/include/openssl/asn1_mac.h:10:2: error: #error "This file is obsolete; please update your software." Thanks and Regards, SWAMY J S

How to disable TLS 1.3 in OpenSSL 1.1.1

2019-03-21 Thread Swamy J-S
while building openssl 1.1.1 to disable TLS 1.3 or can i get any package from ubuntu to disable TLS 1.3 ? Thanks and Regards, SWAMY J S

RE: cURL with openSSL 1.1.1 version

2019-03-20 Thread Swamy J-S
?? Thanks and Regards, SWAMY J S From: Nicola Sent: Tuesday, March 19, 2019 2:22 PM To: Swamy J-S Cc: openssl-users@openssl.org Subject: Re: cURL with openSSL 1.1.1 version CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize

cURL with openSSL 1.1.1 version

2019-03-19 Thread Swamy J-S
. Regards, SWAMY J S

Re: In-memory SSL_CTX_use_certificate_chain_file?

2019-03-17 Thread J Decker
On Sun, Mar 17, 2019 at 5:17 PM Felipe Gasper wrote: > > > On Mar 17, 2019, at 7:55 PM, J Decker wrote: > > > On Sun, Mar 17, 2019 at 4:46 PM Felipe Gasper > wrote: > >> Buffer, not buffet. Silly autocorrect! >> >> -F >> >>

Re: In-memory SSL_CTX_use_certificate_chain_file?

2019-03-17 Thread J Decker
On Sun, Mar 17, 2019 at 4:46 PM Felipe Gasper wrote: > Buffer, not buffet. Silly autocorrect! > > -F > > > On Mar 17, 2019, at 7:21 PM, Felipe Gasper > wrote: > > > > Hello, > > > > Is there any equivalent to SSL_CTX_use_certificate_chain_file for a PEM > buffet that’s already in memory? >

Re: AW: OpenSSL version 1.1.1b published

2019-02-26 Thread Thomas J. Hruska
On 2/26/2019 10:05 PM, Dr. Matthias St. Pierre wrote: Hi Thomas, Unlike previous releases, this tar-gzipped file contains a 52 byte file called 'pax_global_header'. The contents of the file contain a single line of text: 52 comment=50eaac9f3337667259de725451f201e784599687 my extracted

Re: OpenSSL version 1.1.1b published

2019-02-26 Thread Thomas J. Hruska
On 2/26/2019 7:54 AM, OpenSSL wrote: The distribution file name is: o openssl-1.1.1b.tar.gz Size: 8213737 SHA1 checksum: e9710abf5e95c48ebf47991b10cbb48c09dae102 SHA256 checksum: 5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b Unlike previous

Re: [openssl-users] when should client stop calling SSL_read to get TLS1.3 session tickets after the close_notify?

2019-02-18 Thread J Decker
On Mon, Feb 18, 2019 at 2:18 PM Jakob Bohm via openssl-users < openssl-users@openssl.org> wrote: > On 17/02/2019 14:26, Matt Caswell wrote: > > On 16/02/2019 05:04, Sam Roberts wrote: > >> On Fri, Feb 15, 2019 at 3:35 PM Matt Caswell wrote: > >>> On 15/02/2019 20:32, Viktor Dukhovni wrote: >

Re: [openssl-users] Authentication over ECDHE

2018-12-29 Thread J. J. Farrell
On 29/12/2018 17:18, C.Wehrmeyer wrote: On 29.12.18 17:21, J. J. Farrell wrote:> So instead of correct portable code which derives obviously and > straightforwardly from the specification, you'd write arrays of a > different length from the original, the first 48 bytes of which wou

Re: [openssl-users] Authentication over ECDHE

2018-12-29 Thread J. J. Farrell
ronments, and even in the cases where those 48 bytes end up correct they have no obvious relationship to the specification they are implementing (your obfuscation making the code much more difficult to review). How are these changes improvements? I'd walk you out of an interview if y

Re: [openssl-users] openssl 1.1.1 manuals

2018-12-27 Thread J. J. Farrell
://www.openssl.org/docs/man1.1.1 redirect to https://www.openssl.org/docs/man1.1.0? (I think that 1.1.1 ought to be generated) -- J. J. Farrell Not speaking for Oracle -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Celebrating 20 Years of OpenSSL

2018-12-20 Thread Mark J Cox
Just about 20 years ago we released the first OpenSSL, but that wasn't the original name for the project. Read more in the blog post at https://www.openssl.org/blog/blog/2018/12/20/20years/ Regards, Mark J Cox

Re: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate

2018-10-08 Thread J Decker
It was my interpretation that 0 pathlen on the root self signed meant infinite. The pathlen only applies on the certs between root and the leaf (which obviously can be 0, and CA true or not, but bad form to say true I'd imagine.) On Mon, Oct 8, 2018 at 1:57 AM Peter Magnusson <

Re: [openssl-users] NMAKE fatal error, 32-bit time_t

2018-09-12 Thread Thomas J. Hruska
On 9/12/2018 7:03 AM, Viktor Dukhovni wrote: On Sep 12, 2018, at 9:53 AM, Thomas J. Hruska wrote: Casting to time_t appears to correct the issue and the build completes successfully: const time_t default_time = (time_t)CT_POLICY_EVAL_CTX_get_time(ct_policy_ctx

[openssl-users] NMAKE fatal error, 32-bit time_t

2018-09-12 Thread Thomas J. Hruska
cl /Z7 /Fdapp.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 /WX /I "include" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"OPENSSL_USE_APPLINK" -D"NDEBUG" -D_USE_32BIT_TIME_T

Re: [openssl-users] Using Windows system certficate store for server authentication

2018-09-08 Thread J Decker
On Fri, Sep 7, 2018 at 11:55 PM Juan Isoza wrote: > > It's a good idea using openssl under windows (with new openssl 1.1.1, we > will be able to use TLS 1.3 under Windows, from 7/2008 to 10/2016) instead > internal windows crypto.. > > But, by example, curl build for windows with openssl need a

Re: [openssl-users] passing CA bundle as buffer, instead of file path, to X509_STORE_CTX_ functions

2018-09-04 Thread J Decker
You can use a BIO_new( BIO_s_mem() ) to feed the memory through BIO_write and PEM_read_bio_X509 something like ... https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L780 On Tue, Sep 4, 2018 at 8:07 AM Eli Golosovsky wrote: > Is there an option, in *OpenSSL 1.1.1*, to load a CA

[openssl-users] Problem in Building openssl_1.0.2p in Visual Studio 2015

2018-08-30 Thread Swamy J-S
YPTO ms\version32.rc 'rc' is not recognized as an internal or external command, operable program or batch file. NMAKE : fatal error V1077: 'rc' : return code '0x1' Stop. 1 dir(s) moved. 1 dir(s) moved." I have attached screenshot too. Thanks and Regards, SWAMY J S -- o

Re: [openssl-users] OpenSSL version 1.1.0i published

2018-08-14 Thread Thomas J. Hruska
I notice the release distribution for 1.1.0i includes a preconfigured makefile whereas 1.1.0h and earlier do not. -- Thomas Hruska Shining Light Productions Home of BMP2AVI and Win32 OpenSSL. http://www.slproweb.com/

Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread J Decker
a root cert is the self signed cert. On Thu, May 3, 2018 at 2:50 AM, morthalan wrote: > But In my case, I do not have any root certificate. I have only one signed > certificate (SignedCertificate.pem) and one certificate signing request > (certReq.pem) . So when I

Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread J Decker
Or using the javascript interface https://www.npmjs.com/package/sack.vfs#interface https://github.com/d3x0r/sack.vfs/blob/master/tests/tlsTest.js#L28 if( vfs.TLS.validate( {cert:signedCert3, chain:signedCert2+cert} ) ) console.log( "Chain is valid." ); On Thu, May 3, 2018 at 1

Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread J Decker
https://github.com/d3x0r/sack.vfs/blob/master/src/tls_interface.cc#L1538 this routine does cert validation but I don't think that's what you want this verified on a connection https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L274 which boils down to

Re: [openssl-users] Has client validated successfully?

2018-02-20 Thread J Decker
; In other words, you can only know if the client's applied policy > > allows the connection to continue. You cannot know if the policy that > > was applied was specifically related to the certificate chain > > presented. > > > > -Kyle H > > > > On Mon, Feb 12,

[openssl-users] Has client validated successfully?

2018-02-12 Thread J Decker
Is there a way for a server to know if the client verified the cert chain successfully or not?

Re: [openssl-users] Correct way to free SSL_CTX* ?

2018-01-28 Thread J Decker
On Sun, Jan 28, 2018 at 7:05 PM, pratyush parimal < pratyush.pari...@gmail.com> wrote: > Hi all, > > I'm trying to write an application in which I create an instance of > SSL_CTX* using SSL_CTX_new(), and set the following things in it: > > (1) An EVP_PKEY* : > 1a> created with

[openssl-users] Fwd: Simplifying the security policy

2018-01-23 Thread Mark J Cox
At our face to face we took a look at the security policy and noticed that it contained a lot of background details of why we decided on the policy that we did (in light mostly of the issues back in 2014) as well as a bit of repeated and redundant information. We've taken some time to simplify

Re: [openssl-users] Fwd: Information to detach a BIO from fd

2018-01-13 Thread J Decker
I'm not 100% sure what you're doing I'd imagine that if SSL was managing the fd's you wouldn't have this issue. You have to call accept() to get a new FD... and you'll only get that once, so when you accept() you should attach the bio and call ssl_accept(), no? On Fri, Jan 12, 2018 at 5:52 PM,

Re: [openssl-users] cert chain file ordering question

2018-01-09 Thread J Decker
The certs are built into a stack... they are pushed... so element 0 is the last thing in the list. The chain starts with 0, and then can search the rest. On Tue, Jan 9, 2018 at 2:55 PM, Norm Green wrote: > On 1/9/2018 6:03 AM, Benjamin Kaduk wrote: > >> Did you

Re: [openssl-users] Sudden control data sent during large transfer.

2017-12-25 Thread J Decker
( result < amount_to_send ) { /* sent less than full packet */ } so I ended up backing up the send offset by 1 byte instead of 0 bytes... this was then injecting 1 extra byte into the TCP layer. On Mon, Dec 25, 2017 at 1:38 PM, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 23/12/2

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread J Decker
On Fri, Dec 22, 2017 at 8:40 PM, Viktor Dukhovni <openssl-us...@dukhovni.org > wrote: > > > > On Dec 22, 2017, at 11:33 PM, J Decker <d3c...@gmail.com> wrote: > > > > Very similar to OpenSSL 1.0.2, plus its own extensions. That's not > exactly > >

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread J Decker
On Fri, Dec 22, 2017 at 7:23 PM, Viktor Dukhovni <openssl-us...@dukhovni.org > wrote: > > > > On Dec 22, 2017, at 10:21 PM, J Decker <d3c...@gmail.com> wrote: > > > > I would also suggest check out LibreSSL which uses the same API as > OpenSSL > >

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread J Decker
On Fri, Dec 22, 2017 at 4:44 AM, Jan Graczyk wrote: > Hello OpenSSL-Users, > > > > I am actually evaluating OpenSSL stack software to be possibly used in my > company next generation products. We would like to have a secure connection > between our device TCP/IP stack and web

[openssl-users] Sudden control data sent during large transfer.

2017-12-22 Thread J Decker
How can I know what/why openssl is sending control data? I have this Node addon that uses TLS 1.2 to communicate. I'm sending a large file transfer (100M), which is chunked into 8100 byte blocks and sent on websocket protocol. It's additionally chunked into 4327 byte blocks (which after encoding

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread J Decker
I'm pretty sure you need the root also, not just the intermediate CA... I use a custom generated chain... I encode the root cert in the application, and then pass it when initializing the client socket. This bit of code takes the root cert and adds it to the SSL_CTX the client socket is created

[openssl-users] How to know maximum sendable fragment size?

2017-11-06 Thread J Decker
I've been developing this NodeJS plugin, it implements HTTPS server and now client. I was having an issue with HTTPS request getting ECONNRESET for no apparent reason; so I implemented my own request, and ran into the same sort of issue. What I was requesting was some .js files from the server,

[openssl-users] Latest releases missing from website

2017-11-03 Thread Thomas J. Hruska
I still only see 1.0.2l and 1.1.0f at: https://www.openssl.org/source/ Tried multiple browsers, flushed caches, etc. The problem does not appear to be on my end of things. -- Thomas Hruska Shining Light Productions Home of BMP2AVI and Win32 OpenSSL. http://www.slproweb.com/ --

Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

2017-10-09 Thread Thomas J. Hruska
On 10/9/2017 7:49 AM, Jakob Bohm wrote: On 09/10/2017 16:43, Thomas J. Hruska wrote: On 10/9/2017 7:29 AM, Jakob Bohm wrote: I suggest you find a good authoritative source for your claim that select() should not be used with blocking sockets. http://man7.org/linux/man-pages/man2/select.2

Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

2017-10-09 Thread Thomas J. Hruska
On 10/9/2017 7:29 AM, Jakob Bohm wrote: I suggest you find a good authoritative source for your claim that select() should not be used with blocking sockets. http://man7.org/linux/man-pages/man2/select.2.html Section BUGS: "Under Linux, select() may report a socket file descriptor as "ready

Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

2017-10-09 Thread Thomas J. Hruska
On 10/9/2017 1:32 AM, Michel wrote: With blocking sockets, you just loop back around and repeat the same call if either of those messages are returned by SSL_get_error(). No select() required. Yes, you have to repeat the same call, but select() is still useful, especially with blocking

Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

2017-10-08 Thread Thomas J. Hruska
On 10/8/2017 5:58 PM, Kyle Hamilton wrote: Do you have a reference to what should be done instead? My understanding of what happens with blocking sockets is that SSL_read() will return SSL_ERROR_WANT_READ if it needs additional data read from a socket that doesn't have it available (and will

Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

2017-10-08 Thread Thomas J. Hruska
On 10/8/2017 7:28 AM, Michel wrote: While I understand that using non-blocking descriptors is a better practice, I still do not see why select() should NEVER be used for blocking sockets (except when combined/interfered with the internal OpenSSL state machine or equivalent mechanism). Could you

Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

2017-10-08 Thread Thomas J. Hruska
On 10/8/2017 4:17 AM, Kyle Hamilton wrote: The way to handle this situation is simply to never enter SSL_read() if there isn't anything to read on the socket. select() or pselect() are your friends, here, because they'll tell you if there's data to read from the underlying file descriptor. I

Re: [openssl-users] Considering C# OpenSSL openssl-net-master

2017-07-26 Thread J. J. Farrell
g from version 1.2 and all the cipher suites". Perhaps he's found his first bug, since the client isn't offering all the TLS 1.2 cipher suites ... -- J. J. Farrell Not speaking for Oracle

Re: [openssl-users] Open ssl & Freeradius

2017-07-25 Thread Thomas J. Hruska
On 7/25/2017 4:15 AM, Seniha S. ÖZTEMİZ TULGAR wrote: Hello, I installed the new version of freeradius and trying to configure it. My windows10 clients gets authenticated but windows7 clients gets the following errors. It seems that it is about openssl. Can you help me regarding this problem.

Re: [openssl-users] ECDSA_SIG_new and ECDSA_SIG_free details

2017-01-12 Thread J. J. Farrell
ll pointer was not all-bits-zero, but it's decades since I heard of such a machine at large in the real world. -- J. J. Farrell Not speaking for Oracle

Re: [openssl-users] Signing an XML file

2016-12-14 Thread Thomas J. Hruska
On 12/14/2016 3:28 AM, Dr. Stephen Henson wrote: On Wed, Dec 14, 2016, Salz, Rich wrote: Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++ users? Look at the apps/pkcs7.c file as a starting point. Get the command line doing what you want, and then work through the
