Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-12-09 Thread Emilia Käsper
To close off this thread: OpenSSL will not be making any changes. The team voted on moving a set of algorithms to maintenance mode, and removing the corresponding assembly implementations from libcrypto, but the vote did not pass. Emilia On Fri, Nov 27, 2015 at 10:19 AM, Tim Hudson

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-17 Thread Emilia Käsper
On Tue, Nov 17, 2015 at 11:12 AM, Jeffrey Walton wrote: > > MD2 - (The argument that someone somewhere may want to keep verifying old > > MD2 signatures on self-signed certs doesn't seem like a compelling enough > > reason to me. It's been disabled by default since OpenSSL

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-16 Thread Emilia Käsper
n, Nov 16, 2015 at 2:21 PM, Hubert Kario <hka...@redhat.com> wrote: > On Friday 13 November 2015 14:40:33 Emilia Käsper wrote: > > Hi all, > > > > We are considering removing from OpenSSL 1.1 known broken or outdated > > cryptographic primitives. As you may know the

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-16 Thread Emilia Käsper
or any of the other algorithms, please let us know! Thanks, Emilia On Mon, Nov 16, 2015 at 7:25 PM, Hubert Kario <hka...@redhat.com> wrote: > On Monday 16 November 2015 16:51:10 Emilia Käsper wrote: > > IDEA, MD2, MDC2, RC5, RIPEMD, SEED, Whirlpool, binary curves > > >

[openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-13 Thread Emilia Käsper
Hi all, We are considering removing from OpenSSL 1.1 known broken or outdated cryptographic primitives. As you may know the forks have already done this but I'd like to seek careful feedback for OpenSSL first to ensure we won't be breaking any major applications. These algorithms are currently

Re: openssl sends alert to a ServerHello that contains empty server_name

2014-10-24 Thread Emilia Käsper
The server is sending back a servername extension where the extension_data has length 2, and the data consists of two 0-bytes. An empty extension, as required by the RFC, would have length 0, and empty data. That'd mean the problem is on their end, I think. Cheers, Emilia On Fri, Oct 24, 2014

Re: FIPS 1.2.4 and OpenSSL 0.9.8zc Fails 'make test'

2014-10-17 Thread Emilia Käsper
Yes, I think that's a reasonable solution. The new test was added together with the bugfix as a regression test. Disabling it would bring you back to the earlier state without any further regression. Cheers, Emilia On Thu, Oct 16, 2014 at 5:37 PM, Russell Selph rse...@tibco.com wrote: Thanks.

Re: compile prob with xlc/aix 0.9.8zc

2014-10-16 Thread Emilia Käsper
Does applying the following two patches fix your build? http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=8202802fadf7f70c656b92f3697da39c9c4271d7 http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e2e5326e5b068411999f62b4ba67835d64764ca5 These are build fixes that we appear to have

Re: compile prob with xlc/aix 0.9.8zc

2014-10-16 Thread Emilia Käsper
' gmake: *** [build_crypto] Error 1 I was wrong in my original note, this fails at the same spot on hpux parisc and ia64, 11iv1 to v3 *From:* owner-openssl-us...@openssl.org [mailto: owner-openssl-us...@openssl.org] *On Behalf Of *Emilia Käsper *Sent:* Thursday, October 16, 2014 12:37

Re: compile prob with xlc/aix 0.9.8zc

2014-10-16 Thread Emilia Käsper
works Trying this without the patches to see if it builds as well. *From:* owner-openssl-us...@openssl.org [mailto: owner-openssl-us...@openssl.org] *On Behalf Of *Emilia Käsper *Sent:* Thursday, October 16, 2014 1:39 PM *To:* openssl-users@openssl.org *Subject:* Re: compile prob

Re: clarification regarding CVE-2014-3510

2014-09-07 Thread Emilia Käsper
Hi, CVE-2014-3510 affects anonymous DH and ECDH ciphersuites only. The additional modification for RSA key exchange is just us being pedantic: we added an internal error for an impossible-to-reach condition. It is a safety net to avoid regression, should something change in the surrounding code.