On 2022-11-15 21:36, Phillip Susi wrote:
Jakob Bohm via openssl-users writes:
Performance wise, using a newer compiler that implements int64_t etc. via
frequent library calls, while technically correct, is going to run
unnecessarily slow compared to having algorithms that actually use the
optimal integral sizes for the hardware/compiler combination.
I seem to recall using at least one bignum library (not sure if OpenSSL
or not) that could be configured to use uint32_t and uint16_t using the
same C code that combines uint64_t and uint32_t on newer hardware.
Enjoy
Jak
ct.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
t provider should get first chance to
find/provide the key.
Enjoy,
Jakob Bohm
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
eal the
exact group parameters or public key, that would be different (but still
needed)
APIs/parameters. For example, it would return 4096 for RSA4096, 384 for
the
NIST P-384 curve etc.
Enjoy,
Jakob Bohm
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformerv
PS : This question is for knowledge purpose only, I don't use RSA keys
anymore (except with GPG), I prefer ECC :)
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may c
use OpenSSL in
an application originally designed around another open
cryptographic API. Where the application included such things as
optional use of a different AES mode, and security rules for when/if
to restore algorithm states in error/trial decryption scenarios.
Enjoy
Jakob
--
Jakob
, such as Google's
own tracking code.
On 2021-12-03 13:04, Matt Caswell wrote:
Please see my blog post on starting the QUIC design here:
https://www.openssl.org/blog/blog/2021/12/03/starting-the-quic-design/
Matt
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
99.1.1
RedFishBazQux=1.3.6.1.4.1.999.1.2
From there, you should be able to use the new OID names in relevant
sections and options, using the generic syntax that explicitly
states how each value needs to be encoded.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Tran
neither of them use an external entropy/seed source.
Are there better examples of what I am looking for?
Thanks,
Kory
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is
eed more than 256 independent random bits to satisfy
their
security design. Some of the newer RNGs in OpenSSL presume otherwise in
their
government design.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16
or justification) for this excessive footprint?
Thanks,
Reinier
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Se
use to a non-blocking socket due
to platform and application limitation
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo
a special higher level
local namespace or "??" for another special namespace.
share is the first level below machine, in particular it is the exported
name of a remote file system or object.
ordinary\path is whatever else needs to be added to the path for a
specific use
--
Jako
_initialize in http_tcpip_inbound.c.o
"_X509_free", referenced from:
_http_tcpip_outbound_get_url_using_string_type_tls in
http_tcpip_outbound.c.o ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see
invocation) gmake[3]:
in this file, which I can not
decipher. What I have tried with openssl's rsautl and smime does not
seem to work for me.
May be someone of you can push me in the right direction, thanks!
Try the "openssl cms" command, or its older sibling "openssl smime" .
Enjoy
Jako
),
keyCertSign (5),
cRLSign (6),
encipherOnly(7),
decipherOnly(8) }
There are OIDs in the extendedKeyUsage:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
Enjoy
Jakob
--
Jakob
identities for posting to such
public lists, using a different disclaimer in the sig-block.
I hope this can inspire other sysadmins to set up something similar.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 3
On 2021-06-18 17:07, Viktor Dukhovni wrote:
On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote:
Now the client simply works backwards through that list, checking if
each certificate signed the next one or claims to be signed by a
certificate in /etc/certs
On 2021-06-18 16:23, Michael Wojcik wrote:
From: openssl-users On Behalf Of Jakob
Bohm via openssl-users
Sent: Friday, 18 June, 2021 07:10
To: openssl-users@openssl.org
Subject: Re: reg: question about SSL server cert verification
On 2021-06-18 06:38, sami0l via openssl-users wrote:
I'm
about trust errors.
OpenSSL documentation tends to bury its handling of all
this way too deep inside the programmer documentation
rather than explaining things clearly in the end user
documentation.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 286
that.
Defining a sufficiently narrow exception is left as an exercise
for implementors.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo
for reporting
issues/bugs in the backport work.
3. The README.fixes document should, if possible, be made available to
the upstream project
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public
r bureaucratic reasons etc. Or
as quoted by Michael, a rule that all roots must be universal roots with
the no-EKU implicit wildcard.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public dis
': No such file or directory
$ ls -alF /usr/local/bin/openssl
ls -alF /usr/local/bin/openssl
ls: cannot access '/usr/local/bin/openssl': No such file or directory
$ /usr/local/bin/openssl version -a
/usr/local/bin/openssl version -a
-bash: /usr/local/bin/openssl: No such file or directory
*
ssl-dev
$ dpkg --status openssl
$ type openssl
$ openssl version -a
$ ls -alF /usr/lib/x86_64-linux-gnu/libssl*
$ ls -alF /usr/locallib/libssl*
$ ls -alF /usr/local/bin/openssl
$ /usr/local/bin/openssl version -a
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transforme
ere.
Try linking libcrypto.so.1.1 with debug symbols included (not
stripped). This should make the error message point to the
function, maybe even show the call stack.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31
const char *address, unsigned int flags);
Just out of curiosity: What is the recommended way to check
the authenticated e-mail and/or DN of the client certificate,
given that those are the most common identities in such
certificates (except in server-to-server scenarios).
Enjoy
Jakob
--
Jako
: *openssl-users-bounce on
behalf of openssl-users
*Organization: *WiseMo A/S
*Reply-To: *Jakob Bohm
*Date: *Thursday, January 28, 2021 at 21:10
*To: *openssl-users
*Subject: *Re: Encoding of AlgorithmIdentifier with NULL parameters
Also note that the official ASN.1 declaration
clear if NULL parameters can be completely omitted or if it should
still have NULL encoding.
Is this a too stringent check in the third-party s/w or a miss in
openss-3.0.0-alpha10?
Thanks,
Thulasi.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29
. Because it can
be used only with obsolete encryption algorithms anyway - the best one
being 3DES for the encryption and SHA1 for the KDF.
Tomas
On Thu, 2021-01-28 at 11:08 +0100, Jakob Bohm via openssl-users wrote:
If the context does not limit the use of higher level compositions,
then
OpenSSL
ntext.
Anyway OpenSSL 3.0 gives you all the flexibility needed.
Tomas
On Thu, 2021-01-28 at 10:24 +0100, Jakob Bohm via openssl-users wrote:
Does FIPS 140 or the related legal requirements limit the use of
higher
level compositions such as PKCS12KDF, when using only validated
cryptography for the und
ule with legacy
algorithms it only shows that the "true" FIPS mode was not as "true" as
you might think. There were some crypto algorithms like the KDFs
outside of the FIPS module boundary.
Tomas Mraz
On Thu, 2021-01-28 at 09:26 +0100, Jakob Bohm via openssl-users wrote:
Does that mean
, it doesn't belong in the FIPS provider.
Pauli
On 26/1/21 10:48 pm, Tomas Mraz wrote:
On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote:
On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote:
On 2021-01-25 17:53, Zeke Evans wrote:
Hi,
Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_pa
ng) to run
provider-independent code that invokes the provider implementation
of a FIPS-unapproved algorithm.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-bindi
es like IBM/RedHat that
can purchase support plans, resulting in further popularity of OpenSSL
forks.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and
ers an empty cipher list?
error: 'SSL_R_NO_CERTIFICATE_RETURNED' was not declared in this scope
This reason code existed in 1.0.2 but was never used by anything.
Matt
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31
nks otherwise.
> Note that the normal behavior of my application is : client
connects, server
> daemon forks a new instance,
Does the server parent process close its copy of the conversation
socket?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformer
"busy"
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
exclusive, but the notBefore field is inclusive.
PKIX (RFC5280) says that both timestamps are inclusive, X.509 (10/2012)
says
nothing about this aspect of the interpretation of the validity structure.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformerve
, but failing to
pass that job to the CAPI engine. I was commenting on how that might be
made to work.
On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users
<openssl-users@openssl.org> wrote:
On 2020-10-23 15:45, Matt Caswell wrote:
>
> On 23/10/2020
use a compatible stronger CAPI "provider" (their engines) to do
stronger hashes etc.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain er
On 2020-09-10 09:03, Tomas Mraz wrote:
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
Wouldn't a more reasonable response for 1.0.2 users have been to
force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
cipher
suites
and telling affected people
ssifications please see:
https://www.openssl.org/policies/secpolicy.html
Wouldn't a more reasonable response for 1.0.2 users have been to force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher
suites
and telling affected people to recompile with the fix off?
Enjoy
Jakob
--
an AWS hosted server, and
would be seriously inconvenienced if they got generally banned by mail
recipients.
And we did check that they were not in bad standing at spamhaus.org
before choosing them to host that server. Some of their competitors
failed those checks.
Enjoy
Jakob
--
Jakob Bohm
(21 Mar 2017), in Taiwan (5 Aug
2019) and Australia (25 Dec 2019 to 9 Jan 2020):
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-END EMAIL SIGNATURE-
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo
places, and
here's just no way to know that it won't be used indefinitely.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wis
On 2020-09-01 04:26, Viktor Dukhovni wrote:
On Aug 31, 2020, at 10:57 PM, Jakob Bohm via openssl-users
wrote:
Given the practical impossibility of managing atomic changes to a single
POSIX file of variable-length data, it will often be more practical to
create a complete replacement file
ileges and/or enters a chroot jail, as will already be the case
for hashed certificate/crl directories.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may co
) and Australia (25 Dec 2019 to 9 Jan 2020):
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-END EMAIL SIGNATURE-
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
compliant with all Linux Debian
distribution ?
Thank you in advance for your answer.
Best Regards,
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and m
ttp://www.symas.com>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
On 2020-07-26 01:56, Jan Just Keijser wrote:
On 23/07/20 02:35, Jakob Bohm via openssl-users wrote:
The OPENSSL_ia32cap_P variable, its bitfields and the code that sets
it (in assembler) seem to have no clear documentation.
Thanks, I somehow missed that document as I was grepping the code
in
bignum implementations"
As there is an external interface for changing the variable via an
environment
var, the lack of documentation makes that useless except for "cargo-cult"
copying of values from old mailing list posts.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
ted it.)
The site is https://jnior.com if
anyone wants to hit it. For me the digital signature in the
server_key_exchange does not verify.
I just tried openssl s_client, and it didn't complain about anything.
Negotiated a TLSv1.2 session with ECDHE-RSA-AES256-GCM-SHA384 and verified the
chain.
bytes)
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
* without __COUNTER__ */
/* If assertion fails, compiler will complain about invalid array size */
/* If assertion is not a const expression, compiler will complain
about that */
typedef char OSSL_const_assert_##fudge##__LINE__##_##__COUNTER__[
(BN_BYTES <= sizeof(BN_ULONG))
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
On 12/05/2020 16:01, Matt Caswell wrote:
On 12/05/2020 14:50, Jakob Bohm via openssl-users wrote:
When running Configure in OpenSSL 1.1.1g with various options, it sometimes
silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d" .
Looking at the code here:
https://
figure options (other
than endless trial and error)?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
On 2020-04-22 15:22, Hubert Kario wrote:
On Tuesday, 21 April 2020 21:29:58 CEST, Jakob Bohm via openssl-users
wrote:
That link shows whatever anyone's browser is configured to handle
when clicking
the link.
The important thing is which browsers you need to support, like the
ones on
https
n PKCS7 mode until you receive a CMS message from the
peer, and then upgrade to CMS. But this winds up in a bid-down attack if
both parties run this algorithm, so you'd want to insert some extension that
said: "I can do CMS" into your PKCS7 messages.
Enjoy
Jakob
--
Jakob Bohm, CIO, Part
Non-zero exit status: 1
Files=1, Tests=6, 12 wallclock secs ( 0.04 usr 0.06 sys + 1.77 cusr 9.78
csys = 11.65 CPU)
Result: FAIL
*** Error 1 in . (Makefile:217 '_tests')
*** Error 1 in /home/ca/pd/security/openssl-1.1.1g (Makefile:205 'tests')
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, Wis
people cargo-culting poorly thought cipher lists
from
> some random HOWTO. Over optimising your cipherlist is subject to
> rapid bitrot, resist the temptation...
Yeah, I should have probably suggested just: CipherString = DEFAULT
There is not much point in being as close to
specifically because the certificate is not issued by an
already trusted issuer.
is this an expected behavior in OpenSSL 1.1.1?
Yes.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion me
in finish message.
Which RFC/section explains this in detail?
For TLS 1.2, this is RFC5246 Section 6.2.3.2
Note that each version of TLS makes arbitrary changes to the record
encryption.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
1.2 inadvisable.
With the removal of general FFDH from TLS 1.3, it has now become
advisable to implement for TLS 1.3 session but ignore for TLS 1.2
and below sessions, as if not implemented for those, at least as a
default-on compatibility option.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo
command "ADDLIB" inside
the provided MRI-style linker script. For more details see the
"ar scripts" part of the full GNU BinUtils TexInfo manual.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13
" between your code and
the ssl dynamic library. In the second case, even if you
properly statically link with this lib, you will still need
the dll to execute your program.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søbor
;
} SHA_CTX;
Thanks,
Read the specification of the SHA-1 algorithm (either in the FIPS 180-1
standard or in a textbook).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message
does still support P-521 but Chrome does not.
Also be aware that if you set server side cipher selection and use
default curves, that OpenSSL orders the curves weakest to strongest (
even with @STRENGTH) so you will end up forcing P-256.
On Tue, 2019-10-15 at 17:24 +0200, Jakob Bohm via openssl
, so no trusted CA can
support it.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones
characters
are "fetchmail: OpenSSL reported: err", the remaining 81 are not
shown above.
The hashed name ending in ".1" is OpenSSL looking to see if you
have more than one cert with the hash value 4a6481c9, which does
happen for some users. If you had such a second cert, OpenS
ile a tool to set up initial private keys at first
boot would need to wait for the stronger entropy source (which may
in fact get initial randomness over such an encrypted early
connection!).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29,
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
ers
have to ignore that extension and use heuristic guesses to choose the
DH strength.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain erro
, they are essentially black boxes and could
contain anything. It is extremely difficult, if not impossible, to
tell if the hardware RNG is good or not. This doesn’t mean that they
should not be used, it just means that using them involves another
risk assessment.
On 16 Aug 2019, at 8:42 pm, Jakob Bohm
embedded platforms?
Thanks,
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PC
-shelf CAs is nil.
Note to consumed with things in your stomach:
https://tools.ietf.org/html/draft-ietf-anima-autonomic-control-plane-20#section-6.1.2
Jakob Bohm via openssl-users wrote:
> As the author of a proposal in this area, could you define a
notation
> for IPv6 D
/64 in an end cert.
P.S. 2001:db8::/32 is the official prefix for use in examples.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wi
tes certificates for
devices as they are manufactured.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
application data.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
=
Windows builds with insecure path defaults (CVE-2019-1552)
======
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-bindin
s).
I’d also be interested to know what is wrong with the policy page?
Only that it states the policy of stopping 1.0.2 support at end of
2019, which would be fine if a FIPS-capable replacement had been
ready by now (as is fortunately the case for non-FIPS).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partn
.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
of OpenSSL-1.0.2 on top of FOM 2.x , thus no new
validation required.
The point is that some people may soon be in a desperate need to find a
FIPS-capable replacement for OpenSSL 1.0.x.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søbor
Is the use of OpenSSL an actual legal requirement of the certification of
the FIPS object module, or just the easiest way to use it?
Difference would be particularly significant in case someone created code
to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
enhancements (as the
defined in RFC
5289 [0xc030] ECDHE-RSA-AES256-GCM-SHA384
How would I configure openssl-fips to force this precise compliance,
eliminating all other cipher suites?
Thank you.
--Larry
C++ Developer
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transforme
smartcard) is
"away from terminal".
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
with only one certificate available, the OpenSSL sends the
(untrusted, and in this case inappropriate) certificate, just in
case the server was somehow configured to make a special exception
for this particular case.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
assembler
optimizations enabled is especially advantageous on such systems.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remo
ore likely
successor for low cost low power router hardware.
(OK, somewhere someone probably has one of the other AIX variants running -
AIX/390 might be the last non-POWER AIX to die, if I had to bet. But probably
not AIX IA64.)
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.
removed such a widely used
interface, can you point out when that was removed from the Linux
kernel?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may conta
mbedded and portable applications most likely to lack floating point
support.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remot
On Linux x86, test programs that avoid all floating
point can be checked via the PF_USED_MATH flag or its
upcoming Linux 5.x replacement. This may be useful
in the test suite.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Di
to OpenSSL 1.0.x . 1.1.x will not have FIPS
support, and 4.y.x may lack this agility.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain erro
A product existed, but
until then, disciplined use of the OpenSSL ca "sample" command seems to be
the best there is.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is
01-test_abort.t ok
../test/recipes/01-test_sanity.t ... Dubious, test
returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16
"/etc/pki/tls"
engines: dynamic
Please let me know if you need any further details from my end.
Thanks, in advance.
Chandu
--
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its inte