m wondering if there is any version of OpenSSL that
does not require compiling assembly code.
Or, if there is anyone who experienced the similar problem, please
share your experience.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 S
ness even in a TLS stack is somewhat limited these days
since it is
not relevant for TLSv1.3 and does not get used if encrypt-then-mac
is negotiated
(which recent versions of OpenSSL will try to negotiate by default).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://
ld system already
contains the needed dependencies anyway.
Also, Borland C/C++ used to stick to the old OMF object file format,
not the COFF format used by Microsoft tools.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Dire
so openssl can
more easily find them).
3. If your system generates/maintains a big file with all the
trusted certs concatenated, concatenate your extra cert to the
end of that file.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, D
ch parts
of the documentation someone read, they could get told to use the old
interface, the new interface or not get told either way.
Personally, I just gave up and didn't use that part of OpenSSL.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29,
CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS"
-D"OPENSSL_USE_APPLINK" -D"NDEBUG" -c
/Foapps\libapps-lib-app_rand.obj "apps\app_rand.c"*
*app_rand.c*
*C:\Users\hello\_DEV\3di\openssl\e_os.h(129): fatal error C1083:
Cannot open include file
g
stateful firewalls.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
rithm.
I don't know if an older PKCS#1 document (before 1.5) actually specified
this
format, only that is was present in the wild.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discu
instead of it's own version 1.1.1
libraries.
If so, try testing withthe command
LD_LIBRARY_PATH=/home/your/openssl-1.1.1-build-dir/somewhere openssl version
to force use of your not-yet-installed OpenSSL 1.1.1 libraries.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisem
tions, perhaps
on the same, perhaps on another machine.
P.S.
I don't known if the Solaris loader lets LD_LIBRARY_PATH override
RUNPATH as
presumed by the above answer.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct
ch is why using the reference count already kept by the OS
loader is such a nice solution.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain e
509" and "openssl validate"
commands) to warn when a certificate is outside the
standards for public certificates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message
sted cleanup.
About 25 years ago I struggled with another library that did
the same kind of unload-blocking that OpenSSL 1.1.x does. It
was sad to see a big project like OpenSSL repeat that mistake.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
ork apart from
updating GLIBC.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
On 27/02/2019 22:18, Richard Levitte wrote:
On Wed, 27 Feb 2019 21:55:29 +0100,
Jakob Bohm via openssl-users wrote:
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL
validated modules.
A hypothetical US gov example would be using a certificate on a FIPS
validated FIPS 201 PIV ID card.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is
source should somehow tie themselves to the
exact shared library versions used, e.g. by linking to
versioned .so file names (such as libssl.so.3.0.2), however
this does not protect recompiling and/or debugging with an
unchanged .so name.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S
s
that would be highly unusual.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Thanks, the document wording made it look like the OpenSSL 3 FIPS RNG would
only accept the system entropy source.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-bind
thus makes a lot of sense for
callbacks to request that the connection is ended as soon as
allowed by the risk of creating an attack side channel.
Other OpenSSL callbacks represent the one place to do certain
complex tasks, such as choosing among different certificates,
checking against outside
in mailing list traffic
(such as having Sender and From with different domains). Because
the plugins may not have been tested for that.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussio
On 15/02/2019 12:23, Matt Caswell wrote:
On 15/02/2019 03:55, Jakob Bohm via openssl-users wrote:
These comments are on the version of the specification released on
Monday 2019-02-11 at https://www.openssl.org/docs/OpenSSL300Design.html
General notes on this release:
- The release was not
ords indicate if a sending domain wants to restrict
header-From (etc.) pointing to that domain to only be used with
at least one of DKIM and SPF passing for header-From. Rule 5
applies, but so does rule C.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transf
gorithms should
be available in addition to the fixed sets of well-known
group parameters. In FIPS 800-56A rev 3, these are the
DH primes specified using a SEED value. Other versions of
SP 800-56A, and/or supplemental NIST documents may allow
other such group parameters.
- If permitted by th
On 13/02/2019 20:12, Matt Caswell wrote:
On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
On 13/02/2019 12:26, Matt Caswell wrote:
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
Given this announcement, a
all the API changes from OpenSSL 1.0.x to OpenSSL
3.0.x . OS distributions will also need some time to roll out the
resulting feature updates to end users.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
create a custom BIO
that buffers the socket data and lets you look at it before passing
it to the SSL/TLS layer or directly to your code according to the
contents. This way you don't depend on the ability to make the OS
socket API do this for you.
I don't know if this ability is also in Op
fter a private key breach, but that's no different
from the basic RSA suites.
Public CAs no longer issue DH certificates, so these will not be
found in public services that rely on the browser/mail/OS
certificate trusts, but they may still exist in private trust
contexts not constrained by browse
ossible (including constraints and extensions).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Managemen
services, as those tend to be buried in weird
corners of CA sites or overly entangled with specific services
such as citizen ID for specific countries (typically allowing only
one non-secret e-mail address per person). To clarify, I have found
at least one useful service, but it was by no means easy.
En
actual serial port handles once the user has
been authenticated. Some SSH libraries may even be able to
do things like BREAK via standard SSH mechanisms.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
Thi
a company whose
main source of income is to spy on the world population for profit.
Regarding Corey's original note: SSL/TLS does not have a "username" concept
because it would be redundant or inconsistent. A certificate is a peer identifier; it
takes the place of a usernam
On 07/01/2019 22:26, Jordan Brown wrote:
[ Off topic for OpenSSL... ]
On 1/7/2019 8:06 AM, Jakob Bohm via openssl-users wrote:
A chroot with no other reason to open /dev/null should not contain that
file name, even on unix-like platforms (least privilege chroot design).
There's alw
On 07/01/2019 22:31, Steffen Nurpmeso wrote:
> Good evening.
>
> Jakob Bohm via openssl-users wrote in <95bceb59-b299-015a-f9c2-e2487a699\
> 8...@wisemo.com>:
> |Small corrections below:
> | ...
Note that I do not represent the project at all, I am just another user
. 31, no. 10, October 1988,
p. 1195 (a_aux_rand_weak()). This is the code:
Note that since that ancient article, ARC4 was not only
invented,
but also found too insecure for modern use.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Tr
g if:
- Running TLS1.3 s_client with -ignoreeof and no stdin actually fails
earlier than with stdin == /dev/null
- If this is triggered by a code bug.
P.S.
On some Debian systems, cron runs scripts with stdout and stderr piped
(directly or indirectly) to a mail program that times out if a cr
valid stdin if -ignoreeof is set.
In particular, this avoids dealing with OS specific names of /dev/null,
as well as chroot jails without that character device.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13
On 03/01/2019 12:52, Neil Craig wrote:
Thanks for the quick reply Matt. I tried -ign_eof but it had no effect,
sadly.
If anyone has any further suggestions, I¹d appreciate it very much as this
is in aid of our automated released testing for TLS1.3 on our production
traffic management service.
C
On 02/01/2019 11:18, Dennis Clarke wrote:
On 1/2/19 5:14 AM, Jakob Bohm via openssl-users wrote:
On 02/01/2019 10:41, Matt Caswell wrote:
On 27/12/2018 08:37, Dmitry Belyavsky wrote:
Hello,
Am I right supposing that local variables tmp1, tmp2, iv1, and iv2
are unused in
this function
piled code.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-use
Meh...
It still inserts NUL bytes at the end of each array, changing
sizeof(array) as well as cache access patterns (and thus side
channel effects).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
, no. I don't trust anyone. Especially not this mess of a code.
Well, these two latter arrays look like a stray copy of the HMAC
constants "ipad" and "opad", which (while looking like ASCII), are
defined as exact hex constants even on a non-ASCII machine, such
as PDP-11
f fixed length, only use that many bytes from
the decryption output. If they're of variable length, then the
sender will have to tell the receiver how long they are. There are
many ways of doing that; you haven't told us enough about your
protocol to know which would be approp
upport for that
yet, or in whatever version of nginx you're running.
It's also possible that there's some issue with the Firefox build
you're running and its 0-RTT support. My suspicion though is that
nginx is not enabling 0-RTT in nginx.
Enjoy
Jakob
--
Jako
b server.
And I agree with you that static web pages are not of much help, it could
be better, more searchable.
Consider at least including the one-line manpage summaries on the index
pages (the ones displayed by the apropos command on POSIX systems).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner,
the trustworthiness of OpenSSL, the
great reformatting a while back was a major mistake in this
regard.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and
ther functionality requiring chunking, such as recovery from
lost/corrupted data "blocks" (where each block is much much larger than
a 1K "disk block").
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 3
uot; point to that
key.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Emb
ies of the jurisdiction is what is supposed to prevent
homographs in the O field. For example, using Cyrillic letters in a
de jure company name is unlikely to be allowed outside the Cyrillic
using jurisdictions (former USSR, Serbia, maybe Bosnia and Montenegro).
If displayed, users should readily
ion of the inner
loops in the encryption block function. It is highly likely
the assembler implementation for any given processor uses a
different inner loop, and thus a different expanded key data
layout, than the generic C code.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://
V, it turned out that displaying the business
name
was also subject to abuse, and the security gain proved elusive.
https://www.troyhunt.com/extended-validation-certificates-are-dead/
A traveling salesman for a cloud provider.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://
On 06/12/2018 11:48, Michael Ströder wrote:
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
On 05/12/2018 17:59, Viktor Dukhovni wrote:
IIRC Apple's Safari is ending support for EV, and some say that EV
has failed, and are not sorry to see it go.
This is very bad for security
On 05/12/2018 00:50, Viktor Dukhovni wrote:
On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:
Care to create a PR against the "master" branch? Something
along the lines of:
"Provided chain ends with untrusted self-signed certificate&quo
angover
from the set of badly thought out UI changes made to initially
promote EV certificates, just like the hiding of company names
from non-EV certificates that actually contain them (so called OV
certificates).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transform
a self-signed
root when no other certificate is provided is also left
as an exercise).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may conta
not packaged by
those systems can use that specific version of OpenSSL.
That said, I also would have liked something that is GPLv2-compatible in
addition to GPLv3-compatible.
Yes, that would have made things unambiguous.
Jifl
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www
For other OpenSSL library 'libssl32.dll', GSCheck passes for both
32bit and 64bit.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may cont
unique
numbers for fast lookup during application load.
There is a source file in OpenSSL giving the assigned numbers.
You will need to add numbers for you additional exports, and
deal with the risk that a future OpenSSL release uses that
number for something else.
Enjoy
Jakob
--
Jakob Bohm, CIO
On 26/11/2018 20:04, Viktor Dukhovni wrote:
On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users
wrote:
In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.
So I would suggest that any OpenSSL API to control that feature in
TL
S 1.3 also affects the matching TLS < 1.3 functionality, and is
separated from the APIs that control the TLS server sending a list
of client certificate CAs to clients.
This aspect was somehow missed in a recent discussion of this TLS 1.3
behavior (which I cannot find right now).
Enjoy
Jakob
aming code) for when a FIPS module for 1.1.x is provided,
while leaving the blocking of accidental miscompilation in a clear
location having no other effects.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA
Enc=AES(128) Mac=SHA1
There isn't a cipherlist property that
specifically selects CBC, so to
get *only* CBC, you need to exclude AESGCM
(and perhaps a
ed to create symbolic link '/usr/bin/openssl': File exists
but then when I use openssl version
/usr/bin/openssl: No such file or directory
how can I correct this?
Paul
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29,
ame crypto system.
There are other subcommands of the openssl command line utility
which are similarly respected high level operations rather than
the low level primitive operations also available such as "enc".
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.co
web server
operators wanting to check that everything will work in all browsers.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wis
for some other expression type.
Thus for constants used in array initialization, it may be better to
use compiler specific command line options for each picky compiler.
For other compilers maybe there is a common OpenSSL internal macro that
appends ull or ui64 or ul as appropriate to the compiler+arc
test assumes the other test does it.
On Fri, 2 Nov 2018 at 16:53, Jakob Bohm via openssl-users
wrote:
On 02/11/2018 08:50, Thulasi Goriparthi wrote:
Hi,
I am going through the checks done by EC_KEY_check_key method. I see
the following checks in order.
1. Is point at infinity? - reject.
2. Is
) available, then check if scalar * G != point.
If so, reject.
If priv key is available and we do step 4, isn't step 3 redundant? Can
we change this to something like this?
if (priv key)
step 4
else
step 3
For such tests, it's always better safe than sorry.
Enjoy
Jakob
--
Jakob
joy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users maili
k if you really have all
those disabled and decide which one (if any) you are willing to enable
to serve those clients.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-
r APIs with a reference
to newer enum values introduced in Windows 5.01 SP3 or 5.02 SP2+Hotfix.
Put another way, Microsoft forked their crypto source tree sometime in
2004 or 2005, and anything added later was implemented differently in
the 5.0x and 6.0x code bases.
Enjoy
Jakob
--
Jakob Bohm, CIO, Part
) header.
So do:
gcc -E your-program.c | grep opensslconf.h
Then check whether the one it picks up is the right one and has
the macro defined.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This
ctly using ciphers in CBC
mode, however some TLS protocol versions happen to use CBC cipher
suites in a problematic way, while having no secure non-CBC cipher
suites. More recent TLS versions (such as TLS 1.2) have less
problematic (but not perfect) CBC usage and also offers some
overhyped US gover
fe for SAFESEH image.
Creating library out32dll/MSVC14.0\libeay32.lib and object
out32dll/MSVC14.0\
libeay32.exp
out32dll/MSVC14.0\libeay32.dll : fatal error LNK1281: Unable to generate
SAFESEH
image.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual St
String class will truncate at the first byte with
the value zero, and/or do some other text-specific thing that is bad
for binary data.
Result.resize(SignatureLength);
EVP_DigestSignFinal(Ctx, reinterpret_cast*>(const_cast(Result.data())), &SignatureLength);
// Saving to file...
Enjoy
s different from the OpenSSL 1.0.x API?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs,
enssl cms) signature
verify commands do not have an option to verify signatures as of some
past date (such as the date a backup was made) my restore scripts have
to run openssl under the "faketime" utility to make openssl think it is
being run on the day the backup was made.
Enjoy
Jakob
sponse would often differ).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wis
ly
reviewed and was later found to contain a likely backdoor in one of its
other suggested RNG designs, making the entire document highly dubious.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This pub
L RNG other
than not being an NSA/NIST design?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management fo
ment has a serious
flaw:
The users who delay or block automatic updates tend to greatly overlap
with the users who actively block remote telemetry of their update
habits, thus skewing such statistics of "get almost full coverage within
a month or two".
Enjoy
Jakob
--
Jakob Bohm, CIO,
On 15/09/2018 10:46, Kurt Roeckx wrote:
On Thu, Sep 13, 2018 at 08:13:41PM +0200, Jakob Bohm wrote:
On 13/09/2018 09:57, Klaus Keppler wrote:
Hi,
thank you for all your responses.
I've just tested with Firefox Nightly 64.0a1, and both s_server and our
own app (using OpenSSL 1.1.1-re
, the only change between draft-28 and
final was supposedly the version number. Given all the talk of
testing of the protocol design, it would seem out of character for
the WG to have mechanisms that were disabled in all the drafts and
thus untested.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseM
it be unproblematic from a real world perspective to just keep
TLS 1.3 non-functional for draft-28 browsers?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding an
On 13/09/2018 03:24, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Jakob Bohm
Sent: Wednesday, September 12, 2018 17:18
Testing your OpenSSL download with the HTTPS security bites its
own tail, especially if your download tool uses an (older
e web PKI, it's pretty
easy to fool a lot of people with a counterfeit server.)
So do the work now to set yourself up for verifying the signature, and
inculcate a good habit.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denma
with
the changelog (NEWS) in the OpenSSL 1.1.1 tarball:
- Does OpenSSL 1.1.1 include SSL3.0 support or not?
Note that some real world clients are permanently stuck at SSL 3.0
due to the vendor refusing to release updates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wis
#x27;s Enterprise CA
software. This is wholy internal to that non-OpenSSL CA software,
although some of that data (such as revocation checking) may be
available via LDAP.
Rule of thumb: Active Directory ~ Microsoft LDAP Directory
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://ww
have misunderstood her at the time.
Ok, she (if anyone) should know.
I expect the papers, sample code etc. by Bernstein, Lange et al to
provide all the details of this.
On 09/04/2018 10:19 AM, Jakob Bohm wrote:
On 04/09/2018 15:43, Robert Moskowitz wrote:
And I seem to recall that one bit i
er Temp Key: X25519, 253 bits
---
I thought Curve25519 is using 256 bit keys.
Why 253 instead of 256?
with regards,
Saravanan
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This publ
t for static ones.
Regards,
Please note that the OP is apparently asking how to specify
-lsomelib using the OpenSSL-specific build system, not the
general meaning of using shared libraries on POSIX systems.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformerv
ses a
more modern "form Y" value even if the application code no longer
supports TLS libraries not offering "form Y").
(As usual, X and Y are placeholders).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.
On 09/08/2018 23:23, Kurt Roeckx wrote:
On Mon, Aug 06, 2018 at 04:30:54PM +0200, Jakob Bohm wrote:
The patch below works around this, porting this to OpenSSL 1.1.x
is left as an exercise for the reader:
Can you please open a pull request on github for that?
Kurt
This may be some extra
_num_bits_word
+#pragma optimize("", on)
+#endif
+
void BN_clear_free(BIGNUM *a)
{
int i;
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-bindin
re stack to
see decrypted output before the integrity check has been completed.
OpenSSL should be an open toolkit, not a bondage-and-discipline
programming environment like NaCl.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Dire
able to upgrade those plugins on the fly without
restarting the long-lived container, with all the other state it
holds.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message
e the indefinite BER encoding of
some of the outer length fields to cope with unknown input length and
variably sized fields after the data.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public
need the plaintext if you are
not going to use it, or at least create it).
For example, the attacker may measure the memory access patterns of
the spell checker used when inputting the plain text, or the line
break and character width calculations in code that outputs the
plain text to an otherwis
e file is in BER format, as is often the case with PKCS#7
files.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service
101 - 200 of 1153 matches
Mail list logo