So the actual decision to use
libmcrypt, libcrypto or any other library would probably be
up to the maintainer of that lower system layer.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public dis
On 20/06/2018 23:07, Viktor Dukhovni wrote:
On Jun 20, 2018, at 3:44 PM, Jakob Bohm wrote:
I believe there is a fundamental concern, impossible to handle sanely
at the CA policy level, that a CA may reasonably have certificate
hierarchies targeting people with different maximum security
are found or otherwise become viable.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To
dstone 4
Thus your 1.1.0 build runs on NT6.02 but not NT6.01, possibly due to
references to NT6.02-only APIs
Any suggestion on getting this to work on Windows 7?
Has anyone else encountered this issue?
Enjoy
Jakob
if FIPS-enabled OpenSSL 0.9.8 forwarded those calls to the
old FIPS validated implementation or just left the non-FIPS implementation
available by accident.
Enjoy
Jakob
ty bits" of an algorithm according to
table
2 in this doc:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
Enjoy
Jakob
the ability to have one added
locally.
Enjoy
Jakob
". However, squeezing available
entropy out of various less-than-predictable hardware and OS states is
what *all* non-hardware entropy gatherers ultimately do, from the Linux
kernel's /dev/random mechanisms to haveged to what-have-you.
Regards,
Enjoy
Jakob
software.
Also note that unless a special setting is included (I forget where),
the openssl ca database will be in a different (older) format that
only remembers the most recently issued certificate for a given
subject distinguished name.
Enjoy
Jakob
should you set up a way to use SSLv3 on your web server.
Enjoy
Jakob
IN64I is for Itanium processors (supported only
on Windows Server 2008 and 2008 R2, with some historic support on old
versions of Windows Server 2003 and Windows XP).
Enjoy
Jakob
library via the BIO interface if the
application already has its own library for that (as many, but not all,
network applications are likely to anyway).
Enjoy
Jakob
d to doing
encryption/decryption, thus completely shielding the keys (long term and
short term) from any vulnerabilities in the data handling process.
Enjoy
Jakob
local/share/ca-certificates/
are trusted unconditionally, no questions asked. Due to bugs, you may
have to run the command twice, with the same selections.
Enjoy
Jakob
:
First allocate an empty STACK_OF X509 certificates
Then loop over your in-memory CA certificates, passing each to d2i_X509,
then adding the resulting X509 object to the stack.
Finally pass that stack as the CA collection to an appropriate SSL_CTX
function.
Enjoy
Jakob
the
encrypted private key could be kept without decrypting the private
key, the password for the private key is still needed to encrypt
the certificates with the same password.
Enjoy
Jakob
joy
Jakob
: https://mta.openssl.org/mailman/listinfo/openssl-users
Enjoy
Jakob
normal memcmp() is wrong
because it will reply quicker if the first byte(s) are wrong than
if they are right). OpenSSL provides a function
CRYPTO_memcmp() that is good for this job.
Enjoy
Jakob
oceed.
I cannot use SSL_CTX_set_tmp_dh as this api is used for ephemeral Diffie
Hellman key exchange.
Please let me know where I am going wrong. I need to enable static DH in my
application.
Enjoy
Jakob
preserving
the timestamps of files (similar to GNU "cp --preserve=timestamps" ).
This sometimes confuses build systems that assume file timestamps
get updated when a file is copied into a build directory.
Enjoy
Jakob
the later 31 byte
packets (including their order of occurrence and direction of
transmission)?
Can you see what the "packets" are?
For example, are they TLS alert messages?
Are they TLS HelloRequest messages?
Enjoy
Jakob
-newkey:rsa:2048 -nodes -keyout server.key
-out server.pem -subj /CN=computer.example.com/O=test/C=US
Enjoy
Jakob
From: Jak
you send me the full headers, so I can debug?
Enjoy
Jakob
r issue falls into the less serious tier of:
Possible misuse if other things go wrong first, upgrade when ready as
a defense in depth.
Enjoy
Jakob
On 07/12/2017 15:05, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Jakob Bohm
Sent: Thursday, December 07, 2017 08:41
To: openssl-users@openssl.org
And I would still say that "consult a lawyer" is a useless answer,
especially as mo
will be in the same legal situation,
and lawyers' opinions on patent matters are frequently found by courts
to be wrong anyway.
Saying "in the distribution and website" is also quite vague and
thus another example of a non-answer.
Enjoy
Jakob
ck can
still be useful by examining the SSL session argument to
heuristically identify likely client side DH size capability and
thus choose between modernDH parameter sizes.
P.S. Forcing use of common DH parameters in TLS 1.3 would directly
make all TLS 1.3 implementations vulnerable to LogJam. Tha
r invocation
of the regular OpenSSL ECC code in other scenarios, if so when and which.
- Does CC/BB demand or not an additional patent license for use of the
regular OpenSSL ECC code for curves and or algorithms not standardized
in the NIST FIPS documents?
Enjoy
Jakob
he file
contents daily or weekly (overwriting the old parameters only after
the new ones are ready). The exim mail server does this if you
follow the instructions.
Enjoy
Jakob
public mailing lists.
One really has to wonder if this is still OpenSSL that the world has
known and loved for 20 years, or just some expensive imitation.
Enjoy
Jakob
those are used in the CE procedure).
Regression testing is desired as I have done some fairly extensive
patching to make the library code build for the targets.
Enjoy
Jakob
Cert_Class_1_VA.pem .
Enjoy
Jakob
LLC, ST=California,
C=US/emailAddress=charl...@mcn.org, O=CZAGENT_Nov2017
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
While we’re at it, why doesn’t my –days 3650 seem to have any effect?
Thanks!
/Charles /
Enj
he references to internal structures
is internal to the inline implementation, not part of the interface.
Enjoy
Jakob
like it is debug output. Did you by any chance
configure or run curl with options to print lots of debug traces?
Perhaps such an option is causing something to print each trusted CA cert
as it is loaded into memory or checked.
Enjoy
Jakob
rl command
from my host machine)
Please clarify:
- Is it being output to the network or to the terminal window where
curl is used?
- Is it being output as shown (Base64 text with ending "=" signs and
a newline after each cert) or is it being output in another form
that you jus
Identifier,
maskGenAlgorithm mgf1SHA512Identifier,
saltLength 20,
trailerField 1 }
-- Note: The saltLength should be 64, not 20, for
-- rSSASSA-PSS-SHA512-param, see RFC4055 section 3.1
Enjoy
Jakob
, contrary to what would
have been best security practice without this firmware bug.
Enjoy
Jakob
etc.
The x25519 public key has no certificate, it is randomly
generated for each connection and signed with the RSA key
from the certificate.
Enjoy
Jakob
ing anyway.
Matt
Enjoy
Jakob
vel
in the
> API so that we support it for the connections. Kindly provide
your comments.
You can set the security level via the cipher string using the special
cipher string command "@SECLEVEL". For example to set all default
ciphersuites at security level 2 or
On 09/10/2017 16:43, Thomas J. Hruska wrote:
On 10/9/2017 7:29 AM, Jakob Bohm wrote:
I suggest you find a good authoritative source for your claim
that select() should not be used with blocking sockets.
http://man7.org/linux/man-pages/man2/select.2.html
Section BUGS:
"Under Linux, s
d with blocking sockets.
Enjoy
Jakob
nother
algorithm that isn't used by many people yet to a FIPS module that is only
used by the OpenSSL 1.0.x library that they are trying to discontinue.
Enjoy
Jakob
't need to know or care about where that is.
Enjoy
Jakob
hardware doesn't silently nullify a key hardware security feature.
Enjoy
Jakob
you tried clearing SSL_MODE_SEND_FALLBACK_SCSV (in a program),
or (not) using the -fallback_scsv option to s_client?
Enjoy
Jakob
AES(128)
Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
Enc=AESGCM(256) Mac=AEAD
but, after SSL_CTX_set_cipher_list(ctx,
"RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") in my application, it
didn't work, the first choice is still ECDHE-RSA-AE
non-https OCSP responders is one
of the few attacks that will reveal this without wiretapping the
actual connection.
Enjoy
Jakob
c
decisions that seem misguided in retrospect.
The problem is that the information in OCSP requests is potentially
very valuable to an attacker who lacks the ability to fully wiretap
the connections between the OCSP client and the ultimate source of
the checked certificate.
Enjoy
Jakob
before 1.0.2 initial
release.
Enjoy
Jakob
rejects all such certificate chains.
Why?
Enjoy
Jakob
Like your own OS
repo...
Also nice would be index.txt in SQL.
Bob
Enjoy
Jakob
ke test
make install
Now debug the program in openssl-1.something-x86_64/bin/openssl
(Sorry, I don't know how to tell XCode to debug a program already
compiled with the XCode command line clang)
Enjoy
Jakob
On 07/09/2017 07:58, "Georg Höllrigl" wrote:
*Sent:* Wednesday, 06 September 2017 at 18:06
*From:* "Jakob Bohm"
*To:* openssl-users@openssl.org
*Subject:* Re: [openssl-users] openssl -check
On 06/09/2017 16:18, "Georg Höllrigl" wrote:
> Hello,
> Is
gs), "ecu" (has crl and ocsp, plus different
settings again), etc. etc.
Very different certificate purposes should ideally have their own
SubCA's that can be managed differently, and have the CA cert
restricted.
Enjoy
Jakob
o it.
Enjoy
Jakob
us Caesar: Worst case
year is 367 days, divide equally among 12 months, restart about 20
days before spring equinox, use a historic rounding rule represented
by Y. Of course with Roman numerals, they would have used (month - 2)).
Enjoy
Jakob
binary code are run.
Enjoy
Jakob
bugs prevent use of DER for a file, it can be converted
on the fly, storing the converted file in RAM (using tmpfs or similar).
Enjoy
Jakob
ately be a trade off
between code size (to do the conversion) and data size (to store the
certificate).
Enjoy
Jakob
nd the one that has ENV in
it. I DO have an example of one such to use...
Given all these problems with the Distinguished Name prompting
mechanism, just add the -subject option to the req command line
(using appropriate environment variables in the shell script).
Enjoy
Jakob
m
export FORUSER="Moe Madman"
export CERTFN=moe
openssl req -config /etc/cacfg/ca2017-mail.conf -newkey rsa:3072 -keyout
${CERTFN}.key -out ${CERTFN}.csr
Enjoy
Jakob
o also implement traditional CRLs, since for
smaller CAs
it is a better solution for browsers and servers that support it.
Enjoy
Jakob
On 14/08/2017 21:38, Robert Moskowitz wrote:
On 08/14/2017 03:28 PM, Jakob Bohm wrote:
On 14/08/2017 20:55, Robert Moskowitz wrote:
On 08/14/2017 02:04 PM, Salz, Rich via openssl-users wrote:
➢ Is there any way to display the basic ASN.1 structure here so I can
see
what was stored in
tures. However it requires that
you convert from Base64 to binary before calling it.
Enjoy
Jakob
On 02/08/2017 09:47, Jeffrey Walton wrote:
On Wed, Aug 2, 2017 at 12:38 AM, Jakob Bohm wrote:
On 02/08/2017 04:21, Jeffrey Walton wrote:
I'm trying to extract the low-order byte or word from a BIGNUM in
OpenSSL 1.1. We were told to use BN_bn2binpad, but it's not clear to me
how to specif
's friends) always give you *all* the bytes
in the number in a buffer of your own. You can then extract the
bytes from there.
If you care mostly about the least significant bytes, using
BN_bn2lebinpad may be easier than BN_bn2binpad, as the least
significant bytes will be first, not last, in the
joy
Jakob
here is no default other than what the application
(in this case OpenVPN) sets.
Enjoy
Jakob
testing of the resulting
program/dll to make sure there are no other C runtime differences
causing trouble.
P.S.
I kind of wonder what in the fips canister uses wcsstr(), but since
that cannot be changed while retaining the FIPS validation status,
that's just curiousness.
Enjoy
Jakob
aded elsewhere in the process?
Enjoy
Jakob
h. Of course
adding this in OpenSSL itself would have to be configurable for
situations partially outside the public trust environment, such
as talking to IoT devices with old crypto libraries and
rechecking/decrypting S/MIME mails received years ago.
Enjoy
Jakob
On 12/07/2017 07:23, Viktor Dukhovni wrote:
On Wed, Jul 12, 2017 at 02:02:31AM +0200, Jakob Bohm wrote:
I don't think a state is really needed for this, if the callback
simply checks if the certificate is in the loaded trust collection,
and/or if it is self-signed (depending o
te is in the loaded trust collection,
and/or if it is self-signed (depending on the application's chosen
root CA trust model).
Enjoy
Jakob
) for the different versions are not on the same
machines, only the compiled binaries.
For this simplified scenario (only one set of headers etc. per system),
self-compiled OpenSSL simply goes in /usr/local with no use of Rpath.
Enjoy
Jakob
On 08/06/2017 20:26, Ludwig, Mark wrote:
From: Jakob Bohm, Thursday, June 08, 2017 12:32 PM
On 08/06/2017 18:48, Baojun Wang wrote:
Also on Windows (64-bit), openssl produces libssl-1_1-x64.dll as well
as libcrypto-1_1-x64.dll, this could be painful for application who
has to specify openssl
a 64 bit, Itanium, AMD x86_64, 64 bit ARM).
Microsoft did some crazy experiments with a directory scheme
called SxS for versioned DLLs, it's badly done and should be
avoided if possible.
Enjoy
Jakob
5 SomeCity, ST=SomeState, C=US)
Enjoy
Jakob
is the whole point of the versioned .so file names.
Enjoy
Jakob
256_ASM" flag is present for the 102l build. Is there an additional,
specific flag required to enable the higher bit-depth digests for v102l that I've missed.
Enjoy
Jakob
grams
compiled against version 1.0.1t headers), then you may also need a
special SO name or RPATH to link locally compiled software against the
latest 1.0.x release, rather than 1.0.1 .
RPATH support is nice for corner cases, but it should not be the
default, ever.
Enjoy
Jakob
LetsEncrypt code is open source.
I think he wants the server side, and maybe not for DV certs.
Enjoy
Jakob
ut of sha256sum.
So openssl cms/gpgsm compute the sha256sum differently in the detached case.
Is there a hidden flag to make either tool behave like the other?
Look at the documentation of the openssl cms "-inform SMIME",
"-outform SMIME" and "-binary" options.
En
3 ECDH-ECDSA-DES-CBC3-SHA
192.18 ECDHE-RSA-DES-CBC3-SHA
192.8 ECDHE-ECDSA-DES-CBC3-SHA
Enjoy
Jakob
Make that N processes, and understand why this should be a FAQ.
Enjoy
Jakob
one expires
and saws off the branch you're adminning from.
(*) Of course, there *are* other techniques to work around the problem,
but.)
Not as much "defeat", as setting the relevant option by adding the
following command during CA (and SubCA) setup:
echo "unique_subject = no&
han using a key based on a
password.
Enjoy
Jakob
assword when using
SSL_connect()?
You don't. That stuff is at the protocol level about TLS/SSL.
Enjoy
Jakob
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.
Enjoy
Jakob
utes the abort flag.
Similarly if the protocol is waiting for a handshake record from the
other end,
it would continue that wait, then abort just before processing either a
received
handshake or a protocol error (such as lost connection).
Enjoy
Jakob
o purposes: To make the "SSL_shutdown" call "just work"
from an application perspective, and to minimize security exposure
after the call has been made (e.g. in case some application level
code decides the other end is probably malicious).
Enjoy
Jakob
sions.
In other words, returning appropriate errors/alerts to the other end
according to the handshake step.
Enjoy
Jakob
vulnerabilities in the particular ways that SSL3
and current TLS versions handle padding and IV management, not
issues with CBC itself.
Also note that GCM is very much a "marginal" design, operating at the
very edge of what is safe to do and furthermore putting all the
cryptographic "
ow do I use the available openssl source code
which is present in C language to implement the OCSP responder function.
Please help me with this as I am very new to openssl and OCSP concepts.
Enjoy
Jakob
approach
I feel like verifying the signature would be a big challenge. Any
ideas on how I can tackle these problems?
--
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its intende
not
anything OpenSSL is doing.
Enjoy
Jakob
201 - 300 of 1153 matches