f
etc.
So for a chain with 3 certificates, 2 is the root.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Mana
ed
process from accessing / changing data it is not
supposed to change during normal operations).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contai
On 06/05/2016 15:26, Steve Marquess wrote:
On 05/06/2016 09:14 AM, Jakob Bohm wrote:
On 06/05/2016 13:45, Salz, Rich wrote:
Consider having the non-U.S. person do the account setup too.
Banks are as scared of US jurisdiction as crypto engineers.
Yeah, we've done that. Even to the
r
when the person is an existing customer and the bank is
nearby.
Each non-US team member presumably has at least one existing
bank relationship and presumably knowledge and/or easy access
to information on how to set up an independent legal entity
in his/her own country.
Enjoy
Jakob
--
Jakob
ny months they remain bankless.
Consider having the non-U.S. person do the account setup too.
Banks are as scared of US jurisdiction as crypto engineers.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 1
So it should be possible to find a similar service in the
country where the OpenSSL is legally based, but please
avoid services that make users set up accounts or
otherwise complicate the transaction, such as
"Money Bookers" or PayPal.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S
above mentioned
error.
3. I am using openssl verson 1.0.2f(client side). radius
server(3.0.11) . Server is running in ubuntu 14.04
Is your RSA key too short (FIPS mode imposes a minimum key
length by refusing to use shorter keys).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To
n going via a file, just to double check the
following:
1. Does parsing the same data also take 10 minutes when
from a file?
2. Is the signed data encoded in some inefficient way (such
as indefinite or chunked BER), which may slow down the
BER/DER parser?
Enjoy
Jakob
--
Jakob Bohm, CIO,
f topic as this is also the
mailing list for the Apache mod_ssl module, which seems to
be closely involved with this inefficient behavior.
One could of cause speculate if the missing coalescing of
SSL records is a bug in mod_ssl or in some other part of
Apache httpd.
Enjoy
Jakob
--
Jako
.
: B0 A3 99 DF E5 3B A4 8F.;..
: DE 04 50 A8 E6 D0 00 6D..Pm
: 61 21 B1 A9 A9 D6 05 79a!.y
: 0A 00 FA D5 1D A6 D6 F8
: 6A 22 07 E5 BC 01 C1 E0j"..
probably refuses to use.
I am assuming that this 1.0.1f is from an Ubuntu package with all
the later security fixes merged back in, similar to the 1.0.1e
package in Debian Wheezy.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.
On 19/04/2016 16:31, Steve Marquess wrote:
On 04/19/2016 09:16 AM, Jakob Bohm wrote:
On 19/04/2016 13:44, Leaky wrote:
Thanks, but I am still scratching my head as to if that is even
possible on
Windows, which would mean you can't actually compile the FIPS canister on
Windows and mee
lf or crlf at the end of the
line!), save this as gunzip.cmd somewhere on your PATH.
@x:\SOMEPATH\CYGWIN\bin\gzip.exe -d %*
(x:\DOMEPATH\CYGWIN is obviously whereever you installed CYGWIN)
Similarly create tar.cmd
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisem
d be to dump SHA.sha.tsr using
Peter Gutmann's dumpasn1.c program, something like
openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
dumpasn1 -v SHA.sha.tsr.bin
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direc
doesn't make sense, from the
software engineering viewpoint, but is what the FIPS 140-2 validation
bureaucracy insists on.
-Steve M.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public d
.
Then using two different files will make a lot of sense.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service
ts rooted in one of
their main CA's and I presume for me to verify I need the
intermediaries or atleast the sign cert's ca.
I have looked on symantecs site to no available
and I am working on guess work here
On 8 April 2016 at 16:26, Jakob Bohm wrote:
Try something like
$OP
Try something like
$OPENSSL ts -reply -in ${FL}.tsr -text -noout
(Not sure if it accepts the -noout option or not).
On 08/04/2016 08:01, Alex Samad wrote:
Okay, how do I dump the intermediaries then ?
On 8 April 2016 at 15:49, Jakob Bohm wrote:
On 08/04/2016 07:39, Alex Samad wrote:
Hi
bal sign and similar issue, find the cert
what am i missing
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service M
rypto/evp/e_rc4_hmac_md5.c:188:
undefined reference to `rc4_md5_enc'
collect2: error: ld returned 1 exit status
ie. the make fails because nowhere in any library or object file is
that function defined -
I have checked this with nm .
I guess my answer is that ! should be building 1.0.1s ?
On 05/04/2016 04:21, PGNet Dev wrote:
On 04/04/2016 07:08 PM, Jakob Bohm wrote:
On 05/04/2016 02:57, PGNet Dev wrote:
Sorry to post this here, but you failed to provide any
address of said SPAM-L, nor yourself. Try again.
http://bfy.tw/565B
Troll!
I didn't ask what things in the e
failed to provide any
address of said SPAM-L, nor yourself. Try again.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote
failing to correctly
authenticate submissions by their own users, which no
amount of 3rd party automation (other than blacklisting
the failing provider, in this case gmail) could stop.
Yeah, I'm guessing there was a vulnerability in one of the other
Google services, and that Google service wa
can point out a clause in the "CMS" format RFCs
that allow use without X.509 certificates, there is no reason
why the "CMS" part of the OpenSSL library should be able to
any such thing.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej
of 3rd party automation (other than blacklisting
the failing provider, in this case gmail) could stop.
Yeah, I'm guessing there was a vulnerability in one of the other
Google services, and that Google service was allowed to make web-based
email submissions on behalf of the user. Classic injection an
penssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed
On 01/04/2016 00:36, Ben Humpert wrote:
2016-03-31 18:09 GMT+02:00 Jakob Bohm :
On 31/03/2016 17:16, warron.french wrote:
3. Then create new server certificates for the 2 servers again.
Yep, and give the new ones a slightly different "full"
distinguished name (important for C
l CAs do this
daily, but that's too much work for a tiny company CA.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wi
x27;
make: *** [build_crypto] Error 1
It looks as though the "no-idea" removes some of the header files from
the build, but then the make tries to compile the .c files anyway.
Has anyone else encountered this problem?
Make sure you have run "make depend", i.e.
$ ./config
+mmfHgmQTTQWg7GiZ0a9VAjmnom9CxUNBzYVAdL4SYrk4z
jf78Hj1qn1w+4dVLo/o1
=O2sR
-END PGP SIGNATURE-
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo
&& make clean && make
Or is there something else you would recommend?
As far as not configuring because stddef.h, that sounds like a bug.
Jeff
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.
s good, I want to make sure that the
.so was indeed built with these versions of fipscanister.o and
fips_premain.
Is there a way to do this ? I am on centos 6.6 x86_64 and linking to
object module 2.0.11 from openssl 1.0.1e with patches.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/
On 11/03/2016 03:27, Viktor Dukhovni wrote:
On Fri, Mar 11, 2016 at 02:44:59AM +0100, Jakob Bohm wrote:
Well, no, 1.0.2 uses the trust store not only for trust-anchors,
but also as a capricious source of intermediate certificates, whose
behaviour varies depending on whether the peer supplied
On 11/03/2016 02:23, Viktor Dukhovni wrote:
On Fri, Mar 11, 2016 at 01:51:32AM +0100, Jakob Bohm wrote:
I am arguing that:
- 1.0.x behavior should not be changed, as it would violate the
principle of least surprise for a "security update" to change
semantics.
The odd 1.0.x
On 11/03/2016 01:18, Viktor Dukhovni wrote:
On Fri, Mar 11, 2016 at 12:56:04AM +0100, Jakob Bohm wrote:
Your reply below is a perfect illustration of the expected confusion.
Sorry, I disagree. The 1.1.0 changes fix various shortcomings that
may well also be addressed in a future 1.0.2 update
On 10/03/2016 23:41, Viktor Dukhovni wrote:
On Thu, Mar 10, 2016 at 11:29:12PM +0100, Jakob Bohm wrote:
This is changing in OpenSSL 1.1.0, and may yet change in a future
OpenSSL 1.0.2 update. Only the trust-anchor (top-most certificate
>from the trust-store) is not checked for expiration
On 10/03/2016 23:06, Viktor Dukhovni wrote:
On Thu, Mar 10, 2016 at 10:41:28PM +0100, Jakob Bohm wrote:
Any ideas what i could be doing wrong?
Make sure the intermediary is not included in the "CA storage"
(hashed or single file) used by the client. Anything in that
storage is
ngle file) used by the client. Anything in that
storage is considered valid and not checked for revocation or
validity.
I am on version OpenSSL 1.0.1f 6 Jan 2014
That's a bit old.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
recognize the large sequences of identical
bytes.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Managemen
Over the last many months, I have received a constant flow of
"newsletters" from databreachtoday.com to my OpenSSL posting
address.
I am wondering if this is specific to me, or if they are
sending to most other subscribers too.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A
0.0 or the program you ran)
was relocated to a different memory address this time
than back when you ran fipsld to set the checksum
(fingerprint).
3. (sometimes): You forgot to run fipsld to set the
checksum (fingerprint).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.
Someone picked up an old dead thread, but I'll make some brief
responses.
On 11/02/2016 20:49, Valerie Anne Fenwick wrote:
Hi Jakob -
On 11/22/15 08:17 PM, Jakob Bohm wrote:
On 20/11/2015 23:26, Short, Todd wrote:
While I am all for simplicity, I also think that removing
functionality
e the same situations in which credit
cards or a door keys might be revoked (mechanical door keys
are revoked by changing the locks).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is
ot
accidentally pick up the standard non-FIPS OpenSSL.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service M
crashed a few lines earlier in SSL_shutdown(), so can't
reach the if statement anyway.
I have attached the reduced patch, but I still think the real
cause must be elsewhere.
On 02/02/2016 12:34, Matt Caswell wrote:
On 02/02/16 11:24, Jakob Bohm wrote:
On 02/02/2016 11:40, Matt Caswell
likely free fixed load address is needed.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service
On 02/02/2016 11:40, Matt Caswell wrote:
On 02/02/16 07:52, Jakob Bohm wrote:
I am trying to upgrade an existing 3rd party multithreaded server
from OpenSSL 1.0.2c to 1.0.2f . However when I do so, it starts
mishandling the close_notify "alert".
1.0.2f seems to send the close_no
80 [0x10f0d63] (37 bytes => 37 (0x25))
- 15 03 01 00 20 db 1d f3-2e 24 a6 ae 93 27 05 67 $...'.g
0010 - b2 0e 61 5f 11 32 83 32-3e 55 d9 e9 0b c2 39 34 ..a_.2.2>U94
0020 - f0 46 70 8f 16 .Fp..
>>> TLS 1.0 Alert [length 0002], warning close_notify
01 00
Enjo
(which would be a security bug in 1.0.x), or is
it simply that the EVP interface does not expose certain lower
level APIs that can be accidentally invoked without side channel
protection options?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
,
Imran
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jakob Bohm
Sent: 27 January 2016 15:54
To: openssl-users@openssl.org
Subject: Re: [openssl-users] FIPS Certification
On 27/01/2016 16:24, Imran Ali wrote:
All,
Looking at the website
http
a FIPS compliant Open SSL again?**
**
According to yesterday's post by Steve Marquess,
the platforms listed under validation #1747 and
#2473 are OK (for now), but the platforms listed
under validation #2398 are still at risk unless
#2398 too gets updated before January 31.
Enjoy
Jakob
--
@openssl.com>
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
___
openssl-users mai
a."
Adapt as applicable (e.g. if this only applies to some modes of
the pkeyutl command etc.).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may
TH
team at INRIA had given specific names and CVE ids for
each of the issues in their report, such that one might say
"SLOTH-1: Never vulnerable, SLOTH-2: Fixed in 1.0.1f, SLOTH-3:
hypothetical for now, can be fixed with a cipher string
setting, etc. etc." But no such names exist.
Enjoy
96 bit truncated HMAC values: Probably not.
Does FIPS mode prevent use of the insecurely designed
'tls-unique' feature: Probably not.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
T
ead do a strong hash (SHA-256 or
better) of the complete handshake (all handshake
messages in both directions, including record headers).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public d
uestion throws away a different
arithmetic operation elsewhere in the code and ends up
producing the wrong result. Changing from the portable
implementation to the old non-portable implementation
happens to avoid that compiler bug, by pure chance.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S
shable from the OP's test scenario?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for
.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phon
at OpenSSL would need to do for
that future "version 3" FIPS module?
Enjoy and Merry Christmas
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain e
c knowledge to optimize allocation
and system call patterns, such as keeping all the
small allocations for a decoded X.509 certificate or
all the intermediaries for an RSA calculation
together.
Enjoy and Merry Christmas
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Tra
larger and smaller. For SQL there
is no natural limit however, unless your SQL parser
happens to fail on statements above some arbitrary size.
Enjoy and Merry Christmas
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13
e is not a part of a
commercial grade full featured SSL/TLS and general purpose
crypto library, it is just a means to do quality assurance
on said library.
Enjoy and Merry Christmas
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Dir
the hashed directory layout produced by
c_rehash from OpenSSL 1.0.x, while OpenSSL 0.9.8 can do the
same with the similar but different layout produced by
c_rehash from OpenSSL 0.9.8, either OpenSSL version can
alternatively use a concatenation of all the certs in PEM
format).
Enjoy
Jakob
--
Jako
request matches the signature/
/Signature ok/
/The stateOrProvinceName field needed to be the same in the/
/CA certificate (HK) and the request (HK)/
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45
8 bit. But I think there is various code that assumes that
char is 8 bit, and I doubt you can get OpenSSL working on such a
system.
Target in question is traditional 32 bit ARM with 32 bit
instructions and 8 bit char.
Looks like a hard to fix compiler bug to me.
Enjoy
Jakob
--
Jakob Bohm
On 10/12/2015 19:13, Benjamin Kaduk wrote:
On 12/10/2015 12:09 PM, openssl-us...@dukhovni.org wrote:
On Dec 10, 2015, at 12:45 PM, Jakob Bohm wrote:
On 10/12/2015 18:33, Viktor Dukhovni wrote:
On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
static inline unsigned int
tten by a fanatic who put
the "right shift of negative signed values is
undefined" rule above common sense.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-bin
forgets to mask the result down to 8 bits after inlining
in test_is_zero_8(). The missing mask with FF occurs
in multiple functions in the disassembly.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 1
On 08/12/15 17:27, Jakob Bohm wrote:
> On 08/12/2015 11:57, Matt Caswell wrote:
>> On 07/12/15 05:18, Jayalakshmi bhat wrote:
>>> Hi All,
>>>
>>> Is there inputs or suggestions.
>> Have you run the tests on this platform? i.e. "ma
s not a self-hosting platform,
everything is done by cross-compiling on a PC.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wis
On 07/12/2015 11:52, zosrothko wrote:
Hi Jacob
Le 18/09/2015 19:34, Jakob Bohm a écrit :
On 18/09/2015 18:05, zosrothko wrote:
Hi
is there a way to know the supported TLS protocols from the
OPENSSL_VERSION_NUMBER (specifically, the TLSv1_1 and TLSv1_2?
For exemple, I have a code that is
/S is this on?
Matt
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/
push and get objects out of it using https.
âIf network is fully isolated you could use plain text. Using 'https'
and null encryption is basically just pretending to do security.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 286
bypass the proxy.
That's assuming stunnel doesn't also play silly buggers with the cipher suite
list.
Wouldn't that extra hop via stunnel cost performance
(noting that Ron is apparently running at faster than
gigabit speed).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S
ket.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones
?
Any help will be greatly appreciated !
One solution (if all else fails) is to implement the
calculations direcly using the bigint functions in
version 1.0.2 and older of OpenSSL.
This has worked very well for me in code that didn't
need FIPS certification.
Enjoy
Jakob
--
Jakob Bohm, CIO, Pa
On 23/11/2015 21:36, Karl Vogel wrote:
On Mon, 23 Nov 2015 05:17:33 +0100,
Jakob Bohm said:
J> You all seem to misunderstand the fundamental release engineering issues
J> involved.
Actually, we don't.
J> 1. Very shortly after you release OpenSSL 1.1.0, many distributions
borative effort to develop a robust,
commercial-grade, *full-featured*, and Open Source toolkit
implementing the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) protocols as well as a full-strength *general purpose*
*cryptography library* .
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, Wise
country.
6. All of this requires a lot more caution and a lot less
arrogance from the people making decisions about changes
in the OpenSSL library and project.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +4
e. So are the other public key
exchange algorithms in TLS, but not the PSK algorithms
without PFS.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and m
? Also the root certificate you are using.
It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
least want to verify the hostname through a call to
"X509_VERIFY_PARAM_set1_host"). Are you currently do anything like
this?
Enjoy
Jakob
--
Jakob Bohm, C
ot mandatory to set X509_VERIFY_PARAMs (but typically you at
least want to verify the hostname through a call to
"X509_VERIFY_PARAM_set1_host"). Are you currently do anything like
this?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transforme
re such obsolete algorithms.
But this concious decision MUST NOT require recompilation of the
package. Few if any distributions support recompiled packages. For
many
end-users this is also a hurdle they simply can't cross.
And this also allows openssl to change the cryp
On 13/11/2015 18:00, Benjamin Kaduk wrote:
On 11/13/2015 09:31 AM, Jakob Bohm wrote:
On 13/11/2015 14:40, Emilia Käsper wrote:
Hi all,
We are considering removing from OpenSSL 1.1 known broken or
outdated cryptographic primitives. As you may know the forks have
already done this but I
or the RIPEMD hash
function family (at this time).
RC5 may be a patent problem and would probably be
disabled in most OpenSSL builds anyway.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This pub
SSL_get_ciphers() or similar can be used
to determine if the current copy has been compiled without
IDEA, ECC or other optional cipher suites.
This is what happens in the real world when end users run your
compiled program on various Linux distributions, such as Red
Hat vs. OpenSUSE vs. Ubuntu...
hout some SSL/TLS versions supported in
the source code of that version).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo -
eys as the best
current solution where possible.
The (non-classified) current official advice can be read at
https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmar
eys in favor of AEAD suites that are
designed very close to the margins of being secure.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain err
that myself.
Could you point me to where this (non-obvious) relationship
between options ostensibly doing something else and the
desired effect is documented? The 1.0.1* man-page of s_server
certainly doesn't say that.
On 2 November 2015 at 13:37, Jakob Bohm <mailto:jb-open...@wisem
uot;-binary" mode, no byte value or sequence of byte value
is special, except that explicit use of the "-crlf" option
still works.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public
On 28/10/2015 21:58, Walter H. wrote:
On 28.10.2015 18:34, Jakob Bohm wrote:
On 28/10/2015 17:36, Walter H. wrote:
On 28.10.2015 16:44, Jakob Bohm wrote:
On 27/10/2015 21:21, Walter H. wrote:
On 26.10.2015 21:42, rosect...@yahoo.com
<mailto:rosect...@yahoo.com> wrote:
Hi, I need som
On 28/10/2015 17:36, Walter H. wrote:
On 28.10.2015 16:44, Jakob Bohm wrote:
On 27/10/2015 21:21, Walter H. wrote:
On 26.10.2015 21:42, rosect...@yahoo.com wrote:
Hi, I need some help on this call.
I am building an OCSP client following guide in openssl and compile
the code in Cygwin
igner certificate? That is my question.
Obvious first check is to see if it is the CA certificate
that issued thecertificate you are checking.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discu
ot to use HTTPS for CRL and OCSP access
as long as infinite recursion is avoided, preferably
through the choice of server certificates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discu
On 27/10/2015 03:42, Viktor Dukhovni wrote:
On Tue, Oct 27, 2015 at 02:21:13AM +0100, Jakob Bohm wrote:
More specifically, the issue is that the currently
recommended command "openssl pkey", allegedly silently
omits the encryption when told not to Base64 encode the
encrypted key.
I
e possible to change the
default to encrypted, confident that adding explicit "-nodes"
to scripts and examples will not fail on any reasonably
maintained systems (including systems where openssl is built
by some upstream OS maker).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http:/
).
P.S.
On most existing OpenWrt installs, there is actually
plenty of RAM, but a shortage of flash storage space,
though exceptions have occurred.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public
401 - 500 of 1153 matches
Mail list logo