On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
>> wrote:
>> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>> >
>> >>
On Tue, Mar 4, 2014 at 10:03 AM, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
> wrote:
>> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>>...
>> What is in the (non-extended) keyUsage extension of the certificate?
>>
On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>
>> I've got a server that can't negotiate a cipher suite with a client
>> when using ECDSA certificates. When using ECDSA, the server reports
>
I've got a server that can't negotiate a cipher suite with a client
when using ECDSA certificates. When using ECDSA, the server reports
0x1408a0c1 (no shared cipher).
The same server can consume RSA and DSA certificates. (In fact, all
the public key and certificate routines are generic and only di
Is there a list of EC curves to NIDs?
http://www.openssl.org/docs/crypto/EC_KEY_new.html and
http://www.openssl.org/docs/crypto/EC_GROUP_new.html discuss the
curves and the NIDs, but don't provide a list.
Or better, is there a function like EC_CURVE_by_name that returns a
nid given a curve like "
I'm trying to add some key and certificate validation code to help
diagnose potential issues.
X509_verify allows me to verify an X509 and EVP_PKEY pair.
verify.c has certificate validation code, but it appears to work from
the file system (X509_STORE_add_lookup(), X509_LOOKUP_file(),
X509_LOOKUP_
On Sat, Mar 1, 2014 at 7:29 AM, Dr. Stephen Henson wrote:
> On Sat, Mar 01, 2014, Jeffrey Walton wrote:
>
>> I'm building a ca cert following .../demos/mkcert.c. The program is failing
>> at:
>>
>> X509_EXTENSION* ex4 =
>> X509V3_EXT_conf_nid(NULL
On Sat, Mar 1, 2014 at 1:14 AM, Viktor Dukhovni
wrote:
> On Sat, Mar 01, 2014 at 01:02:28AM -0500, Jeffrey Walton wrote:
>
>> X509_EXTENSION* ex4 =
>> X509V3_EXT_conf_nid(NULL, NULL, NID_subject_key_identifier, "hash");
>> err = ERR_get_error();
>&g
I'm building a ca cert following .../demos/mkcert.c. The program is failing at:
X509_EXTENSION* ex4 =
X509V3_EXT_conf_nid(NULL, NULL, NID_subject_key_identifier, "hash");
err = ERR_get_error();
...
$ openssl errstr 0x22073072
error:22073072:X509 V3 routines:S2I_SKEY_ID:no public key
The publ
What are the limits on PEM_write_RSAPrivateKey and EVP_CIPHER? Is it
possible to use 256-bit security levels with authentication tags?
I could not get "AES-256-HMAC-SHA-256" or "AES-256-CBC-HMAC-SHA1" to
work, and I could not get "AES-256-GCM" to work.
"AES-256-HMAC-SHA-256" and "AES-256-HMAC-SHA
On Wed, Feb 26, 2014 at 5:23 PM, Viktor Dukhovni
wrote:
> On Wed, Feb 26, 2014 at 04:41:33PM -0500, Jeffrey Walton wrote:
>
>> This worked well under Linux with GCC. It cleared the Valgrind squawks.
>
> Why is anyone obsessed about freeing memory that is assigned to
> static
(ssl_comp_methods);
ssl_comp_methods = NULL;
}
}
#endif
On Mon, Feb 24, 2014 at 9:40 PM, Jeffrey Walton wrote:
> ssl/ssl_ciphr.c has the following:
>
> static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
>
> ssl_comp_methods is allocated with SSL_library_init, but it does
ssl/ssl_ciphr.c has the following:
static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
ssl_comp_methods is allocated with SSL_library_init, but it does not
appear to be freed with any of the cleanup functions (ENGINE_cleanup,
CONF_modules_unload, EVP_cleanup, CRYPTO_cleanup_all_ex_data,
ERR_remove
d? Does order matter?
Jeff
On Mon, Feb 10, 2014 at 7:50 PM, Jeffrey Walton wrote:
> I'm trying to remediate a couple of memory leaks on shutdown. I'm
> having trouble: (1) locating a definitive guide that lists what should
> be called during cleanup; and (2) what order
I'm trying to remediate a couple of memory leaks on shutdown. I'm
having trouble: (1) locating a definitive guide that lists what should
be called during cleanup; and (2) what order they should be called in.
The closest I've find to answering the questions are (1) OpenSSL
source code; and (2)
http
OpenSSL has the following defined in thl1.h. They are used in
s_server.c for the SNI callback.
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_WARNING 1
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK 3
SSL_TLSEXT_ERR_OK 0 is self explanatory. It appears
SSL_TLS
I've set a servername callback using SSL_CTX_set_tlsext_servername_callback.
SSL_CTX_set_tmp_dh_callback(ctx, edh_cb);
SSL_CTX_set_tlsext_servername_callback(ctx, servername_cb);
I verified the callback was set in the context object:
gdb> p *server_ctx
...
client_cert_engine
I know OpenSLL has DH_check and RSA_check_key.
Does OpenSSL have a generic key verification routine that can be used
for, say, any key in a EVP_PKEY?
Thanks in advance.
__
OpenSSL Project http://ww
On Wed, Jan 29, 2014 at 12:51 AM, Devchandra L Meetei wrote:
> when I run ./config, The final lines says following things
>
> "Since you've disabled or enabled at least one algorithm, you need to do
> the following before building:
>
> make depend
> "
> is there any way to check which algo
I can create a CSR with the following:
$ openssl req -out ./test.csr -new -newkey rsa:2048 -nodes -keyout
./test.key -subj "/emailAddress=j...@example.com/CN=John Does/C=US"
However, the custom subject causes the CSR to lack other fields, like
State, Locality and Organization.
Is there a way to
> ... for >= TLSv1.2, protocol should be selected as SSLv23_method()?
Yes, but as Viktor pointed out, you also need:
options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 |SSL_OP_NO_SSLv2
Jeff
On Sat, Jan 25, 2014 at 10:40 AM, Devchandra L Meetei wrote:
> Just one more thing, for >= TLSv1.2,
>
> Protoco
What is the name of the function to set the callback described below?
*) Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
su
On Fri, Jan 24, 2014 at 1:18 PM, Jakob Bohm wrote:
> On 1/24/2014 6:54 PM, Jeffrey Walton wrote:
>>
>> I don't see a dumb mistake with this one
>>
>> ...
>> [ signing_req ]
>> subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid
I don't see a dumb mistake with this one
First, the CSR has multiple SANs:
$ openssl req -text -noout -verify -in servercert.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=XX, ST=XX, L=XX, CN=Test Server/emailAddress=t...@example.com
Subject P
On Fri, Jan 24, 2014 at 12:02 PM, Dr. Stephen Henson wrote:
> On Fri, Jan 24, 2014, Jeffrey Walton wrote:
>
>> I'm having a heck of a time getting the SAN into a server's CSR.
>>
>> ...
>> Any ideas what I'm doing wrong?
>
> Hmm... it isn'
I'm having a heck of a time getting the SAN into a server's CSR.
I believe the relevant sections are:
[ req ]
req_extensions= server_req_extensions
[ server_req_extensions ]
subjectKeyIdentifier= hash
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, dig
I'm having trouble retrieving the random method being used after a
call to FIPS_mode_set.
ENGINE_get_default_RAND is returning NULL, so I can't use ENGINE_get_name.
RAND_get_rand_method is returning a pointer, but its not supposed to
be used and it has not way to fetch a name.
There is a RAND_se
On Fri, Jan 17, 2014 at 11:16 AM, Viktor Dukhovni
wrote:
> On Fri, Jan 17, 2014 at 09:57:00AM -0500, Jeffrey Walton wrote:
>
>> > BN_CTX_init() (deprecated) initializes an existing uninitialized
>> > BN_CTX. This should not be used for new programs. Use BN_CTX_new()
>
n the source code.
Jeff
>
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on
> behalf of Jeffrey Walton [noloa...@gmail.com]
> Sent: 16 January 2014 20:28
> To: OpenSSL Users List
> Subject: Declare BN_CTX on stack (not BN_CTX*)
>
> I
I'm trying to declare a BN_CTX on the stack (with a subsequent call to
BN_CTX_init) to stay out of the memory manager.
When I do, I get an error:
aggregate ‘BN_CTX’ has incomplete type and cannot be defined
I've included , so I'm kind of surprised I can't
compile. ( has some typedefs and com
On Tue, Jan 7, 2014 at 12:58 AM, Jeffrey Walton wrote:
> On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
> wrote:
>> On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
>>
>>> I can't seem to find information on using the hostname and emai
On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
wrote:
> On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
>
>> I can't seem to find information on using the hostname and email
>> verification functionality.
>>
>> * SSL_CTX_set_verify does not
I can't seem to find information on using the hostname and email
verification functionality.
* SSL_CTX_set_verify does not discuss it
* www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
* No mention if it was rolled into SSL_VERIFY_PEER
* s_client does not have any new switches
* no
Can anyone confirm that ENGINE_rdrand is no longer a default engine
(if available).
The change log does not mention it.
http://www.openssl.org/news/changelog.html (the ENGINE is not
mentioned anywhere, including the change from 1.0.1e).
Thanks in advance.
_
*) Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in opensl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
functions. Add manual page.
[Florian
On Sat, Jan 4, 2014 at 2:42 PM, Viktor Dukhovni
wrote:
> ... A substantive comment that argues that DANE adds
> nothing new to SMTP would begin by explaining in detail how SMTP
> to MX TLS security is possible without DNS data integrity (thus
> making it possible to not trust the root zone signatu
How does one verify use of AES-NI at runtime?
I know I can get 'capability' with:
crypto/evp/e_aes.c:#define AESNI_CAPABLE \
(OPENSSL_ia32cap_P[1]&(1<<(57-32)))
But grepping the sources for a runtime test does not produce anything
that looks useful:
$ grep -R -i AESNI *
and
, Jeffrey Walton wrote:
> I'm testing the FIPS Capable OpenSSL library with nginx. nginx start a
> master process which calls:
>
> SSL_library_init();
> SSL_load_error_strings();
> OpenSSL_add_all_algorithms();
>
> The master then starts a number of child proce
I'm testing the FIPS Capable OpenSSL library with nginx. nginx start a
master process which calls:
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
The master then starts a number of child processes. It does so by
forking without an exec (if I am reading the
y works in real life? Or
is it more undocumented, broken cruft lying around?
Jeff
On Wed, Oct 2, 2013 at 4:56 PM, Jeffrey Walton wrote:
> Hi All,
>
> I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
> then connected to api.pagepeeker.com, which uses StartCom
supported
SSL-Session:
Protocol : TLSv1
Cipher: AES256-SHA
Session-ID:
Start Time: 1380749054
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
On Wed, Oct 2, 2013 at 4:56 PM, Jeffrey Walton wrote:
> Hi All,
>
> I
Hi All,
I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
then connected to api.pagepeeker.com, which uses StartCom.
When I use s_client and -CAfile, the verification completes
successfully. When I use c_client and SSL_CERT_FILE, verification
fails with "Verify return code: 19
Hi All,
I'm trying to run OpenSSL through Clang's scan-build
(http://clang-analyzer.llvm.org/scan-build.html). According to the
page, I should be configuring and building a debug configuration (both
through scan-build).
Does OpenSSL supply a 'generic' debug configuration? Or should I use
Ben Laur
e the
makefile does not specify full pathnames:
sudo -E make install \
CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc \
RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib \
On Tue, Jun 25, 2013 at 8:46 PM, Jeffrey Walton wrote:
> Hi All,
>
> When linking to the FIPS
Hi All,
When linking to the FIPS Capable shared object, the program fails its
fingerprint check:
$ arm-linux-androideabi-gcc --sysroot="$ANDROID_SYSROOT"
-I/usr/local/ssl/android-14/include fips_hmac.c -o fips_hmac.exe
/usr/local/ssl/android-14/lib/libcrypto.so.1.0.0
$ adb push /usr/local/ssl/and
On Sat, Jun 22, 2013 at 4:24 PM, Dr. Stephen Henson wrote:
> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
>> On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson
>> wrote:
>> > On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>> >
>> >> Hi All,
>
On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson wrote:
> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
>> Hi All,
>>
>> I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
>> Android environment with cross compilation. Both the FIPS O
Hi All,
I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
Android environment with cross compilation. Both the FIPS Object
Module and FIPS Capable library built and installed without much
effort.
I'm trying to build a simple command line application which statically
links to the
On Mon, Mar 4, 2013 at 11:19 PM, Jeffrey Walton wrote:
> Hi All,
>
> OpenSSL 1.0.1e is not loading Intel's hardware random number
> generator. ENGINE_load_rdrand() silently fails:
>
> /*** eng_rand.c ***/
> void ENGINE_load_rdrand (void)
> {
> exter
Hi All,
OpenSSL 1.0.1e is not loading Intel's hardware random number
generator. ENGINE_load_rdrand() silently fails:
/*** eng_rand.c ***/
void ENGINE_load_rdrand (void)
{
extern unsigned int OPENSSL_ia32cap_P[];
if (OPENSSL_ia32cap_P[1] & (1<<(62-32)))
{
ENGINE *toadd = ENGIN
On Fri, Feb 15, 2013 at 9:25 AM, Ashok C wrote:
> On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton wrote:
>> On Thu, Feb 14, 2013 at 5:58 AM, Ashok C wrote:
>> >
>> > As part of implementing certificate expiry related alarms for my SSL
>> > application, I woul
On Wed, Feb 20, 2013 at 4:10 PM, Andreas Mattheiss
wrote:
>
> s_client doesn't like pipes
This works well for me:
$ echo "GET / HTTP1.0" | openssl s_client -connect example.com:443
It looks like you need something more like a response file.
Jeff
___
On Thu, Feb 21, 2013 at 1:37 AM, Nick wrote:
> On Mon, 2013-02-18 at 08:56 -0500, Jeffrey Walton wrote:
>> > g++-4.7.2 -g -Wall -Wextra -Weffc++ -Wno-missing-field-initializers
>> > -Wctor-dtor-privacy -Wnon-virtual-dtor -Wreorder -Wold-style-cast
>> > -Woverloa
On Mon, Feb 18, 2013 at 2:38 PM, Jeffrey Walton wrote:
> Hi All,
>
> $ uname -a
> Linux ubuntu-12-x64 3.2.0-37-generic #58-Ubuntu SMP Thu Jan 24
> 15:28:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>
> Any ideas?
>
> jeffrey@ubuntu-12-x64:~/openssl-1.0.1e$ ./Configure l
On Sun, Feb 17, 2013 at 10:02 AM, Jeremy Harris wrote:
> On 02/16/2013 10:51 PM, Dr. Stephen Henson wrote:
>>
>> So you could supply an application defined callback that just calls
>> X509_verify_cert too which keeps the current behaviour. If that call is
>> successful you can then note the chain
On Mon, Feb 18, 2013 at 8:31 AM, Nick wrote:
> On Mon, 2013-02-18 at 08:12 -0500, Jeffrey Walton wrote:
>> It looks like the GCC tool chain has let you down: "C/C++ Option to
>> Initialize Variables?",
>> http://gcc.gnu.org/ml/gcc/2013-02/msg00207.html.
>>
&
On Mon, Feb 18, 2013 at 7:58 AM, Nick wrote:
> On Mon, 2013-02-18 at 13:22 +0100, Dr. Stephen Henson wrote:
>> Here's what's happening in detail. If you pass a non-NULL pointer for
>> the
>> second parameter it will attempt to reuse the structure.
>>
>> In the case of the RSA structure the outer (
On Mon, Feb 18, 2013 at 3:04 AM, Nick wrote:
> On Mon, 2013-02-18 at 00:37 +0100, Dr. Stephen Henson wrote:
>> That's because it is attempting to free up parts of a pointer that
>> haven't
>> been allocated with OPENSSL_malloc. See:
>>
>> http://www.openssl.org/docs/crypto/d2i_X509.html#WARNINGS
>
Hi wenxue,
> Get hash failure
http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/1025761add9b41dc?
> NMAKE : fatal error U1077: 'c:\Perl\bin\perl.EXE' : return code '0x2'
> Stop.
On Windows, ERROR_FILE_NOT_FOUND is 0x0002.
Jeff
On Fri, Feb 15, 2013 at 7:21 PM, nys2013
On Thu, Feb 14, 2013 at 5:58 AM, Ashok C wrote:
> Hi,
>
> As part of implementing certificate expiry related alarms for my SSL
> application, I would kindly require few suggestions and clarifications from
> the community.
Does that include OSCP checking? On a continuous basis? The CA will
not warr
On Thu, Feb 14, 2013 at 5:12 AM, Gayathri Manoj
wrote:
> Hi All,
>
> Please let me know if openssl version 1.0.0 is fips compliant?
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
__
OpenSSL Project
I was missing "Add Trust External CA Root",
https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=9&nav=0,1.
On Tue, Feb 12, 2013 at 3:16 AM, Jeffrey Walton wrote:
> Hi All,
>
> I'm probably doing something wrong here, but I d
On Tue, Feb 12, 2013 at 3:16 AM, Jeffrey Walton wrote:
> ...
>
> I've used `openssl x509 -text -in "AddTrust External CA Root.pem"`
> (copied out directly from s_client), and everything looks OK. CA is
> TRUE, AKI is present, KU includes "Certificate Sign, CRL S
Hi All,
I'm probably doing something wrong here, but I don't see what it is.
I'm calling SSL_CTX_load_verify_locations() with a CAT of PEM files.
I'm not calling SSL_CTX_set_default_verify_paths():
/* http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html */
/* I've also tried with a
On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
>> Sent: Monday, 11 February, 2013 00:41
>
>> On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
>>
>> > &
On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
>> Sent: Monday, 11 February, 2013 01:12
>
>> I'm trying to memory map a file. Does OpenSSL BIO's allow this?
>>
>> I seem to be f
On Mon, Feb 11, 2013 at 12:41 AM, Viktor Dukhovni
wrote:
> On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
>
>> >> I'm trying to extract a public key (subjectPublicKeyInfo) form an X509
>> >> certificate.
>> >
>> > from apps/x50
Hi All,
I'm trying to memory map a file. Does OpenSSL BIO's allow this?
I seem to be failing on BIO_read_filename with a `ret` of 0. The docs
state I should expect `ret` of 1. When I look for the problem, I'm
getting an error code of 0 (`err`, success).
I ask because the doc's appear to be incor
On Sun, Feb 10, 2013 at 11:31 PM, Daniel Black
wrote:
> On 11/02/13 14:12, Jeffrey Walton wrote:
>> Hi All,
>>
>> I'm trying to extract a public key (subjectPublicKeyInfo) form an X509
>> certificate.
>>
>
> from apps/x509.c in the openssl source:
&g
On Wed, Feb 6, 2013 at 2:40 PM, Memmott, Lester
wrote:
> Jon,
>
> I’m having trouble with fipslink as well and thought it might help to compare
> notes. These are the linker errors I’m getting using Visual Studio 2008:
> fips_premain.obj : error LNK2001: unresolved external symbol "unsigned char
Hi All,
This relates to 'OpenSSL Security Advisory [05 Feb 2013]' and the
accompanying CVEs. The bulletin did not address combinations of FIPS
Object Module and FIPS Capable Library Combinations.
Please forgive my ignorance. I don't like to take a lot of latitude or
license on these things. I'm t
On Mon, Jan 28, 2013 at 8:24 AM, René Klomp wrote:
> Could someone tell me how i could disable *only* the EAS-NI instructions
> when compiling openssl?
I don't believe AES-NI can be disable at compile time. `./config -t`
might offer some useful options (I can't check at the moment because I
am on
On Tue, Jan 29, 2013 at 6:37 AM, Joseandro Luiz
wrote:
> Hello everyone,
> I am using the OpenSSL user guide from
> http://www.openssl.org/docs/fips/UserGuide-2.0.pdf in order to create a FIPS
> 140-2 compliant iOS app.
> So far I've successfully built the Incore utility and the FIPS Object Module
On Mon, Jan 28, 2013 at 7:18 AM, Rahul Godbole wrote:
>
> When I call the function FIPS_mode_set() from my code, the function returns
> 0. It returns 0 because the flag OPENSSL_FIPS is not set during compilation.
> What option should I pass to the Configure or config script so that it gets
> set d
Hi All,
I just made a recommendation for Thomas Wu's Secure Remote Password (SRP).
I know Thomas Wu submitted patches some time ago
(http://rt.openssl.org/Ticket/Display.html?id=1794&user=guest&pass=guest).
What is the status of SRP in OpenSSL? Is it in mainline? Or does it
need to be pulled fro
On Wed, Jan 23, 2013 at 1:20 PM, Smith, Russell (Shane), Contractor
wrote:
> I am looking for a way to disable weak ciphers in openssl.
> I have a legacy program that uses the "default" SSL ciphers and is not
> configurable like apache and httpd.conf etc.
> Is there any way I can change the a
On Wed, Jan 23, 2013 at 3:02 PM, John A. Wallace wrote:
> I also have questions about this issue. Am I correct in saying that IDEA,
> which is a patented algorithm, has legal restrictions from our implementing
I believe IDEA is no longer encumbered in the US. I seem to recall it
expired around 201
On Wed, Jan 23, 2013 at 9:42 AM, Viktor Dukhovni
wrote:
> On Wed, Jan 23, 2013 at 09:12:41AM -0500, Ken Goldman wrote:
>
>> My experience is that you should not expect binary compatibility.
>> Since errors will often be in little used corner cases, it's safer
>> to always recompile.
>
> Please do
On Sat, Jan 19, 2013 at 11:42 AM, Ben Laurie wrote:
> On 19 January 2013 16:31, Jeffrey Walton wrote:
>> On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie wrote:
>>> On 26 December 2012 20:07, Jeffrey Walton wrote:
>>>> On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wro
On Sun, Jan 20, 2013 at 6:51 PM, wrote:
> On 18-01-2013 20:26, Jeffrey Walton wrote:
>>
>> On Fri, Jan 18, 2013 at 11:01 AM, Memmott, Lester
>> wrote:
>>>>
>>>> All modern Versions of Microsoft's C Runtime are thread safe. That
>&g
On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie wrote:
> On 26 December 2012 20:07, Jeffrey Walton wrote:
>> On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wrote:
>>> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton wrote:
>>>> I fetched `makedepend` f
On Fri, Jan 18, 2013 at 5:53 PM, Hazrat Shah wrote:
>
> I am having problem with server certificate verification the
> SSL_get_verify_result() returns
>
> Error code 20.
>From http://www.openssl.org/docs/apps/verify.html, that is
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
> I add a (xx.cert) f
On Fri, Jan 18, 2013 at 11:01 AM, Memmott, Lester
wrote:
>>All modern Versions of Microsoft's C Runtime are thread safe. That occurred
>>around Visual Studio 6.0 (circa 2000 or so).
> >From http://msdn.microsoft.com/en-us/library/abx4dbyh.aspx: "The
> >single-threaded CRT (libc.lib, libcd.lib) (
On Fri, Jan 18, 2013 at 10:21 AM, Memmott, Lester
wrote:
> I'm in the process of incorporating FIPS enabled OpenSSL into an application
> when I realized that by default the FIPS module is built by dynamically
> linking the C runtime, not statically linking. In my case, for Windows using
> Mic
On Thu, Jan 17, 2013 at 9:17 PM, ask wrote:
> How can I print out result string from return code of
> SSL_get_verify_result?
> For example, for my test, I got 18,
> ERR_error_string( return_code) does not yield any thing?
http://www.openssl.org/docs/ssl/SSL_get_verify_result.html
_
On Thu, Jan 17, 2013 at 4:21 PM, MauMau wrote:
> Hello,
>
> I'm using OpenSSL 1.0.1c on Linux and Windows to implement encryption
> feature of my software. I need to compare performance of cases where AES-NI
> is enabled and where it is disabled on the same computer. If possible, I
> want to avo
On 1/17/13, Memmott, Lester wrote:
> I've gone through the FIPS User Guide and have built OpenSSL 1.0.1c with the
> FIPS module 2.0.2. From a practical perspective I'm trying to sort out in
> my mind the following:
Be careful - its a bit dated and some information is not correct. I
understand its
On Wed, Jan 16, 2013 at 9:02 AM, Bruce Cran wrote:
> On http://www.openssl.org/support/community.html the mailing list
> subscription feature is broken - clicking "Send to Majordomo" just displays
> the majordomo.cgi script.
It also looks like its injectable:
$query_string = $ENV{'QUERY_STRING'
Hi Dr. Henson,
On Mon, Jan 14, 2013 at 10:04 AM, Dr. Stephen Henson wrote:
> On Mon, Jan 14, 2013, Rahul Godbole wrote:
>
>> Hi
>>
>> Can someone please help me on the following 2 issues? I am using FIPS 2.0
>>
>> 1) I am trying to build OpenSSL for FIPS. When I link to the below
>> functions fr
On Mon, Jan 14, 2013 at 7:24 AM, Rahul Godbole wrote:
> Thanks Jeff. Please see inline.
>
Did you build the FIPS Object Module first?
$ rm -rf openssl-fips-2.0.1/
$ tar xzf openssl-fips-2.0.1.tar.gz
$ cd openssl-fips-2.0.1/
$ ./config
$ make
$ sudo make install
After you build the FI
On Mon, Jan 14, 2013 at 5:52 AM, Rahul Godbole wrote:
>
> 1) I am trying to build OpenSSL for FIPS. When I link to the below
> functions from an external program linking to libcrypto.a, I get a linking
> error for them. When I grepped for the below functions in libcrypto.a and
> aes_core.o ( aes_
On Fri, Jan 11, 2013 at 7:45 AM, Ribhi Kamal wrote:
> I guess the next time I see a linker complain about _ I'll know what's
> wrong :)
Absolutely. I've done the same many times, and that's why I knew :)
> On Fri, Jan 11, 2013 at 6:07 AM, Michel wrote:
>>
>>
>> Found interresting related article
U _FIPS_set_locking_callbacks
U _FIPS_set_malloc_callbacks
U _RAND_init_fips
...
Jeff
> On Thu, Jan 10, 2013 at 6:09 PM, Jeffrey Walton wrote:
>>
>> On Thu, Jan 10, 2013 at 5:50 PM, Ribhi Kamal wrote:
>> > Never mind, the application (virtualbo
On Thu, Jan 10, 2013 at 5:50 PM, Ribhi Kamal wrote:
> Never mind, the application (virtualbox) was incorrectly trying to use the
> 32bit version of openssl. But I still don't understand why a 32bit version
> has different symbols that the 64bit one.
The message is probably similar to "Symbol not f
)
283-bit Elliptic Curves (Binary Fields)
AES-128
SHA-256
So, you have to plug in the required parameters.
Jeff
> From: Jeffrey Walton
> To: openssl-users@openssl.org
> Date: 01/10/2013 04:01 PM
> Subject:Re: How to link openssl FIPS 140-2 object module with op
On Thu, Jan 10, 2013 at 9:01 AM, Tayade, Nilesh
wrote:
>> -Original Message-
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Jakob Bohm
>> Sent: Thursday, January 10, 2013 6:56 PM
>> To: openssl-users@openssl.org
>> Subject: Re: RSA_privat
On Thu, Jan 10, 2013 at 6:13 AM, Tayade, Nilesh
wrote:
>> -Original Message-
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Jakob Bohm
>> Sent: Friday, December 21, 2012 8:23 PM
>> To: openssl-users@openssl.org
>> Subject: Re: RSA_private
On Thu, Jan 10, 2013 at 3:07 AM, Nayna Jain wrote:
>
> Hi,
>
> I want to use FIPS compliant algorithms and keys. For that I understand, I
> need to have Openssl FIPS object library along with default openssl.
>
> However, I am not understanding how to install them. My questions are :
>
> 1. Both a
On Wed, Jan 9, 2013 at 10:42 AM, Jakob Bohm wrote:
> On 1/8/2013 7:59 PM, Jeffrey Walton wrote:
>>
>> On Tue, Jan 8, 2013 at 1:14 PM, Carson Gaspar wrote:
>>>
>>> On 1/8/13 9:52 AM, Jeffrey Walton wrote:
>>>>
>>>> ...
>>
>&
On Wed, Jan 9, 2013 at 7:02 AM, Serhiy Ivanov
wrote:
> Tried to turn off one cipher via:
> #!/bin/bash
> make clean && ./config -no-CAMELLIA-128-CBC && make depend && make
Try make dclean
Jeff
__
OpenSSL Project
401 - 500 of 760 matches
Mail list logo