OpenSSL 3.0 has recently been designated as a Long Term Support (LTS)
release. This means that it will now be supported until 7th September
2026 (5 years after its initial release).
Our previous LTS release (1.1.1) will continue to be supported until
11th September 2023.
We encourage all
On 25/02/2022 22:07, William Roberts wrote:
Hello,
In openssl 3.0.1 the following code hits the ctx->keymgt is null check
and thus returns -2
in pmeth_gn.c:
static int fromdata_init(EVP_PKEY_CTX *ctx, int operation)
{
if (ctx == NULL || ctx->keytype == NULL)
goto not_supported;
3DES is in the default provider - only normal DES is in the legacy
provider. So you should not need to load the legacy provider for this to
work.
Matt
On 23/02/2022 06:20, pa...@openssl.org wrote:
Have you loaded the legacy provider before trying this?
Pauli
On 23/2/22 5:03 pm, Srinivas,
On 22/02/2022 07:54, pa...@openssl.org wrote:
There is a define to allow this: STATIC_LEGACY but I don't remember how
to specify it on the configuration command line.
We should probably turn this on in a no-shared build.
Configure with "no-module".
Matt
Pauli
On 22/2/22 5:37 pm,
2022 at 1:50 AM Matt Caswell <mailto:m...@openssl.org>> wrote:
On 18/02/2022 19:53, Brian Pilati wrote:
> I am receiving this error
>
> Error: write EPROTO 000660120100:error:0A000152:SSL
> routines:final_renegotiate:unsafe legacy renegotia
On 18/02/2022 19:53, Brian Pilati wrote:
I am receiving this error
Error: write EPROTO 000660120100:error:0A000152:SSL
routines:final_renegotiate:unsafe legacy renegotiation
disabled:ssl/statem/extensions.c:880
after upgrading to macOS Monterey v12.2.1
I am running Nodejs v16.13.2
There is an ongoing OMC vote (started earlier today) to answer this
question. The proposal is that 3.0 will be made the LTS. You can track
the vote here:
https://github.com/openssl/general-policies/issues/9
Matt
On 16/02/2022 12:06, Chenxinping via openssl-users wrote:
3.0 is not LTS
On 15/02/2022 12:13, Srinivas, Saketh (c) wrote:
Hi,
i am trying to get the block size of EVP_des_ede3_cbc cipher using the
below function but it's not returning anything.
EVP_CIPHER_get_block_size(EVP_des_ede3_cbc())
This code looks fine to me, and I just tested this and it returned
There is a demo echo client and server currently nearing the end of
review here:
https://github.com/openssl/openssl/pull/17260
Matt
On 11/02/2022 21:13, Joseph Chen via openssl-users wrote:
Hello,
Could someone point me to some good reads or C coed examples for
creating a TLS
On 09/02/2022 21:49, Tal Dery wrote:
Hi,
SSL_set_info_callbacknot accepting any argument, is there an elegant
solution to get an argumentin the callback?
You can set arbitrary application data on the SSL object using
`SSL_set_app_data` and retrieve it again using `SSL_get_app_data`.
failed with error ", ssl_error);
throw eSSL_ERROR;
}
ShowCerts();
}
As mentioned before this code works fine when called by another
application. So the certificates are all valid. I also tried this on
different machines but it did not work- I get the same error.
Thanks
Kamala
On Fri,
buf, len);
BIO_free(bio);
return ret;
}
*Kamala Ayyar*
502 Claremont Ave.
Teaneck NJ 07666-2563
Tel: (201)530-0861
On Fri, Feb 4, 2022 at 10:54 AM Matt Caswell <mailto:m...@openssl.org>> wrote:
On 04/02/2022 15:17, Kamala Ayyar wrote:
>
> Hello,
>
>
On 04/02/2022 15:17, Kamala Ayyar wrote:
Hello,
We are facing a strange handshake failure issue with a test server and
client application using OpenSSL in Windows. We have tried with both
1.1.1g and 3.0.1 versions- same problem. We created a Dll to handle the
OpenSSL functions- where
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [28 January 2022]
===
BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)
Severity: Moderate
There is
On 27/01/2022 06:00, Glen Huang wrote:
Hi,
I’m trying to create a signed certificate from a CA certificate without
creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out
leaf.crt
```
However,
```
You might want to dump out the OpenSSL error queue to see if there are
any hints.
For example:
ERR_print_errors_fp(stdout);
Matt
On 26/01/2022 16:11, Gregory Letaille wrote:
Hi
I retrieved and compiled official openssl 3 version from openssl site
configure the project with such command
On 26/01/2022 11:27, Jan Lana wrote:
Hi,
When I run
openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256
it shows this non complain cipher is available.
This looks correct behaviour to me. Your openssl.cnf file is explicitly
activating the default provider. The
On 24/01/2022 12:58, Srinivas, Saketh (c) wrote:
HI,
I am using Openssl3. while Run a TLS call, call connected successfully,
but at the end of the call i got the error message:
SSL3 alert write:fatal:decode error
SSL error (a000126): unexpected eof while reading
This is a new error
On 05/01/2022 10:11, Wolf wrote:
On 2022-01-05 09:45:14 +0100, Tomas Mraz wrote:
How does one know (without going through
EVP_PKEY_gettable_params(EVP_PKEY *pkey) and
EVP_PKEY_get_params(const EVP_PKEY *pkey, OSSL_PARAM params[])) what
method to use to retrieve what parameter?
So you're
On 21/12/2021 15:09, Lee Staniforth wrote:
./Configure linux-x86_64 no-shared -m64 -fPIC -fvisibility=hidden
Try dropping "-fvisibility=hidden". I can replicate this problem when
using no-shared and -fvisibility=hidden. If I drop the
"-fvisibility=hidden" the problem goes away.
Matt
On 16/12/2021 15:13, Jeremy Harris wrote:
On 16/12/2021 11:48, Matt Caswell wrote:
What you are describing is not a resumption. A TLS resumption has a
specific meaning. It involves both a client and a server creating a
new connection based on an abbreviated handshake using parameters from
On 16/12/2021 11:57, Jesper Pedersen wrote:
Hi Matt,
On 12/16/21 06:48, Matt Caswell wrote:
On 16/12/2021 11:42, Jesper Pedersen wrote:
So, a resume on the client side linking up against the existing
server side.
What you are describing is not a resumption. A TLS resumption has
On 16/12/2021 11:42, Jesper Pedersen wrote:
So, a resume on the client side linking up against the existing server
side.
What you are describing is not a resumption. A TLS resumption has a
specific meaning. It involves both a client and a server creating a new
connection based on an
On 16/12/2021 11:23, Jesper Pedersen wrote:
Hi Matt,
On 12/16/21 06:16, Matt Caswell wrote:
After the SSL_connect call SSL_pending [3] will show 19 0-bytes in
the buffer which leads to
AFTER CONNECT: 19
00
???
SSL_ERROR_SSL: FD 15
error
On 16/12/2021 08:58, Jesper Pedersen wrote:
Hi,
I have a use-case where I need to reuse the SSL session in another
process that created it. So, it looks like
Process 1:
* Create SSL_CTX
* Create SSL
* Use SSL
* i2d_SSL_SESSION into shared memory [1] -- this works
* Free SSL (no
. Users of this version
should upgrade to OpenSSL 3.0.1.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
This issue was reported to OpenSSL on 29th November 2021 by Tobias Nießen. The
fix was developed by Matt Caswell and Tobias Nießen.
Note
OpenSSL 1.0.2 is out of support
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.1 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.1 of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1m released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1m of our open
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 1.1.1m and 3.0.1.
These releases will be made available on Tuesday 14th December 2021
between 1300-1700 UTC.
OpenSSL 3.0.1 is a security and bug fix release. The highest severity
issue fixed in this
On 06/12/2021 15:49, Cristian Andrei Sandu wrote:
Hi guys,
Is there any way I can re-load the FIPS provider after it reached its
error state? I’d like to do it without restarting the process. (If it
matters, I’m already using a non-default library context with a separate
configuration
On 06/12/2021 12:26, Shivakumar Poojari wrote:
Hi All,
We are upgrading our code to openssl 3.0.
Need Replacement for below Deprecated function.
DSE:
DES_set_key();
DES_ecb_encrypt();
AES:
AES_set_encrypt_key();
AES_set_decrypt_key();
AES_wrap_key();
AES_unwrap_key();--- perivously i
Event Loop Design
https://github.com/openssl/pull/17185
-Original Message-
From: openssl-users On Behalf Of Matt
Caswell
Sent: Friday, December 3, 2021 1:05 PM
To: openssl-proj...@openssl.org; openssl-users@openssl.org
Subject: Starting the QUIC Design
Please see my blog post
Please see my blog post on starting the QUIC design here:
https://www.openssl.org/blog/blog/2021/12/03/starting-the-quic-design/
Matt
On 01/12/2021 16:19, Jeremy Harris wrote:
Hmmm..maybe we can change the wording to remove that confusion, e.g.
something like "The following functions have been deprecated since
OpenSSL 3.0..."
Yes, that would be good.
I created a PR for this:
On 01/12/2021 19:07, Jeremy Harris wrote:
Another DH problem: I have a PEM for which DH_bits() says 512.
https://www.openssl.org/docs/man3.0/man3/DH_bits.html has
EVP_PKEY_get_bits() as a see-also, but that returns 4096.
Is it more likely I've mis-loaded the file (via a BIO),
or is
On 01/12/2021 16:35, Viktor Dukhovni wrote:
I've reworked the DH support in Postfix for OpenSSL 3.x compatibility,
without use of any deprecated interfaces. I now prefer/recommend the
use "auto" DH parameter selection:
As do I. Going back to my comment earlier in this thread:
>
On 01/12/2021 16:13, Jeremy Harris wrote:
On 01/12/2021 16:06, Matt Caswell wrote:
On 01/12/2021 15:54, Jeremy Harris wrote:
On 29/11/2021 15:10, Matt Caswell wrote:
SSL_CTX_set0_tmp_dh_pkey()
"Deprecated since OpenSSL 3.0"
Where are you seeing that? That is not correc
On 01/12/2021 15:54, Jeremy Harris wrote:
On 29/11/2021 15:10, Matt Caswell wrote:
SSL_CTX_set0_tmp_dh_pkey()
"Deprecated since OpenSSL 3.0"
Where are you seeing that? That is not correct.
The similarly named macro SSL_CTX_set_tmp_dh() *is* deprecated, but the
pke
}
break;
}
#endif /* !OPENSSL_NO_DSA */
if (dh == NULL) {
wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
"'%s'", dh_file);
return -1;
////////
On 30/11/2021 13:16, pepone.onrez wrote:
Getting some problems with OpenSSL 3.0, I have passwordError function,
to check if the last error was due to an invalid password and allow the
user to retry.
bool
passwordError()
{
unsigned long error = ERR_peek_error();
unsigned long lib
On 29/11/2021 12:35, Shivakumar Poojari wrote:
Hi All,
We are upgrading our code to openssl 3.0.
Need Replacement for below Deprecated function.
SSL_use_RSAPrivateKey_ASN1();
Use SSL_use_PrivateKey_ASN1();
PEM_read_bio_DHparams();
PEM_read_bio_DSAparams();
Use
Please see the new blog post by Tim Hudson giving an update on the
OpenSSL Project.
https://www.openssl.org/blog/blog/2021/11/25/openssl-update/
Matt
On 23/11/2021 10:49, Lynch, Andrew via openssl-users wrote:
An external code review has now pointed out to us that we should set the
tag before the IV, according to OpenSSL documentation.
https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_CTX_ctrl.html#GCM-and-OCB-Modes
There was a reorg of some of how some of the website works recently...I
guess it broke something.
Matt
On 18/11/2021 23:16, Dr. Matthias St. Pierre wrote:
More strangeness: the side bar for the master and 1.1.1 manpage displays the text
"[an error occurred while processing this directive]"
On 17/11/2021 21:49, Michael Wojcik wrote:
Further on this, I'd like to know where the OP got a file with a "BEGIN EC PUBLIC
KEY" header. Various discussions elsewhere (including one from this list in 2017)
cast doubt on the existence of any such beast.
AFAIK no such format exists. At
On 17/11/2021 08:25, M K Saravanan wrote:
Hi,
Do I need to do any config to enable DHE based ciphers in openssl for
command line usage?
$ openssl s_client -cipher 'DHE_RSA_WITH_AES_128_GCM_SHA256' -connect
10.10.16.100:443
You have the wrong name for this ciphersuite. OpenSSL uses its own
So the obvious question is how are you linking? Do you link in libssl?
Matt
On 10/11/2021 09:29, Kumar Mishra, Sanjeev wrote:
Hi,
I have used SSL_SESSION_new() and SSL_SESSION_free() API of OpenSSL3.0
while upgrading my code from 1.0.1 to 3.0. But I am getting following
linking error.I
the OID is an OCTET
STRING. So you really need to understand what the actual type is for
innerContextToken in order to correctly encode/decode it.
Matt
Best regards
Max
*From: *openssl-users on behalf of
Matt Caswell
*Date: *Thursday, 4. November 2021 at 17:14
*To: *openssl-users
On 04/11/2021 13:58, Max Larsson wrote:
i2d_GSSAPI_CONTEXTTOKEN( negToken, );
You can tell i2d to encode using "application" tagging like this:
ASN1_item_ex_i2d((const ASN1_VALUE **), ,
ASN1_ITEM_rptr(GSSAPI_CONTEXTTOKEN), 0,
Going back to the original email in this thread:
On 02/11/2021 19:42, Jason Schultz wrote:
mycert = PEM_read_X509(fp, NULL, 0, NULL);
pkey = X509_get_pubkey(mycert);
All functions return good statuses or non-NULL pointers until the last
one, X509_get_pubkey() returns NULL.
The
n't know about and get it to work.
It should work just fine for RSA keys though since libssl knows what to
do with those.
Matt
But it was
planned so and maybe we will see it in the future.
If ENGINE is now deprecated (is it?), what HSM vendors should do?
--
Alex Dankow
On Fr
On 29/10/2021 16:40, Cristian Andrei Sandu wrote:
Hi all,
I’m currently updating an application from OpenSSL 1.0.2d to OpenSSL
3.0.0 in preparation for a FIPS 140-2 submission and I’m not sure how to
approach the issue of induced failures for the power on self tests.
In OpenSSL 1.0.2d we
Hi Alex,
On 29/10/2021 14:32, Alex Dankow wrote:
Hi OpenSSL team!
I wrote a provider for Windows certificates and implemented "openssl ca".
Now, I think it would be fun to see a HTTPS server using certificates
installed in Windows storage.
Nice!
Certificate is loaded using load_cert_pass
On 28/10/2021 22:46, Kory Hamzeh wrote:
Hi Matt,
I am making the changes that you suggested, I think I can get the X and Y by
using
EVP_PKEY_get_bn_param() with OSSL_PKEY_PARAM_EC_PUB_X and _PUB_Y.
Yes. Correct.
What I cannot figure out is how to get R and S. If I had an ECDSA_SIG, I
ks,
Jason
----
*From:* Matt Caswell
*Sent:* Thursday, October 28, 2021 2:00 PM
*To:* Jason Schultz ; Dr Paul Dale
; openssl-users@openssl.org
*Subject:* Re: OpenSSL 3.0 FIPS questions
On 28/10/2021 14:49, Jason Schultz wrote:
A call to OSSL_PROVIDER_availa
for their help with this, things are starting to make
more sense now.
--------
*From:* Matt Caswell
*Sent:* Thursday, October 28, 2021 7:39 AM
*To:* Jason Schultz ; Dr Paul Dale
; openssl-users@openssl.org
*Subject:* Re: OpenSSL 3
On 28/10/2021 14:16, Felipe Gasper wrote:
On Oct 28, 2021, at 03:52, Matt Caswell wrote:
On 27/10/2021 18:53, Felipe Gasper wrote:
Support for secure renegotiation is a “good thing”, right? That being
the case, why would the newer OpenSSL version report no support
On 28/10/2021 10:06, Patrice Guérin wrote:
Hi all,
The output of pkcs12 command differs between release 1.0.2 and 1.1.1.
The command used is
openssl pkcs12 -passin pass: -nokeys -in signedcert.bin
In the bag attributes, if the subject (and probably the issuer) contains
bytes
.html
Matt
Please let me know the Openssl 3.0 API's for the same.
Thanks and Regards,
Sunil
-Original Message-
From: Matt Caswell
Sent: Monday, October 25, 2021 3:03 PM
To: Paramashivaiah, Sunil ;
openssl-users@openssl.org
Cc: Kumar Mishra, Sanjeev
Subject: Re: [EXTERNAL] R
On 27/10/2021 19:04, Kory Hamzeh wrote:
Hi,
I am upgrading some 3RD party code which performs FIPS ECDSA AVS testing for
FIPS 140-2 certification. The code uses FIPS_escda_sign(), which in
Openssl-fips-2.0.5 is define as:
ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
On 27/10/2021 18:53, Felipe Gasper wrote:
Support for secure renegotiation is a “good thing”, right? That being
the case, why would the newer OpenSSL version report no support for it while
the older one supports it?
Probably TLSv1.3 is being negotiated with the newer version. In
On 27/10/2021 17:28, Jason Schultz wrote:
With these config files and the code above, the
OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the
messages from the ERR_print_errors_fp() call:
2097C692B57F:error:1C8000D5:Provider routines:(unknown
function):missing config
On 26/10/2021 20:17, Jason Schultz wrote:
Thanks for all of the help so far. Unfortunately, I'm still struggling
with this. There could be a number of issues, starting with the
installation of OpenSSL. I basically followed the documentation and did
the following:
./Configure enable-fips
On 22/10/2021 21:02, Ken Goldman wrote:
I have X and Y as bignums. I create EVP_PKEY with this.
I suspect that I have to do another step to indicate that I supplied X
and Y and not a compressed
public key.
Unfortunately supplying x and y separately is not supported for import.
You have
On 25/10/2021 10:51, Alex Dankow wrote:
Hi everyone,
I'm writing a provider for Windows certificates.
It generally works like this
openssl x509 -in "myuri .." -provider mytest -text
OpenSSL fetches a DER encoded certificate from my STORE and prints it.
However it doesn't print the
ecGrpId = EC_GROUP_get_curve_name(evpKey->pkey.ec->group);
/* some code follows*/
Thanks and Regards,
Sunil
-Original Message-
From: Matt Caswell
Sent: Monday, October 25, 2021 2:23 PM
To: Paramashivaiah, Sunil ;
openssl-users@openssl.org
Subject:
On 25/10/2021 05:45, Paramashivaiah, Sunil wrote:
Hi All,
I need get APIs for accessing the members of EVP_PKEY. Please
suggest APIs to get following members of EVP_PKEY
evpkey->type , evpkey->pkey.rsa , pubKey->pkey.ec->group.
EVP_PKEY_get_id() will get you the `evpkey->type`
On 21/10/2021 09:48, Paramashivaiah, Sunil wrote:
Hi All,
Please let me know how I can replace the below 1.0.2 code to 3.0
* SSL_SESSION data;*
* SSL_SESSION *ret=NULL;*
**
* data.ssl_version = sessVersion;*
* data.session_id_length= sessIdLen;*
**
*
Your scenario is still not quite clear to me.
It sounds like you are using a BIO_f_buffer() BIO to buffer data. This
is on the server side right? Are you encountering this problem for
server writes? Since you are talking about the certificate chain, I
assume you are referring to the server
On 20/10/2021 11:41, Paramashivaiah, Sunil wrote:
Hi All,
Please let me know APIs to get members(ssl_version, session_id,
references and session_id_length) of SSL_SESSION structure variable.
For ssl_version you can use SSL_SESSION_get_protocol_version.
For
On 20/10/2021 10:57, Kumar Mishra, Sanjeev wrote:
Hi,
I am upgrading the code from OpenSSL 1.0.1 to 3.0. I am getting
following compilation errors. Could you please suggest appropriate
changes for following-
1. X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); error:
On 20/10/2021 10:56, Vishal Sinha wrote:
We are using openssl 1.1.1c version on our client and server. Client and
Server are doing EAP-TLS authentication using certificates which are
more than 4k in size (using 1 root CA and 2 intermediate CAs). We
noticed that the server is not able to
Instead of:
make install
Do:
make install_sw install_ssldirs
Matt
On 15/10/2021 12:56, Armin Novak wrote:
Hi,
I need to deploy custom builds for OpenSSL for some packages I maintain
(flatpak/snap/windows/mac/...)
Most of the build/install time is spent installing the /usr/share/doc
On 13/10/2021 21:12, Ken Goldman wrote:
I tried
irc = EVP_PKEY_get_octet_string_param(eccKey,
OSSL_PKEY_PARAM_PRIV_KEY,
*priv, 256, (size_t *)privLen);
which failed.
In your original email you were attempting to access
OSSL_PKEY_PARAM_PUB_KEY as a
On 12/10/2021 23:37, Ken Goldman wrote:
In pre-3.0.0, I used this, omitting the error checking, malloc, ...
ecPoint = EC_KEY_get0_public_key(ecKey);
ecGroup = EC_KEY_get0_group(ecKey);
EC_POINT_point2oct(ecGroup, ecPoint,
POINT_CONVERSION_UNCOMPRESSED,
nks,
shivakumar
*From:* Matt Caswell
*Sent:* Tuesday, October 5, 2021 1:20 PM
*To:* Shivakumar Poojari ;
openssl-users@openssl.org
*Cc:* Paramashivaiah, Sunil ; Kumar
Mishra, Sanjeev ; Bhattacharjee,
Debapriyo (c)
*Subj
.
*From:* Matt Caswell
*Sent:* Monday, September 27, 2021 3:05 PM
*To:* Shivakumar Poojari ;
openssl-users@openssl.org
*Cc:* Paramashivaiah, Sunil
*Subject:* [EXTERNAL] Re: Replacement for BIO_get_port(), BIO_get_host_ip()
On 24/09/2021 07:05, Shivakumar Poojari wrote:
Hi
On 06/10/2021 14:08, Paramashivaiah, Sunil wrote:
Can we use the same lib.so which we were using for ENGINE to
replace it as provider
No. The OpenSSL <-> Engine interface is completely different to the
OpenSSL <-> Provider interface. You need to ask the supplier of your
ENGINE to
On 06/10/2021 06:46, Suji wrote:
Hi,
I am getting an issue with EVP_PKEY_new_CMAC_key while using Engine as
an argument. It was a negative test case, passed an invalid key length.
It hits the error, and when the application exits , it gets a
segmentation fault.
From my analysis, the
On 05/10/2021 05:24, Shivakumar Poojari wrote:
:error: invalid use of incomplete type 'X509' {aka 'struct x509_st'}
if (x->ocsp && x->ocsp->ocsp_url)
Strangely there is no ocsp field in an x509_st even in 1.0.2 that I can see.
:error: invalid use of incomplete type 'X509' {aka
Please raise a github issue for this.
Matt
On 02/10/2021 17:19, Arran Cudbard-Bell wrote:
In current master HEAD and 3.0.0 calling ERR_GET_REASON throws the following
warning:
src/lib/tls/session.c:1323:43: warning: 'ERR_GET_REASON' was marked unused but
was used
See:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
Matt
On 30/09/2021 17:43, nate wrote:
Hello there
I support an app stack over here and a short time ago one of the devs
contacted me saying
that they were getting some SSL cert errors connecting to a server.
On 25/09/2021 06:06, SIMON BABY wrote:
Hi Team,
I have a query. I see the below API is used to write the private key in
encrypted PKCS#8 format.
/
/
/
PEM_write_bio_PKCS8PrivateKey()/ and /PEM_write_PKCS8PrivateKey()/ write
a private key in an EVP_PKEY structure in PKCS#8
d not use the default provider.
Matt
Thank you
On Fri, 24 Sep 2021, 15:02 Matt Caswell, <mailto:m...@openssl.org>> wrote:
On 24/09/2021 14:49, Antonio Santagiuliana wrote:
> Hello , thank you all for the replies. Very useful.
> I have seen in Openssl/crypto/RSA/rs
On 24/09/2021 07:05, Shivakumar Poojari wrote:
Hi
BIO_get_port(), BIO_get_host_ip(), were deprecated in OpenSSL 1.1.0.
Trying for replacement for OpenSSl 3.0
Gone through the below man page, but not found alternative function.
https://www.openssl.org/docs/manmaster/man3/BIO_connect.html
://www.openssl.org/docs/man3.0/man7/provider.html
https://www.openssl.org/docs/man3.0/man7/provider-signature.html
https://www.openssl.org/docs/man3.0/man7/provider-keymgmt.html
Matt
Thank you
On Fri, 24 Sep 2021, 12:22 Matt Caswell, <mailto:m...@openssl.org>> wrote:
On 24/09/2021
On 24/09/2021 12:17, Dr Paul Dale wrote:
What about: apps/rsa.c, apps/rsautl.c and apps/genrsa.c
3.0 doesn't use the RSA structure in the non-deprecated public API.
You probably want the EVP_PKEY_fromdata call.
An example of building an RSA key from its constituent parts is
available on
On 24/09/2021 11:55, Antonio Santagiuliana wrote:
Hello
Is there any app or command in the current Openssl master repository
that initialises and uses the new RSA provider?
I would like to see how the RSA* context parameter is filled in and
used, but I can't find an example using the RSA
On 23/09/2021 18:24, Zeke Evans wrote:
I noticed the OpenSSL FIPS Provider is not listed on the CMVP Modules
In Process List. Assuming this is the 3.0 FIPS module that was just
released. Nice work on getting to this point. Which platforms is the
module being validated on? I haven’t seen
On 20/09/2021 14:59, Shivakumar Poojari wrote:
But how do i manage "f" paramater which is highlighted in #define
You don't. We no longer use F codes. Just drop that value.
Matt
please suggest,
thanks,
shiva kumar
Notice: This e-mail together with any attachments may contain
On 16/09/2021 09:58, Jaya Muthiah wrote:
TLSv1.3 does not require the server to send any tickets if it decides not to.
What makes it decide NO TO. Here I am particularly interested in
OpenSSL implementation only.
In OpenSSL it is possible to configure the server to set the number of
On 16/09/2021 07:19, Jaya Muthiah wrote:
As I can read from the documents mentioned below, "or not at all"
worries me. Is there a situation when a session ticket is not sent at
all (other than when reused)?
TLSv1.3 does not require the server to send any tickets if it decides
not to. By
On 15/09/2021 16:57, Matt Caswell wrote:
On 15/09/2021 16:50, Kris Kwiatkowski wrote:
Can you point to instructions on how to load provider
it into OpenSSL?
Is there something similar to "[engine_section]",
that can be used to configure loading from openssl.conf?
Yes. See t
www.openssl.org/docs/man3.0/man5/config.html
In particular look at the section "Provider Configuration"
You can also load providers through the API. See:
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER_load.html
Matt
BR,
Kris
On 9/15/21 4:39 PM, Matt Caswell wrote:
Anot
Another, slightly more complicated, but fully self contained provider is
here:
https://github.com/openssl/openssl/blob/master/test/tls-provider.c
And another one here:
https://github.com/openssl/openssl/blob/master/test/p_test.c
A minimal bare bones provider is here:
Was the original connection that you obtained the session from cleanly
closed down? From the man pages:
"A session will be automatically removed from the session cache and
marked as non-resumable if the connection is not closed down cleanly,
e.g. if a fatal error occurs on the connection or L
On 15/09/2021 00:19, Ken Goldman wrote:
I am doing the following, but the EVP_PKEY->pkey->rsa is null.
Am I misusing the API or missing a step?
Neither. This is normal. EVP_PKEY->pkey->rsa is only used if you have a
legacy key.
Matt
(error checking removed)
EVP_PKEY
tation is called
Racoon2, a successor of Racoon, which was developed by the KA...
github.com
please suggest the replacement,
thanks,
shiva kumar
--------
*From:* Matt Caswell
*Sent:* Friday, September 3, 2021 1:25 PM
*To:* Shiv
p 3, 2021 at 7:55 AM Matt Caswell <mailto:m...@openssl.org>> wrote:
On 03/09/2021 14:49, Billy Brumley wrote:
>>> Hello,
>>> Is there any command-line tool to get the plain text rsa
private key
>>> like the following format from .pe
On 03/09/2021 14:49, Billy Brumley wrote:
Hello,
Is there any command-line tool to get the plain text rsa private key
like the following format from .pem file?
openssl rsa -in mykey.pem -noout -text
It would in fact be much more educational to advocate pkey, which is
cryptosystem agnostic
101 - 200 of 1432 matches
Mail list logo