Re: [openssl-users] Wanted details on ./config or Configure options

2017-10-24 Thread Matt Caswell
On 24/10/17 07:06, Jayalakshmi bhat wrote: > Hi All, > > I am looking for details on options used to disable or remove unwanted > ciphers, components while openssl building. This is for OpenSSL 1.0.2h. > I am seeing many things on internet. But most of them have minimum > explanation, please

Re: [openssl-users] Early data based on SNI with OpenSSL 1.1.1

2017-10-23 Thread Matt Caswell
On 23/10/17 16:16, Olivier Houchard wrote: > Hi, > > I'm trying to use OpenSSL 1.1.1 to accept or reject early data based on > the SNI, and I'm a bit confused on how to do so. > The problem I have is, I don't know the SNI before the client hello > callback is called, and at that time it seems

Re: [openssl-users] SSL_shutdown:shutdown while in init

2017-10-18 Thread Matt Caswell
On 17/10/17 21:27, Chris Bare wrote: > I have the following code: > > setup_ssl (char *server_name, char *port, SSL_CTX *ctx) > { >     BIO *output = BIO_new_ssl_connect (ctx); >     if (!output) >     { >         return (NULL); >     } >     BIO_get_ssl (output, ); >     SSL_set_mode (ssl,

Re: [openssl-users] Query on API availability for openssl versions

2017-10-17 Thread Matt Caswell
an individual ciphersuite is excluded completely by a security level, or it might mean it just has restrictions on the key lengths that are acceptable to use with it. Matt > > Thanks, > Grace > > On Tue, Oct 17, 2017 at 2:25 PM, Matt Caswell <m...@openssl.org > <mailto:m...@o

Re: [openssl-users] Query on API availability for openssl versions

2017-10-17 Thread Matt Caswell
On 17/10/17 09:21, Grace Priscilla Jero wrote: > Hi All, > > 1) > The below APIs used to set the maximum and minimum versions are > available in 1.1.0f version of OPENSSL. > >  int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); >  int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int

Re: [openssl-users] troubleshooting ssl errors

2017-10-11 Thread Matt Caswell
On 11/10/17 03:57, Paul Greene wrote: > [root@hostname ~]# wget https://domain.name.com:8443 > --secure-protocol=SSLv3 --debug > DEBUG output created by Wget 1.14 on linux-gnu. The "--secure-protocol=SSLv3" bit looks suspect. According to the wget man page this forces only SSLv3 to be

Re: [openssl-users] Why wasn't the fix for IP name restrictions included in 1.0.2 ?

2017-09-15 Thread Matt Caswell
On 15/09/17 00:05, Salz, Rich via openssl-users wrote: > > ➢ But the patch was put in git almost 10 months before 1.0.2 initial > release. > > We weren’t using git back then. So maybe it’s a bad/confusing import. Maybe > matt can explain. > Actually I think we were using git at

Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Matt Caswell
On 06/09/17 09:20, Dmitry Belyavsky wrote: > Dear Matt, > > On Wed, Sep 6, 2017 at 11:16 AM, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > > > On 06/09/17 09:12, Dmitry Belyavsky wrote: > > Hello, > > >

Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Matt Caswell
On 06/09/17 09:12, Dmitry Belyavsky wrote: > Hello, > > Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick > googling does not show good results. In master you can use ASN1_TIME_to_tm() which will give you a struct tm. Not available in released versions yet though. Matt

Re: [openssl-users] session resumption tls1.2/tls1.3

2017-07-31 Thread Matt Caswell
On 31/07/17 20:37, Neetish Pathak wrote: > On 26/07/17 00:05, Neetish Pathak wrote: > >> *Pseudocode for server* > >> * > >> * > >> tcp_accept > >> * > >> * > >> read_early{ > >> > >> if(read_early_success){ > >>

Re: [openssl-users] session resumption tls1.2/tls1.3

2017-07-31 Thread Matt Caswell
On 31/07/17 17:43, Matt Caswell wrote: > It could be the NewSessionTicket message going from the server to the > client. But if so that is a little strange. The NST message is only sent > after the handshake is complete (so no more early data is possible). At > this point SSL_rea

Re: [openssl-users] session resumption tls1.2/tls1.3

2017-07-31 Thread Matt Caswell
Apologies for the delayed response - I've been away on holiday. Comments inserted below. Matt On 26/07/17 00:05, Neetish Pathak wrote: >> *Pseudocode for server* >> * >> * >> tcp_accept >> * >> * >> read_early{ >> >> if(read_early_success){ >>

Re: [openssl-users] Openssl 1.1 RSA_get0_key() documentation -> needs-cla

2017-07-31 Thread Matt Caswell
On 31/07/17 15:31, Kenneth Goldman wrote: > "openssl-users" <openssl-users-boun...@openssl.org> wrote on 07/31/2017 > 09:20:59 AM: > >> From: Matt Caswell <m...@openssl.org> >> To: openssl-users@openssl.org >> Date: 07/31/2017 09:21 AM

Re: [openssl-users] Openssl 1.1 RSA_get0_key() documentation

2017-07-31 Thread Matt Caswell
On 28/07/17 21:15, Ken Goldman wrote: > On 7/28/2017 4:05 PM, Salz, Rich via openssl-users wrote: >>> The __current__ code for this function returns values if the **BIGNUM is >>> not NULL. Thus, it appears safe to pass in NULL for values not needed. >> >>> >>> If this behavior is guaranteed, it

Re: [openssl-users] session resumption tls1.2/tls1.3

2017-07-19 Thread Matt Caswell
On 18/07/17 22:27, Neetish Pathak wrote: > Hi , > thanks Matt, this is helpful > > > One more query on how I can enable 0.5 RTT data from the server side. It > is mentioned in TLS 1.3 specification. I thought it can be implemented > by sending early data from server side after reading the

Re: [openssl-users] session resumption tls1.2/tls1.3

2017-07-17 Thread Matt Caswell
On 14/07/17 20:18, Neetish Pathak wrote: > > > On Fri, Jul 14, 2017 at 2:54 AM, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > > > On 13/07/17 23:52, Neetish Pathak wrote: > > Hi All, > > Help with these q

Re: [openssl-users] nmake win32 failure

2017-07-14 Thread Matt Caswell
On 14/07/17 16:41, Andrea Smith wrote: > I have successfully gotten a setup for win64 and am trying to get one > for win32 now. I am using version 1.1.0f. I ran the following configure > command successfully: > > perl Configure VC-WIN32 -no-asm > > However, when I run the nmake command, I get

Re: [openssl-users] session resumption tls1.2/tls1.3

2017-07-14 Thread Matt Caswell
On 13/07/17 23:52, Neetish Pathak wrote: > Hi All, > Help with these queries please, > > 1) Is it possible to use external session files (with session info as > identifiers or tickets for out of band resumption) for session > resumption in TLS 1.2. Does it need some kind of callback like the

Re: [openssl-users] Issue with TLS1.3 and s_time

2017-07-13 Thread Matt Caswell
On 12/07/17 19:43, Roelof Du Toit wrote: > This seems to be a bug in how s_time handles the TLS 1.3 post-handshake > NewSessionTicket message; more specifically: not handling the retry when > SSL_read() returns -1. > > > > The following diff (in tls1.3-draft-19 branch) appears to resolve the

Re: [openssl-users] PSK generation for TLS 1.3

2017-07-08 Thread Matt Caswell
> (encryption) is causing the added delay. Could someone please provide > any explanation or point me in the right direction. It is not very clear > to me right now even after seeing the RFC > > Thanks > > > > > On Thu, Jul 6, 2017 at 11:40 AM, Neetish Pathak <

Re: [openssl-users] PSK generation for TLS 1.3

2017-07-04 Thread Matt Caswell
On 03/07/17 22:24, Neetish Pathak wrote: > Thanks Matt. This is quite useful. > Just to clarify my understanding based on your comments, OpenSSL code > and Draft for TLS 1.3/RFC for TLS1.2, please help me with following queries > > 1) So, when using external PSK (by creating the new session

Re: [openssl-users] PSK generation for TLS 1.3

2017-07-03 Thread Matt Caswell
On 30/06/17 22:18, Neetish Pathak wrote: > Hi All, > Can anyone provide me pointers on how can we generate external PSK to be > used in TLS 1.3. > > When I save a session using SSL_CTX_sess_set_new_cb(), it provides an > in-band PSK for next resumption connection. > I use

Re: [openssl-users] How to define EVP_EncryptUpdate and EVP_EncryptFinal functions for an AES engine? (and a separate question re: padding).

2017-06-27 Thread Matt Caswell
On 26/06/17 15:21, Brett R. Nicholas wrote: > Hi there, > > > I'm building a dynamic engine to support a custom AES hardware module > that I've implemented in FPGA logic, but after reading all available > documentation, and pouring over the source code, I'm still very confused > about the

Re: [openssl-users] (no subject)

2017-06-27 Thread Matt Caswell
> Are you planning to integrate false start in OpenSSL any time. Thanks I am not aware of anyone working on this. Matt > > Thanks > > > Best Regards, > Neetish > > On Wed, Jun 21, 2017 at 3:17 PM, Neetish Pathak <npath...@ncsu.edu > <mailto:npath...@ncsu

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-21 Thread Matt Caswell
pport false start. As an aside please note that false start only applies to <= TLSv1.2. Matt > > Thanks > Best regards, > Neetish > > On Tue, Jun 20, 2017 at 11:52 AM, Neetish Pathak <npath...@ncsu.edu > <mailto:npath...@ncsu.edu>> wrote: > >

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-20 Thread Matt Caswell
ter they return should be fine. Or are you looking for a breakdown of where the time is going? Matt > > Thanks > Best Regards, > Neetish > > On Mon, Jun 19, 2017 at 5:49 AM, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > >

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-19 Thread Matt Caswell
On 16/06/17 23:51, Neetish Pathak wrote: > Thanks Matt, Appreciate ur response and tips > > On Fri, Jun 16, 2017 at 3:36 PM, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > > > On 16/06/17 20:08, Benjamin Kaduk via openssl-user

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-16 Thread Matt Caswell
On 16/06/17 20:08, Benjamin Kaduk via openssl-users wrote: > On 06/16/2017 01:58 PM, Neetish Pathak wrote: >> Hello >> Thanks >> I tried reading some content from the server side and I observed the >> new_session_cb getting invoked in that case on the client side. I >> understand that may be

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-15 Thread Matt Caswell
On 14/06/17 18:36, Neetish Pathak wrote: > > My calling sequence is : > > client.connectToServer(); > > client.sslTcpConnect(); > > client.sslTcpClosure(); Does your client at any point attempt to read application data (i.e. through a call to SSL_read()/SSL_read_ex()?). It is not sufficient

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-14 Thread Matt Caswell
On 14/06/17 01:38, Salz, Rich via openssl-users wrote: > It’s disabled by default. Servers that want to use server-side session > caching have to call an API to turn it on Err, no, that's not correct. Server side caching is on by default. Client side caching is off by default. On 14/06/17

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-08 Thread Matt Caswell
4/tlsv1.3/ Session ids are not used in TLSv1.3 and session tickets work very differently. Session resumption should work just fine but there are some things to be aware of (discussed in the blog post). Matt > > Thanks > Best Regards, > Neetish > > On Thu, Jun 8, 2017

Re: [openssl-users] Session Ticket Support in Openssl TLS 1.2

2017-06-08 Thread Matt Caswell
On 08/06/17 01:26, Neetish Pathak wrote: > Hello All, > > I am new to the Openssl community. > I am using the latest version of Openssl (with TLS 1.3 enabled) for > performance benchmarking. I wanted to know if the session ticket support > for session resumption is enabled by default for

Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-02 Thread Matt Caswell
nd not some other previous compilation of 1.1.0e? Matt > > However, after I change SSL_CTX_set_XXX function > orders, TLS_RSA_WITH_RC4_128_MD5 do appear in client hello cipher list. > > SSL_CTX_set_security_level(ctx, 0); > SSL_CTX_set_cipher_list(ctx, "ALL:RC4-MD5"

Re: [openssl-users] OpenSSL version 1.0.2l published

2017-06-01 Thread Matt Caswell
On 01/06/17 15:32, Dennis Clarke wrote: > >> They are easily obtainable even if you do not have git. The list for >> 1.0.2l is here: >> >> https://github.com/openssl/openssl/commits/OpenSSL_1_0_2l > > ( point missed ) > > The issue is that the CHANGES file simply isn't. The most recent for >

Re: [openssl-users] OpenSSL version 1.0.2l published

2017-06-01 Thread Matt Caswell
On 01/06/17 15:17, Dennis Clarke wrote: > On 06/01/2017 09:53 AM, Salz, Rich via openssl-users wrote: >>> So the CHANGES file isn't really "changes". >> >> The full list of everything that has changed can be found via git >> logs. As Matt said, we only put particularly significant items

Re: [openssl-users] OpenSSL version 1.0.2l published

2017-06-01 Thread Matt Caswell
On 25/05/17 15:29, Dennis Clarke wrote: > > So this is exclusively a change to support mingw64 ? Sorry, I missed this email somehow. This release rolls up numerous bug fixes that have been implemented since the last release. We only put particularly significant items in CHANGES. Matt > >

Re: [openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-06-01 Thread Matt Caswell
On 31/05/17 21:22, Siyuan Xiang wrote: > Hi all, > > I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher. > > I have a client using openssl 1.1.0e. It doesn't include > TLS_RSA_WITH_RC4_128_MD5. > I have recompiled the openssl using enable-weak-ssl-ciphers, but it > doesn't

Re: [openssl-users] SSL error “inappropriate fallback” and TLS_FALLBACK_SCSV

2017-06-01 Thread Matt Caswell
On 01/06/17 02:58, Florin Andrei wrote: > It's a little puzzling because the exchange of crypto messages uses TLS > 1.0 which the server definitely supports, and the client should be very > likely to support too. > > I've seen discussions online saying that the presence of the >

Re: [openssl-users] Build Fails with Error: CMP_CERTREPMESSAGE_PKIFailureInfoString_get0 does not have a number assigned

2017-05-24 Thread Matt Caswell
On 24/05/17 11:31, Nierhauve Guido wrote: > Dear all, > > > > I tried to compile the latest cmpforopenssl snapshot with the following > result: This is a problem with the cmpforopenssl patch - not a problem with OpenSSL itself (although possibly a simple "make update" will fix it). Please

[openssl-users] Forthcoming OpenSSL releases

2017-05-22 Thread Matt Caswell
Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2l and 1.1.0f. These releases will be made available on 25th May 2017 between approximately 1200-1600 UTC. Note: These are bug-fix only

Re: [openssl-users] OpenSSL 1.1.1 release timeframe

2017-05-18 Thread Matt Caswell
On 18/05/17 06:32, Jayalakshmi bhat wrote: > Please can any one let me know the release date or time line for OpenSSL > 1.1.1? We have not set a date as yet. At the very least we will not be able to release until the IETF takes TLSv1.3 out of draft status - which is not in our control. Matt

Re: [openssl-users] Using TLS1.3 with OpenSSL

2017-05-10 Thread Matt Caswell
es. Matt > > Thanks > Sandeep > > > Inactive hide details for Matt Caswell ---05/04/2017 06:52:28 PM---Hi > all OpenSSL 1.1.1, when it is released, will support TLSvMatt Caswell > ---05/04/2017 06:52:28 PM---Hi all OpenSSL 1.1.1, when it is released, > will support TL

Re: [openssl-users] Doubt regarding ExtendedMasterSecret

2017-05-08 Thread Matt Caswell
On 07/05/17 19:10, Stiju Easo wrote: > On Tue, May 2, 2017 at 2:10 PM, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > > > On 30/04/17 19:51, Stiju Easo wrote: > > Hi , > > > >I got the answe

[openssl-users] Using TLS1.3 with OpenSSL

2017-05-04 Thread Matt Caswell
Hi all OpenSSL 1.1.1, when it is released, will support TLSv1.3 and it will be binary and source compatible with OpenSSL 1.1.0. If your application already supports 1.1.0 then, in theory, all you need to do to support TLSv1.3 is to drop in the new OpenSSL version. However there are various issues

Re: [openssl-users] Problem compiling EVP_aes_128_gcm()

2017-05-03 Thread Matt Caswell
although it too is very old. Both versions are out of support from an OpenSSL Project perspective - although your OS vendor may still be supporting them. Matt > > On 3 May 2017 at 18:20, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > >

Re: [openssl-users] Problem compiling EVP_aes_128_gcm()

2017-05-03 Thread Matt Caswell
ssl version" report? Matt > > On 3 May 2017 at 18:13, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > > > On 03/05/17 16:10, Lior Koskas wrote: > > I checked the evp.h file in the path /usr/local/include and indee

Re: [openssl-users] Problem compiling EVP_aes_128_gcm()

2017-05-03 Thread Matt Caswell
NULL); > > > > EVP_EncryptInit_ex(_ctx, NULL, NULL, _key, _iv); > > You need a call to EVP_CIPHER_CTX_free(_ctx) at the end too...plus check > the return values from these function calls for errors. > > Matt > > > > > } > > > > W

Re: [openssl-users] Problem compiling EVP_aes_128_gcm()

2017-05-03 Thread Matt Caswell
EVP_CIPHER_CTX_ctrl(_ctx, EVP_CTRL_GCM_SET_IVLEN, ivSizeBytes, NULL); > > EVP_EncryptInit_ex(_ctx, NULL, NULL, _key, _iv); You need a call to EVP_CIPHER_CTX_free(_ctx) at the end too...plus check the return values from these function calls for errors. Matt > > } >

Re: [openssl-users] Problem compiling EVP_aes_128_gcm()

2017-05-03 Thread Matt Caswell
After the change I got this error : expected initializer before ‘evp_gcm’ > > What am I doing wrong? > > On 3 May 2017 at 12:07, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > > > On 03/05/17 09:43, Lior Koskas wrote: > >

Re: [openssl-users] Problem compiling EVP_aes_128_gcm()

2017-05-03 Thread Matt Caswell
On 03/05/17 09:43, Lior Koskas wrote: > Hi, > > I'm using EVP_aes_128_gcm and have problem with compiling it with > OpenSSL 1.1.0 (earlier versions are compiling). > Although I included I got this error : error: > ‘EVP_aes_128_gcm’ was not declared in this scope. > > I'm using CentOS 7.3. >

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-05-02 Thread Matt Caswell
e own socket handling. Could you use pthread_sigmask() to only block SIGPIPE for the current thread (perhaps unblocking it again before returning control back to the caller of your library)? Matt > > Thanks, > Mahesh G S > > On Thu, Apr 27, 2017 at 4:36 PM, Matt Caswell <m...

Re: [openssl-users] Doubt regarding ExtendedMasterSecret

2017-05-02 Thread Matt Caswell
On 30/04/17 19:51, Stiju Easo wrote: > Hi , > >I got the answer to this, and now the question looks bit stupid. >Generation of master key is different in case of "Extended Master > Secret" , > >I still have a doubt, what would be the contents in SSL* > s->s3->handshake_buffer?

Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

2017-04-29 Thread Matt Caswell
On 28/04/17 20:29, Blumenthal, Uri - 0553 - MITLL wrote: > I’m playing with RSA-PSS signatures, and stumbled upon a few problems. I > tried the OpenSSL manual pages, but still coming short of complete > understanding. :-) > > > > This is how I initialize the contexts (error handlers removed

Re: [openssl-users] Problem with DH key derivation

2017-04-28 Thread Matt Caswell
On 28/04/17 08:07, Josh Shamir wrote: > Dear all, > > I am trying DH key derivation by using OpenSSL commands. However, I got > the following problem: > > "140343063295640:error:0609B099:digital envelope > routines:EVP_PKEY_derive_set_peer:different parameters:pmeth_fn.c:314: > Public Key

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Matt Caswell
On 27/04/17 15:53, Viktor Dukhovni wrote: > On Thu, Apr 27, 2017 at 12:32:42PM +, Salz, Rich via openssl-users wrote: > >>> Does openssl provide any way to set MSG_NOSIGNAL on sendmsg (Underlying >>> TCP/IP socket layer) ? >> >> No. You will have to modify the code yourself. > >

Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Matt Caswell
On 27/04/17 11:56, mahesh gs wrote: > Hi, > > We are using Openssl for establish a secure communications for both > TCP/SCTP connections. > > In our application it is possible that remote end forcefully disconnect > the connection due to which > > SSL_Write raises a SIGPIPE which we want to

Re: [openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

2017-04-26 Thread Matt Caswell
On 25/04/17 22:37, craig_we...@trendmicro.com wrote: > We have recently upgraded our product to 1.0.2k. We are getting this > error on a packet sent to us from our browser-based user interface. I > really need some suggestions as to how to debug this problem. I know it > is in our code rather

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Matt Caswell
On 24/04/17 22:18, Blumenthal, Uri - 0553 - MITLL wrote: > I use a 3rd-party application that is trying to update itself (so > it’s trying to “call home”). Naturally, I’m behind a corporate > firewall and Web proxy. The app has been configured to use that > proxy. It fails to connect. Packet

Re: [openssl-users] How do I connect to this server

2017-04-24 Thread Matt Caswell
On 24/04/17 13:52, Jeff Archer wrote: >>> https://username:passw...@server.com >>> How do I specify this username and password when using SSL_connect()? >> >>You don't. That stuff is at the protocol level about TLS/SSL. > > OK. Let me try to rephrase my

Re: [openssl-users] Query regarding DTLS handshake

2017-04-20 Thread Matt Caswell
On 20/04/17 14:19, Martin Brejcha wrote: > > > Matt Caswell wrote on 04/20/2017 01:29 PM: >> >> >> On 20/04/17 12:26, mahesh gs wrote: >>> Hi Matt, >>> >>> Yes I raised github case for the same issue. I also tried running this >>>

Re: [openssl-users] Query regarding DTLS handshake

2017-04-20 Thread Matt Caswell
n 1.1.1) and won't be backported to the 1.1.0 branch. I can see why that commit might help things, but probably a different solution is more appropriate for 1.1.0. I'm looking at this issue at the moment. Matt > > > Thanks, > Mahesh G S > > On Wed, Apr 19, 2017 at 6

Re: [openssl-users] Query regarding DTLS handshake

2017-04-19 Thread Matt Caswell
For those following this discussion Mahesh has created a github issue with much more detail (at least I am assuming this is the same issue): https://github.com/openssl/openssl/issues/3251 Matt On 18/04/17 21:17, Michael Tuexen wrote: >> On 13. Apr 2017, at 11:11, mahesh gs

Re: [openssl-users] Segmentation fault ssl23_connect()

2017-04-18 Thread Matt Caswell
On 16/04/17 20:17, Sanjaya Joshi wrote: > Hello, > > I use openldap_2.3.39 to initiate secure LDAP connection (starttls) to > external LDAP server. The used openssl version is 1.0.2k. > > While establishing the secure connection from client, I observe the > following segmentation fault

Re: [openssl-users] Query regarding DTLS handshake

2017-04-13 Thread Matt Caswell
On 13/04/17 18:26, Martin Brejcha wrote: > > > Matt Caswell wrote on 04/13/2017 03:45 PM: >> >> >> On 13/04/17 10:11, mahesh gs wrote: >>> Hi, >>> >>> We are running SCTP connections with DTLS enabled in our application. We >>> ha

Re: [openssl-users] Query regarding DTLS handshake

2017-04-13 Thread Matt Caswell
On 13/04/17 10:11, mahesh gs wrote: > Hi, > > We are running SCTP connections with DTLS enabled in our application. We > have adapted openssl version (openssl-1.1.0e) to achieve the same. > > We have generated the self signed root and node certificates for > testing. We have a strange problem

Re: [openssl-users] Integrating New Cipher Suite

2017-04-10 Thread Matt Caswell
On 08/04/17 18:56, Schmicker, Robert wrote: > Hello, > > I'm attempting to integrate a customized cipher suite for TLS 1.2, > however no matter what I try I always seem to end up with this error > (client side): > > SSL routines:ssl_cipher_list_to_bytes:no ciphers >

Re: [openssl-users] TLS 1.3

2017-04-04 Thread Matt Caswell
On 04/04/17 12:55, Thiago Arrais wrote: > I'm interested in contributing to TLS 1.3 support. Is it "done" yet? > Where do I start? Can anyone point me in the right direction? > > (BTW, total newbie here. Never contributed to OpenSSL.) Mostly TLSv1.3 support is already done. You can try it out

Re: [openssl-users] install libcrypto.so.1.1 -> /usr/local//usr/local/lib64/libcrypto.so.1.1 ?

2017-03-29 Thread Matt Caswell
On 29/03/17 09:43, Jeffrey Walton wrote: > Any ideas how to get OpenSSL to use /usr/local as a prefix, but place > its libraries in /usr/local/lib64? libdir is relative to prefix, to just use "--libdir=lib64" From INSTALL: --libdir=DIR The name of the directory under the

Re: [openssl-users] openssl-users Digest, Vol 28, Issue 21

2017-03-23 Thread Matt Caswell
On 23/03/17 03:47, Kane Huang wrote: > Hi guys, > > I want to use "multiblock" introduced from 1.0.2 to improve performance > of ipsec packet process, which uses aes_cbc_hmac_sha as main algorithm. > > I have tried openssl speed test with ‘-mb’ and I observe that the test > code use big buffer

Re: [openssl-users] One question about RSA decrypt with private key

2017-03-23 Thread Matt Caswell
On 23/03/17 05:29, Yu Wei wrote: > After commented out the line "EVP_PKEY_CTX_set_rsa_padding(ctx, > RSA_NO_PADDING)", it worked well. > > > However, I still quite understand the usage of "RSA_NO_PADDING". > > > Who could kindly explain this? > RSA_NO_PADDING gives you "raw" RSA

Re: [openssl-users] unsigned char * public key to evp_pkey o ec_key

2017-03-23 Thread Matt Caswell
E_ECDSA_WITH_AES_256_CCM 0x0300C0AD > And modifying the file ssl_ciph.c, the functions ssl_load_ciphers() > ... And modifying the file evp_cipher.c and ssl_locl.c and finally ssl_algs.c. > There are no way to make it works. It continue to give me error: > ssl3_get_client_hello:

Re: [openssl-users] Request for adding new ciphers

2017-03-15 Thread Matt Caswell
On 15/03/17 18:03, Christian Adja via openssl-users wrote: > Hi everyone, > > Someone can help for adding the ciphersuite " > ECDHE_ECDSA_WITH_AES_128_CCM " and "ECDHE_ECDSA_WITH_AES_256_CCM " in > openssl? > I tried adding in the file tls1.h > # define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM

Re: [openssl-users] mingw 64-bit build of 1.1.0e

2017-03-13 Thread Matt Caswell
On 12/03/17 07:57, sisyph...@optusnet.com.au wrote: >> But where did it find libz ? > > Heh ... this compiler ships with libz.a (x86_64-w64-mingw32/lib/libz.a). > I don't know how long they've been doing that - probably for years. > Remove (or rename) that file and 'make' fails because -lz

Re: [openssl-users] mingw 64-bit build of 1.1.0e

2017-03-11 Thread Matt Caswell
On 12/03/17 00:06, sisyph...@optusnet.com.au wrote: > -Original Message- From: sisyph...@optusnet.com.au > Sent: Saturday, March 11, 2017 10:21 PM > To: openssl-users@openssl.org > Subject: [openssl-users] mingw 64-bit build of 1.1.0e > >> In the msys2 shell, I run: >> >> ./config

Re: [openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-11 Thread Matt Caswell
On 11/03/17 18:38, Ethan Rahn wrote: >size_t sharedSecretLen = 0; Set this to sizeof(sharedSecret). > >// Now derive the Shared Secret >EVP_PKEY_CTX *ctx; > >ctx = EVP_PKEY_CTX_new(pkey, NULL); >if (!ctx){ > fprintf( stderr, "Failed to make EVP_PKEY ctx\n" ); >

Re: [openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-10 Thread Matt Caswell
On 10/03/17 20:58, Ethan Rahn wrote: > Hello Openssl-users, > > I'm trying to write some code that derives the shared secret for 2 > elliptic curve keys ( i.e. does ECDH ) > > I am doing the following to load up both the local and remote EC key ( > code shown for local side ): > > EC_KEY*

Re: [openssl-users] error making Private RSA

2017-03-02 Thread Matt Caswell
On 02/03/17 00:47, william estrada wrote: > Hello group, > I am attempting to create a Private RSA structure with the following code: > BIO* > PEM = BIO_new_mem_buf( Key, Key_Len ); > > if( Type == 1 ) > PEM_write_bio_RSAPrivateKey( PEM, RSA, NULL, NULL, 0, NULL, NULL ); > else >

Re: [openssl-users] DTLS handshake in WebRTC

2017-03-01 Thread Matt Caswell
phersuite selection is limited by the available server certificate(s). That is different to the client certificate which is independent of the ciphersuite. Matt > > Suman > >> On Mar 1, 2017, at 1:51 AM, Matt Caswell <m...@openssl.org >> <mailto:m...@openssl.org

Re: [openssl-users] DTLS handshake in WebRTC

2017-03-01 Thread Matt Caswell
> > Suman >> On Mar 1, 2017, at 1:33 AM, Matt Caswell <m...@openssl.org >> <mailto:m...@openssl.org>> wrote: >> >> >> >> On 01/03/17 05:55, Suman Paul wrote: >>> I have been looking at WebRTC DTLS handshake and don’t understand the >&

Re: [openssl-users] DTLS handshake in WebRTC

2017-03-01 Thread Matt Caswell
On 01/03/17 05:55, Suman Paul wrote: > I have been looking at WebRTC DTLS handshake and don’t understand the > logic of how it works. > > My Firefox client has support for both RSA and ECDSA ciphers while my > DTLS server only supports DHE-RSA-AES128-SHA and has a RSA key. I see > that Firefox

Re: [openssl-users] POODLE attack on TLS1.2

2017-02-27 Thread Matt Caswell
On 27/02/17 12:03, Akshar Kanak wrote: > Dear Team >In https://en.wikipedia.org/wiki/POODLE , It is mentioned that > POODLE attack is possible against *TLS *also . has this issue been > already addressed in openssl . This was never an issue in OpenSSL - so there is nothing to address.

Re: [openssl-users] Help with "tlsv1 alert insufficient security"

2017-02-24 Thread Matt Caswell
On 24/02/17 16:15, Joseph Southwell wrote: > We upgraded from 0.9.8 to 1.0.2 and now we are seeing that message when > we try connecting to a server that previously worked. What does it mean > and how can I figure out how to work around it? I can’t get the server > to change anything and I need

Re: [openssl-users] DTLS Handshake fails with DTLSv1_listen

2017-02-23 Thread Matt Caswell
On 23/02/17 18:02, Vijayakumar Kaliaperumal wrote: > Hi, > > While writing a DTLS server using DTLSv1_listen(), I found that > when I receive a fragmented clienthello from the client, DTLS handshake > fails. DTLSv1_listen stuck in the while loop (in the app). > When I checked the man

Re: [openssl-users] Compiling OpenSSL 1.1.0e with AF_ALG engine

2017-02-22 Thread Matt Caswell
On 22/02/17 20:20, Richard Weinberger wrote: > On 22.02.2017 at 12:24, David Oberhollenzer wrote: >> Sorry, never mind. After taking a closer look at the source code I saw >> that there are further compile time and run-time kernel version >> checks in e_afalg.c. I adjusted the version number

Re: [openssl-users] Compiling OpenSSL 1.1.0e with AF_ALG engine

2017-02-22 Thread Matt Caswell
On 22/02/17 09:11, David Oberhollenzer wrote: > Running readelf on afalg.so confirms that the symbol is indeed not > in the binary. Am I missing some magic configure options or is there > some other problem? I just tried the exact same Configure line as you on 1.1.0e and it all works fine: $

Re: [openssl-users] openssl client v1.1.0 can not connect: handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40

2017-02-17 Thread Matt Caswell
On 17/02/17 07:46, Matthias Apitz wrote: > New, TLSv1/SSLv3, Cipher is DHE-DSS-AES128-GCM-SHA256 Your server appears to be configured with a DSA certificate. OpenSSL 1.1.0 made changes to the default ciphersuites that get sent. See this CHANGES entry: *) Changes to the DEFAULT cipherlist:

Re: [openssl-users] Forthcoming OpenSSL release

2017-02-16 Thread Matt Caswell
On 16/02/17 19:54, Nounou Dadoun wrote: > Sorry I haven't been following the discussion on this vulnerability > if there is one. The advisory says that " this can cause OpenSSL to > crash (dependent on ciphersuite) "; is there any indication about > which cipher suites are affected? So that we

[openssl-users] OpenSSL Project Bylaws

2017-02-14 Thread Matt Caswell
I am pleased to be able to announce the publication of our new Project Bylaws. I have written a short blog post about what we are hoping to achieve and some of the thinking that went into these here: https://www.openssl.org/blog/blog/2017/02/13/bylaws/ The bylaws themselves are available here:

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-08 Thread Matt Caswell
On 08/02/17 14:12, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On >> Behalf Of Mike Mohr Sent: Tuesday, February 07, 2017 22:21 > >> Licensing issues are indeed thorny. Why can't openssl perform a >> dynamic link? The soversion should handle any ABI

Re: [openssl-users] How to disable the DTLS stuff in openssl 1.0.2k

2017-02-07 Thread Matt Caswell
On 06/02/17 09:58, Devang Kubavat wrote: > Hi, > I am trying to configure the OpenSSL 1.0.2k for windows. > Can anyone help me How to disable the DTLS? I guess this email got stuck somewhere because I only just got this. See my answer to this on your stackoverflow question:

Re: [openssl-users] Interoperating with a legacy client.

2017-02-07 Thread Matt Caswell
On 07/02/17 09:46, Tim Kirby wrote: > On 2/6/2017 2:55 AM, Matt Caswell wrote: >> This does look like the client is misbehaving for some reason. It's not >> behaviour I can reproduce with a 1.0.1j version of s_client. >> >> The second ClientHello should have a TLS1

Re: [openssl-users] DTLS Server with support for both EC and RSA keys

2017-02-06 Thread Matt Caswell
On 04/02/17 22:23, Suman Paul wrote: > Hi, > > I have a server that implements DTLS using OpenSSL 1.0.1 but supports > only RSA keys as of today. I want to add support to this server to > accept EC keys to be able to implement the newer ECDHE-ECDSA cipher > suites while retaining support for

Re: [openssl-users] Interoperating with a legacy client.

2017-02-06 Thread Matt Caswell
On 04/02/17 04:56, Tim Kirby wrote: > > I'm writing a server to support a legacy client that uses OpenSSL to > secure its communication. The client is using OpenSSL 1.0.1j, and I > have no control over that. I'm using the 1.0.1 version of OpenSSL > supplied with my > OS for the server side,

Re: [openssl-users] FW: problem with missing STDINT.H file

2017-01-31 Thread Matt Caswell
On 30/01/17 20:44, Carter, James M. (MSFC-ES34) wrote: > > > > > The attached text file is a snippet from attempting to install > openssl-1.1.0c on a Solaris 8 machine. As can be seen, failed when > could not be found. Do you have inttypes.h instead? As Jeff pointed out in another email

Re: [openssl-users] OpenSSL handshake failure in ssl3_get_client_hello() routine

2017-01-26 Thread Matt Caswell
On 26/01/17 15:53, Senthil Raja Velu wrote: > Hi Matt, > One other quick question, Is there a openssl utility code to just check > PRNG is initialized or NOT_SEEDED. See RAND_status(). Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL handshake failure in ssl3_get_client_hello() routine

2017-01-26 Thread Matt Caswell
On 26/01/17 04:38, Senthil Raja Velu wrote: > Hi, > I have a setup where the handshake between openssl server and client > fails at times but not always. And when it does, the client keeps > retrying and all of trials fail. Only way to recover is to restart the > server. > > Currently on the

[openssl-users] Fwd: [openssl-announce] Forthcoming OpenSSL releases

2017-01-25 Thread Matt Caswell
In case anyone on these lists missed this on the openssl-announce list: Forwarded Message Subject: [openssl-announce] Forthcoming OpenSSL releases Date: Mon, 23 Jan 2017 21:08:50 + (GMT) From: OpenSSL Reply-To: openssl-users@openssl.org To:

Re: [openssl-users] How to enable RC4 in OpenSSL 1.1.0c

2017-01-19 Thread Matt Caswell
On 19/01/17 17:59, Chris Clark wrote: > On Wed, Jan 18, 2017 at 7:01 PM, Viktor Dukhovni > wrote: > >> Sadly this does not shed much light on the build options. > > Here is more info, and now I added the "enable-ssl3" and > "enable-ssl3-method" options: If all you

Re: [openssl-users] Disable ETM in OpenSSL 1.1.0+

2017-01-16 Thread Matt Caswell
<david.woodho...@intel.com> AuthorDate: Fri Oct 14 00:26:38 2016 +0100 Commit: Matt Caswell <m...@openssl.org> CommitDate: Mon Oct 17 23:17:39 2016 +0100 Add SSL_OP_NO_ENCRYPT_THEN_MAC Reviewed-by: Tim Hudson <t...@openssl.org> Reviewed-by: Matt Caswell <m...@open

Re: [openssl-users] Encrypting using EC public key

2017-01-16 Thread Matt Caswell
On 15/01/17 03:47, Norm Green wrote: > Is there a way to encrypt a file using the openssl command with an > elliptic curve public key? Here's what I get when I try using OpenSSL > 1.1.0c : OpenSSL only supports ECDH (for key exchange) and ECDSA (for digital signatures) for elliptic curve keys,
