Sorry I haven't been following the discussion on this vulnerability if there is
one.
The advisory says that " this can cause OpenSSL to crash (dependent on
ciphersuite) "; is there any indication about which cipher suites are affected?
So that we know whether we should upgrade now or catch
There was a suite of test scripts posted to the dev list (I set them up and
used them very quickly), see below
Nou Dadoun
Senior Firmware Developer, Security Specialist
Office: 604.629.5182 ext 2632
-Original Message-
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On
Exactly the same results, failed as before. Viktor is correct - 1.0.2d
Thanks; let me know if a dump trace would be useful .. N
Nou Dadoun
Senior Firmware Developer, Security Specialist
Office: 604.629.5182 ext 2632
-Original Message-
From: openssl-users
] On Behalf Of
Kurt Roeckx
Sent: Tuesday, March 01, 2016 12:16 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signature
On Tue, Mar 01, 2016 at 12:38:20AM +, Nounou Dadoun wrote:
> Is it sufficient to change
] On Behalf Of
Kurt Roeckx
Sent: Monday, February 29, 2016 3:47 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signature
On Mon, Feb 29, 2016 at 10:48:22PM +, Nounou Dadoun wrote:
> But this demonstrates that
the issue, just let me know, thanks again ... N
Nou Dadoun
Senior Firmware Developer, Security Specialist
Office: 604.629.5182 ext 2632
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Nounou Dadoun
Sent: Monday, February 29, 2016 1:41 PM
T
of the client certificate. I think we've already pointed out how
to disable that.
Kurt
On Mon, Feb 29, 2016 at 08:55:34PM +, Nounou Dadoun wrote:
> And I should add a reminder that the negotiated cipher that's failing
> is actually TLS_RSA_WITH_AES_256_CBC_SHA256
>
> Which does s
Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Nounou Dadoun
Sent: Monday, February 29, 2016 12:41 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signature
Sorry, that may
Sorry, that may be the name of one of the associated libraries, in any event
it's a Linaro arm toolchain version 4.9.1 running on a linux x-64 vm ... N
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Nounou Dadoun
Sent: Monday, February 29
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signature
Which compiler and version are you using?
Kurt
On Mon, Feb 29, 2016 at 08:12:10PM +, Nounou Dadoun wrote:
> For the record, I added no-asm to the config options and
worldwide.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Nounou Dadoun
Sent: Monday, February 29, 2016 11:39 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signa
-users-boun...@openssl.org] On Behalf Of Dr.
Stephen Henson
Sent: Sunday, February 28, 2016 4:58 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signature
On Sun, Feb 28, 2016, Nounou Dadoun wrote:
>
> We're
-boun...@openssl.org] on behalf of Viktor
Dukhovni [openssl-us...@dukhovni.org]
Sent: February 27, 2016 1:28 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with
error 67702888--bad signature
> On Feb 27, 2016, at 4:25 PM, Nounou Dad
> On Feb 27, 2016, at 3:49 PM, Kurt Roeckx <k...@roeckx.be> wrote:
>
> On Sat, Feb 27, 2016 at 07:45:18PM +, Nounou Dadoun wrote:
>> PLATFORM=VC-WIN64A
>
> Can you try a build with no-asm?
Or perhaps with 1.0.1r, why stick with 1.0.1h???
--
Viktor.
--
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signature
On Sat, Feb 27, 2016 at 07:45:18PM +, Nounou Dadoun wrote:
> PLATFORM=VC-WIN64A
Can you try a build with no-asm?
Kurt
--
openssl-users mailing l
ssl.org]
Sent: February 27, 2016 10:23 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error
67702888--bad signature
On Sat, Feb 27, 2016, Nounou Dadoun wrote:
> Thanks for the response,
>
> I'm not sure what you're saying here other th
888--bad signature
On Fri, Feb 26, 2016, Nounou Dadoun wrote:
> I've extracted the certificates from the exchange to verify that the (tlsv1)
> successful handshake and the (tlsv1.2) failed handshake certificates are
> identical (they are) and I've also checked to make sure
On Behalf Of Nounou
Dadoun
Sent: Friday, February 26, 2016 9:34 AM
To: openssl-...@openssl.org
Subject: [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad
signature
Trying to upgrade from TLSv1 to TLSv1.1 and 1.2 has been more problematic than
I might have suspected.
I have a TLS se
st
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Nounou Dadoun
Sent: Thursday, February 25, 2016 2:42 PM
To: openssl-users@openssl.org
Subject: [openssl-users] Failed TLSv1.2 handshake with error 67702888--bad
signature
I'm trying to troubles
I'm trying to troubleshoot some development code which is enabling TLSv1.1
and 1.2 and failing. Have an odd tls handshake failure, with an error number
that I can find any documentation about (is there any?) that indicates
"67702888--bad signature" which is being logged on the server side;
I've just been reading about recommended and deprecated encryption and tripped
over a nist document
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf)
that distinguishes between 2key and 3key 3DES saying that the former is
deprecated after 2015 but the latter is
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Wednesday, January 20, 2016 8:55 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Using TCP Fast Open with OpenSSL
> On Jan 20, 2016, at 9:27 AM, Sara
The TCP first-flight data will be the TLS ClientHello message. This saves one
round-trip on repeat visits:
C: SYN + TFO-COOKIE + TLS ClientHello
S: SYN-ACK
S: ACK + TLS Server Hello ...
...
--
Viktor.
That makes sense, thanks ... N
Nou Dadoun
Senior Firmware
.
Stephen Henson
Sent: Monday, January 18, 2016 2:51 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to access some simple conversion functions -
asn1_time_to_tm
On Mon, Jan 18, 2016, Nounou Dadoun wrote:
> Hi folks,
>
> I'm trying to do some simple conversions (
Hi folks,
I'm trying to do some simple conversions (I need to push some certificate data
across a soap interface).
I'm trying to do an ASN1 time conversion to tm (and eventually time_t but tm
would be fine).
Earlier mailing list entries said that this was not available but I've now
found:
why they're not exposed?
Nou Dadoun
Senior Firmware Developer, Security Specialist
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Nounou Dadoun
Sent: Monday, January 18, 2016 12:43 PM
To: openssl-users@openssl.org
Subject: [openssl-users] How
Update: after I disabled aes-gcm the server selected
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) and the connection succeeded
(disabling aes-gcm also disabled the available ciphers with SHA384 so it's not
clear whether that was the culprit or not).
So things are working again but still not sure
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Failed TLSv1.2 handshake
On Mon, Dec 07, 2015 at 10:46:26PM +, Nounou Dadoun wrote:
> The cipher setting on the server is:
> SSL_CTX_set_cipher_list(pSslContext->GetNativeRef().impl(),
> "ALL:SEED:!EXPORT:!LOW:!DES:!RC4"
sed herein are the
registered and/or unregistered trademarks of Avigilon Corporation and/or its
affiliates in Canada and other jurisdictions worldwide.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Nounou Dadoun
Sent: Tuesday, December 08,
Hi folks, running into a failed handshake problem -
Although we upgraded to openssl 1.0.2d last summer, we had never changed our
context setup from accepting any version other than TLSv1, i.e. (in boost)
m_context(pIoService->GetNative(), boost::asio::ssl::context::tlsv1)
When we recently
I have to do some testing tomorrow and I'll post my results and a packet
capture .. N
From: openssl-users [openssl-users-boun...@openssl.org] on behalf of
Jayalakshmi bhat [bhat.jayalaks...@gmail.com]
Sent: December 6, 2015 9:18 PM
To: openssl-users@openssl.org
Just coincidentally we may have an issue in a pending release that looks much
like this scenario as well;
In our case, the server is 1.0.2d and the client is not.
I'll update details as I get them .. N
Nou Dadoun
Senior Firmware Developer, Security Specialist
Office: 604.629.5182 ext 2632
Calling
X509_STORE_CTX_set_error(ctx, X509_V_OK);
Is actually what I'm doing already but I was worried that it would then ignore
any other errors (e.g. bad signature etc.); I'd actually thought the errors
might be ORed together but that doesn't look like the case.
So does it invoke the
, December 03, 2015 9:08 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Verify callback to ignore certificate expiry
On Thu, Dec 03, 2015 at 05:00:12PM +0000, Nounou Dadoun wrote:
> Calling
> X509_STORE_CTX_set_error(ctx, X509_V_OK); Is actually what I'm doing
Another quick question, I'm setting up a server ssl handshake on a device on
which the certificate verification will sometimes fail not because the
certificate is bad but because the time is not set properly on the device.
I'm doing an ssl verify callback that is almost identical to one of the
Getting an unexpected result, does the no_tls1 option for s_client mean "don't
use tls1" (and everything else is ok) or does it mean "don't use tls1 or tls1.1
or tls1.2"? I expected the former but I'm observing the latter! (The man page
doesn't go into that much detail.) ... N
Nou Dadoun
: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Benjamin Kaduk
Sent: Tuesday, December 01, 2015 3:34 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] s_client -no_tls1 option
On 12/01/2015 05:28 PM, Nounou Dadoun wrote:
> Getting an unexpected result, d
I also like this page for the best conceptual explanation for how EC crypto
works that I've seen:
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
Nou Dadoun
Senior Firmware Developer, Security Specialist
Office: 604.629.5182 ext 2632
Quick question, modifying context options on an openssl server (disabling SSLv2
and SSLv3, enabling TLSv1 (for compatibility for now), TLSv1.1 and TLSv1.2) and
I had a question about which version is chosen in practice in a TLS connection.
I've read that in general the client proposes the
users-boun...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Friday, November 06, 2015 1:32 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Does openssl server always choose highest TLS
version offered?
On Fri, Nov 06, 2015 at 08:59:58PM +0000, Nounou Dadoun wrote:
> Quick questi
40 matches
Mail list logo