[openssl-users] We're working on license changes

2015-07-31 Thread Salz, Rich
Please see https://www.openssl.org/blog/blog/2015/08/01/cla/ for some more details. Summary: Moving to Apache 2, CLA's coming, it will take time. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz ___ openssl-users mail

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
> But there is a way in which the server sends a test (for example a random number) and the client signs it with his private key right?
It's called mutual (or client-side) authentication and is part of the TLS protocol. The client must have an X.509-style certificate.

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
> But is there a way to send text files through SSL_write()?
No.
___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Salz, Rich
What you want is application-specific, not part of the TLS protocol. So you have to use SSL_read/SSL_write and pull the data out as needed.

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
> Actually that isn't quite right. A properly configured and tuned RBAC policy, when combined with PaX, can very effectively limit all userspace activity (including root access!).
How do you know that the module is installed and actually doing things? How do you know what kernel is actua

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Salz, Rich
> For the stragglers, I don't think it's a stretch to ask C99 in 2015.
We agreed to support Netware; does it have C99? Anyone know?

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Salz, Rich
If it's a simple matter of adding "=0" in the declaration, we should just fix the darn thing.
-- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
> If some one build their own openssl and add few lines to print the keys during encrypt and decrypt and put in the library in the LD_LIBRARY_PATH, may result in compromising the security of the keys.
Can anyone other than root do this? You have to trust root. They could just cat your key

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

2015-07-14 Thread Salz, Rich
>if ASN1_TIME_set_string() avoids that limitation, despite Viktor's suggestion to never use it.
It does avoid the limitation, using only |struct tm| to hold parsed fields, and not building a |time_t| from it. Not sure why Viktor doesn't like it. It seems to me it's the only portable thing t

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

2015-07-14 Thread Salz, Rich
> This is important when creating root certs with expiry dates after 2038
Not an issue for openssl. As long as you use ASN1_TIME values, it's okay. Might be an issue if converting to time_t on 32-bit platforms.

Re: [openssl-users] Vulnerability Disclosures

2015-07-11 Thread Salz, Rich
> > I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be.
I'd be concerned about doing that. While this one seemed pretty rare -- only folks running a release less tha

Re: [openssl-users] -Wconversion

2015-07-10 Thread Salz, Rich
> Is it planned to tackle the warnings, for example by checking the involved code lines and (carefully) replace them by explicit casting to achieve clean compiles when using stricter warnings?
Yes. Timetable TBD.

Re: [openssl-users] OpenSSL Security Advisory - CVE-2015-1793

2015-07-10 Thread Salz, Rich
>How deep does the certificate chain have to be?
It does not matter.
>If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the problem?
>Also, is it a condition of the bug that both CA certificates have to have the same subject names an

Re: [openssl-users] Old "RSA_NET" key format

2015-07-09 Thread Salz, Rich
> Because both methods confirm your prior decisions, you therefore conclude that you were always right in the first place.
Provably wrong. I wanted to get rid of Netware support as the first example that comes to mind. As the second, I want to move all uses of RC4 and MD5 to LOW strength ci

Re: [openssl-users] Old "RSA_NET" key format

2015-07-09 Thread Salz, Rich
>> OpenSSL is a critical part of security in too many places for us to take on any unnecessary technical debt.
>>This is a somewhat empty argument as long as no one bothers to properly determine if a piece of code is a debt or an asset.
I claim that we are being careful and doing the prop

Re: [openssl-users] [openssl-dev] OpenSSL Security Advisory

2015-07-09 Thread Salz, Rich
> This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
In other words, if you are not using those specific releases -- i.e., the ones that came out less than 30 days ago -- you do not need to upgrade.

Re: [openssl-users] Old "RSA_NET" key format

2015-07-08 Thread Salz, Rich
> That's an overly general criteria, and may be the source of your mysterious marauding of the APIs.
Well there was no intent to be mysterious although I like the alliteration. We did mention it in the roadmap (https://openssl.org/about/roadmap.html) . Things are evaluated on a case-by-case

Re: [openssl-users] Old "RSA_NET" key format

2015-07-08 Thread Salz, Rich
> 1. Is there any good reason to remove this code?
Yes. If it's not tested, reviewed, or in general use, then it's more likely to be harmful (source of bugs) than useful.
> 2. Is this the OpenSSL name for the private key format used by older Microsoft Authenticate tools (and thus some

Re: [openssl-users] SSL_CTX_load_verify_locations only with CAPath

2015-07-07 Thread Salz, Rich
Is "surprising" a better word than sub-optimal? If you and Dave didn't know about it (nor did I) then it's surprising. And therefore probably not a good thing. Yes it can be useful. But the openssl "rehash" program only read one PEM block per file. So we need to fix one of those things.

Re: [openssl-users] SSL_CTX_load_verify_locations only with CAPath

2015-07-07 Thread Salz, Rich
> I thought, as the doc has (always? long?) said, that CApath must have each cert (or CRL) in a separate file. But on checking I see that by_dir.c actually calls X509_load_{cert,crl}_file from by_file.c, which for PEM loads all certs (or crls) in a file to the working context. Thus a ha

Re: [openssl-users] SSL_CTX_load_verify_locations only with CAPath

2015-07-06 Thread Salz, Rich
> For some reason, the X509_NAME_hash function calculates a very different hash for the server certificate:
Ah. Have you mixed openssl versions? At one point the hashing changed from md5 to sha1. That would explain why specifying a directory works, but a specific file doesn't.

Re: [openssl-users] Certificate serialnumber?

2015-07-05 Thread Salz, Rich
> Unless I'm misreading the code an absent serial number file is an error.
I was looking at load_serial() in apps.c, with the |create| parameter.
/r$

Re: [openssl-users] Certificate serialnumber?

2015-07-05 Thread Salz, Rich
> > the question: where does the serial number for this certificate come from?
> > is it random by default when nothing is said about it?
It will be random if (a) the serial file does not exist; and (b) you specify the -create_serial flag. Otherwise it opens the file, reads the number (default

[openssl-users] Old "RSA_NET" key format

2015-07-02 Thread Salz, Rich
We are thinking about removing the old "RSA_NET" format for private keys. This is used by very old Netscape and IIS. This would remove the d2i/i2d RSA_NET API's, and the "nss" format flag from the openssl program. It would not remove the SPKI stuff. If this would cause a problem for you, please

Re: [openssl-users] regarding the vulnerability CVE-2015-1788

2015-07-02 Thread Salz, Rich
The link you posted, and quoted from, says which versions are vulnerable and which ones are fixed. You could run a diff between them to isolate the fix. Or you could just upgrade.

Re: [openssl-users] Minor portability fix for Solaris-11.1

2015-07-02 Thread Salz, Rich
> ./testssl[149]: local: not found [No such file or directory]
> ./testssl[150]: local: not found [No such file or directory]
This is marked in RT 3907 and was fixed last week; it will be in the next releases. Thanks.

Re: [openssl-users] libtlssep

2015-07-01 Thread Salz, Rich
> I am writing to introduce a new TLS library which presently makes use of OpenSSL: libtlssep. Libtlssep has two aims: (1) to provide a simpler API to application developers and (2) to encourage the decomposition of applications into at least two processes, one of which isolates access to s

Re: [openssl-users] Query on TLS1.2 and use of DES ciphers

2015-06-28 Thread Salz, Rich
Deprecated means discouraged, not disallowed.

Re: [openssl-users] Suggested way to add option to both SSL_CTX* and SSL*?

2015-06-21 Thread Salz, Rich
> I looked at how SSL_CTX_set_cipher_list and SSL_set_cipher_list operate, but they don't use SSL_{CTX}_ctrl.
That API probably predates the ctrl. It's a trade-off; you lose type-safety but have less to document :)
> What is the suggested way to control the functionality through a flag?
Pro

Re: [openssl-users] Cygwin untar of 1.0.1n gives "tar: A lone zero block at 46120"

2015-06-12 Thread Salz, Rich
> $ tar zxf openssl-1.0.1n.tar.gz
> tar: A lone zero block at 46120
Perhaps this? http://askubuntu.com/questions/169223/tar-a-lone-zero-block-at-343398

Re: [openssl-users] The behavior change of command line utility -- 'openssl'

2015-06-11 Thread Salz, Rich
> I wonder if this is an expected behavior change or it is a bug.
As Dave Thompson said, you haven't yet shown that there is a "bug" or change.

Re: [openssl-users] OpenSSL.cnf File path

2015-06-04 Thread Salz, Rich
> > WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Set OPENSSL_CONF in your environment.

Re: [openssl-users] Do you use EGD or PRNGD?

2015-06-01 Thread Salz, Rich
Thanks for the info!
> it should be noted that a networked variant of the EGD protocol has been used by at least one hardware RNG vendor, though I am unsure if the builtin EGD code in OpenSSL could ever talk directly to that variant anyway.
I don't think so, since all the code does is open

Re: [openssl-users] [openssl-dev] Do you use EGD or PRNGD?

2015-06-01 Thread Salz, Rich
> While HP NonStop is not officially supported, I have been helping to maintain a fork for the platform since December and are current through 1.0.2a. We do use prngd. I am looking for ways to get back on the official platform list, looking for alternatives to prngd for that platform, and try

[openssl-users] Do you use EGD or PRNGD?

2015-06-01 Thread Salz, Rich
We are thinking of removing support for EGD (entropy-gathering daemon) in the next release. None of our supported platforms have needed it for some time. If this will cause an issue for you, please reply soon.
-- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] OpenSSL Behaviour under low bandwidth

2015-05-15 Thread Salz, Rich
“It does” Does that mean you have the same behavior? If so, it is possible that your simulator is, well, not great. But this doesn’t seem an openssl issue. Not sure where to suggest you go for help.

Re: [openssl-users] OpenSSL Behaviour under low bandwidth

2015-05-15 Thread Salz, Rich
>I've tested with s_client between my PC and an AWS EC2 instance. I've also tried using s_tunnel and nmap/ncat. The results appear the same. Using wireshark I see a lot of TCP retransmissions.
That sounds like a network issue. Try testing using something like netcat and see if you also get T

Re: [openssl-users] Testing OpenSSL based solution

2015-05-12 Thread Salz, Rich
> What Mr. Salz refers to by "Verification should be okay" is probably this:
Yes and Mr. Salz greatly appreciates Mr. Bohm's elaboration. :) Lest the humor be misunderstood: yes, you're right, thanks for explaining.

Re: [openssl-users] Testing OpenSSL based solution

2015-05-12 Thread Salz, Rich
You can't easily have test vectors for DSA signatures since they include a random. Any test vector would have to include the random, and any API would have to be able to accept the random as part of the "sign" API. Verification should be okay.

[openssl-users] statistics in COMP_CTX

2015-05-09 Thread Salz, Rich
Is anyone using the counters maintained in COMP_CTX?
    unsigned long compress_in;
    unsigned long compress_out;
    unsigned long expand_in;
    unsigned long expand_out;
We're making that structure opaque in 1.1, and are wondering if we need an API (two, probably) to make those numbers avail

Re: [openssl-users] minor documentation errors

2015-05-09 Thread Salz, Rich
> After getting into building and especially configuring my own CA again I'm nearly at the end and I've noticed some errors in the documentation I want to report.
I like the "again" :)
> 3) On https://www.openssl.org/docs/apps/req.html the option -subj is listed twice with a slightly diff

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-05-08 Thread Salz, Rich
> I will just grab master then. Will this change be in the next 1.0.2 release?
No. Released branches only get bug-fixes.

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-05-08 Thread Salz, Rich
> You can private message me the patch and I can benchmark it for you. Please let me know what release version or hash on git that it will cleanly apply. Do you know what release this will be going in?
It is this commit 3e47caff4830d2a117eda15b57a5feab89b846ae on master. A quick check sho

Re: [openssl-users] Regarding the Support for TLS 1.3

2015-05-04 Thread Salz, Rich
> I would like to know whether OpenSSL supports TLS 1.3, if supported from which version of OpenSSL the implementation started.
Since TLS 1.3 is not even done yet, no. If I had to guess, I'd say it won't be "done" for at least six months.
/r$, IETF TLS WG member

Re: [openssl-users] [openssl-dev] openssl 20150503 SNAP issue

2015-05-03 Thread Salz, Rich
SNAP releases are just that, snapshots. If you see the same problem twice, say, it is worth reporting.

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-05-01 Thread Salz, Rich
>Lock #1 is CRYPTO_LOCK_ERR, which I believe is used for logging errors. It appears your application is generating a lot of errors for some reason. Never tried it myself, but you probably can't disable this lock with multiple threads running. You should take a look at the error log to iden

Re: [openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?

2015-04-30 Thread Salz, Rich
> My webserver is getting flooded with queries like: > > ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] "GET > /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbt > FVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D > %3D > HTTP/1.1" 301 184 "-" "ocspd/1.0.3"

Re: [openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?

2015-04-29 Thread Salz, Rich
> But once I showed my work to people in my company, one of them asked me why did I choose not to add the client hostname to the Client Certificate, thus making it usable only by that specific client.
You put to put the client name or ipaddr in the subjectAltName extension field. Then you'

Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-28 Thread Salz, Rich
> Unfortunately this didn't solve my problem, but at least I narrowed it down. The leaks are caused by my call to "SSL_CTX_load_verify_locations", which is essentially "X509_STORE_load_locations".
Doesn't freeing the SSL_CTX_free release that data? If not, please file an RT ticket.

Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmaticallly

2015-04-28 Thread Salz, Rich
A pair means two. An RSA keypair is two keys, the public key and the private key. You cannot have one without the other, and you cannot generate them separately. You can, of course, store and use them separately, and must do so. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Salz, Rich
> If they have counterparts in TLS that could be used, why wouldn't the TLS version show up instead ?
Because they are *the same* TLS did not take old ciphers and renumber or rename them.

Re: [openssl-users] Certificate template information

2015-04-27 Thread Salz, Rich
> I have need to identify a Microsoft generated certificate's template name, I believe as part of oid 1.3.6.1.4.1.311.21.7
Where, in a cert OtherName field?

Re: [openssl-users] Can't connect to site, OpenSSL returns error

2015-04-27 Thread Salz, Rich
> So why does it work for me?
Well, who knows when the remote server wants to see SNI? It could be based on url, ipaddress, etc.

Re: [openssl-users] Can't connect to site, OpenSSL returns error

2015-04-27 Thread Salz, Rich
> It is weird that it worked for you. Anyway I found a way how to fix it (if I can call it "a fix"). The key is to provide a flag "-servername" to enable SNI (Server Name Indication).
It's not wrong to call it a fix. The server you are talking to is configured to require SNI, apparently.

Re: [openssl-users] [openss-users] How to correctly shutdown for connection to avoid memory leak

2015-04-27 Thread Salz, Rich
If you used BIO_NOCLOSE then you have to close the BIO. Yes, after shutdown is done, call SSL_free()

Re: [openssl-users] Can't connect to site, OpenSSL returns error

2015-04-26 Thread Salz, Rich
> And it returns this kind of error
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
>
> The site uses TLS 1.1, AES_128_CBC_SHA1, ECDHE-ECDSA.
Perhaps there is a middlebox in the way that gets version negotiation wrong. Try adding the -tls1 flag.

Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-26 Thread Salz, Rich
This isn't paid support; two days isn't a long time to wait :) Is this on process exit? If so, does it really matter? You might look at the apps_startup and apps_shutdown functions in apps/openssl.c on the master branch. /r$ -- Senior Architect, Akamai Technologies IM: richs...@jabb

Re: [openssl-users] Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)” Signature Value

2015-04-24 Thread Salz, Rich
WS-Security? Blast from the past … ☺ To fill in the BinarySecurityToken field, take the PEM version of the cert, strip off the leading and trailing marker lines ---BEGIN… and output that. To generate the signature look at the pkeyutl app. (Sorry, don’t remember any other details) -- Senior A

Re: [openssl-users] How to find patches for a particular OpenSSL version?

2015-04-22 Thread Salz, Rich
> I am currently using openssl 1.0.1e (compiling from source), and I was wondering whether I needed to put in any patch files with it as well. Does anybody know? Let's assume I can't just use a later version's tarball.
There are no patch files. Letter releases, 1.0.1f, 1.0.1g, etc., are onl

Re: [openssl-users] Delete a post to openssl-user mailing list

2015-04-22 Thread Salz, Rich
> Can a message be removed by the system administrator of the openssl-user email forum?
There are several places that archive openssl mailing lists.
> My original post about "NULL EVP_PKEY" was flagged by my company as a security risk.
That seems erroneous to me.
> I have been directed to re

Re: [openssl-users] Compiling for multiple platforms?

2015-04-21 Thread Salz, Rich
> Is there a way to specify where objects and binaries go? Or, alternatively, where the source lives (rather like OpenSSH's --srcdir option)?
Not currently. This might change as the make "system" is being reviewed and overhauled. Until then, rsync is your best option, as long as all your p

Re: [openssl-users] NULL EVP_PKEY

2015-04-20 Thread Salz, Rich
> I am having a problem reading a password protected private key file (.pem) using the OpenSSL library (programmatically).
Can you read it using the openssl command-line tool?
-- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] How to add CT Precertificate SCTs to a server certificate?

2015-04-20 Thread Salz, Rich
> https://www.openssl.org/docs/apps/x509v3_config.html#ARBITRARY-EXTENSIONS
Oops. I only looked at asn1_generate. Should there be a cross-link?

Re: [openssl-users] How to add CT Precertificate SCTs to a server certificate?

2015-04-20 Thread Salz, Rich
> > A patch to let you specify the DER directly would be useful.
> > No patch required:
Looks like a doc bug then.

Re: [openssl-users] How to add CT Precertificate SCTs to a server certificate?

2015-04-20 Thread Salz, Rich
> How do we use `openssl req` and a CONF file to add the information (assuming we already have the certified timestamps)?
Ouch, that's gonna be nasty. Look at ASN1_generate_nconf.pod Most likely have to use the SEQUENCE type, recursively. Ouch indeed. A patch to let you specify the DER dire

Re: [openssl-users] CTX_free crash

2015-04-19 Thread Salz, Rich
> Sometimes, the program crashes when doing an SSL_CTX_free; before the crash, ctx is an invalid pointer, that's why I can get a valid value from SSL_CTX_get_max_cert_list (ctx), so it's not a double free problem.
You mean it's a VALID pointer? We'll need a more detailed backtrace.

Re: [openssl-users] OpenSSL 1.0.2 Solaris 32 bit build is broken

2015-04-14 Thread Salz, Rich
You could mail it to RT and then it will at least be logged and not forgotten. But no response within four days isn't surprising.

Re: [openssl-users] FIPS mode restrictions and DES

2015-04-13 Thread Salz, Rich
> If I may, I'd like to ask about including the Linux kernel in the validation.
As the old joke goes, "if you have to ask, you can't afford it."

Re: [openssl-users] FIPS mode restrictions and DES

2015-04-13 Thread Salz, Rich
> In other words, is the only practical and viable option regarding this to re-implement crypt() using EVP methods ? - thanks.
Yes. That would be so much easier than anything you can imagine.

Re: [openssl-users] removing compression?

2015-04-07 Thread Salz, Rich
> I'm not sure if/how SPDY differs from HTTP/2 (other than I know they are > different but aligned). I Google just turned off spdy for "official" http/2. http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html

Re: [openssl-users] removing compression?

2015-04-07 Thread Salz, Rich
Yes, some others have spoken up so compression at the TLS layer will stay. The ability to add new compression methods at run-time is likely to go away.

Re: [openssl-users] AES-GCM processing time

2015-04-07 Thread Salz, Rich
> At the very least, you need to measure many encryptions and take the average.
+1 Also look at the openssl speed app.
-- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] removing compression?

2015-04-07 Thread Salz, Rich
Jakob, Thanks very much for the detailed response! I'm still not convinced that tls-layer compression is a good thing. You seem to be saying it could possibly be made to work, but ... do I have that view right? -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichS

Re: [openssl-users] updating list of server account password

2015-04-06 Thread Salz, Rich
Perhaps you don't want to post this kind of thing to a global mailing list for all users of openssl?
-- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] removing compression?

2015-04-04 Thread Salz, Rich
> by randomly interspersing flush commands into the data stream (description and example implementation https://github.com/wnyc/breach_buster)?
> It's not perfect but for some use cases better than having no compression at all.
Flushing the stream seems like an application-level thing to do, a

Re: [openssl-users] Modulus field in text display of a certificate

2015-04-04 Thread Salz, Rich
> > Modulus:
> > 00:9a:18:ca:4b:94:0d:00:2d:af:03:29:8a:f0:0f:
The leading zero is so that you don't confuse it with a sign bit.

Re: [openssl-users] HTTP / HTTPS on same port

2015-04-03 Thread Salz, Rich
It is a hack. Most people do it the other way and look for a G or P as the first letter.

[openssl-users] removing compression?

2015-04-03 Thread Salz, Rich
I am thinking about removing compression and would like to know what the community thinks. At a minimum, I am going to remove the ability to add compression at run-time. This was never really documented. Moving forward, if someone wants to add a new compression scheme they will need to modify

Re: [openssl-users] Certification Path Building / non-hierachical PKI

2015-03-29 Thread Salz, Rich
> Are there any plans or patches for such a feature?
We have no plans for this.
-- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz

Re: [openssl-users] Is RC4-MD5 disabled on Openssl-1.0.1h

2015-03-26 Thread Salz, Rich
> I am wondering is this newly introduced?.
No it's not new.
> Application compiled with openssl-0.9.8d used to work when Cipher string has '+'.or ':'
That release is nearly 10 years old (Sep 2006) And are you sure it worked? + tended to mean add, so :+ worked...
-- Senior Architect

Re: [openssl-users] ChaCha20/Poly1305 in OpenSSL?

2015-03-25 Thread Salz, Rich
> I see Adam Langley's patch here:
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a8646510b
>
> Any ideas why it was not accepted or not merged? (I'm assuming it was not merged because it was rejected for some reason).
I thought his patch came before the IETF final doc, which c

Re: [openssl-users] What global object I use in application lifetime

2015-03-24 Thread Salz, Rich
> From document, I think CTX can be initialize only once. But I do not know g_ssl can be initialize only once? I can reuse g_ssl for 1000 different URLs? Please correct me if anything. Thanks!
You need to create a new SSL object every time you want to do a connect.
/r$
-- Senior Ar

Re: [openssl-users] ChaCha20/Poly1305 in OpenSSL?

2015-03-23 Thread Salz, Rich
It's unlikely to appear in 1.0.2 as it's a new feature. CloudFlare has posted patches that seem like they would drop in easily, for folks that want to do it; see https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/ -- Senior Architect, Akamai Technologies IM:

Re: [openssl-users] [openssl-announce] Forthcoming OpenSSL releases

2015-03-18 Thread Salz, Rich
> The extra work is also documented (in a place not linked from the wiki) for those who maintain a git fork of the OpenSSL repository.
I just tossed together https://wiki.openssl.org/index.php/Code_reformatting Found off the main page, https://wiki.openssl.org/index.php/Main_Page#Internals_and_

Re: [openssl-users] TLS 1.2 message hiding.

2015-03-17 Thread Salz, Rich
> Ok, so TLS does not handle this.
The current draft of the TLS 1.3 specification includes a field to pad every data record.

Re: [openssl-users] TLS 1.2 message hiding.

2015-03-13 Thread Salz, Rich
> I'm using TLS 1.2 with compression and was wondering if OpenSSL implements ways to hide the exact length of the message (may be using RFC 6066).
No. What in 6066 were you thinking of trying to use?

Re: [openssl-users] How to make a rehandshake(renegotiation)?

2015-03-11 Thread Salz, Rich
Many servers have disabled client-initiated renegotiation. I thought you were testing your client/server.

Re: [openssl-users] Delay of email delivery for the list

2015-03-11 Thread Salz, Rich
> Guess I'll mention this here. After the mailing list changes, MARC stopped archiving the OpenSSL lists, e.g.
Thanks, I'll get in touch with them.
-- Senior Architect, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz

Re: [openssl-users] Delay of email delivery for the list

2015-03-10 Thread Salz, Rich
> I see some delay about 30-40 min for my emails. They arrive and I see them in the incoming messages in the list only after 30-40 min. And one email was delivered for 2 hours. Is it normal for the openssl-users@openssl.org?
It happens sometimes.
> Some time ago I see an email with message:

Re: [openssl-users] How to make a rehandshake(renegotiation)?

2015-03-10 Thread Salz, Rich
> Does OpenSSL support renegotiation?
Yes. You probably need more than that. :) Take a look at the apps/s_client and look for the 'R' constant to see how to do client-initiated reneg.

Re: [openssl-users] How to disable all EXPORT Ciphers?

2015-03-09 Thread Salz, Rich
>How to I disable all EXPORT Ciphers from OpenSSL?
> Will the use of string "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH"
; openssl ciphers -v kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH | grep EXP
;
Yes. But really, SSLv2? Really? You have clients that haven't been u

Re: [openssl-users] SSL_read preserving message boundaries.

2015-03-07 Thread Salz, Rich
> As far as I know SSL_read will only return data from 1 record.
But there is no requirement that each write translates into one record.

Re: [openssl-users] SSL_read preserving message boundaries.

2015-03-07 Thread Salz, Rich
> So this is preserving message boundaries. How do I get the complete message just like with TCP?
No, it just happened that way. TLS does not preserve message boundaries.

Re: [openssl-users] OpenSSL and detecting whether bugs have been patched

2015-03-05 Thread Salz, Rich
> if (!openssl_is_patched("CVE-2014-0160")) {
>    complain_vociferously();
> }
That's an interesting idea. Of course the CVE list would grow, so perhaps arrays of ints are better
    int OPENSSL_cve_fixed(int year, int vuln);
?

Re: [openssl-users] Openssl upgrade

2015-03-04 Thread Salz, Rich
> I am facing unknown digest error from ASN1 while verifying certificate from client using PKCS7_verify.
Is this a cert you generated with the old openssl code? I believe there is an issue with OID's, but am not sure. Maybe somebody else can recall.

Re: [openssl-users] has anyone developed a standalone test for CVE-2014-8730?

2015-02-28 Thread Salz, Rich
> I've found one on-line tester for CVE-2014-8730 here:
You sure that's the one you want? That is only for F5. See https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

Re: [openssl-users] Getting General SSL Help

2015-02-27 Thread Salz, Rich
I like https://www.feistyduck.com/
-- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz

Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Salz, Rich
> > As there is no documentation and as no one seems to know the meaning of the -no_explicit for "openssl ocsp", should I file a documentation defect in RT for that?
> > yes, please.
Never mind, Stephen already fixed the doc in master :)

Re: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

2015-02-24 Thread Salz, Rich
> As there is no documentation and as no one seems to know the meaning of the -no_explicit for "openssl ocsp", should I file a documentation defect in RT for that?
yes, please.

Re: [openssl-users] FIPS, continuous tests, and error reporting

2015-02-19 Thread Salz, Rich
> For instance, any of the void DES_*_encrypt(). This cursory observation is also supported by a vendor application code such as:
Ah, okay. Those functions are 'just math' They depend on no external state. They can't fail. It's shifts and masking, etc.
> This is basically why I'm wonderin
