Thank you, Bodo.
This is a crucial point that was not clear to me when I was investigating the
use of TLS_FALLBACK_SCSV the first time.
If my application uses SSLv23_method() when constructing the SSL context, and
then explicitly disables SSLv2 and SSLv3 using SSL_CTX_set_options(), then
OpenS
It appears that the NIST NVD entry for CVE-2010-5298 may be incorrect. This
issue seems to affect 1.0.0+. Nothing earlier - specifically 0.9.8, correct?
Thanks for the sanity check.
Dr. Henson,
Can you give me any information with regards to how the exploitation of
CVE-2013-6450 against 0.9.8y may manifest itself? If not a DoS, could it cause
a process using libssl to core, cause libssl to return an "okay" when it should
have returned an error status, leak sensitive informatio
Oh, okay. Thank you for that tidbit.
If not a DoS, how does the issue manifest itself in 0.9.8 if an adversary
uses/attempts to use the flaw?
Thanks.
- Original Message -
> From: Dr. Stephen Henson
> To: openssl-users@openssl.org
> Cc:
> Sent: Thursday, January 16, 2014 12:22 PM
>
It is my understanding that 0.9.8y contains the DTLS retransmission flaw
described in CVE-2013-6450.
I thought I read somewhere that OpenSSL.org is working on a 0.9.8za release to
address this issue (and other bug fixes).
Is that correct? If so, what is the release schedule?
Thanks.
I'm going to try this question again because it seems like there are some
anomalies in the OpenSSL implementation: which cipher suites are available in
which versions of SSL/TLS?
Using Appendix A.5 from the TLS 1.0, 1.1, and 1.2 RFCs, it looks to me as
though there are some cipher suites in T
# openssl rand 16 -out ./junk.bin
unable to write 'random state'
I have made some changes to code in the openssl-fips-ecp-2.0.2 distribution
(yes, I know I cannot use the OpenSSL FIPS 140-2, Level 1 accreditation). It's
likely that I have screwed something up, huh?
>># echo $OPENSSL_FIPS
>>
> echo $OPENSSL_FIPS
1
> openssl genrsa -out /home/user/key -des3 2048
error:FIPS routines:FIPS_drbg_generate:not
instantiated:openssl-fips-ecp-2.0/fips/rand/fips_drbg_lib.c:459
error:rsa routines:RSA_BUILTIN_KEYGEN:BN
lib:openssl-fips-ecp-2.0/crypto/rsa/rsa_gen.c:338
What am I doing wrong?
Tha
Ahhh, it looks like Appendix A.5 answers my questions more easily than Appendix
C.
I believe these are the answers:
In fact, TLS 1.1 does prohibit the use of the export cipher suites in TLS 1.0.
So there are effectively a few (9 by my count) cipher suites that are supported in
TLS 1.0 that are pr
I'm a little confused about which cipher suites are supported by which SSL/TLS
protocol versions.
I'm using Appendix C of the TLS 1.0, 1.1, and 1.2 RFCs, respectively, as a
starting point for which cipher suites are supported in which version of the
protocol, but I'm not sure how to parse the f
My understanding is that 2048-bit DSA keys (with |q|=256) are currently
supported - at least they seem to be in 1.0.1e and fips-2.0.2. And "by
supported" I mean that they can be 1) generated and 2) used with TLS provided
the signature_algorithms extension is used so that SHA256 can be specified
Can one use HMAC through EVP? If so, can someone point me to an example?
It seems that when the OpenSSL module is in FIPS mode, it doesn't like programs
using HMAC_*() functions directly:
"OpenSSL internal error, assertion failed: Low level API call to digest SHA1
forbidden in FIPS mode!"
Tha
1) I'm wondering why the FIPS_selftest_dsa() function in fips_dsa_selftest.c
uses EVP_sha384 with a 2048-bit DSA key during the fips_pkey_signature_test()?
If I'm reading the NIST standards (FIPS 186-3 and SP 800-57 Part 1) correctly,
it looks like it is more usual for 2048-bit DSA keys to be pa
I'm wondering why the FIPS_selftest_dsa() function in fips_dsa_selftest.c uses
EVP_sha384 with a 2048-bit DSA key during the fips_pkey_signature_test()?
If I'm reading the NIST standards (FIPS 186-3 and SP 800-57 Part 1) correctly,
it looks like it is more usual for 2048-bit DSA keys to be paire
Must non-CA, self-signed certificates have the "keyCertSign" bit set in the
keyUsage extension to be "valid"?
If I don't have the bit set and execute the following command:
openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem
I get the following error:
error 20 at 0 depth look
Second try...
The FIPS_rand_set_key and FIPS_rand_seed functions in 0.9.8 appear to have been
removed in newer OpenSSL FIPS Object Module v2.0.
Are there replacements? Or are they not needed anymore? If an application is
in FIPS mode (i.e. the OpenSSL FIPS Object Module is in FIPS mode), can
It seems that the 0.9.8-era FIPS_rand_set_key() and FIPS_rand_seed() APIs have
been removed from the 1.0.1-era FIPS Object Module. Are there replacements for
these APIs? If so, what are they?
I used to use them after my FIPS-mode application forked to reset the entropy
state in the child proc
I want to build the OpenSSL 1.0.1e distribution with the FIPS code from OpenSSL
FIPS 2.0.2 distribution WITHOUT using the FIPS canister method and in-core
fingerprint method described in the User Guide for the OpenSSL FIPS Object
Module v2.0 document.
Maybe to say it another way, I would like t
EXP-RC2-CBC-MD5 does not appear to work in 0.9.8y. It does in 0.9.8x.
system:user/openssl-0.9.8y/apps 27% ./openssl s_client -connect 10.1.1.1:443
-tls1 -cipher EXP-RC2-CBC-MD5
CONNECTED(0003)
95776:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
record mac:s3_pkt.c:4
The SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option only affects how the OUTBOUND
(i.e. SSL_write) records are split (or not), correct? It doesn't define any
behavior for how the INBOUND records (i.e. SSL_read) should be split (or not),
correct?
So, it's possible that different sides of an SSL conne
Thank you for the information and links.
> [stuff deleted]
>
>> I'm probably missing something in the OpenSSL implementation. The
> documentation for SSL_CTX_set_tmp_dh_callback() says that the
> "tmp_dh_callback is called with the keylength needed..." But surely
> this can't be only 512 o
Is there a correlation between the strength (size) of the asymmetric keys used
to do the authentication and the strength (size) of the ephemeral DH keys
generated/used to protect the session key (during the key exchange)?
On first glance, in s3_srvr.c, it seems like the tmp_dh_callback() functio
I built the intel-accel-1.4 engine under a FreeBSD variant. However, when I
specify its use on the command:
env OPENSSL_ENGINES=`pwd` openssl speed -evp rc4 -engine intel-accel
gdb shows me that the RC4 function from libcrypto.so is getting used - not the
one from the libintel-accel.so. If I
I think, perhaps, two different things are being confused here:
1) RedHat's use of the term "OpenSSL Module v1.0" and
2) James' use of the term "OpenSSL 1.0.0."
Looking through RedHat's Security Policy and Certificate posted on NIST's site,
it certainly looks to me that their "OpenSSL Module v1
Hello.
I've browsed through about a year's worth of the openssl-users and openssl-dev
mail list archives in search of some information. I think I found most of what
I'm looking for, but I want to summarize my questions and my understanding of
the current situation for your review:
1) I've see
25 matches