Fwd: [.] ssl update needs rebuilds

Hello. non-grata posting, but i think a fix would be a widely appreciated clarification. I think noloader is on this list, so i do not bcc him. --- Forwarded from Steffen Nurpmeso --- Date: Sun, 09 Jun 2024 01:58:54 +0200 Author: Steffen Nurpmeso .. |>|> Jun 7 23:41:16 outwall/smtpd[19222]

Re: Fwd: Proper API usage with DTLS over custom net transport

On 20/10/2022 20:33, Павел Балашов wrote: So now the questions: (1) If we receive some dtls data at the line above with '' what should we do in terms of OpenSSL API calls ?  I assume this dtls data could be a client's retransmission due to server's last flight was lost or this could be

Fwd: Proper API usage with DTLS over custom net transport

Hello, I would be really grateful if someone can point me in the right direction with proper OpenSSL API usage in the following scenario. I have a custom network transport - ICE (essentially UDP socket, as a part of typical WebRTC stack) and I need to implement a DTLS connection over it. So given

Fwd: Need Help for iOS and MacOS Build of OpenSSL

Hi Everyone, I am working on a project where I have to build OpenSSL "3.0.5" version for multiple targets related to MacOS and iOS. I am able to successfully build the OpenSSL "1.1.1x" version by using targets mentioned in "20-ios-tvos-cross.conf". I used to give commands like the below: > ./Con

Fwd: Getting make warning for Openssl 1.0.2x on MacOS

While building OpenSSL 1.0.2x library I am configuring with following options on macos: For Macosx-32: ./Configure --openssldir=/path/to/openssl/dir shared -mtune=generic -march=i386 -m32 -fPIC darwin-i386-cc no-asm -D_GNU_SOURCE no-rc5 enable-tlsext no-ssl2 For Macosx-64: ./Configure --openssldir

Re: Fwd: Trying to generate a RSA private key

Hi Victor, Thanks for advising me and for the links. I'm learning a lot, despite the bad news Thanks. Kind regards loredana Il giorno mer 16 feb 2022 alle ore 15:30 Viktor Dukhovni < openssl-us...@dukhovni.org> ha scritto: > On Wed, Feb 16, 2022 at 11:16:03AM +0100, mary mary wrote: >

Re: Fwd: Trying to generate a RSA private key

On Wed, Feb 16, 2022 at 11:16:03AM +0100, mary mary wrote: > But now the issue would become different, and I'll try to share it > possibly even if the subject changes, in case i could get advice. I > needed the private key for adding it in wireshark for decoding some > encrypted messages exchange

Re: Fwd: Trying to generate a RSA private key

Hello Mark, Thank you so much for your input. Indeed there is not an entry for the private key, and that let me understand why i could not extract it. But now the issue would become different, and I'll try to share it possibly even if the subject changes, in case i could get advice. I needed the p

Re: Fwd: Trying to generate a RSA private key

Use keytool -list -v to ensure that the original store actually contains a private key If there is no entry of Entry type: PrivateKeyEntry then the store has no private key Mark Hack On Tue, 2022-02-15 at 18:30 +0100, mary mary wrote:Hello community, > A beginner here. > > I would need to extr

Fwd: Trying to generate a RSA private key

Hello community, A beginner here. I would need to extract a private key, PEM or RSA format, from a keystore file ("server.keystore") which I have. I've executed: keytool -importkeystore -srcstorepass 123456 -srckeystore server.keystore -deststorepass 123456 -destkeystore server.p12 -deststoretype

Fwd: Utility of self-signed certs - Re: Questions about legacy apps/req.c code

Yeah, self-signed certs are absolutely useful - you just need to be very careful which ones you trust for what. Such certs are widely used to provide trust anchor information, typically of root CAs, but conceptually and pragmatically, as Jordan also stated below, they can make much sense even

Fwd: Utility of self-signed certs - Re: Questions about legacy apps/req.c code

Yeah, self-signed certs are absolutely useful - you just need to be very careful which ones you trust for what. Such certs are widely used to provide trust anchor information, typically of root CAs, but conceptually and pragmatically, as Jordan also stated below, they can make much sense even

Re: Fwd: Question about RSA key access mechanism

Hi there, Thank you very much for your email. As I was suspecting, I was making a mistake, after following the lead you provided (the function rsa_ossl_mod_exp in the file crypto/rsa/rsa_ossl.c) I started observing hits. I was basically making a mistake with the addresses to watch. Best regards,

Re: Fwd: Question about RSA key access mechanism

On 12/04/2021 09:57, Danis Ozdemir wrote: When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit which means this address hasn't been accessed. *I'm attaching the s_client output

Re: Fwd: Question about RSA key access mechanism

Hi all, Just to see if I can help prompt a response... :-) Danış is working with me to try see how hard it is to reproduce meltdown and snarf a private key. Problem-N of many in doing that is knowing where private key bits are used in OpenSSL - so far gdb seems to be showing no accesses to p,q

Fwd: Question about RSA key access mechanism

Hi all, I hope all is good. My name is Danis Ozdemir, I'm a PhD student in Trinity College (Ireland) and I'm studying computer security. I'm trying to reproduce the meltdown attack as an effort to dive deep into the known attack types with some specific scenarios and "trying to see whether Meltdow

Fwd: Nginx Server : fatal Error from Server

Nginx Team, Creating Nginx server in local setup. *Versions we use : * *nginx version:* nginx/1.18.0 (Ubuntu) *OpenSSL* 1.1.1f 31 Mar 2020 *OS Version * No LSB modules are available. Distributor ID:Ubuntu Description:Ubuntu 20.04.1 LTS Release: 20.04 Co

Fwd: Openssl - 1.1.1g disconnection and reconnection

Hi, I have been trying to implement TLS using OpenSSL libraries in C++. I was able to successfully connect to a TLS server. But our software requires it to disconnect and reconnect if i use the reconnect option . It doesn't reconnect well after the 2nd attempt . Is there any generalised code avai

Re: Fwd: Requesting to share OpenSSL commands to increase G Pramaeter length in DHE Cipher.

On Wed, Mar 03, 2021 at 04:14:17PM +0530, Vadivel P wrote: > Hi OpenSSL team, > > We are looking for the command line option or any other way to increase the > DHE G Parameter length to 256 bytes, by default it's 2 now, we need to > modify it as 256 byte on the server side for our testing either b

Re: Fwd: Requesting to share OpenSSL commands to increase G Pramaeter length in DHE Cipher.

On Wednesday, 3 March 2021 11:44:17 CET, Vadivel P wrote: Hi OpenSSL team, We are looking for the command line option or any other way to increase the DHE G Parameter length to 256 bytes, by default it's 2 now, we need to modify it as 256 byte on the server side for our testing either by command

Fwd: Requesting to share OpenSSL commands to increase G Pramaeter length in DHE Cipher.

Hi OpenSSL team, We are looking for the command line option or any other way to increase the DHE G Parameter length to 256 bytes, by default it's 2 now, we need to modify it as 256 byte on the server side for our testing either by command line or with any other option.we need it for our local serv

Re: Fwd: channel binding

On Mon, Jan 11, 2021 at 10:31:01PM +, Jeremy Harris wrote: > On 11/01/2021 22:07, Benjamin Kaduk wrote: > > > Looking at the implementation, SSL_export_keying_material() only > > > functions for TLS 1.3 . This is not documented. Is this a bug? > > Are you looking at SSL_export_keying_material

Re: Fwd: channel binding

On 11/01/2021 22:07, Benjamin Kaduk wrote: Looking at the implementation, SSL_export_keying_material() only functions for TLS 1.3 . This is not documented. Is this a bug? Are you looking at SSL_export_keying_material() or SSL_export_keying_material_early()? Doh. I was looking at the wrong

Re: Fwd: channel binding

On Mon, Jan 11, 2021 at 09:26:30PM +, Jeremy Harris wrote: > On 11/01/2021 08:20, Benjamin Kaduk wrote: > > Current recommendations are not to use the finished message as the channel > > binding but instead to define key exporter label for the given usage > > (see > > https://urldefense.com/v3

Re: Fwd: channel binding

On 11/01/2021 08:20, Benjamin Kaduk wrote: Current recommendations are not to use the finished message as the channel binding but instead to define key exporter label for the given usage (see https://tools.ietf.org/html/rfc8446#section-7.5), using SSL_export_keying_material(). Follow-on questi

Re: Fwd: channel binding

On 11/01/2021 08:20, Benjamin Kaduk wrote: What is the status of SSL_get_finidhed() / SSL_get_peer_finished() ? I do not find them documented at https://urldefense.com/v3/__https://www.openssl.org/docs/manmaster/man3/__;!!GjvTz_vk!FUYwEktTkE4ZmFeJKSFeBQe32kr0I0dcFxh_MkPMjns_JZ71rpQTYGbTm08g6

Re: Fwd: channel binding

On Sun, Jan 10, 2021 at 02:44:38PM +, Jeremy Harris wrote: > Hi, > > What is the status of SSL_get_finidhed() / SSL_get_peer_finished() ? > > I do not find them documented at > > https://urldefense.com/v3/__https://www.openssl.org/docs/manmaster/man3/__;!!GjvTz_vk!FUYwEktTkE4ZmFeJKSFeBQe32

Fwd: channel binding

Hi, What is the status of SSL_get_finidhed() / SSL_get_peer_finished() ? I do not find them documented at https://www.openssl.org/docs/manmaster/man3/ but they are exported by the library and seem to be required, for application channel-binding. -- Cheers, Jeremy

Fwd: Forthcoming OpenSSL Release

FYI Forwarded Message Subject: Forthcoming OpenSSL Release Date: Tue, 1 Dec 2020 04:15:51 -0600 From: Paul Nelson Reply-To: openssl-users@openssl.org To: openssl-annou...@openssl.org The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1

Fwd: Re: openssl s_client connection fails

Hi All, Sorry, send to missing. Patrice. Message transféré Sujet : Re: openssl s_client connection fails Date : Wed, 18 Nov 2020 14:46:45 + De :Matt Caswell Pour : Patrice Guérin On 18/11/2020 14:33, Patrice Guérin wrote: Hello Matt, Thank you for you

Fwd: Re: openssl s_client connection fails

Hi All, Sorry, send to missing. Patrice. Message transféré Sujet : Re: openssl s_client connection fails Date : Wed, 18 Nov 2020 11:40:33 + De :Matt Caswell Pour : openssl-users@openssl.org On 18/11/2020 11:24, Patrice Guérin wrote: 3072988928:error:1409

Re: Fwd: openssl support for PQUIC

On 23/07/2020 08:21, Samath Lokuge wrote: > Hello, > I am trying to install PQUIC set up for some testing. > https://pquic.org/  > > it says I need  "openssl-dev" but I could not find that package. > So I installed "openssl-1.1.1g" instead but it does not work. > I have 2 questions . > 1 .Where

Fwd: openssl support for PQUIC

Hello, I am trying to install PQUIC set up for some testing. https://pquic.org/ it says I need "openssl-dev" but I could not find that package. So I installed "openssl-1.1.1g" instead but it does not work. I have 2 questions . 1 .Where I can find "openssl-dev" package for Ubuntu ? 2. Does "open

Fwd: Disabling SSL Issue Date Validation

I am trying to disable Server's Certificate Issue Date Validation in libcurl. For that, I have registered a own_verify_callback function by calling SSL_CTX_set_verify in sslContextVerify callback (set via curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslContextVerify)). The "own_verify_callback

Re: Fwd: ASN1_generate_nconf - incorrect integer encoding?

On 01/10/2019 16:30, Rafał Arciszewski wrote: > Hi all, > I am trying to use OpenSSL libraries (libssl-dev 1.0.2 or 1.1.1)  to encode > integers into DER format.I am using ASN1_generate_nconf but it seems that this > function incorrectly encodes integers. It should encode in two's complement > f

Fwd: ASN1_generate_nconf - incorrect integer encoding?

Hi all, I am trying to use OpenSSL libraries (libssl-dev 1.0.2 or 1.1.1) to encode integers into DER format.I am using ASN1_generate_nconf but it seems that this function incorrectly encodes integers. It should encode in two's complement format and should prepend 0x00 byte if the first byte of enc

Fwd: static link segmentation fault

* Hi:* *I static compile opensslv1.1.1 on Ubuntu18.04 as follow :* $./config no-shared *and then:* $make $make install *after that, I write a test.c like this:* #include #include #include #include #include #include #include #include #include #include #include int generate_key(int

Fwd: RE: OpenSSL 1.1.1b tests fail on Solaris - solution and possible fix

And now, to openssl-users. Oops... Originalmeddelande Från: Richard Levitte Skickat: 16 maj 2019 08:34:06 GMT-07:00 Till: John Unsworth Ämne: RE: OpenSSL 1.1.1b tests fail on Solaris - solution and possible fix The actual problem is the call of DEFINE macros in safestack.h.

[openssl-users] Fwd: Can't build openssl with VS2005 on Windows

Hi team, Please help about my case ! I want build openssl version 1.1.1a witch VS2005 on windows 7 I installed ActivePerl-5.24.3.2404-MSWin32-x64-404865.exe, nasm-2.14.03rc2-installer-x86 and download source nasm-2.14.03rc2-installer-x86. I run cmd with permission Admin and added localtion of Activ

[openssl-users] Fwd: SSL_free Segmentation Fault

Hi, I am using openssl for ARM based target and I have cross compiled OpenSSLv1.0.2l from sources with FIPS. I have implemented the DTLSv1.2 based Server using OpenSSL APIs and able to run it on my target. Issue I am facing is when there is network failure I try to clean up the current DTLS sessi

Re: [openssl-users] Fwd: Openssl api for signature verification using digest

All on my phone Pada 29 Aug 2018, at 17:53, Linta Maria menulis: > Hi Viktor, > > As you suggested, signature wasn't correct. > With below input also it's not working. > > Pubkey is read to evp_PKEY format > > EVP_PKEY * vkey; > char PubKey [] ="-BEGIN PUBLIC KEY-""\n" >

Re: [openssl-users] Fwd: Openssl api for signature verification using digest

> On Aug 29, 2018, at 5:53 AM, Linta Maria wrote: > > As you suggested, signature wasn't correct. > With below input also it's not working. Once again, the code is working correct, the key below did not produce the posted signature. Please use "openssl rsautl" as shown in my previous message

[openssl-users] Fwd: Openssl api for signature verification using digest

Hi Viktor, As you suggested, signature wasn't correct. With below input also it's not working. Pubkey is read to evp_PKEY format EVP_PKEY * vkey; char PubKey [] ="-BEGIN PUBLIC KEY-""\n" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxEZo8DRHBFBN0w1YYw3w" "\n" "C/C/IxCH3WSDCBTZgPux+/Cm

Re: [openssl-users] Fwd: Re: command passwd

Thank you Thomas. Thomas J. Hruska schrieb am So., 22. Juli 2018, 16:08: > On 7/21/2018 1:49 PM, Carl-Valentin Schmitt wrote: > > Are you Captain Kidd? > > Kidding the rest of your Staff? > > > > After your break you can write a howto, or I am finish when all goes > well. > > > > Salz, Rich sch

Re: [openssl-users] Fwd: Re: command passwd

; *From: *SchmiTTT > *Date: *Friday, July 20, 2018 at 11:36 PM > *To: *Rich Salz , openssl-users < > openssl-users@openssl.org> > *Subject: *Re: [openssl-users] Fwd: Re: command passwd > > > > > > Is this correct? > > This concerns ANSI C Crypto Library ? &g

Re: [openssl-users] Fwd: Re: command passwd

Is this correct? This concerns ANSI C Crypto Library ? I would have to edit libcrypt, when I want to change some sizes for libcrypto.a and for libcrypto.so ? Then compile it and merge it into Linux installation ? Am 20.07.2018 um 02:53 schrieb Salz, Rich: libcrypto.a and libcrypto.s

Re: [openssl-users] Fwd: Re: command passwd

>libcrypto.a and libcrypto.so are files which are built by linux-compiler? but somewhere has to be the source code for them ? The files in the crypto directory are compiled to build the libraries. I think you will find some intro material on building C software useful. This is pr

Re: [openssl-users] Fwd: Re: command passwd

This is tricky to dig for the source code. I guess I would need the source code for libcrypto.a and for libcrypto.so, but so they are not part of openssl-package ... libcrypto.a and libcrypto.so are files which are built by linux-compiler? but somewhere has to be the source code for them ? A

Re: [openssl-users] Fwd: Re: command passwd

>where is file "libcrypto" ? In which directory of OpenSSL-1.1.1pre8 ? It is not distributed. It is a library built as part of the compile process. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Fwd: Re: command passwd

Hello Wim and Rich, where is file "libcrypto" ? In which directory of OpenSSL-1.1.1pre8 ? thx. Greetz. Val. Am Di, 17. Jul, 2018 um 5:49 P. M. schrieb SchmiTTT : Hello Wim, I did not mean "OpenSSL passwd" - I meant the normal passwd command in bash. Up to recent time this passwd com

Re: [openssl-users] Fwd: basic constraints check

1.0.2j On Fri, Jun 1, 2018, 3:52 AM Viktor Dukhovni wrote: > > > > On May 31, 2018, at 6:08 PM, Sandeep Deshpande > wrote: > > > > Hi Rich.. Thanks.. > > We want to add a check in our openssl library on client side to reject > such server certificate which are generated by the intermediate CA w

Re: [openssl-users] Fwd: basic constraints check

> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote: > > We want to add a check in our openssl library on client side to reject such > server certificate which are generated by the intermediate CA with missing > extensions like basic constraints.. > How do we go about it? > > I looked at

Re: [openssl-users] Fwd: basic constraints check

I don’t recall the details of 1.0.2, sorry. Maybe someone else on this list knows the best place to insert your checks. From: Sandeep Deshpande Date: Thursday, May 31, 2018 at 6:08 PM To: Rich Salz , openssl-users Subject: Re: [openssl-users] Fwd: basic constraints check Hi Rich.. Thanks

Re: [openssl-users] Fwd: basic constraints check

> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote: > > Hi Rich.. Thanks.. > We want to add a check in our openssl library on client side to reject such > server certificate which are generated by the intermediate CA with missing > extensions like basic constraints.. > How do we go about

Re: [openssl-users] Fwd: basic constraints check

Hi Rich.. Thanks.. We want to add a check in our openssl library on client side to reject such server certificate which are generated by the intermediate CA with missing extensions like basic constraints.. How do we go about it? I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca

Re: [openssl-users] Fwd: basic constraints check

* We generated intermediate02 such that it has "basicConstraints" extension and "keyUsage" missing. Now we used this intermediate 02 CA to sign server certificate. If those extensions, which are *optional,* are not present, then there is no limit on how the keys may be used, or how long the

[openssl-users] Fwd: basic constraints check

Hi , We are using openssl 1.0.2j and have 3 level certificates like this. root CA --> intermediate 01 CA-->intermediate02 CA -->Server certificate. We generated intermediate02 such that it has "basicConstraints" extension and "keyUsage" missing. Now we used this intermediate 02 CA to sign server

[openssl-users] Fwd: DTLS over UDP

Hi Michael, Please ignore the previous mail. By mistankely it got sent. I have provided my comments below. Thanks in advance. Regards, Nivedita On Wed, Feb 14, 2018 at 10:22 AM, Nivedita wrote: > Hi Michael, > > Thanks for the reply. > > I have mentioned the answers below. > > > On Wed

[openssl-users] Fwd: Simplifying the security policy

At our face to face we took a look at the security policy and noticed that it contained a lot of background details of why we decided on the policy that we did (in light mostly of the issues back in 2014) as well as a bit of repeated and redundant information. We've taken some time to simplify it,

Re: [openssl-users] Fwd: Information to detach a BIO from fd

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Michael Richardson > Sent: Saturday, January 13, 2018 16:34 > > > On 12-Jan-2018, at 6:45 PM, Michael Wojcik > > wrote: > >> Don't create the BIO immediately. Use getpeername on the socket > >> descript

Re: [openssl-users] Fwd: Information to detach a BIO from fd

Priscilla Hero wrote: > Hi Michael, Without doing ssl_accept on the ssl will getpeername work? ssl_accept() processes the packets on the socket. getpeername() on a (Unix) socket will always work. However, getpeername() on a UDP socket won't produce anything unless the socket was connect(2)'

Re: [openssl-users] Fwd: Information to detach a BIO from fd

J Decker wrote: > I'm not 100% sure what you're doing I'd imagine that if SSL was > managing the fd's you wouldn't have this issue. You hvae to call > accept() to get a new FD... and you'll only get that once, so when you > accept() you should attach the bio and call ssl_accept()

Re: [openssl-users] Fwd: Information to detach a BIO from fd

I'm not 100% sure what you're doing I'd imagine that if SSL was managing the fd's you wouldn't have this issue. You hvae to call accept() to get a new FD... and you'll only get that once, so when you accept() you should attach the bio and call ssl_accept(), no? On Fri, Jan 12, 2018 at 5:52 PM, Pri

Re: [openssl-users] Fwd: Information to detach a BIO from fd

Hi Michael, Without doing ssl_accept on the ssl will getpeername work? Also using the existing ssl with ssl_accept for the first connection we don’t get the information of second peer. Thus we ended up creating new bio/ssl each time we get a request. Any suggestions? Thanks, Grace On 12-Jan

Re: [openssl-users] Fwd: Information to detach a BIO from fd

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Grace Priscilla Jero > Sent: Friday, January 12, 2018 07:04 > Whenever a connect is initiated from any client we need to know if it is > already connected client or a new client. > We are doing this by  > • creatin

[openssl-users] Fwd: Information to detach a BIO from fd

Hi All, Below is our scenario on DTLS. We have multiple connections to the same server. We have mapped one fd to the ssl in the server to receive all connections. Whenever a connect is initiated from any client we need to know if it is already connected client or a new client. We are doing this

[openssl-users] Fwd: Padding for RSA signatures

Hi all, I am playing around with RSA signatures with different padding options and I have some questions. I am trying to define different padding options and so am defining and using a EVP_PKEY_CTX . However I am not sure if this padding is getting used in the signature since my Verify outputs O

[openssl-users] Fwd: Create a signed file from detached signature and clear file content

Hi, assuming I have the following: - data.txt - data.p7s (the detached signature) Can I generate the bundled (p7m) signed file ? I tried: content = BIO_new_file("data.txt", "rb"); signature = BIO_new_file("data.p7s", "rb"); p7 = d2i_PKCS7_bio(signature, NULL); PKCS7_set_detached(p7, 0); bundled

[openssl-users] Fwd: Build OpenSSL for Intel Xeon Phi

Hi, please, post my question. -- С уважением, Александр Дорошенко Тел.: моб. +7(951)3326360 --- Begin Message --- Hi, I try build OpenSSl for Intel Xeon Phi coprocessor. So far as I understand this problem reduced to building O

Re: [openssl-users] Fwd: SSL_get_certificate()

> On Nov 4, 2017, at 8:12 PM, Jeremy Harris wrote: > >>> After SSL_accept(), call SSL_get_certificate() to see what >>> cert was presented. >> >> The negotiated certificate is only populated in the server SSL >> handle when you've registered a TLS status callback. See >> >> SSL_CTX_set_tls

Re: [openssl-users] Fwd: SSL_get_certificate()

> On Nov 4, 2017, at 7:11 PM, Jeremy Harris wrote: > > 1.0.2k fips. I hope you're not enabling, or at least not voluntarily enabling FIPS mode, but that's off-topic... > Server, having loaded two certs (one rsa, one ecdsa) using > SSL_CTX_use_certificate_chain_file(). > > After SSL_accept(),

[openssl-users] Fwd: SSL_get_certificate()

1.0.2k fips. Server, having loaded two certs (one rsa, one ecdsa) using SSL_CTX_use_certificate_chain_file(). After SSL_accept(), call SSL_get_certificate() to see what cert was presented. The actual on-the-wire does what I'm expecting - the presented server cert varies according to the server c

[openssl-users] Fwd: [openssl-dev] QUIC

FYI: Matt Caswell realized how critical TLSv1.3 (and subsequently OpenSSL) is to QUIC. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." Begin forwarded message: From: Benjamin Kaduk via openssl-dev mailto:openssl-...@op

Re: [openssl-users] Fwd: Error in Opening SSL Certificate

On Thu, Aug 10, 2017 at 06:27:41PM +0530, Amiya Das wrote: > I have written an application for connecting to AzureIOT hub using AMQP > protocol. > When i run the application it fails because of SSL issue stating *14090086:SSL > routines:ssl3_get_server_certificate:certificate verify failed.* This

[openssl-users] Fwd: Error in Opening SSL Certificate

Hi, I have written an application for connecting to AzureIOT hub using AMQP protocol. When i run the application it fails because of SSL issue stating *14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.* Any help would be appreciate.. Below are the details for the OS Yoc

Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

> May be my email subject is a little confusing. I'll put my question directly. > > If I configure my server with the string "HIGH+TLSv1.2:!MD5:!SHA1", will it > support 3DES? No, as I showed. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

May be my email subject is a little confusing. I'll put my question directly. If I configure my server with the string "HIGH+TLSv1.2:!MD5:!SHA1", will it support 3DES? On Wed, Aug 9, 2017 at 11:45 PM, Viktor Dukhovni wrote: > On Wed, Aug 09, 2017 at 04:07:30PM +, Salz, Rich via openssl-users

Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

On Wed, Aug 09, 2017 at 04:07:30PM +, Salz, Rich via openssl-users wrote: > > From [this][1] link I can see that TLS1.2 does not have 3DES in their > > available > > cipher list. So I guess it does not support? > > Right: > > ; ./apps/openssl ciphers -v HIGH+TLSv1.2:!MD5:!SHA1 | grep DES >

Re: [openssl-users] Fwd: Does TLSv1.2 support 3DES

> From [this][1] link I can see that TLS1.2 does not have 3DES in their > available > cipher list. So I guess it does not support? Right: ; ./apps/openssl ciphers -v HIGH+TLSv1.2:!MD5:!SHA1 | grep DES ; ./apps/openssl ciphers -v TLSv1.2:!MD5:!SHA1 | grep DES ; ./apps/openssl ciphers -v TLSv1.2 |

[openssl-users] Fwd: Does TLSv1.2 support 3DES

Hi, I wanted to know if I configure my openssl server to explicitly use TLSv1.2, the do I have to also mention not to use 3DES (by adding "!3DES" to the string), or the expicit use of TLSv1.2 remove the support of 3DES. >From [this][1] link I can see that TLS1.2 does not have 3DES in their availa

Re: [openssl-users] Fwd: CAVP fips_rsastest.c not producing the correct signature?

On Fri, Jul 28, 2017 at 12:15 AM, Swetha Hariharan wrote: > > > I am trying test the rsa 186-2 openssl fips module 2.0.16 implementation > using the NIST Testvectors. Using the fips_rsastest.c file the > FIPS_rsa_x931_generate_key_ex(rsa, keylen, bn_e, NULL) function called to > generate the modu

[openssl-users] Fwd: CAVP fips_rsastest.c not producing the correct signature?

I am trying test the rsa 186-2 openssl fips module 2.0.16 implementation using the NIST Testvectors. Using the fips_rsastest.c file the FIPS_rsa_x931_generate_key_ex(rsa, keylen, bn_e, NULL) function called to generate the modulus n as the output and taking modulus size as the input i,e [mod=1024]

[openssl-users] Fwd: PSK generation for TLS 1.3

I have a query regarding the TLS 1.3 handshake message exchange. Please provide your comments. With TLS 1.3, I see that Application Data Protocol message is sent from the server side and client side (using wireshark) during the handshake. I am only performing handshake and not doing any read writ

Re: [openssl-users] Fwd: Makefile.org in openSSL 1.1.0d

With 1.1.0 and on, the build system is of the "configure first" model, unconditionally. You will get a working Makefile as a result, and will find more information in README and INSTALL. Cheers, Richard In message on Tue, 14 Feb 2017 12:21:05 +0530, murugesh pitchaiah said: murugesh.pitchai

Re: [openssl-users] Fwd: Makefile.org in openSSL 1.1.0d

> Can you please share if any thread, details on new build system, how to use > that? Look at the README file. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Fwd: Makefile.org in openSSL 1.1.0d

Thank you Rich. I was using 1.0.2.h earlier. It was using Makefile.org and then Configure script was run to generate the Makefile. The template available in Makefile.org was used to prepare the Makefile. Can you please share if any thread, details on new build system, how to use that? Thanks, Mu

Re: [openssl-users] Fwd: Makefile.org in openSSL 1.1.0d

> Can someone explain why 'Makefile.org' is removed now and how to tackle it > ? The whole build system changed; there is no Makefile.org any more. What were you trying to do? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Fwd: Makefile.org in openSSL 1.1.0d

Team, I downloaded the openSSL 1.1.0d now and was trying to use that. Previously I was using openSSL 1.0.2.h. I do not see the 'Makefile.org' in the new 1.1.0d. In my application I was using this file. Now as it is not present in 1.1.0d, could not complete the upgrade. Can someone explain why 'M

[openssl-users] Fwd: [openssl-announce] Forthcoming OpenSSL releases

In case anyone on these lists missed this on the openssl-announce list: Forwarded Message Subject: [openssl-announce] Forthcoming OpenSSL releases Date: Mon, 23 Jan 2017 21:08:50 + (GMT) From: OpenSSL Reply-To: openssl-users@openssl.org To: openssl-annou...@openssl.org For

[openssl-users] Fwd: CMS_NOATTR and CMS_SignerInfo_sign

Hello, I have been unable to prevent CMS_SignerInfo_sign() to add a signing time attribute even though I used CMS_NOATTR. I think the issue is here: if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) { if (!cms_add1_signingTime(si, NULL)) goto err; } This is around line 648 of cr

[openssl-users] Fwd: downgrade openssl

Yes you are right, it is under develop version. thanks :) -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Fwd: Re: Duplicating const X509_NAME

Dear OpenSSL developer team, following up on the discussion quoted below on the openssl-users ML I would like to ask your opinions on adding a OCSP_resp_get1_id() function: int OCSP_resp_get1_id(const OCSP_BASICRESP *bs, ASN1_OCTET_STRING **pid, X509_NA

[openssl-users] Fwd: osf-contact SignatureValue

-- Forwarded message -- From: Salz, Rich Date: Thu, Oct 27, 2016 at 10:27 PM Subject: RE: osf-contact SignatureValue To: "Hugo N.Barretto" , "i...@opensslfoundation.org" Probably more useful to ask your questions on the openssl-users mailing list; see https://mta.openssl.org

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

On Sun, Jun 19, 2016 at 10:10 AM, Blumenthal, Uri - 0553 - MITLL wrote: > I'm also speaking out of turn, but having both ends trying to be both server > and client *on the same connection* just does not make sense, TLS or DTLS. > Yeah, I was having trouble envisioning the use case. But I did not

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

ne 19, 2016 09:59 To: OpenSSL Users Reply To: noloa...@gmail.com Subject: Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q On Sun, Jun 19, 2016 at 9:47 AM, Test ssl wrote: > Hi Matt, > > This is a DTLSv1.0 connection, so the hosts on both sides w

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

On 19/06/16 14:47, Test ssl wrote: > Hi Matt, > > This is a DTLSv1.0 connection, so the hosts on both sides will connect > to each other acting as both TLS client and TLS server. That makes no sense at all - it isn't the way DTLS works. DTLS has a single client role and a single server role in

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

On Sun, Jun 19, 2016 at 9:47 AM, Test ssl wrote: > Hi Matt, > > This is a DTLSv1.0 connection, so the hosts on both sides will connect to > each other acting as both TLS client and TLS server. > > We think the dtls failure is due to cipher suites. But we are not able to > understand why it works f

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

Hi Matt, This is a DTLSv1.0 connection, so the hosts on both sides will connect to each other acting as both TLS client and TLS server. We think the dtls failure is due to cipher suites. But we are not able to understand why it works for 1.0.1m with same certificate. Please help us. Regards, O

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

On 17/06/16 17:29, Test ssl wrote: > Hi Matt, > > With same application code and openssl1.0.1m we are not facing "Alert > (Handshake Failure)" but in case of 1.0.1q we are facing it. > > That is what we are not able to understand that what is the reason for > this "Alert (Handshake Failure)". >

Re: [openssl-users] Fwd: issue with dtls failure during openssl upgrade from 1.0.1m to q

Hi Matt, With same application code and openssl1.0.1m we are not facing "Alert (Handshake Failure)" but in case of 1.0.1q we are facing it. That is what we are not able to understand that what is the reason for this "Alert (Handshake Failure)". Please help us on this, which part of functionality

  1   2   3   4   5   >