=C
> echo $LANG
C
export CC=/opt/aCC/bin/aCC
export CFLAGS="+DD64 -mt"
export CPPFLAGS="+DD64 -mt"
export LDFLAGS="-L/usr/lib/hpux64/"
export PATH=/usr/local/bin:/usr/contrib/imake/bin:$PATH
#./config --prefix=/opt/openssl/3.0.2 --openssldir=/opt/openssl/3.0.2 --shar
Hi,
I am using openssl engine with nginx.
openssl: OpenSSL_1_1_1f
If the engine does not include rsa, everything works well
If the engine registers rsa, even the empty
IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
bind_fn
ENGINE_set_destroy_function(e, destroy_fn);
ENGINE_set_RSA(e, RSA_meth_new("
> From: openssl-users On Behalf Of Gaurav
> Mittal11
> Sent: Wednesday, 20 April, 2022 06:52
> ...
> as: "crypto/aes/aes-ia64.s", catgets_failed 2: catgets_failed 1052:
> catgets_failed - IDENT
A web search isn't turning anything up, but you probably
Hi,
I am using HP-UX B.11.31 U server.
While compiling openssl 3.0.2, I am getting below error along with warnings,
any help would be appreciated.
Warning 67: "include/openssl/txt_db.h", line 12 # Invalid pragma name: 'once'
(ignored).
# pragma once
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.3 and 1.1.1o.
These releases will be made available on Tuesday 26th April 2022
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue
fixed in these releases is MODERATE
Hello,
I have a custom OpenSSL engine and it is working fine with pthread. I was
trying to use a third-party thread library
<https://github.com/stonebuddha/uthread> by linking this library with my
engine. However, upon linking and running the engine, I'm getting a
Segmentation fault. I
On 11/04/2022 16:53, Alon Bar-Lev wrote:
On Mon, Apr 11, 2022 at 11:52 AM Matt Caswell wrote:
On 10/04/2022 19:18, Alon Bar-Lev wrote:
Hello,
I am trying to migrate to openssl-3.0 API, it seems to be very
complicated to hook primitive private key usage to a custom function.
This is
On Mon, Apr 11, 2022 at 11:52 AM Matt Caswell wrote:
>
>
>
> On 10/04/2022 19:18, Alon Bar-Lev wrote:
> > Hello,
> >
> > I am trying to migrate to openssl-3.0 API, it seems to be very
> > complicated to hook primitive private key usage to a custom function.
On 10/04/2022 19:18, Alon Bar-Lev wrote:
Hello,
I am trying to migrate to openssl-3.0 API, it seems to be very
complicated to hook primitive private key usage to a custom function.
This is required, for example, to use private keys that reside on
hardware devices or when an application
Hello,
I am trying to migrate to openssl-3.0 API, it seems to be very
complicated to hook primitive private key usage to a custom function.
This is required, for example, to use private keys that reside on
hardware devices or when an application wishes to externalize private
key operations to
Any chance of running your server under valgrind or similar?
This should make the leaks more concrete.
Pauli
On 10/4/22 6:07 pm, Ram Chandra via openssl-users wrote:
Hi,
I have recently started developing using OpenSSL and I am
confused/unclear about below topic.
Request you to help me
Hi,
I have recently started developing using OpenSSL and I am confused/unclear
about below topic.
Request you to help me.
I am running a DTLS Server which handles more than 1000 connections. The problem
I am facing is every time I close connections and also connect again I see
there is some
* test suite works, with the only difference
> being that the failing suite uses the DH group 14, which is 2048bits,
> whereas the one that passes uses the group 1, which the Internet tells
> me is 768bits.
DH groups of 768bits are considered too weak.
I wonder if openssl
Hi,
I'm working on migrating the Ruby net-ssh package to OpenSSL 3.0 as part
of our larger transition in Ubuntu, but there's an issue that I can't
figure out.
This test suite fails several times with a failed call to
EVP_PKEY_derive_set_peer, without much more details:
https://git
and
certificate files.
Tomas Mraz
On Fri, 2022-04-01 at 18:14 +, vchiliquinga--- via openssl-users
wrote:
> Hello,
>
> Connection between an Openssl 3.0.2 server and a 1.1.1g client is
> proving to be unsuccessful.
>
> According to the logs collected we seem to be having a
Hello,
Seems our email system scrubbed the response to my question because it was a
link.
Could I ask the response be sent to the following email instead,
chiliquing...@outlook.com
Thanks!
Message: 3
Date: Fri, 1 Apr 2022 18:14:38 +
From:
To:
Cc:
Subject: OpenSSL 3.0.2 PKCS12_parse
> From: Michael Richardson
> Sent: Friday, 1 April, 2022 07:40
>
> Michael Wojcik wrote:
> > Actually, in the context of #if expressions, unrecognized tokens
> expand to 0 anyway:
>
> > After all replacements due to macro expansion and the defined unary
> > operator have been perfor
Hello,
Connection between an Openssl 3.0.2 server and a 1.1.1g client is proving to be
unsuccessful.
According to the logs collected we seem to be having an issue with the loading
of the legacy providers.
We are loading both the default and legacy providers programmatically as per
the steps
Michael Wojcik wrote:
> Actually, in the context of #if expressions, unrecognized tokens expand
to 0 anyway:
> After all replacements due to macro expansion and the defined unary
> operator have been performed, all remaining identifiers are replaced
> with the pp-number 0...
> From: Michael Richardson
> Sent: Thursday, 31 March, 2022 14:18
>
> Michael Wojcik wrote:
> > #if defined OPENSSL_SYS_WINDOWS
> > # include
> > #else
> > # include
> > #endif
>
> But, don't all the OPENSSL_* macros expand to 0/1, anyway, so we actually
> just want #if OP
> From: openssl-users On Behalf Of
> Michael Richardson
> Sent: Thursday, 31 March, 2022 14:19
>
> The clang-9 test fails with:
>
> # ERROR: @ test/bio_dgram_test_helpers.c:150
> # failed to v6 bind s
The clang-9 test fails with:
# ERROR: @ test/bio_dgram_test_helpers.c:150
# failed to v6 bind socket: Permission denied
#
#
# OPENSSL_TEST_RAND_ORDER=1648577511
not ok 2 - iteration 1
https://github.com/mcr/openssl/runs/5741887864
Michael Wojcik wrote:
> #if defined OPENSSL_SYS_WINDOWS
> # include
> #else
> # include
> #endif
But, don't all the OPENSSL_* macros expand to 0/1, anyway, so we actually
just want #if OPENSSL_SYS_WINDOWS?
> (Note C does not require the argument of the operator "defined
Hi Todd,
Thanks for the information.
I've looked at compiling. I'm assuming this is the file you're referring to?
/usr/local/src/openssl-1.1.1m/configdata.pm
What am I looking for in that file? There is no mention of malloc?
Do I alter this file before running
make clean
mak
Hi All,
Experienced an issue with Kamailio which presented with the below error
tls_pre_init(): Unable to set the memory allocation functions
I have two servers CentOS8 and RHEL8. CentOS8 runs as expected, RHEL8 shows
the errors
This forum suggested this was related to an OpenSSL
> From: openssl-users On Behalf Of Matt
> Caswell
> Sent: Tuesday, 22 March, 2022 10:31
>
> There is already code in bss_dgram.c that is conditionally compiled on
> OPENSSL_USE_IPV6. Is it reasonable to assume that if AF_INET6 is defined
> then ip6.h exists?
I meant to l
Matt Caswell wrote:
> There is already code in bss_dgram.c that is conditionally compiled on
> OPENSSL_USE_IPV6. Is it reasonable to assume that if AF_INET6 is
> defined then ip6.h exists?
I think so, so I changed that code, and also made it consistently use
OPENSSL_USE_IPV6, rather
Hi team,
I am using the openssl-1.0.2u.tar.gz and downloading from below link
https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
And I am observing that the *test script* is missing in
*"openssl-1.0.2u/crypto/des/t/"* location from openssl-1.0.2e.tar.gz onward.
Is there an
Got it, thank you Matt.
On Mon, Mar 28, 2022 at 6:29 PM Matt Caswell wrote:
>
>
> On 28/03/2022 13:11, Brahmaji K wrote:
> > Hi Team,
> >
> > I'm trying to store the invalid EC certificate as a negative test for my
> > application. My application calls the X509_STORE_load_locations() to
> > load
On 28/03/2022 13:11, Brahmaji K wrote:
Hi Team,
I'm trying to store the invalid EC certificate as a negative test for my
application. My application calls the X509_STORE_load_locations() to
load the certificate from a specific path. For invalid EC certificate it
is expected to FAIL but it
Hi Team,
I'm trying to store the invalid EC certificate as a negative test for my
application. My application calls the X509_STORE_load_locations() to load
the certificate from a specific path. For invalid EC certificate it is
expected to FAIL but it is returning the SUCCESS.
I have done some deb
This will be very interesting and risky for server, will try it.
Thank you for information.
Regards,
Gaurav Mittal
-Original Message-
From: Tomas Mraz
Sent: 25 March 2022 03:30 PM
To: Gaurav Mittal11 ; openssl-users@openssl.org
Subject: [EXTERNAL] Re: Openssl 0.9.8 to 1.0.2u - HP-UX
was a deliberate day 1 design decision.
Matt
-Original Message-
*From*: Matt Caswell <m...@openssl.org>
*To*: openssl-users@openssl.org
*Subject*: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
*Date*: F
<m...@openssl.org>
To: openssl-users@openssl.org
Subject: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
Date: Fri, 25 Mar 2022 20:22:02 +
On 25/03/2022 18:33, Paul Spencer wrote:
Q: Is it possible to have a static (.a) OpenSSL 3 libra
On 25/03/2022 18:33, Paul Spencer wrote:
Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and
special linking in the Makefile). However, with SSL3, if I go
Configure no-module enable-fips
then it
Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and special
linking in the Makefile). However, with SSL3, if I go
Configure no-module enable-fips
then it silently disables FIPS. Is there any way to do
we need new certs and
> private keys.
> Please help on same or share any documentation on it.
>
> Note – 3.0.2 openssl version gives lot of compilation error, this
> 1.0.2u openssl version I have got from HP-UX website.
> http://hpux.connect.org.uk/hppd/hpux/Development/Li
- 3.0.2 openssl version gives lot of compilation error, this 1.0.2u
openssl version I have got from HP-UX website.
http://hpux.connect.org.uk/hppd/hpux/Development/Libraries/openssl-1.0.2u/
Server details -
HP-UX hvdnd73a B.11.31 U ia64 1869095592 unlimited-user license
dr-xr-xr-x 2 binbin
On Thu, 2022-03-24 at 22:19 -0600, Philip Prindeville wrote:
> Hi,
>
> I'm incrementally trying to port asterisk to Openssl 3.0.
>
> First thing I'm trying to do is wean the code off of the RSA_*
> functions, and use generic EVP_PKEY_* functions instead.
>
> Mo
Hi,
I'm incrementally trying to port asterisk to Openssl 3.0.
First thing I'm trying to do is wean the code off of the RSA_* functions, and
use generic EVP_PKEY_* functions instead.
Most of it is fairly straightforward (it seems), but I've been looking for
examples of reading
> 3542 is only Informational, but I'd expect most or all platforms with
> IPv6 support to conform to it.
The issue isn't whether we can expect it to be standard.
The issue is what we can use as a signal that the header exists.
To date, I don't think that openssl has had
Matt Caswell wrote:
>> Matt Caswell wrote: > Nit; We insert an
>> extra space when enclosed within a "#if", i.e.
>>
>> I assume that this applies recursively?
> Yes.
>> I think that in some cases the indent could be quite deep.
> It hasn't been a major issue so far
or all platforms with
> IPv6 support to conform to it.
The issue isn't whether we can expect it to be standard.
The issue is what we can use as a signal that the header exists.
To date, I don't think that openssl has had to know if IPv6 existed or not on
a particular platform.
> From: openssl-users On Behalf Of Matt
> Caswell
> Sent: Monday, 21 March, 2022 05:33
>
> Given that OpenSSL already supports IPv6 but we've never needed to
> include [netinet/ip6.h], I am wondering what is in that header that needs to
> be used?
netinet/ip6.h is for
On 19/03/2022 13:28, Michael Richardson wrote:
I'm working on dealing with Matt's detailed review.
This issue seems bigger than the github issue.
https://github.com/openssl/openssl/pull/5257
about: #include
matt> This remains an issue. It's unclear to me whether al
I'm working on dealing with Matt's detailed review.
This issue seems bigger than the github issue.
https://github.com/openssl/openssl/pull/5257
about: #include
matt> This remains an issue. It's unclear to me whether all of these headers
will
matt> be available on al
On Thu, Mar 17, 2022 at 07:51:43PM +0100, egoitz--- via openssl-users wrote:
> I think that is the problem, the sha1.
That's the specific issue being reported.
> So... I have built Openssl 3.0.2
There's no reason for OpenSSL 3.0.2, that might just tighten the
restrictions f
> From: openssl-users On Behalf Of
> egoitz--- via openssl-users
> Sent: Thursday, 17 March, 2022 12:52
> 1 - Is it possible to update a whole CA with 2048 bit public and private keys
> (I used in req section of openssl.conf, the default_bits to 2048) to a
> Signature
>
blem comes with the signature algorithm : "Signature
Algorithm: sha1WithRSAEncryption".
I think that is the problem, the sha1. So... I have built Openssl 3.0.2
and now was planning and thinking which could be the following steps. I
have seen that the own CA uses sha1WithRSAEncryption si
Good luck, the 2.0.16 FOM is nowhere near being 140-3 ready.
The Oracle version is much closer but still not quite there:
https://github.com/oracle/solaris-openssl-fips
Pauli
On 17/3/22 19:19, Dhananjay kumar wrote:
Hi All,
We are looking to go through FIPS 140-3 certification for one of
Hi All,
We are looking to go through FIPS 140-3 certification for one of our
products which still runs on openssl 1.0.2 (fips object module 2.0.16)
version due to some software dependencies.
In FIPS 140-3, we are asked to explicitly implement KATs (known answer
tests) for below algorithms since
Hi,
On 15/03/2022 at 23:49, Matt Caswell wrote:
Those 2 links should be ok now. A problem with our scripts to flush
the CDN cache.
https://www.openssl.org/news/openssl-1.1.1-notes.html is updated, thanks !
but https://www.openssl.org/news/changelog.html#openssl-111 still shows
OpenSSL
On your build machine, create a staging directory, for example:
mkdir /tmp/staging
Then run make install like this:
make DESTDIR=/tmp/staging install
Then copy the files in /tmp/staging to your other machine. Note that you will
have to copy the files relative to your --prefix and --openssldir d
Hi all,
I have the need for compiling version 3.0 source code which I have
downloaded and compiling on a Centos 7 system and I'm able to compile just
fine.
For using it, however, I need to install it on another Centos 7 machine
which does not have the compiler tools and required toolchain. So, I
On 15/03/2022 21:03, Michael Wojcik wrote:
From: openssl-users On Behalf Of Yann
Droneaud
Sent: Tuesday, 15 March, 2022 14:19
At the time of writing neither
https://www.openssl.org/news/openssl-1.1.1-notes.html nor
https://www.openssl.org/news/changelog.html#openssl-111 are updated to
match
Those 2 links should be ok now. A problem with our scripts to flush the
CDN cache.
Matt
On 15/03/2022 20:18, Yann Droneaud wrote:
Hi,
On 15/03/2022 at 17:34, Matt Caswell wrote:
OpenSSL version 1.1.1n released
===
OpenSSL - The Open Source toolkit
> From: openssl-users On Behalf Of Yann
> Droneaud
> Sent: Tuesday, 15 March, 2022 14:19
>
> At the time of writing neither
> https://www.openssl.org/news/openssl-1.1.1-notes.html nor
> https://www.openssl.org/news/changelog.html#openssl-111 are updated to
> match 1.1.1
Hi,
On 15/03/2022 at 17:34, Matt Caswell wrote:
OpenSSL version 1.1.1n released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1n of our
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [15 March 2022]
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1n released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1n of our open
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0.2 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.2 of our open source
On Mon, Mar 14, 2022 at 12:47:26PM -0700, Edward Tsang via openssl-users wrote:
> I guess I need to explicitly set X509_STORE_CTX_set_error(ctx,
> X509_V_OK) before return 1 in the example if I need caller
> SSL_get_verify_result to return X509_V_OK?
Yes, but I'd like to strongl
ed to explicitly set X509_STORE_CTX_set_error(ctx, X509_V_OK)
before return 1 in the example if I need caller SSL_get_verify_result to
return
X509_V_OK?
On Mon, Mar 14, 2022 at 12:38 PM wrote:
> [ External sender. Exercise caution. ]
>
> Send openssl-users mailing list submissions to
>
On Mon, Mar 14, 2022 at 11:25:51AM -0700, Edward Tsang via openssl-users wrote:
> https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
>
> I am trying to figure out how this example works but it does not seem to
> bypass the (use the secon
link:
https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
I am trying to figure out how this example works but it does not seem to
bypass the (use the second example of X509_V_ERR_CERT_HAS_EXPIRED)
However the caller code ll
long res = SSL_get_verify_result( sslCtx ); still
> bit unsigned integers, in network byte order, as required by SSH and
> > described in section 6.6 of RFC 4253 (dss_signature_blob)[1]. To do
> > this encoding I am calling BN_bn2bin() twice to write 'r' followed by
> > 's' at the appropriate locations i
) twice to write 'r' followed by
> 's' at the appropriate locations in a 40-byte buffer. By any chance,
> does OpenSSL 3.0 provide any support for encoding a DSA signature
> like this from a DSA_SIG (i.e. without having to extract 'r' and 's'
> fi
te order, as required by SSH and described
in section 6.6 of RFC 4253 (dss_signature_blob)[1]. To do this encoding I
am calling BN_bn2bin() twice to write 'r' followed by 's' at the
appropriate locations in a 40-byte buffer. By any chance, does OpenSSL 3.0
provide any support for en
On Fri, 2022-03-11 at 15:21 -0400, Richard Dymond wrote:
> Hi
>
> I recently migrated an application from OpenSSL 1.1.1 to OpenSSL 3.0,
> and I'm wondering how best to handle DSA signatures - specifically,
> the 'r' and 's' values - in OpenSSL 3.0.
On Fri, Mar 11, 2022 at 04:40:24PM -0800, Edward Tsang via openssl-users wrote:
> Does verify_ip support leftmost wildcard?
I am not aware of any RFC specifying wildcard matching in iPAddress
X.509 SANs, and no such feature is implemented in OpenSSL.
The SAN syntax is raw binary data
Hi
Does verify_ip support leftmost wildcard?
I know that hostname does for SAN and CN. But ip address seems to only
support exact match including the port?
Is that observation correct?
What does it take for verify_ip to support leftmost wildcard matching just
like DNS hostname?
Thanks
Hi
I recently migrated an application from OpenSSL 1.1.1 to OpenSSL 3.0, and
I'm wondering how best to handle DSA signatures - specifically, the 'r' and
's' values - in OpenSSL 3.0.
In OpenSSL 1.1.1, it was pretty easy:
DSA_do_sign() - gets you a DSA_SIG
DSA_SIG_get0()
> From: edr
> Sent: Friday, 11 March, 2022 03:59
>
> On 10.03.2022 20:27, Michael Wojcik wrote:
> > Personally, I'd be leery of using openssl ca for anything other than
> dev/test purposes, in which case frequent CRL generation seems unlikely to
> be a requirement.
On 10.03.2022 20:17, Michael Ströder via openssl-users wrote:
>
> Are you 100% sure all the software used by your relying participants is
> capable of handling the X509v3 extensions involved?
>
> In practice I saw software miserably fail validating such certs and CRLs. Or
>
> From: openssl-users On Behalf Of
> Michael Ströder via openssl-users
> Sent: Thursday, 10 March, 2022 12:17
>
> On 3/10/22 14:06, edr dr wrote:
> > At the same time, I do not want to store passwords used for
> > certificate creation in cleartext anywhere.
Person
that there is not something like an OpenSSL key agent
(similar to ssh-agent) for interactively loading the CA's private key
into memory during service start.
My current approach to achieve this is a separate CA only responsible for
revocation.
My understanding is that such a CA is called an
Dear all,
I am building a private PKI using the openssl "ca" functionality.
My setup includes a root CA that issues intermediate certificates and
intermediate CAs issuing endpoint certificates.
I would like to be able to automate the process of updating CRLs in order to be
able to ke
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL versions 3.0.2 and 1.1.1n.
These releases will be made available on Tuesday 15th March 2022
between 1300-1700 UTC.
These are security-fix releases. The highest severity issue
fixed in these releases is HIGH
The following wiki page might serve as a starting point:
https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
HTH,
Matthias
> -Original Message-
> From: openssl-users On Behalf Of Yan, Bob
> via openssl-users
> Sent: Tuesday, March 8, 2022 5:48 PM
> To: openssl-us
Hi All,
Is there any guideline for upgrading openssl version from 1.0.2 to 1.1.1?
Thanks
Bob
On Sun, Mar 06, 2022 at 02:39:55AM +, loic nicolas wrote:
> Hello,
>
> I can't figure out how OpenSSL connections work.
>
> I would like to use 2 bios (rbio, wbio) which will be shared for all my
> connections.
I'm not sure why you would want to do this. Why wo
Hello,
I can't figure out how OpenSSL connections work.
I would like to use 2 bios (rbio, wbio) which will be shared for all my
connections.
The problem is that I really don't understand the error messages.
I never get an SSL_ERROR_WANT_WRITE error code, I only get SSL_ERROR_WANT_
On Fri, Mar 04, 2022 at 02:31:01PM +, Short, Todd wrote:
> Apple uses LibreSSL, not OpenSSL, in their recent OSes:
>
> ~$ openssl version -a
> LibreSSL 2.8.3
> built on: date not available
> platform: information not available
> options: bn(64,64) rc4(16x,int) des(idx,
Apple uses LibreSSL, not OpenSSL, in their recent OSes:
~$ openssl version -a
LibreSSL 2.8.3
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/et
On Fri, Mar 04, 2022 at 11:04:00AM +, Matt Caswell wrote:
> OpenSSL 3.0 has recently been designated as a Long Term Support (LTS)
> release. This means that it will now be supported until 7th September
> 2026 (5 years after its initial release).
>
> Our previous LTS relea
OpenSSL 3.0 has recently been designated as a Long Term Support (LTS)
release. This means that it will now be supported until 7th September
2026 (5 years after its initial release).
Our previous LTS release (1.1.1) will continue to be supported until
11th September 2023.
We encourage all
Thank you very much for your quick and great replies, Pauli, Richard and Matt!!
> ./config --prefix=$HOME/local/openssl-3.0.1 no-shared no-module
With this options, it works perfectly!
Thanks again,
Shino
On Tue, 22 Feb 2022 at 17:46, Richard Levitte wrote:
>
> 'no-module' will d
3DES is in the default provider - only normal DES is in the legacy
provider. So you should not need to load the legacy provider for this to
work.
Matt
On 23/02/2022 06:20, pa...@openssl.org wrote:
Have you loaded the legacy provider before trying this?
Pauli
On 23/2/22 5:03 pm, Srinivas, S
Have you loaded the legacy provider before trying this?
Pauli
On 23/2/22 5:03 pm, Srinivas, Saketh (c) wrote:
Hi
I am trying to encrypt and decrypt using EVP_des_ede3_cbc() type. I am
using openssl3.0
_
_
the functions I am using are
encryption side:
EVP_EncryptIni
Hi
I am trying to encrypt and decrypt using EVP_des_ede3_cbc() type. I am using
openssl3.0
the functions I am using are
encryption side:
EVP_EncryptInit_ex -> EVP_EncryptUpdate -> EVP_EncryptFinal_ex
decryption side:
--
EVP_DecryptInit_ex -> EVP_
22/2/22 5:37 pm, Shunichi Shinohara wrote:
Hi List,
I have a question about OpenSSL 3.0 and static linking.
Short version: Is it possible to include the legacy provider in
libcrypt.a?
Somewhat long version below.
As a background of the question I'm using OpenSSL with Erlang/OTP [1]
on Linu
'no-module' will do what you want. I noticed, though, that the
documentation in INSTALL.md isn't entirely clear on what that does.
./config --prefix=$HOME/local/openssl-3.0.1 no-shared no-module
Cheers,
Richard
On Tue, 22 Feb 2022 07:37:03 +0100,
Shunichi Shinohara wrot
There is a define to allow this: STATIC_LEGACY but I don't remember how
to specify it on the configuration command line.
We should probably turn this on in a no-shared build.
Pauli
On 22/2/22 5:37 pm, Shunichi Shinohara wrote:
Hi List,
I have a question about OpenSSL 3.0 and static li
Hi List,
I have a question about OpenSSL 3.0 and static linking.
Short version: Is it possible to include the legacy provider in libcrypt.a?
Somewhat long version below.
As a background of the question I'm using OpenSSL with Erlang/OTP [1] on Linux
and want to static link OpenSSL library.
onfiguration checksum - that means the selftest will be
> always run when the FIPS module (i.e., the fips provider) is loaded.
>
Thanks for the info! I was wondering whether there was a FIPS-compliant way
to use fips.dll on a machine without first having to run 'openssl
fipsinstall' on tha
li
>
>
> On 15/2/22 02:25, Richard Dymond wrote:
>
> >
> > Hi
> >
> > Probably a dumb question, but why must the FIPS module
> > configuration file for OpenSSL 3.0 be generated on every machine
> > that it is to be used on (i.e. must not be copied from on
b question, but why must the FIPS module configuration
file for OpenSSL 3.0 be generated on every machine that it is to be
used on (i.e. must not be copied from one machine to another)?
I just ran 'openssl fipsinstall' on two different machines with the
same FIPS module and it produce
opying the configuration file across avoids the self
tests and therefore isn't compliant.
Pauli
On 15/2/22 02:25, Richard Dymond wrote:
Hi
Probably a dumb question, but why must the FIPS module
configuration file for OpenSSL 3.0 be generated on every machine
that it is to
ote:
>
> Hi
>
> Probably a dumb question, but why must the FIPS module configuration file
> for OpenSSL 3.0 be generated on every machine that it is to be used on
> (i.e. must not be copied from one machine to another)?
>
> I just ran 'openssl fipsinstall' on tw
cross avoids the self tests
and therefore isn't compliant.
Pauli
On 15/2/22 02:25, Richard Dymond wrote:
Hi
Probably a dumb question, but why must the FIPS module configuration
file for OpenSSL 3.0 be generated on every machine that it is to be
used on (i.e. must not be copied from one