> On 30 Sep 2021, at 3:34 pm, nate wrote:
>
>> $ openssl s_client -showcerts \
>>-connect bad_server_name:443 \
>>-servername bad_server_name 2>/dev/null |
>>openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
>>openssl pkcs7 -prin
On 2021-09-30 11:36, Viktor Dukhovni wrote:
Ah, you also need to add "-showcerts" to s_client and best to separate
stdout and stderr in order to avoid confusion due to error text leaking
through, sender stderr to /dev/null:
$ openssl s_client -showcerts \
-connect bad_serve
On Thu, Sep 30, 2021 at 11:26:14AM -0700, nate wrote:
> > This is *not* the correct way to see all the expiration dates in the
> > chain. It will show only the leaf certificate dates. The right
> > incantation is:
> >
> > $ openssl s_client -connect b
On 2021-09-30 10:51, Viktor Dukhovni wrote:
I get at the end a clear: Verify return code: 10 (certificate has
expired)
This is because OpenSSL 1.0.2 looks at the peer's certificate chain
before looking in the trust store.
Ok, good to know, thanks!
If I run on the same OpenSSL:
op
On Thu, Sep 30, 2021 at 09:43:54AM -0700, nate wrote:
> If I run this on OpenSSL 1.0.2g (Ubuntu 16.04)
>
> openssl s_client -connect bad_server_name:443 -servername bad_server_name
>
> I get at the end a clear: Verify return code: 10 (certificate has expired)
This is becaus
On 2021-09-30 10:12, nate wrote:
That is interesting and explains some things. One more Q for you, this
app
Oops sorry no more Qs, I was going to write one then I realized that
OpenSSL
appends the OS certs on top of the custom CA cert file which I wasn't
expecting, updated my email f
after further testing even when telling openssl s_client
to look at a specific CA file it looks at it, and also looks at the OS
stuff as well if there is a CA with the OS and not in the custom CA file
(which has about 113 CAs in it).
Not a big deal will all be fixed when they update the cert.
t
.
Investigating things it turns out to be the Let's encrypt CA cert
expiration that
happened recently, that server is managed by someone else so they are
trying to
get them to fix it.
While investigating I saw some strange behavioral differences between
OpenSSL 1.0 and
1.1 specifically rega
er is managed by someone else so they are
trying to
get them to fix it.
While investigating I saw some strange behavioral differences between
OpenSSL 1.0 and
1.1 specifically regarding checking of the CA cert.
If I run this on OpenSSL 1.0.2g (Ubuntu 16.04)
openssl s_client -connect bad_server_nam
But i do not understand a jingle word of what you both
> talk about in the issues you referenced.
No worries, It appears that in posts upthread I misunderstood the
intent of the new code in 3.0.0. The "openssl { | }"
commands are not after all deprecated in 3.0.0, it was just
Viktor Dukhovni wrote in
:
|On Wed, Sep 29, 2021 at 10:30:29PM +0200, Steffen Nurpmeso wrote:
...
|> #?1|kent:$ ~/usr-kent-crux-linux-x86_64/opt/.ossl3/bin/openssl chacha20
|> Segmentation fault
Thanks for fixing this so fast.
...
|You should open an issue on Github. The imm
Great work!
Pauli
On 30/9/21 4:13 am, Petr Gotthard wrote:
Hello,
I just released a first version of the tpm2-openssl provider.
TPM is a hardware crypto-processor, which can generate, store, and use
cryptographic keys. The tpm2-openssl is a provider for integration of TPM 2.0
to OpenSSL
On Wed, Sep 29, 2021 at 05:14:45PM -0400, Viktor Dukhovni wrote:
> A better fix, that emits the intended deprecation warning would be:
>
> --- a/apps/openssl.c
> +++ b/apps/openssl.c
> [...]
Opened as pull request https://github.com/openssl/openssl/pull/16714
addressi
On Wed, Sep 29, 2021 at 04:59:51PM -0400, Viktor Dukhovni wrote:
>400 if (fp == NULL) {
>401 if (EVP_get_digestbyname(argv[0])) {
>402 f.type = FT_md;
>403 f.func = dgst_main;
>404 fp = &f;
>405 } else if (EVP_ge
t; LD_LIBRARY_PATH=~/usr-kent-crux-linux-x86_64/opt/.ossl3/lib64/
> #?0|kent:$ ~/usr-kent-crux-linux-x86_64/opt/.ossl3/bin/openssl bla
> Invalid command 'bla'; type "help" for a list.
> #?1|kent:$ ~/usr-kent-crux-linux-x86_64/opt/.ossl3/bin/openssl chacha20
>
-crux-linux-x86_64/opt/.ossl3/bin/openssl bla
Invalid command 'bla'; type "help" for a list.
#?1|kent:$ ~/usr-kent-crux-linux-x86_64/opt/.ossl3/bin/openssl chacha20
Segmentation fault
#?139|kent:$
Works with "enc -chacha20".
--steffen
|
|Der Kragenbaer,
Hello,
I just released a first version of the tpm2-openssl provider.
TPM is a hardware crypto-processor, which can generate, store, and use
cryptographic keys. The tpm2-openssl is a provider for integration of TPM 2.0
to OpenSSL 3.0, which makes (some) functions of a TPM 2.0 chip accessible
> On 27 Sep 2021, at 11:24 am, Jay Foster wrote:
>
> I don't think so. The file system is a UBIFS on nand flash, and it works
> with 1.0.2 and 1.1.1. Even 1.1.1 is a *little* bit slower than 1.0.2, but
> nowhere near as much slower as 3.0.0.
>
> It looks like the
On Mon, 2021-09-27 at 08:24 -0700, Jay Foster wrote:
> On 9/27/21 7:33 AM, Michael Richardson wrote:
> > Jay Foster wrote:
> > > While migrating some applications from OpenSSL 1.0.2 (and
> > 1.1.1) to
> > > 3.0.0, I have noticed that the
>
On 9/27/21 7:33 AM, Michael Richardson wrote:
Jay Foster wrote:
> While migrating some applications from OpenSSL 1.0.2 (and 1.1.1) to
> 3.0.0, I have noticed that the SSL_CTX_set_default_verify_paths()
> function is much slower in 3.0.0. In 1.0.0 it would take
Jay Foster wrote:
> While migrating some applications from OpenSSL 1.0.2 (and 1.1.1) to
> 3.0.0, I have noticed that the SSL_CTX_set_default_verify_paths()
> function is much slower in 3.0.0. In 1.0.0 it would take about 0.1
> seconds and in 3.0.0 it takes over 3 sec
iders/defltprov.c and search for "seed”.
To use your custom seed source, you can either use the OpenSSL configuration
file to set a "random" section that includes a "seed" setting or you can call
RAND_set_seed_source_type() early in your startup sequence.
If you link in your p
ed to reimplement seed_src_generate() to use your RNG.
To use your custom seed source, you can either use the OpenSSL
configuration file to set a "random" section that includes a "seed"
setting or you can call RAND_set_seed_source_type() early in your
startup sequence.
Pauli
While migrating some applications from OpenSSL 1.0.2 (and 1.1.1) to
3.0.0, I have noticed that the SSL_CTX_set_default_verify_paths()
function is much slower in 3.0.0. In 1.0.0 it would take about 0.1
seconds and in 3.0.0 it takes over 3 seconds.
strace indicates that the extra time is
Hi,
I was wondering why it is currently impossible to encrypt a private key using
GCM mode (eg using aes-256-gcm). This cannot be done using the openssl command
line tool or using the library and API. This was not doable in version 1.0.2
and is still not possible with version 3. Is this a
erties via config too.
Everything is documented and I'd recommend starting with the migration
guide manual page and working from there.
In my opinion, the 1.0 -> 1.1 transition is the more onerous part.
Pauli
On 23/9/21 3:44 am, Kory Hamzeh wrote:
I have an OpenSSL app which perfo
I have an OpenSSL app which performs ECDH-KAS using openssl-1.0.1g +
openssl-fips-2.0.5. It needs to be FIPS compatible. The app was written using
the low level ECDH functions similar to what is documented here:
https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman
Hi, there
Is there a way to implement the different access identity for the different
cert? For example, by setting the custom field, then the code the read it from
the cert.
BRs
Mystic
-- Original --
From:
The number you asked for typically.
Pauli
On 21/9/21 4:49 pm, Nagarjun J wrote:
Hi,
What is the Number of Bytes Returned by aes-256 ctr drbg ?
Thanks,
Nagarjun
Hi,
What is the Number of Bytes Returned by aes-256 ctr drbg ?
Thanks,
Nagarjun
No.
The deprecated functions are not going away any time soon but there is
no direct replacement.
Pauli
On 21/9/21 6:46 am, Ken Goldman wrote:
... and RSA_get0_factors.
I know about EVP_PKEY_get_bn_param(). However, that allocates new
bignums. Therefore, the caller has to say, if >3.0.0
... and RSA_get0_factors.
I know about EVP_PKEY_get_bn_param(). However, that allocates new bignums.
Therefore, the caller has to say, if >3.0.0, free them, else don't.
The deprecated get0 functions just returned pointers that did not have to be
separately freed.
Is there a call to pass in
t;
I will open an issue.
Kory
> On Sep 20, 2021, at 12:18 AM, Tomas Mraz wrote:
>
> This is really weird. The OPENSSLDIR as in the Makefile should be
> applied during the build. If you do strings does
> it show the ssl-3? Is it possible that you have some other build of
>
Hello,
Usually you don't, and if you compile it against the same major release, no
problems happen.
I'd suggest you to look at the backtrace.
On Mon, Sep 20, 2021 at 3:03 AM Shariful Alam wrote:
> Hello,
> I have installed OpenSSL 1.1.1c. I'm trying to make a custom Ope
This is really weird. The OPENSSLDIR as in the Makefile should be
applied during the build. If you do strings does
it show the ssl-3? Is it possible that you have some other build of
openssl-3.0 with incorrect (default) OPENSSLDIR lying on the system
somewhere?
Please open an GitHub issue so we
As this requires support for Attribute Certificates which is not
currently present in OpenSSL neither RFC 5755 is supported.
Regards,
Tomas
On Sat, 2021-09-18 at 11:34 +0800, 215104920 via openssl-users wrote:
> Hi. There
> Could you give me some help?
> Thanks a lot.
>
>
Hello,
I have installed OpenSSL 1.1.1c. I'm trying to make a custom OpenSSL engine
for RSA. The following sample code is copied from the engine *e_dasync.c. *
Following is a sample code for my RSA engine (*rsa-eng
Hi. There
Could you give me some help?
Thanks a lot.
BRs
Mystic
> On Sep 14, 2021, at 12:03 AM, Tomas Mraz wrote:
>
> On Mon, 2021-09-13 at 16:13 -0700, Kory Hamzeh wrote:
>> I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything
>> seems to be working fine, except for the fact that I cannot get
>> OpenSSL to lo
On Wed, Sep 15, 2021 at 05:26:51PM +0530, Jaya Muthiah wrote:
> I am trying to reuse SSL_SESSION as below, it works fine when I use
> TLSv1_2_client_method() to create context. However, it does not work
> when I use TLS_client_method().
> [...]
> if (SSL_connect(ssl) != 1) { return -1; }
>
_method() and
SSL_session_reused() returns 1, handshake time is also reduced
considerably. However, if I use TLS_client_method(), reuse does not work
and SSL_session_reused() returns zero.
Any idea what is wrong? OpenSSL version is 1.1.1.g
s 1, handshake time is also reduced considerably. However, if I use
TLS_client_method(), reuse does not work and SSL_session_reused() returns
zero.
Any idea what is wrong? OpenSSL version is 1.1.1.g
On Tue, 2021-09-14 at 14:42 -0400, Ken Goldman wrote:
> On 9/14/2021 11:40 AM, Tomas Mraz wrote:
> > On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:
> > > Conceptually, how are these different?
> > >
> > > When do I use one vs the other?
> >
> > The EVP_PKEY is an object holding data (well,
On Tue, 2021-09-14 at 21:46 -0700, Kory Hamzeh wrote:
> I have written a custom provider which I need to include (link) with
> my Application at link time rather than load it at run-time. The init
> function is defined like this:
>
> OSSL_provider_init_fn sck_provider_init;
>
> int sck_provider_i
I have written a custom provider which I need to include (link) with my
Application at link time rather than load it at run-time. The init function is
defined like this:
OSSL_provider_init_fn sck_provider_init;
int sck_provider_init(const OSSL_CORE_HANDLE *handle,
const O
On 15/9/21 9:19 am, Ken Goldman wrote:
irc = EVP_PKEY_fromdata_init(ctx);
irc = EVP_PKEY_fromdata(ctx, (EVP_PKEY **)rsa_pub_key, /* freed by
caller */
EVP_PKEY_PUBLIC_KEY, params);
Do you mean :
irc = EVP_PKEY_fromdata(ctx, &rsa_pub_key, EVP_PKEY_PUBLIC_KEY,
pa
On 15/09/2021 00:19, Ken Goldman wrote:
I am doing the following, but the EVP_PKEY->pkey->rsa is null.
Am I misusing the API or missing a step?
Neither. This is normal. EVP_PKEY->pkey->rsa is only used if you have a
legacy key.
Matt
(error checking removed)
EVP_PKEY *rsa_p
I am doing the following, but the EVP_PKEY->pkey->rsa is null.
Am I misusing the API or missing a step?
(error checking removed)
EVP_PKEY*rsa_pub_key = NULL;
EVP_PKEY_CTX*ctx = NULL;
OSSL_PARAM_BLD *param_bld = NULL;
OSSL_PARAM *params = NULL;
On 9/14/2021 11:40 AM, Tomas Mraz wrote:
On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:
Conceptually, how are these different?
When do I use one vs the other?
The EVP_PKEY is an object holding data (well, rather a reference, but
that is fairly irrelevant) of a private key, public key,
On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:
> Conceptually, how are these different?
>
> When do I use one vs the other?
The EVP_PKEY is an object holding data (well, rather a reference, but
that is fairly irrelevant) of a private key, public key, or domain
parameters for asymetric cryp
Conceptually, how are these different?
When do I use one vs the other?
Where would I learn this?
I've written a blog post to explain the situation with the old Let's
Encrypt root certificate expiration which will happen on 2021-09-30 and
the behavior of OpenSSL 1.0.2 with that root certificate.
Please read, if interested:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRoot
On Mon, 2021-09-13 at 16:13 -0700, Kory Hamzeh wrote:
> I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything
> seems to be working fine, except for the fact that I cannot get
> OpenSSL to load the legacy module when I configure /ssl/openssl.cnf
> as such. I can, howev
I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything seems to
be working fine, except for the fact that I cannot get OpenSSL to load the
legacy module when I configure /ssl/openssl.cnf as such. I can, however, load
the module explicitly at run time.
This is a diff of my config
Try working from providers/implementations/rands/seed_src.c You'll need
to reimplement seed_src_generate() to use your RNG.
To use your custom seed source, you can either use the OpenSSL
configuration file to set a "random" section that includes a "seed"
Hi,
We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. Yes, I know,
big jump. We have our own entropy source we use to seed the OpenSSL DRBG. This
is a basic code snippet of how we set it up:
DRBG_CTX *dctx = FIPS_get_default_drbg();
FIPS_drbg_init(dctx
ke _tests
( SRCTOP=../../openssl-3.0.0 \
BLDTOP=. \
PERL="/usr/perl5/5.32/bin/perl" \
FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \
EXE_EXT= \
/usr/perl5/5.32/bin/perl ../../openssl-3.0.0/test/run_tests.pl
test_internal_modes test_ige )
00-prep
uli
>
>
>On 12/9/21 1:39 pm, Benjamin Kaduk via openssl-users wrote:
>> On Sat, Sep 11, 2021 at 10:29:07PM -0400, Dennis Clarke via openssl-users
>> wrote:
>>> This is slightly better than the beta release :
>>>
>>> Test Summary Report
>>> ---
What Ben suggests is a great start.
Note that none of the core developers have Solaris access, so that
debugging could be problematic.
Pauli
On 12/9/21 1:39 pm, Benjamin Kaduk via openssl-users wrote:
On Sat, Sep 11, 2021 at 10:29:07PM -0400, Dennis Clarke via openssl-users wrote:
This
On Sat, Sep 11, 2021 at 10:29:07PM -0400, Dennis Clarke via openssl-users wrote:
>
> This is slightly better than the beta release :
>
> Test Summary Report
> ---
> 03-test_internal_modes.t (Wstat: 256 Tests: 1 Failed: 1)
> Failed test: 1
>
This is slightly better than the beta release :
Test Summary Report
---
03-test_internal_modes.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
90-test_ige.t(Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit
figuration was :
./Configure solaris64-sparcv9-cc no-asm --prefix=/opt/bw shared
no-engine -DPEDANTIC
So the no-engine may just mean I get an empty directory result ?
beta # /opt/bw/bin/openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
beta #
Looks fine and wit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 3.0.0 released
==
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 3.0.0 of our open source
n fact a bit misleading
>and should better be re-phrased to: "Untrusted certificates should not
>be added in this way."
>
> Regards,
>
> David
> On 28.08.21 03:52, bl4ck ness wrote:
>
> Hello,
>
> I'm trying to use OpenSSL to validate a certific
t CRLs are not trusted by themselves.
So the above sentence is in fact a bit misleading
and should better be re-phrased to: "Untrusted certificates should
not be added in this way."
Regards,
David
On 28.08.21 03:52, bl4ck ness wrote:
>
> Hello,
>
> I'm t
something where real random numbers
> > are
> > needed.
> >
> > Tomas
> >
> > On Mon, 2021-08-30 at 13:17 +0300, Billy Brumley wrote:
> > > This is not really true. At least, for some of the tests.
> > >
> > > https://github.com/op
needed.
>
> Tomas
>
> On Mon, 2021-08-30 at 13:17 +0300, Billy Brumley wrote:
> > This is not really true. At least, for some of the tests.
> >
> > https://github.com/openssl/openssl/blob/master/test/ecdsatest.c#L73
> >
> > That hijacks the RNG to feed the
accidentally used for something where real random numbers are
needed.
Tomas
On Mon, 2021-08-30 at 13:17 +0300, Billy Brumley wrote:
> This is not really true. At least, for some of the tests.
>
> https://github.com/openssl/openssl/blob/master/test/ecdsatest.c#L73
>
> That hijacks the
This is not really true. At least, for some of the tests.
https://github.com/openssl/openssl/blob/master/test/ecdsatest.c#L73
That hijacks the RNG to feed the expected nonce, so it can check vs a KAT.
Cheers,
BBB
On Mon, Aug 30, 2021 at 12:40 PM Tomas Mraz wrote:
>
> Hello,
>
> y
Thank you for the report.
This is already fixed on both 1.1.1 and master branches with:
https://github.com/openssl/openssl/pull/16409
Tomas Mraz
On Fri, 2021-08-27 at 13:34 -0400, Scott Lasley via openssl-users
wrote:
> Building openssl-1.1.1l with Xcode 10.1 under macOS 10.13.6 fails w
Hi,
>
> Does openssl-3.0.0 really does ecdsa KAT ? The post test logs says
> "ECDSA KAT :PASS. But when i debuged the code it actually doing ECDSA
> pairwise consistency test.
>
> Thanks,
> Nagarjun
--
Tomáš Mráz
No matter how far down the wron
Hello,
I'm trying to use OpenSSL to validate a certificate chain with CRLs. To
achieve this, I create a X509_STORE and add trusted (root) certificates
into it via X509_STORE_add_cert(). I also add CRLs published by root and
intermediate CAs into the store using X509_STORE_add_crl(). Then I c
On 8/27/2021 3:46 PM, Ken Goldman wrote:
I run valgrind on all my software to find memory leaks. This worked for
openssl 1.0.2 and 1.1.1, but fails with 3.0.0. Suggestions?
Sorry, I updated valgrind and all is well.
On Fri, Aug 27, 2021 at 2:47 PM Ken Goldman wrote:
>
> I run valgrind on all my software to find memory leaks. This worked for
> openssl 1.0.2 and 1.1.1, but fails with 3.0.0. Suggestions?
>
> vex amd64->IR: unhandled instruction bytes: 0xF3 0xF 0x1E 0xFA 0x49 0x89 0xD8
>
I run valgrind on all my software to find memory leaks. This worked for
openssl 1.0.2 and 1.1.1, but fails with 3.0.0. Suggestions?
vex amd64->IR: unhandled instruction bytes: 0xF3 0xF 0x1E 0xFA 0x49 0x89 0xD8
0x31
vex amd64->IR: REX=0 REX.W=0 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR
Building openssl-1.1.1l with Xcode 10.1 under macOS 10.13.6 fails with this
error
In file included from crypto/rand/rand_unix.c:38:
/usr/include/CommonCrypto/CommonRandom.h:35:9: error: unknown type name
'CCCryptorStatus'
typedef CCCryptorStatus CCRNGStatus;
^
crypto/rand/r
Hi,
Does openssl-3.0.0 really does ecdsa KAT ? The post test logs says "ECDSA
KAT :PASS. But when i debuged the code it actually doing ECDSA pairwise
consistency test.
Thanks,
Nagarjun
tion file and add the dynamic path to the shared library like the
>> following,
>> ==
>> [rsa_section]
>> engine_id = rsa-engine-new
>> dynamic_path = /opt/openssl/lib/engines-1.1/rsa-engine-new.so
>> ==
>>
>> My en
itry,
> Thank you very much. After moving the above section at the end of the
> configuration file and add the dynamic path to the shared library like the
> following,
> ==
> [rsa_section]
> engine_id = rsa-engine-new
> dynamic_path = /opt/openssl
Dear Dmitry,
Thank you very much. After moving the above section at the end of the
configuration file and add the dynamic path to the shared library like the
following,
==
[rsa_section]
engine_id = rsa-engine-new
dynamic_path = /opt/openssl/lib/engines-1.1/rsa-engine-new.so
As I suspected, you have the remnants of main openssl config just after
your only directive in the [rsa_section]
I'd suggest you moving the following lines
=
[openssl_def]
engines = engine_section
[engine_section]
rsa-engine-new = rsa_section
[rsa_section]
engine_id = rsa-engin
Dear Dmitry,
In case if it helps, I have installed my OpenSSL from the source code and
my current version is OpenSSL 1.1.1c 28 May 2019
Regards,
Shariful Alam
On Thu, Aug 26, 2021 at 10:20 AM Shariful Alam wrote:
> Dmitry,
> Thank you for your response.
>
> As you have sugge
;;
Here is my whole *openssl.cnf* file content
=========
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Note that y
This port is for ILE (native OS/400) not PASE (PASE is almost like Unix, and
already comes with OpenSSL).
The idiosyncrasies are explained in the README.as400 file in AS400patch.tar.gz.
I had to rewrite the EBCDIC support in clienthellotest.c.
AS400patch.tar.gz (large patch for OpenSSL and
gt; On Thu, Aug 26, 2021, 12:06 AM Shariful Alam wrote:
>
>> Hello,
>>
>> I have a simple rsa engine code (from engines/e_dasync.c). My code
>> compiles. Command "*$openssl engine -t -c*" shows the following,
>>
>>
>> openssl engine -t -c
&
Any help regarding this matter??
Regards,
Shariful
On Thu, Aug 26, 2021, 12:06 AM Shariful Alam wrote:
> Hello,
>
> I have a simple rsa engine code (from engines/e_dasync.c). My code
> compiles. Command "*$openssl engine -t -c*" shows the following,
>
>
> o
Hello,
I have a simple rsa engine code (from engines/e_dasync.c). My code
compiles. Command "*$openssl engine -t -c*" shows the following,
openssl engine -t -c
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable
Hello OpenSSL Community,
Binary builds of OpenSSL version 1.1.1l for the HPE NonStop TNS/E (ia64) and
TNS/X (x86) platforms have been published on the
ITUGLIB website in its usual place at
https://ituglib.connect-community.org/apps/Ituglib/SrchOpenSrcLib.xhtml. The
builds consist
of
CKS5 connect to imap.gmail.com:993 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 18889 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello
e
> generated using Carmichaels lambda function instead of Euler like the ietf
> rfc stipulates? Does the Euler based blinding still work?
>
> https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_crpt.c
If the real public exponent used to generate the key is smaller than
la
r like the ietf
rfc stipulates? Does the Euler based blinding still work?
https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_crpt.c
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [24 August 2021]
==
SM2 Decryption Buffer Overflow (CVE-2021-3711)
==
Severity: High
In order to decrypt SM2 encrypted data an
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1l released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1l of our open
On 13.8.2021 21.14, Mishra, Ankur wrote:
At following website it is mentioned that QNX support is removed in
1.1.1 version of OpenSSL. Anyone know if this is right information and
in that case what is alternate for it.
See this for more information
https://github.com/openssl/openssl/pull
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL version 1.1.1l.
This release will be made available on Tuesday 24th August 2021
between 1200-1600 UTC.
OpenSSL 1.1.1l is a security-fix release. The highest severity issue
fixed in this release is HIGH:
https
Hi All,
I am not able to find EVP API for replacing deprecated DES_is_weak_key
API.
Does checking DES_is_weak_key not required for using EVP API's for DES
related operations in openssl 3.0.
Please suggest.
Thanks and Regards,
Sunil
Notice: This e-mail together wit
Corrected the typo
From: Paramashivaiah, Sunil
Sent: Tuesday, August 17, 2021 3:48 PM
To: openssl-users@openssl.org
Cc: Bhattacharjee, Debapriyo (c)
Subject: Replacing DES_ede3_cbc_encrypt with EVP API's for upgrading to openssl
3.0
Hi All,
I am trying to upgrad
Hi All,
I am trying to upgrade over application to use openssl 3.0 from
openssl 1.0.2.
I am trying to replace DES_ede3_cbc_encrypt with EVP API's as
below.
DES_ede3_cbc_encrypt accepts 3 keys got from des_key_sched.
But for same
fication is disabled by default because it doesn't add
any security."
I'm sure this can be debated, but that's at least an explanation.
Cheers,
Richard
--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
> On 16 Aug 2021, at 11:33 am, Goetzke, Arnold (A.P.) wrote:
>
> Thanks for that Viktor - I'll see if the shlib_variant is an option.
Note that setting "shlib_variant" is something the vendor has to set
when building the bundled OpenSSL libraries. The Configurations/RE
601 - 700 of 24387 matches
Mail list logo
