* Sorry for being unclear, the goal would be to just not send the SCSV
value in the ClientHello.
Why?
Thanks for your reply Ben!
Sorry for being unclear, the goal would be to just not send the SCSV value
in the ClientHello.
-Mark
On Tue, Apr 21, 2020 at 22:06, Benjamin Kaduk wrote:
> On Tue, Apr 21, 2020 at 09:57:02PM +0200, Mark Windshield wrote:
> > Hello,
> >
> > I was wondering what
On Tue, Apr 21, 2020 at 09:57:02PM +0200, Mark Windshield wrote:
> Hello,
>
> I was wondering what I'd have to change in the openssl code/config before
> compiling to have renegotiation disabled by default, so it won't send the
> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) when using
Hello,
I was wondering what I'd have to change in the openssl code/config before
compiling to have renegotiation disabled by default, so it won't send the
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) when using curl.
Thanks!
l 12, 2019 9:21 PM
To: Chethan Kumar ; openssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1
On 12/04/2019 15:50, Chethan Kumar wrote:
> Thank to both Hubert Kario and Matt Caswell for your valuable information.
> This group has helped a lot in gaining many insight
openssl-users-boun...@openssl.org] On Behalf Of
> Matt Caswell
> Sent: Friday, April 12, 2019 7:28 PM
> To: openssl-users@openssl.org
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
>
>
> On 12/04/2019 14:37, Chethan Kumar wrote:
>>> Please note that curl develope
nssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1
On 12/04/2019 14:37, Chethan Kumar wrote:
>> Please note that curl developers have recently changed the meaning of those
>> options, please check if they do what you expect them to do by inspecting
>>
On 12/04/2019 14:37, Chethan Kumar wrote:
>> Please note that curl developers have recently changed the meaning of those
>> options, please check if they do what you expect them to do by inspecting
>> the curl man page.
> Thanks for the information. I understood it.
> I also used openssl
e is any other way to disable TLSv1.0 and TLS1.1
sorry, I'm not familiar with openssl compilation configuration to say if this
is expected and correct behaviour
> Thanks in advance,
> Chethan Kumar
> -Original Message-
> From: Hubert Kario [mailto:hka...@redhat.com]
> Sent: Friday, A
-Original Message-
From: Hubert Kario [mailto:hka...@redhat.com]
Sent: Friday, April 12, 2019 6:11 PM
To: Chethan Kumar
Cc: openssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1
On Friday, 12 April 2019 13:54:24 CEST Chethan Kumar wrote:
> >what evidence you have that
l Message-
> From: Hubert Kario [mailto:hka...@redhat.com]
> Sent: Friday, April 12, 2019 4:50 PM
> To: Chethan Kumar
> Cc: openssl-users@openssl.org
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
>
l Message-
From: Hubert Kario [mailto:hka...@redhat.com]
Sent: Friday, April 12, 2019 4:50 PM
To: Chethan Kumar
Cc: openssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1
On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> > there is no "min"
receiving ServerHello
that is:
when SSL_CTX_set_min_proto_version is set to tls 1.2,
SSL_CTX_set_max_proto_version is set to tls 1.3
and the server replies with ServerHello.version of (3, 2) i.e. TLS 1.1
the client will abort the connection
> I would like to know how to disable TLSv1.0 and 1.1 using configu
in_proto_version() and SSL_CTX_set_max_proto_version() introduced
in 1.1.X along with SSL_CTX_set_options().
I would like to know how to disable TLSv1.0 and 1.1 using configure
option[CONFOPTS] in Makefile.
Thanks in advance,
Chethan Kumar
-Original Message-
From: Hubert Kario [mailto:hka...@redhat.com]
Sent: Thursday
t TLS 1.1 and see if your production compile can connect
> Thanks in advance,
> Chethan Kumar
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Chethan Kumar Sent: Thursday, April 11, 2019 4:25 PM
> To: openssl-users@openssl.org
> Subject: Ho
: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Chethan Kumar
Sent: Thursday, April 11, 2019 4:25 PM
To: openssl-users@openssl.org
Subject: How to disable tls 1.0 and tls 1.1
Dear all,
Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling
openssl
Dear all,
Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling
openssl package.
I am using 1.0.2n openssl version and disabled SSLv1 and v2 using
-DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2.
I also have a doubt on difference between -DSSL_OP_NO_SSLv2
> On Mar 21, 2019, at 2:14 AM, Hal Murray wrote:
>
>> Can I set any flags while building openssl 1.1.1 to disable TLS 1.3 or can
>> i get any package from ubuntu to disable TLS 1.3 ?
>
> You can do it at run time using SSL_set_max_proto_version
It can also be set in the system-wide default
> But I want to use TLS 1.2 only for my application with curl 7.58 in Ubuntu
> 18.04. So while using openssl 1.1.1 how to disable default TLS 1.3 and how
> to enable TLS 1.2?
Just curious. Why do you want to disable TLS 1.3? It will automagically use
1.2 if that's all the other end
I have updated my openssl from 1.1.0 to 1.1.1 recently. Openssl 1.1.1 version
supports TLS1.3 feature.
But I want to use TLS 1.2 only for my application with curl 7.58 in Ubuntu
18.04. So while using openssl 1.1.1 how to disable default TLS 1.3 and how to
enable TLS 1.2?
Can I set any flags
On 02/12/2018 22:13, Viktor Dukhovni wrote:
>
> [ While I could ask off-list, or RTFS, someone else might have the
> same question later, so might as well ask on-list. ]
>
> Postfix added support for ECDHE ciphers long ago, back when OpenSSL
> 1.0.0 was shiny and new, and the server-side
[ While I could ask off-list, or RTFS, someone else might have the
same question later, so might as well ask on-list. ]
Postfix added support for ECDHE ciphers long ago, back when OpenSSL
1.0.0 was shiny and new, and the server-side ECDHE support was
enabled by specifying a single preferred
On Sat, Jul 22, 2017 at 2:37 PM, Oliver Niebuhr
wrote:
> Hi.
>
> I searched the Web and checked the Configure File. Am I blind or is
> there really no Parameter to disable the creation of the Documentation?
>
> As I also test the Qt Framework, I often recompile
Hi.
I searched the Web and checked the Configure File. Am I blind or is
there really no Parameter to disable the creation of the Documentation?
As I also test the Qt Framework, I often recompile OpenSSL. You are
right, building the Docs will only take 2 Minutes - but it sums up to
countless
On 06/02/17 09:58, Devang Kubavat wrote:
> Hi,
> I am trying to configure the OpenSSL 1.0.2k for windows.
> Can anyone help me How to disable the DTLS?
I guess this email got stuck somewhere because I only just got this. See
my answer to this on your stackoverflow questio
Hi,
I am trying to configure the OpenSSL 1.0.2k for windows.
Can anyone help me How to disable the DTLS?
Best Regards,
Devang
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On Mon, Sep 12, 2016 at 05:35:06PM +0300, Andrey Kulikov wrote:
> I'm using OpenSSL 1.0.2g
> In my client I would like to disable SSL session resumption completely (for
> test purposes).
The odd thing is that on the client side, nothing in OpenSSL does
resumption by default, because OpenSSL does
in traffic capture - is that my client always do session
reuse with sending non-empty session ID. And server does accept it.
How can I disable SSL session resumption completely?
More expanded code snippet:
SSL_CTX *ctx = NULL;
ctx = SSL_CTX_new(SSLv23_client_method()))
SSL_CTX_set_session_cache_mode
We can disable DSO support at configure time with 'no-dso'.
But its not clear to me how to explicitly disable the feature at
runtime if the platform/distro provided the OpenSSL libraries (and
they were enabled). I took a look at config(5), but that's more for
configuration files, and less
On Tue, Mar 10, 2015 at 08:44:57AM +, Christian Georg wrote:
I understand that the downgrading of the ciphersuites is a bug in the
library that should be patched. Doing this can however be difficult when
talking about mobile apps that use OS Libraries. From my understanding
the bug only
, 2015 06:53
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to disable all EXPORT Ciphers?
On Tue, Mar 10, 2015 at 08:44:57AM +, Christian Georg wrote:
I understand that the downgrading of the ciphersuites is a bug in the
library that should be patched. Doing this can however
From: openssl-users On Behalf Of Viktor Dukhovni
Sent: Monday, March 09, 2015 12:47
On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:
kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH
with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56
and 1024?
You only need
...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Monday, March 9, 2015 17:47
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to disable all EXPORT Ciphers?
On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:
How do I disable all EXPORT Ciphers from OpenSSL?
Will the use of string
How do I disable all EXPORT Ciphers from OpenSSL?
Will the use of string kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH
; openssl ciphers -v kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH |
grep EXP
;
Yes.
But really, SSLv2? Really? You have clients that haven't been
On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:
How do I disable all EXPORT Ciphers from OpenSSL?
Will the use of string kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH
with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and
1024?
Note that doing so does
Hi,
How do I disable all EXPORT Ciphers from OpenSSL?
Will the use of string kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH
with
SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024?
Thank you,
Deepak
On 2/28/2013 6:27 PM, Chaim | Sz Studios wrote:
BH
Hi All,
I'm trying to pass a pci scan, I'm on Ubuntu 12.04 lts server and Nginx.
I've tried everything I know and did a lot of research... apparently
seems that need to disable a setting in OpenSSL which I can't find how
to do.
This is the
BH
Hi All,
I'm trying to pass a pci scan, I'm on Ubuntu 12.04 lts server and Nginx.
I've tried everything I know and did a lot of research... apparently seems
that need to disable a setting in OpenSSL which I can't find how to do.
This is the result of the scan:
SSL/TLS Protocol Initialization
in internet are all about how to disable them with other SW,
like apache.
Could anyone please help me on this point?
Best Regards
_
Sheng Liang
Hi,
I have an application which uses RSA or Diffie Hellman (DH) algorithms for
key exchange and RAND_seed and RAND_bytes to generate pseudo random number.
Now, I have added FIPS_mode_set(1) to enable FIPS. As per openSSL-fips
security policy document, my expectation is DH and RAND_seed and
On Mon, Jan 23, 2012, Vimol Kshetrimayum wrote:
Hi,
I have an application which uses RSA or Diffie Hellman (DH) algorithms for
key exchange and RAND_seed and RAND_bytes to generate pseudo random number.
Now, I have added FIPS_mode_set(1) to enable FIPS. As per openSSL-fips
security
Thanks Steve. So, that means, I don't need to add FIPS_rand_* function.
For DH key exchange algorithm, do I need to explicitly disable calling of
DH function in my code if it is in FIPS?
Or is there any DH algorithms loading issue in openssl-fips-1.2 that I am
consuming?
Thanks,
~Vimol
On Mon,
can any one tell me how to remove the crl revocation check and Expiry check.
i want to validate the signature of the certificate alone no CRL or Expiry
check.
any flag i need to set
--
View this message in context:
http://old.nabble.com/how-to-disable-theCRL-check-and-time-check
not an openssl expert, so
please don't assume that all I have said above is proven.
Regards
Alon
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Yan, Bob
Sent: Tuesday, March 08, 2011 1:07 AM
To: openssl-users@openssl.org
Subject: How to disable SSL/TLS
I have two questions regarding to SSL/TLS Renegotiation:
1) Can SSL/TLS Renegotiation happen automatically during the normal SSL_read
and SSL_write operation on a SSL connection? Basically if the application
doesn't invoke the SSL_renegotiate function, can SSL/TLS Renegotiation still
happen
On Wed, Jan 12, 2011 at 3:40 PM, Mark H. Wood mw...@iupui.edu wrote:
On Tue, Jan 11, 2011 at 05:39:19PM +0100, Fredrik Strömberg wrote:
Hello Patrick,
Thank you for your email. I somehow managed to miss the word
mandatory in the manual. I guess there's nothing else for me to do
than code a
Ah. I did not understand that referenced by browser vendors meant
we were talking about inclusion in their canned trust stores. Thanks,
both of you.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote:
In order to be referenced by browser vendors (Opera comes to mind, and
I think Mozilla will require this), the serial number MUST be random
(or at least *appear* random from the outside).
Oh, now I'm curious. How do they test the
On Tue, Jan 11, 2011 at 05:39:19PM +0100, Fredrik Strömberg wrote:
Hello Patrick,
Thank you for your email. I somehow managed to miss the word
mandatory in the manual. I guess there's nothing else for me to do
than code a file lock. I need to run multiple openssl instances, and
openssl
On Jan 12, 2011, Mark H. Wood wrote:
On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote:
In order to be referenced by browser vendors (Opera comes to mind, and
I think Mozilla will require this), the serial number MUST be random
(or at least *appear* random from the
On 1/12/2011 6:48 AM, Mark H. Wood wrote:
Oh, now I'm curious. How do they test the randomness of a single
sample? 1 is every bit as random (or nonrandom) as
0xdcb4a459f014617692d112f0942c89cb.
They don't validate the number itself, they validate that the method by
which the number was
Hello,
I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?
Not using -config makes openssl use the compiled default, and using my
own while commenting out database and serial gives me the error
variable lookup failed for CA_default
Hi Frederik,
-Original Message-
From: Fredrik Strömberg
I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?
you can't. But why would you care about openssl internals? Just generate your
certificates and fine.
Not using
On Tue, Jan 11, 2011 at 4:40 PM, Eisenacher, Patrick
patrick.eisenac...@bdr.de wrote:
Hi Frederik,
-Original Message-
From: Fredrik Strömberg
I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?
you can't. But why would you
Fredrik Strömberg wrote:
Hello,
I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?
Not using -config makes openssl use the compiled default, and using my
own while commenting out database and serial gives me the error
variable
On 1/11/2011 7:02 AM, Fredrik Strömberg wrote:
(For the curious: I don't need serial because I only identify with CN,
and I don't need a database because I will never revoke any
certificates.)
The problem is, everybody else identifies by serial. So unless you don't
plan to interoperate with
On 01/11/2011 05:50 PM, Dominique Lohez wrote:
Fredrik Strömberg wrote:
Hello,
I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?
by using the command x509 and not ca for example.
you can use a serial number based on a date
On Jan 11, 2011, Peter Sylvester wrote:
by using the command x509 and not ca for example.
you can use a serial number based on a date
seconds plus processid for example) to guarantee
uniqueness.
More on this. A serial number MUST be unique (by X.509 design), and
SHOULD be random
Ramaswamy BM wrote:
Try this
SSL_CTX * tls_ctx;
STACK_OF(SSL_COMP)* compression ;
compression = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(compression); It should disable the compression
support for !!
You can also use below API accordingly to enable/disable
Try this
SSL_CTX * tls_ctx;
STACK_OF(SSL_COMP)* compression ;
compression = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(compression); It should disable the compression
support for !!
You can also use below API accordingly to enable/disable required
On Tue, Dec 14, 2010 at 06:20:54PM +1100, Corin Lawson wrote:
Hi All,
Is it possible to establish an SSL connection with no compression? How?
OpenSSL 1.0.0 provides a new option that can be set via
SSL_CTX_set_options() or SSL_set_options().
SSL_OP_NO_COMPRESSION
While I'm at it, is
Hi All,
Is it possible to establish an SSL connection with no compression? How?
While I'm at it, is it possible to use no encryption?
I.e. I only want SSL to authenticate/verify identity (handshake).
Cheers,
Corin.
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Lutz Jaenicke
Sent: March 25, 2009 17:43
To: openssl-users@openssl.org
Cc: Victor Yepez
Subject: [FWD] How to disable SSL
Forwarded to openssl-users for public discussion.
Best regards,
Lutz
- Forwarded message from Victor Yepez yepez.vic...@gmail.com
Forwarded to openssl-users for public discussion.
Best regards,
Lutz
- Forwarded message from Victor Yepez yepez.vic...@gmail.com -
Date: Tue, 24 Mar 2009 17:31:55 -0430
From: Victor Yepez yepez.vic...@gmail.com
Subject: How to disable SSL
To: r...@openssl.org
User-Agent
...@gmail.com
Subject: How to disable SSL
To: r...@openssl.org
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
Hello guys,
I really appreciate your help in the following issue:
One of our customers has installed Solaris 10 on his SUN machine.
Solaris 10 has installed open SSL and our
for your help.
Regards,
Alain
--
View this message in context:
http://www.nabble.com/How-to-disable-DNS-certificate-check--tp19367130p19367130.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
philipina wrote:
Hello,
I'm using an application (that I could recompile) which is using OpenSSL. My
problem is that for some computers I have an internet access but no DNS
server. In this case I configure the application to connect to
https://xxx.xxx.xxx.xxx (ip address) instead of
Hello,
I'm using an application (that I could recompile) which is using
OpenSSL. My
problem is that for some computers I have an internet access but no DNS
server. In this case I configure the application to connect to
https://xxx.xxx.xxx.xxx (ip address) instead of
Hello,
How can I configure openssl to not do reverse lookups on client
connections on my RHEL system running the distribution apache?
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
OpenSSL 0.9.7a Feb 19 2003
I've noticed that even with HostnameLookups set to off, connections to
Can anyone tell me how to disable id and pw checking
when entering a specific web site. I'd like to turn
it completely off.
Thanks,
Chuck
Mark wrote:
my last mail seem to be lost somewhere..
I got it!
Hi all,
Im testing an SSL server with s_client. I want to implement
client
This is an Apache query, not an OpenSSL query. Please ask on the
apache-users mailing list.
-Kyle
On 1/10/06, Chuck Aaron [EMAIL PROTECTED] wrote:
Can anyone tell me how to disable id and pw checking
when entering a specific web site. I'd like to turn
it completely off.
Thanks,
Chuck
Hello All, I have set up an Apache
OpenSSL. However, when I submit a form with https ... the browser (IE,
Netscape..) shows the warning message box asking to accept SSL
anyway... My question is how to disable the warning box (I do not want the
web-users to do anything even if they do not have a valid e-cert
72 matches