Re: How to disable renegation before compiling openssl

* Sorry for being unclear, the goal would be to just not send the SCSV value in the ClientHello. Why?

Re: How to disable renegation before compiling openssl

Thanks for you reply Ben! Sorry for being unclear, the goal would be to just not send the SCSV value in the ClientHello. -Mark Am Di., 21. Apr. 2020 um 22:06 Uhr schrieb Benjamin Kaduk : > On Tue, Apr 21, 2020 at 09:57:02PM +0200, Mark Windshield wrote: > > Hello, > > > > I was wondering what

Re: How to disable renegation before compiling openssl

On Tue, Apr 21, 2020 at 09:57:02PM +0200, Mark Windshield wrote: > Hello, > > I was wondering what I'd have to change in the openssl code/config before > compiling to have renegation disabled by default, so it won't send the > Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) when using

How to disable renegation before compiling openssl

Hello, I was wondering what I'd have to change in the openssl code/config before compiling to have renegation disabled by default, so it won't send the Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) when using curl. Thanks!

RE: How to disable tls 1.0 and tls 1.1

l 12, 2019 9:21 PM To: Chethan Kumar ; openssl-users@openssl.org Subject: Re: How to disable tls 1.0 and tls 1.1 On 12/04/2019 15:50, Chethan Kumar wrote: > Thank to both Hubert Kario and Matt Caswell for your valuable information. > This group has helped a lot in gaining many insight

Re: How to disable tls 1.0 and tls 1.1

openssl-users-boun...@openssl.org] On Behalf Of > Matt Caswell > Sent: Friday, April 12, 2019 7:28 PM > To: openssl-users@openssl.org > Subject: Re: How to disable tls 1.0 and tls 1.1 > > > > On 12/04/2019 14:37, Chethan Kumar wrote: >>> Please note that curl develope

RE: How to disable tls 1.0 and tls 1.1

nssl-users@openssl.org Subject: Re: How to disable tls 1.0 and tls 1.1 On 12/04/2019 14:37, Chethan Kumar wrote: >> Please note that curl developers have recently changed the meaning of those >> options, please check if they do what you expect them to do by inspecting >>

Re: How to disable tls 1.0 and tls 1.1

On 12/04/2019 14:37, Chethan Kumar wrote: >> Please note that curl developers have recently changed the meaning of those >> options, please check if they do what you expect them to do by inspecting >> the curl man page. > Thanks for the information. I understood it. > I also used openssl

Re: How to disable tls 1.0 and tls 1.1

e is any other way to disable TLSv1.0 and TLS1.1 sorry, I'm not familiar with openssl compilation configuration to say if this is expected and correct behaviour > Thanks in advance, > Chethan Kumar > -Original Message- > From: Hubert Kario [mailto:hka...@redhat.com] > Sent: Friday, A

RE: How to disable tls 1.0 and tls 1.1

-Original Message- From: Hubert Kario [mailto:hka...@redhat.com] Sent: Friday, April 12, 2019 6:11 PM To: Chethan Kumar Cc: openssl-users@openssl.org Subject: Re: How to disable tls 1.0 and tls 1.1 On Friday, 12 April 2019 13:54:24 CEST Chethan Kumar wrote: > >what evidence you have that

Re: How to disable tls 1.0 and tls 1.1

l Message- > From: Hubert Kario [mailto:hka...@redhat.com] > Sent: Friday, April 12, 2019 4:50 PM > To: Chethan Kumar > Cc: openssl-users@openssl.org > Subject: Re: How to disable tls 1.0 and tls 1.1 > > On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote: >

RE: How to disable tls 1.0 and tls 1.1

l Message- From: Hubert Kario [mailto:hka...@redhat.com] Sent: Friday, April 12, 2019 4:50 PM To: Chethan Kumar Cc: openssl-users@openssl.org Subject: Re: How to disable tls 1.0 and tls 1.1 On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote: > > there is no "min"

Re: How to disable tls 1.0 and tls 1.1

receiving ServerHello that is: when SSL_CTX_set_min_proto_version is set to tls 1.2, SSL_CTX_set_max_proto_version si set to tls 1.3 and the server replies with ServerHello.version of (3, 2) i.e. TLS 1.1 the client will abort the connection > I would like to know how to disable TLSv1.0 and 1.1 using configu

RE: How to disable tls 1.0 and tls 1.1

in_proto_version() and SSL_CTX_set_max_proto_version() introduced in 1.1.X along with SSL_CTX_set_options(). I would like to know how to disable TLSv1.0 and 1.1 using configure option[CONFOPTS] in Makefile. Thanks in advance, Chethan Kumar -Original Message- From: Hubert Kario [mailto:hka...@redhat.com] Sent: Thursday

Re: How to disable tls 1.0 and tls 1.1

t TLS 1.1 and see if your production compile can connect > Thanks in advance, > Chethan Kumar > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Chethan Kumar Sent: Thursday, April 11, 2019 4:25 PM > To: openssl-users@openssl.org > Subject: Ho

RE: How to disable tls 1.0 and tls 1.1

: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Chethan Kumar Sent: Thursday, April 11, 2019 4:25 PM To: openssl-users@openssl.org Subject: How to disable tls 1.0 and tls 1.1 Dear all, Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling openssl

How to disable tls 1.0 and tls 1.1

Dear all, Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling openssl package. I am using 1.0.2n openssl version and disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. I also have a doubt on difference between -DSSL_OP_NO_SSLv2

Re: How to disable TLS 1.3 in OpenSSL 1.1.1

> On Mar 21, 2019, at 2:14 AM, Hal Murray wrote: > >> Can I set any flags while building openssl 1.1.1 to disable TLS 1.3 or can >> i get any package from ubuntu to disable TLS 1.3 ? > > You can do it at run time using SSL_set_max_proto_version It can also be set in the system-wide default

Re: How to disable TLS 1.3 in OpenSSL 1.1.1

> But I want to use TLS 1.2 only for my application with curl 7.58 in Ubuntu > 18.04. So while using openssl 1.1.1 how to disable default TLS 1.3 and how > to enable TLS 1.2? Just curious. Why do you want to disable TLS 1.3? It will automagically use 1.2 if that's all the other end

How to disable TLS 1.3 in OpenSSL 1.1.1

I have updated my openssl from 1.1.0 to 1.1.1 recently. Openssl 1.1.1 version supports TLS1.3 feature. But I want to use TLS 1.2 only for my application with curl 7.58 in Ubuntu 18.04. So while using openssl 1.1.1 how to disable default TLS 1.3 and how to enable TLS 1.2? Can I set any flags

Re: [openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

On 02/12/2018 22:13, Viktor Dukhovni wrote: > > [ While I could ask off-list, or RTFS, someone else might have the > same question later, so might as well ask on-list. ] > > Postfix added support for ECDHE ciphers long ago, back when OpenSSL > 1.0.0 was shiny and new, and the server-side

[openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

[ While I could ask off-list, or RTFS, someone else might have the same question later, so might as well ask on-list. ] Postfix added support for ECDHE ciphers long ago, back when OpenSSL 1.0.0 was shiny and new, and the server-side ECDHE support was enabled by specifying a single preferred

Re: [openssl-users] OpenSSL 1.1+: How to disable building of Manpages etc.?

On Sat, Jul 22, 2017 at 2:37 PM, Oliver Niebuhr wrote: > Hi. > > I searched the Web and checked the Configure File. Am I blind or is > there really no Parameter to disable the creation of the Documentation? > > As I also test the Qt Framework, I often recompile

[openssl-users] OpenSSL 1.1+: How to disable building of Manpages etc.?

Hi. I searched the Web and checked the Configure File. Am I blind or is there really no Parameter to disable the creation of the Documentation? As I also test the Qt Framework, I often recompile OpenSSL. You are right, building the Docs will only take 2 Minutes - but it sums up to countless

Re: [openssl-users] How to disable the DTLS stuff in openssl 1.0.2k

On 06/02/17 09:58, Devang Kubavat wrote: > Hi, > I am trying to configure the OpenSSL 1.0.2k for windows. > Can anyone help me How to disable the DTLS? I guess this email got stuck somewhere because I only just got this. See my answer to this on your stackoverflow questio

[openssl-users] How to disable the DTLS stuff in openssl 1.0.2k

Hi, I am trying to configure the OpenSSL 1.0.2k for windows. Can anyone help me How to disable the DTLS? Best Regards, Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How to disable SSL session resumption completelly?

On Mon, Sep 12, 2016 at 05:35:06PM +0300, Andrey Kulikov wrote: > I'm using OpenSSL 1.0.2g > In my client I would like to disable SSL session resumption completely (for > test purposes). The odd thing is that on the client side, nothing in OpenSSL does resumption by default, because OpenSSL does

[openssl-users] How to disable SSL session resumption completelly?

in traffic capture - is that my client always do session reuse with sending non-empty session ID. And server does accept it. How can I disable SSL session resumption completely? More expanded code snippet: SSL_CTX *ctx = NULL; ctx = SSL_CTX_new(SSLv23_client_method())) SSL_CTX_set_session_cache_mode

[openssl-users] How to disable DSO support at runtime?

We can disable DSO support at configure time with 'no-dso'. But its not clear to me how to explicitly disable the feature at runtime if the platform/distro provided the OpenSSL libraries (and they were enabled). I took a look at config(5), but that's more for configuration files, and less

Re: [openssl-users] How to disable all EXPORT Ciphers?

On Tue, Mar 10, 2015 at 08:44:57AM +, Christian Georg wrote: I understand that the downgrading of the ciphersuites is a bug in the library that should be patched. Doing this can however be dificult when talking about mobile apps that use OS Libraries. From my understanding the bug only

Re: [openssl-users] How to disable all EXPORT Ciphers?

, 2015 06:53 To: openssl-users@openssl.org Subject: Re: [openssl-users] How to disable all EXPORT Ciphers? On Tue, Mar 10, 2015 at 08:44:57AM +, Christian Georg wrote: I understand that the downgrading of the ciphersuites is a bug in the library that should be patched. Doing this can however

Re: [openssl-users] How to disable all EXPORT Ciphers?

From: openssl-users On Behalf Of Viktor Dukhovni Sent: Monday, March 09, 2015 12:47 On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote: kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024? You only need

Re: [openssl-users] How to disable all EXPORT Ciphers?

...@openssl.org] Im Auftrag von Viktor Dukhovni Gesendet: Montag, 9. März 2015 17:47 An: openssl-users@openssl.org Betreff: Re: [openssl-users] How to disable all EXPORT Ciphers? On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote: How to I disable all EXPORT Ciphers from OpenSSL? Will the use of string

Re: [openssl-users] How to disable all EXPORT Ciphers?

How to I disable all EXPORT Ciphers from OpenSSL? Will the use of string kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH ; openssl ciphers -v kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH | grep EXP ; Yes. But really, SSLv2? Really? You have clients that haven't been

Re: [openssl-users] How to disable all EXPORT Ciphers?

On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote: How to I disable all EXPORT Ciphers from OpenSSL? Will the use of string kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024? Note that doing so does

[openssl-users] How to disable all EXPORT Ciphers?

Hi, How to I disable all EXPORT Ciphers from OpenSSL? Will the use of string kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024? Thank you, Deepak ___ openssl-users mailing

Re: how to disable

On 2/28/2013 6:27 PM, Chaim | Sz Studios wrote: BH Hi All, I'm trying to pass a pci scan, I'm on Ubuntu 12.04 lts server and Nginx. I've tried everything I know and did a lot of research... apparently seems that need to disable a setting in OpenSSL which I can't find how to do. This is the

how to disable

BH Hi All, I'm trying to pass a pci scan, I'm on Ubuntu 12.04 lts server and Nginx. I've tried everything I know and did a lot of research... apparently seems that need to disable a setting in OpenSSL which I can't find how to do. This is the result of the scan: SSL/TLS Protocol Initialization

How to disable weak/export ciphers

in internet are all about how to disable them with other SW, like apache. Could anyone please help me on this point? Best Regards _ Sheng Liang

How to disable non-FIPS approved algorithms - DH and RAND_bytes?

Hi, I have an application which uses RSA or Diffie Hellman (DH) algorithms for key exchange and RAND_seed and RAND_bytes to generate pseudo random number. Now, I have added FIPS_mode_set(1) to enable FIPS. As per openSSL-fips security policy document, my expectation is DH and RAND_seed and

Re: How to disable non-FIPS approved algorithms - DH and RAND_bytes?

On Mon, Jan 23, 2012, Vimol Kshetrimayum wrote: Hi, I have an application which uses RSA or Diffie Hellman (DH) algorithms for key exchange and RAND_seed and RAND_bytes to generate pseudo random number. Now, I have added FIPS_mode_set(1) to enable FIPS. As per openSSL-fips security

Re: How to disable non-FIPS approved algorithms - DH and RAND_bytes?

Thanks Steve. So, that means, I don't need to add FIPS_rand_* function. For DH key exchange algorithm, do I need to explicitly disable calling of DH function in my code if it is in FIPS? Or is there any DH algorithms loading issue in openssl-fips-1.2 that I am consuming? Thanks, ~Vimol On Mon,

how to disable theCRL check and time check in X509_verify_cert() api..?

can any one tell me how to remove the crl revocation check and Expiry check. i want to validate the signature of the certificate alone no CRL or Expiry check. any flag i need to set -- View this message in context: http://old.nabble.com/how-to-disable-theCRL-check-and-time-check

RE: How to disable SSL/TLS Renegotiation

not an openssl expert, so please don't assume that all I have said above is proven. Regards Alon From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Yan, Bob Sent: Tuesday, March 08, 2011 1:07 AM To: openssl-users@openssl.org Subject: How to disable SSL/TLS

How to disable SSL/TLS Renegotiation

I have two questions regarding to SSL/TLS Renegotiation: 1) Can SSL/TLS Renegotiation happen automatically during the normal SSL_read and SSL_write operation on a SSL connection? Basically if the application doesn't invoke the SSL_renegotiate function, can SSL/TLS Renegotiation still happen

Re: How to disable index and serial?

On Wed, Jan 12, 2011 at 3:40 PM, Mark H. Wood mw...@iupui.edu wrote: On Tue, Jan 11, 2011 at 05:39:19PM +0100, Fredrik Strömberg wrote: Hello Patrick, Thank you for your email. I somehow managed to miss the word mandatory in the manual. I guess there´s nothing else for me to do than code a

Re: [openssl-users] Re: How to disable index and serial?

Ah. I did not understand that referenced by browser vendors meant we were talking about inclusion in their canned trust stores. Thanks, both of you. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart.

Re: [openssl-users] Re: How to disable index and serial?

On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote: In order to be referenced by browser vendors (Opera comes to mind, and I think Mozilla will require this), the serial number MUST be random (or at least *appear* random from the outside). Oh, now I'm curious. How do they test the

Re: How to disable index and serial?

On Tue, Jan 11, 2011 at 05:39:19PM +0100, Fredrik Strömberg wrote: Hello Patrick, Thank you for your email. I somehow managed to miss the word mandatory in the manual. I guess there´s nothing else for me to do than code a file lock. I need to run multiple openssl instances, and openssl

Re: [openssl-users] Re: How to disable index and serial?

Hodie pr. Id. Ian. MMXI, Mark H. Wood scripsit: On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote: In order to be referenced by browser vendors (Opera comes to mind, and I think Mozilla will require this), the serial number MUST be random (or at least *appear* random from the

Re: [openssl-users] Re: How to disable index and serial?

On 1/12/2011 6:48 AM, Mark H. Wood wrote: Oh, now I'm curious. How do they test the randomness of a single sample? 1 is every bit as random (or nonrandom) as 0xdcb4a459f014617692d112f0942c89cb. They don't validate the number itself, they validatet hat the method by which the number was

How to disable index and serial?

Hello, I want to sign a certificate without using the index or serial files. Can someone tell me how to disable them? Not using -config makes openssl use the compiled default, and using my own while commenting out database and serial gives me the error variable lookup failed for CA_default

RE: How to disable index and serial?

Hi Frederik, -Original Message- From: Fredrik Strömberg I want to sign a certificate without using the index or serial files. Can someone tell me how to disable them? you can't. But why would you care about openssl internals? Just generate your certificates and fine. Not using

Re: How to disable index and serial?

On Tue, Jan 11, 2011 at 4:40 PM, Eisenacher, Patrick patrick.eisenac...@bdr.de wrote: Hi Frederik, -Original Message- From: Fredrik Strömberg I want to sign a certificate without using the index or serial files. Can someone tell me how to disable them? you can't. But why would you

Re: How to disable index and serial?

Fredrik Strömberg a écrit : Hello, I want to sign a certificate without using the index or serial files. Can someone tell me how to disable them? Not using -config makes openssl use the compiled default, and using my own while commenting out database and serial gives me the error variable

Re: How to disable index and serial?

On 1/11/2011 7:02 AM, Fredrik Strömberg wrote: (For the curious: I don´t need serial because I only identify with CN, and I don´t need a database because I will never revoke any certificates.) The problem is, everybody else identifies by serial. So unless you don't plan to interoperate with

Re: How to disable index and serial?

On 01/11/2011 05:50 PM, Dominique Lohez wrote: Fredrik Strömberg a écrit : Hello, I want to sign a certificate without using the index or serial files. Can someone tell me how to disable them? by using the command x509 and not ca for example. you can use a serial number based on a date

Re: [openssl-users] Re: How to disable index and serial?

Hodie III Id. Ian. MMXI, Peter Sylvester scripsit: by using the command x509 and not ca for example. you can use a serial number based on a date seconds plus processid for example) to guarantee uniqueness. More on this. A serial number MUST be unique (by X.509 design), and SHOULD be random

Re: How to disable compression?

Ramaswamy BM wrote: Try this SSL_CTX * tls_ctx; STACK_OF(SSL_COMP)* compression ; compression = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(compression); It should disable the compression support for !! You can also use below API accordingly to enable/disable

Re: How to disable compression?

Try this SSL_CTX * tls_ctx; STACK_OF(SSL_COMP)* compression ; compression = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(compression); It should disable the compression support for !! You can also use below API accordingly to enable/disable required

Re: How to disable compression?

On Tue, Dec 14, 2010 at 06:20:54PM +1100, Corin Lawson wrote: Hi All, Is it possible to establish an SSL connection with no compression? How? OpenSSL 1.0.0 provides a new option that can be set via SSL_CTX_set_options() or SSL_set_options(). SSL_OP_NO_COMPRESSION While I'm at it, is

How to disable compression?

Hi All, Is it possible to establish an SSL connection with no compression? How? While I'm at it, is it possible to use no encryption? I.e. I only want SSL to authenticate/verify identity (handshake). Cheers, Corin. __

答复: [FWD] How to disable SSL

[mailto:owner-openssl-us...@openssl. org] 代表 Lutz Jaenicke 发送时间: 2009年3月25日 17:43 收件人: openssl-users@openssl.org 抄送: Victor Yepez 主题: [FWD] How to disable SSL Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Victor Yepez yepez.vic...@gmail.com

[FWD] How to disable SSL

Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Victor Yepez yepez.vic...@gmail.com - Date: Tue, 24 Mar 2009 17:31:55 -0430 From: Victor Yepez yepez.vic...@gmail.com Subject: How to disable SSL To: r...@openssl.org User-Agent

Re: [FWD] How to disable SSL

...@gmail.com Subject: How to disable SSL To: r...@openssl.org User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) Hello guys, I really appreciate your help in the following issue: One of our customers has installed Solaris 10 on his SUN machine. Solaris 10 has installed open SSL and our

How to disable DNS certificate check?

for your help. Regards, Alain -- View this message in context: http://www.nabble.com/How-to-disable-DNS-certificate-check--tp19367130p19367130.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL

Re: How to disable DNS certificate check?

philipina wrote: Hello, I'm using an application (that I could recompile) which is using OpenSSL. My problem is that for some computers I have an internet access but no DNS server. In this case I configure the application to connect to https://xxx.xxx.xxx.xxx (ip address) instead of

RE: How to disable DNS certificate check?

Hello, I'm using an application (that I could recompile) which is using OpenSSL. My problem is that for some computers I have an internet access but no DNS server. In this case I configure the application to connect to https://xxx.xxx.xxx.xxx (ip address) instead of

how to disable reverse-lookups with openssl

Hello, How can I configure openssl to not do reverse lookups on client connections on my RHEL system running the distribution apache? Red Hat Enterprise Linux ES release 4 (Nahant Update 6) OpenSSL 0.9.7a Feb 19 2003 I've noticed that even with HostnameLookups set to off, connections to

How to disable id and password check

Can anyone tell me how to disable id and pw checking when entering a specific web site. I'd like to turn it completely off. Thanks, Chuck Mark wrote: my last mail seem to be lost somewhere.. I got it! Hi all, Im testing an SSL server with s_client. I want to implement client

Re: How to disable id and password check

This is an Apache query, not an OpenSSL query. Please ask on the apache-users mailing list. -Kyle On 1/10/06, Chuck Aaron [EMAIL PROTECTED] wrote: Can anyone tell me how to disable id and pw checking when entering a specific web site. I'd like to turn it completely off. Thanks, Chuck

How to disable the wraning message box from browser?

Hello All,I have setup up a apache OpenSSLHowever When I submit a form with https ...The browser (IE, Netscaoe..) show the warming message box ask to acceptSSL anyway...My question is How to disable the warming box (I donot want the web-users doanything even they donothave a valid e-cert