From ppzgs1 at gmail.com Tue Jan 5 09:42:27 2021 From: ppzgs1 at gmail.com (Paul Dale) Date: Tue, 5 Jan 2021 19:42:27 +1000 Subject: LibreSSL Message-ID: An article about LibreSSL and indirectly OpenSSL: https://lwn.net/SubscriberLink/841664/0ba4265680b9dadf/ Pauli -------------- next part -------------- An HTML attachment was scrubbed... URL: From christian.heinrich at cmlh.id.au Wed Jan 6 22:58:54 2021 From: christian.heinrich at cmlh.id.au (Christian Heinrich) Date: Thu, 7 Jan 2021 09:58:54 +1100 Subject: LibreSSL In-Reply-To: References: Message-ID: Paul, On Wed, 6 Jan 2021 at 04:29, Paul Dale wrote: > An article about LibreSSL and indirectly OpenSSL: > > https://lwn.net/SubscriberLink/841664/0ba4265680b9dadf/ TL;DR "One result of all this work is that Linux distributions have, in general, not shifted away from OpenSSL. Two distributions that did attempt to provide LibreSSL support were Alpine Linux and Gentoo. Alpine Linux supported LibreSSL as its primary TLS library for a while, but switched back to OpenSSL with the 3.9.0 release in January 2019. Gentoo never tried to switch over completely, but it supports LibreSSL as an alternative." https://lwn.net/ml/gentoo-dev/f87e940aed42fa95bd6557a02e4363380b8f1c0a.camel at gentoo.org/ is also relevant to the threads that proposes to refactor the OpenSSL API -- Regards, Christian Heinrich http://cmlh.id.au/contact From openssl at openssl.org Thu Jan 7 14:08:05 2021 From: openssl at openssl.org (OpenSSL) Date: Thu, 7 Jan 2021 14:08:05 +0000 Subject: OpenSSL version 3.0.0-alpha10 published Message-ID: <20210107140805.GA26451@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenSSL version 3.0 alpha 10 released ===================================== OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 10 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha10.tar.gz Size: 14084047 SHA1 checksum: dfeb99f9bdb270d11f723039d07fda1478a31219 SHA256 checksum: b1699acf2148db31f12edf5ebfdf12a92bfd3f0e60538d169710408a3cd3b138 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha10.tar.gz openssl sha256 openssl-3.0.0-alpha10.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/3ESsACgkQ2cTSbQ5g RJErmQgAj74iDsxOIigH87UxtnKLUqZc7ewbyZxM41XK52G/OPAzqSzGlMxhsYit gvN7k+4qHWGuzyP5UGoTnxued/eG3tggUJh/WeuTmZ8DdrdV4C8Mhfb9ZkocDZZj /wCnVGfb4xS5SPVnHU0qqtn0bWrltddjvdAzmuKvzQmyhftH6d/+VyUA9b9oUTkr ygAvJYI6sJ/WBBSbRzONhwO16GKiLi5AzpPTuW9z7ZJS3YdZCCFFCYKPO255To9y 1GgxhGns9VksvN6NR3AFeTKMQyet3Uo2tRmigtRYZvaJDCE4am40zSuhdFmujwMA HFVox7b+u1PJrUdxzOGJe+A+1I0R9A== =yDQs -----END PGP SIGNATURE----- From christian.heinrich at cmlh.id.au Sat Jan 9 21:28:55 2021 From: christian.heinrich at cmlh.id.au (Christian Heinrich) Date: Sun, 10 Jan 2021 08:28:55 +1100 Subject: =?UTF-8?Q?NSA_Releases_=E2=80=9CEliminating_Obsolete_Transport_Layer?= =?UTF-8?Q?_Security_=28TLS=29_Protocol_Configurations=E2=80=9D?= Message-ID: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2462345/nsa-releases-eliminating-obsolete-transport-layer-security-tls-protocol-configu/ -- Regards, Christian Heinrich http://cmlh.id.au/contact From matt at openssl.org Mon Jan 11 10:43:40 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 11 Jan 2021 10:43:40 +0000 Subject: Monthly Status Report (December) Message-ID: <952ea2a0-12a4-1736-480c-060114fb7737@openssl.org> As well as normal reviews, responding to user queries, wiki user requests, OMC business, support customer issues, handling security reports, etc., key activities this month: - PRs to fix the sanitzer CI builds - Fixed no-sock and no-dtls - Incorporated "no-legacy" into run-checker - Fixed no-legacy - Fixed no-tls1_3 - Fixed no-err - Fixed no-dsa - Created patches for, and wrote security advisory for the EDIPARTYNAME security issue - Performed the 1.1.1 and 1.0.2 security release - Fixed typos in EVP_PKEY-DH pod file - Fixed no-threads - Fix to ensure DTLS free functions can handle a "NULL" - PR to fix a crash in muli-threaded applications using the FIPS Module: this introduces a new test which also identified further issues - Fix to cache various digest constants to improve performance - Optimised OPENSSL_init_crypto and additional "atomics" functions Matt From nelsonlogic at icloud.com Mon Jan 11 20:32:42 2021 From: nelsonlogic at icloud.com (Paul Nelson) Date: Mon, 11 Jan 2021 14:32:42 -0600 Subject: Monthly Status Report (December) Message-ID: <971B1962-795A-4AAF-83BC-E0A636BC256F@icloud.com> I participated in a number of meetings: OTC Face-to-Face meetings on 12/8, beginning of meeting on 12/10 FIPS Sponsors meeting on 12/7 I reviewed FIPS documents and set up a place in the otc-private repo for them. The three main documents are the security policy draft, vendor evidence draft and the finite state model. Other documents received from Acumen will be saved here as well. I will take over scheduling of FIPS meetings starting in January. The first meeting is scheduled for Jan 11 with Acumen. I have built OpenSSL 3.0.0 on my Macintosh and have experimented debugging into the FIPS module. I need to understand how the FIPS module will be built by users in the future. Right now, the user just pulls OpenSSL from a repo and builds it, then follows directions for installing the FIPS module. This seems to be only useful for the first release of OpenSSL 3.0.0. There are some inconsistencies in the FIPS documentation in the 3.0.0 master branch, and I will be addressing these in January. I worked on identifying the parts of OpenSSL that are needed to build the FIPS module. There appear to be 351 source files used to build the module including header files. There are 72 header files, 24 assembly language and 6 inc files. There are 208 files in the crypto tree, 103 in the providers tree, 38 in the include tree and 2 in the ssl tree. If we can identify only those issues that require a change to these files, we know what issues affect the FIPS module. This will be difficult but should be possible. I had a number of interactions with support customers, sending invoices. I did not handle this process well and a number of mistakes were made. Mark and I have discussed how to rectify these and I will be able to handle these tasks with much greater care in the future. Paul Nelson -------------- next part -------------- An HTML attachment was scrubbed... URL: From tm at t8m.info Tue Jan 12 13:35:36 2021 From: tm at t8m.info (Tomas Mraz) Date: Tue, 12 Jan 2021 14:35:36 +0100 Subject: OTC VOTE: Keeping API compatibility with missing public key In-Reply-To: <03937e1f3ba1077379ebdec6d7269393655481aa.camel@redhat.com> References: <03937e1f3ba1077379ebdec6d7269393655481aa.camel@redhat.com> Message-ID: This vote is now closed. accepted: yes (for: 8, against: 0, abstained: 0, not voted: 3) Tomas On Fri, 2020-12-04 at 13:45 +0100, Tomas Mraz wrote: > Vote background > --------------- > > The vote on relaxing the conceptual model in regards to required > public > component for EVP_PKEY has passed with the following text: > > For 3.0 EVP_PKEY keys, the OTC accepts the following resolution: > * relax the conceptual model to allow private keys to exist without > public components; > * all implementations apart from EC require the public component to > be > present; > * relax implementation for EC key management to allow private keys > that > do not contain public keys and > * our decoders unconditionally generate the public key (where > possible). > > However since then the issue 13506 [1] was reported. > > During OTC meeting we concluded that we might need to relax also > other > public key algorithm implementations to allow private keys without > public component. > > Vote > ---- > > topic: For 3.0 EVP_PKEY keys all algorithm implementations that were > usable > with 1.1.1 EVP_PKEY API or low level APIs without public > component must > stay usable. > > This overrules the > * all implementations apart from EC require the public > component to be present; > part of the vote closed on 2020-11-17. > > Proposed by Tomas Mraz > Public: yes > opened: 2020-12-04 > > Tomas Mraz > > -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From jasnell at gmail.com Wed Jan 13 01:07:17 2021 From: jasnell at gmail.com (James M Snell) Date: Tue, 12 Jan 2021 17:07:17 -0800 Subject: Revisiting quic api support Message-ID: Hello OMC, I wanted to write to ask if the OMC would be willing to revisit the hold on the quic support contributed in https://github.com/openssl/openssl/pull/8797 . Not having this functionality in a supported openssl release is causing delays in delivering support for the quic protocol in node.js and other platforms. - James -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl at openssl.org Thu Jan 28 13:28:52 2021 From: openssl at openssl.org (OpenSSL) Date: Thu, 28 Jan 2021 13:28:52 +0000 Subject: OpenSSL version 3.0.0-alpha11 published Message-ID: <20210128132852.GA11091@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 OpenSSL version 3.0 alpha 11 released ===================================== OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 11 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha11.tar.gz Size: 14104901 SHA1 checksum: 7c934bab3e310884e97b0f4a53dfe9fb3d97bb76 SHA256 checksum: 2a18f18df6a7ba33cfcc423b77d93990bf70939c06aa2b599b1eabf6e222ea74 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha11.tar.gz openssl sha256 openssl-3.0.0-alpha11.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmASt0cACgkQ1enkP335 7ozLXA/9FQJ01swsFc5qzW0+Bn7vu2B4qykmyKhQURuyvR7BAbtiUaRIjaJf9sgY ah1Rx8Pik8ff4BEnCnPfK2CEo0M1T4A8V94Liqico0JAYabUUMa3rAoy6muQnsMh 0CKdYSKcptWZL9zNEKAuB0WUmAFnaT5fS01/STpsjfb8zfS5YQCSAOZ0UZbjxFM2 Qpx7xxNYBJcaspu6xKcWm+c2nyRBh1eB8kTDtK1s54TVdCRLLO+zFYHZXH0mOdww N+obyMk+GmD0tylSCMEHuXZzEfYO8fNjTL5gbnmlapdVpxk7vDCkTSiD0cT+dMlU zZMpXWoVLSTQKlbQuozPAt3Crz2fmmij2+SZRxVKWBbVvmlEqAsFarvNhzuR0T8o NrtKpKDHc2zEMXfeuRd9Wed/cxxiUe/nRjeh7kQ3K0eSciq0Cc2fSLGGZ/OihWQj QnGE8a31NPXZnqaugiUktS0xK4lDSvObtSch7hkMbRd/2r7tPoa+iwWlQ1ZVXck9 ZH39sFtX56dbjzVp2d5jqls76O2A8oON4kvW+Q8TPa8uHvojb2ulgvPZcB+SurRE sRYUzexVVZubMx1xvUIguDtsPeR0etVdWaRvLMYnoeMlfeb/DXR/7xGFvxLIjoEx TKNGgLSRxdZlnkRyyUWukH9VQLqGmf8DZC+nF1DAkyyjPjJu0XM= =m6RZ -----END PGP SIGNATURE----- From pauli at openssl.org Sun Jan 31 21:27:43 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Mon, 1 Feb 2021 07:27:43 +1000 Subject: Change of scenery Message-ID: Letting people know that I'm starting as an OpenSSL fellow today. I'm looking forward to working as part of the team and I'll be able to fully devote my efforts to the benefit of the project. Dr Paul Dale