Tomáš Mráz

Could we add `enable-ec_nistp_64_gcc_128` to one of the big endian targets in .github/workflows/cross-compiles.yml ? Or even add a new target? Perhaps s390x build would be the one? Or we could...

@dannytsen Any chance of taking over this work?

This is a fairly thorough rewrite. Have you tested that it still works?

@slontis @vdukhovni @levitte might have some opinions I think.

@shahsb It looks like at least some of your comments are AI generated. Could you please mark all your future comments that are AI generated so that AI use is...

> **Important Security Implication:** During decryption, plaintext must not be output until the HMAC is verified in EVP_Final() (to prevent unauthenticated data exposure). > > **Recommendation:** Explicitly document/verify that decrypted...

It is also enabled if conf_diagnostics is set in the config file. But yeah, enabling it by default would probably make some sense.

> 1. here should be `release` instead of `relaxed`: > https://github.com/openssl/openssl/blob/6afaa3f41f5b65432b6700064b077032b9e0c625/include/internal/refcount.h#L51 > > > Example of issue: [ClickHouse@10e427e](https://github.com/ClickHouse/openssl/commit/10e427ee32cf74bc2d1e4945c57e3d518c737e12) > > But tsan [doesn't work with such fences](https://github.com/google/sanitizers/issues/1415), so for tsan...

If they are observing TSAN errors with the current code it might mean they are not using the refcounted objects correctly. I.e., once you start using an object across multiple...

The problem is these tsan errors might indicate a bug in how Poco uses OpenSSL.