Tomáš Mráz

icon company @openssl icon location Software Developer at OpenSSL Software Foundation

Results 1511 comments of Tomáš Mráz

APPS: simplify `x509` cert generation; allow pubkey input options to read private key

@tmshort please reconfirm

`CMS_decrypt*()`: fix misconceptions and memory leak

I do not think this will cherry-pick cleanly to 3.0 branch.

Don't try to re-read data unless SSL_MODE_AUTO_RETRY is on

Needs rebase

Openssl1.0.0 or openssl1.0.2 no-tls1 when configuring, an error occurs when compiling

It removes the protocol version support, not necessarily any cipher suites. I.E., you will not be able to use TLS version 1.0 or 1.1.

OpenSSL-1.1.1: OpenSSL server sends only the host certificate from the certificate chain during the handshake

There is a `-cert_chain` option that should be used for the certificate chain. I am not sure why your use-case worked with 1.0.2 though.

OpenSSL-1.1.1: OpenSSL server sends only the host certificate from the certificate chain during the handshake

The SSL_CTX_set1_chain() sets stack of X509 certs as the chain for the server.

OpenSSL-1.1.1: OpenSSL server sends only the host certificate from the certificate chain during the handshake

No, SSL_CTX_set1_chain sets the chain in sk to the SSL_CTX ctx.

Find config, modules, engine, certs etc based on installed paths

I am afraid this is potentially asking for security issues. It would have to be implemented very carefully.

openssl:PKCS7_signatureVerify should call 'DigestVerify'

CI is relevant

OpenSSL legacy provider failed to load

I'd suggest reporting this to nmap. It looks like a nmap bug. There are no providers in OpenSSL 1.1.1.