Weird diagnostics for short RSA keys #89

Closed
beldmit opened this issue Nov 21, 2019 · 1 comment

beldmit commented Nov 21, 2019

OpenSSL 1.1.1 does not treat 1024-bit RSA certificates as safe for client authentication in SSL by default (@SECLEVEL=2), with diagnostics like

140510343623808:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:

As IO::Socket::SSL tries to load a certificate as PEM, then DER, then PKCS12, when the original certificate is in PEM format, the diagnostic is something about a bad ASN.1 format instead of the valid one.

package IO::Socket::SSL;

our $VERSION = '2.060';
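
The masking described in the report above, modelled over OpenSSL error-queue lines as an added example (Python, not IO::Socket::SSL's own code and not part of the original thread). The `Attempt` record and the function names are hypothetical, and the DER and PKCS12 error lines are constructed samples; only the first line is quoted from the issue.

```python
import re
from typing import NamedTuple, Optional

# OpenSSL 1.1.x error-queue line: [pid:]error:code:library:function:reason:file:line:
ERR_RE = re.compile(r"^(?:\d+:)?error:[0-9A-Fa-f]{8}:(?P<lib>[^:]*):[^:]*:(?P<reason>[^:]*):")

# Libraries whose errors mean "these bytes are not in the encoding being tried".
DECODE_LIBS = {"asn1 encoding routines", "PEM routines", "PKCS12 routines"}

class Attempt(NamedTuple):      # hypothetical record of one load attempt
    fmt: str                    # encoding tried: "PEM", "DER" or "PKCS12"
    error: Optional[str]        # raw error-queue line, None if the load succeeded

def parse(line):
    """Return (library, reason) from an error-queue line, or None if it does not match."""
    m = ERR_RE.match(line.strip())
    return (m["lib"], m["reason"]) if m else None

def describe(fmt, parsed):
    return f"{fmt}: {parsed[1] if parsed else 'unrecognised error'}"

def last_error(attempts):
    """What the issue describes: only the final fallback's failure is reported."""
    failed = [a for a in attempts if a.error]
    return describe(failed[-1].fmt, parse(failed[-1].error)) if failed else None

def best_error(attempts):
    """Prefer a failure raised after decoding succeeded, such as a policy rejection."""
    failed = [(a.fmt, parse(a.error)) for a in attempts if a.error]
    for fmt, parsed in failed:
        if parsed and parsed[0] not in DECODE_LIBS:
            return describe(fmt, parsed)
    # Every attempt failed while decoding: list them all so none is hidden.
    return "; ".join(describe(f, p) for f, p in failed) or None

# First line is the one quoted in the issue; the DER and PKCS12 lines are constructed samples.
ATTEMPTS = [
    Attempt("PEM", "140510343623808:error:140AB18F:SSL routines:SSL_CTX_use_certificate:"
                   "ee key too small:../ssl/ssl_rsa.c:310:"),
    Attempt("DER", "140510343623808:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:"
                   "wrong tag:../crypto/asn1/tasn_dec.c:1149:"),
    Attempt("PKCS12", "140510343623808:error:0D07803A:asn1 encoding routines:"
                      "asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:"),
]

if __name__ == "__main__":
    print("last error reported:", last_error(ATTEMPTS))
    print("most specific error:", best_error(ATTEMPTS))
```
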

Owner

noxxi commented Jan 13, 2020

This is unfortunately not that easy to fix since it might fail for a variety of reasons. I've adjusted at least the error message to include more possible cases why it failed: 5f74d7f

@noxxi noxxi closed this as completed Jan 13, 2020
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Mar 22, 2020
2.067 2020/02/14
- fix memory leak on incomplete handshake
  noxxi/p5-io-socket-ssl#92
  Thanks to olegwtf
- add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers
  This can decrease memory usage at the costs of more allocations
  https://rt.cpan.org/Ticket/Display.html?id=129463
- more detailed error messages when loading of certificate file failed
  noxxi/p5-io-socket-ssl#89
- fix for ip_in_cn == 6 in verify_hostname scheme
  https://rt.cpan.org/Ticket/Display.html?id=131384
- deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- fix warning when no ecdh support is available
- documentation update regarding use of select and TLS 1.3
- various fixes in documentation
  noxxi/p5-io-socket-ssl#91
  noxxi/p5-io-socket-ssl#90
  noxxi/p5-io-socket-ssl#87
  noxxi/p5-io-socket-ssl#81
- stability fix t/core.t

2.066 2019/03/06
- fix test t/verify_partial_chain.t by using the newly exposed function
  can_partial_chain instead of guessing (wrongly) if the functionality is
  available

2.065 2019/03/05
- make sure that Net::SSLeay::CTX_get0_param is defined before using
  X509_V_FLAG_PARTIAL_CHAIN. Net::SSLeay 1.85 defined only the second with
  LibreSSL 2.7.4 but not the first
  https://rt.cpan.org/Ticket/Display.html?id=128716
- prefer AES for server side cipher default since it is usually
  hardware-accelerated

2.064 2019/03/04
- make algorithm for fingerprint optional, i.e. detect based on length of
  fingerprint - https://rt.cpan.org/Ticket/Display.html?id=127773
- fix t/sessions.t and improve stability of t/verify_hostname.t on windows
- use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are set
- update fingerprints for live tests

2.063 2019/03/01
- support for both RSA and ECDSA certificate on same domain
- update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
  then linked against another API-incompatible version (ie. more than just the
  patchlevel differs).

2.062 2019/02/24
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
  OpenSSL (1.1.0+). This makes leaf certificates or intermediate certificates in
  the trust store be usable as full trust anchors too.

2.061 2019/02/23
- Support for TLS 1.3 session reuse. Needs Net::SSLeay 1.86+.
  Note that the previous (and undocumented) API for the session cache has been
  changed.
- Support for multiple curves, automatic setting of curves and setting of
  supported curves in client. Needs Net::SSLeay 1.86+.
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
  client certificates are provided. Thanks to jorton[AT]redhat[DOT]com.
  Needs Net::SSLeay 1.86+.