#cryptography-dev

/

      • __Yiota joined the channel
      • __Yiota has quit
      • __Yiota joined the channel
      • __Yiota has quit
      • Crys has quit
      • Antoxyde has quit
      • __Yiota joined the channel
      • __Yiota has quit
      • __Yiota joined the channel
      • NOTICE: [cryptography] alex closed pull request #3866: add test vector with invalid basicconstraints (master...vector-wosign) https://git.io/v7dii
      • NOTICE: [cryptography] alex pushed 1 new commit to master: https://git.io/v7bO3
      • NOTICE: cryptography/master 64dc16b Paul Kehrer: add test vector with invalid basicconstraints (#3866)...
      • __Yiota has quit
      • NOTICE: pyca/cryptography#10821 (master - 64dc16b : Paul Kehrer): The build passed.
      • NOTICE: Change view : https://github.com/pyca/cryptography/compare/7c8ed9e306c4...64dc16b9f91a
      • NOTICE: Build details : https://travis-ci.org/pyca/cryptography/builds/264970837
      • skibumdreamer joined the channel
      • __Yiota joined the channel
      • __Yiota has quit
      • CheckDavid joined the channel
      • Crys joined the channel
      • pyn^ joined the channel
      • pyn has quit
      • Antoxyde joined the channel
      • CheckDavid joined the channel
      • indistylo joined the channel
      • itsme joined the channel
      • indistylo joined the channel
      • CheckDavid has quit
      • __Yiota joined the channel
      • __Yiota has quit
      • skibumdreamer has quit
      • CheckDavid joined the channel
      • indistylo has quit
      • __Yiota joined the channel
      • Alex_Gaynor
      • reaperhulk
        yeah I read through it the other day
      • the chained DRBG thing is interesting
      • Alex_Gaynor
        reaperhulk: So, is this enough that we should stop using our own thing on 1.1.1?
      • reaperhulk
        My biggest question is what happens on fork now, but I haven't looked at the actual code
      • I would say yes if it reseeds on fork
      • (but we'll need to retain our old one until we drop <= 1.1.0 obviously)
      • Alex_Gaynor
        reaperhulk: so forever.
      • ;-)
      • reaperhulk: I ping'd rich
      • reaperhulk
        heh
      • in the 3.5 years since we released this project we managed to drop 0.9.8 and 1.0.0 ;)
      • but 1.0.1 is probably still a year or more away and 1.0.2 probably like...4 or 5 ugh
      • Alex_Gaynor
        Speaking of forcing everyone to get a version of pip that lets me not care about system OpenSSL...
      • How are you feeling about the "drop mega-old pips" PR?
      • Literally no one replied to my mailing list post.
      • reaperhulk
        I saw that
      • Alex_Gaynor
        heh
      • reaperhulk
        although the people most likely to be negatively affected are the least likely to notice anything we say until after we break them
      • I am probably going to merge it though
      • we'll just need to be ready to back it out if it causes a significant uptick in issues
      • I wish the error pip throws in this case was more useful
      • Alex_Gaynor
        It'll be obscure, but also easily workaroundable, they'll just not have those deps install, which can be fixed manually easily.
      • __Yiota has quit
      • NOTICE: [cryptography] alex opened issue #3867: Once OpenSSL 1.1.1 comes out - don't use our custom ENGINE on it https://git.io/v7NWH
      • __Yiota joined the channel
      • __Yiota has quit
      • Crys
        Alex_Gaynor / reaperhulk: OpenSSL uses pthread_atfork(). Client handler calls rand_fork() which simply increments a global counter.
      • Alex_Gaynor
        Crys: And it's apparently not enabled by default -- I talked to Rich and he encouraged me to send an email to openssl-dev to see about changing that.
      • Crys
        It's not? oh
      • Alex_Gaynor: oh, it's even worse. I'm getting the same RNG value in every child.
      • Alex_Gaynor
        Crys: did you enable the AT_FORK handler?
      • OPENSSL_init_crypto(OPENSSL_INIT_ATFORK, <I don't know what you pass here>)
      • Crys
        Alex_Gaynor: I've compiled a test program against git master (./config && make).
      • Alex_Gaynor
        `OPENSSL_init_crypto(OPENSSL_INIT_ATFORK, NULL)` can you add that and let me know if it works
      • Crys
        one it
      • one sec
      • openssl_rng.c:62:25: error: ‘OPENSSL_INIT_ATFORK’ undeclared (first use in this function); did you mean ‘OPENSSL_INIT_SETTINGS’?
      • mh
      • ah, I forgot a header.
      • Alex_Gaynor
        `#include <openssll/crypto.h>`
      • but spell things right
      • Crys
        That fixes both issues: PID wrap around bug and constant PID in every fork.
      • Alex_Gaynor
        Cool, so we just need to make OPENSSL_INIT_ATFORK a default and we're good!
      • Crys
      • Alex_Gaynor: +1
      • Crys is off, dinner time
      • Alex_Gaynor: +1 for safe and sane defaults
      • Alex_Gaynor
        Crys: amen