I've been working to update Dynamic C 10's TLS (the protocol formerly
known as SSL) implementation from 1.0 to 1.2, and feel that it's ready for
testing if anyone is interested. Modern web browsers will refuse to connect to
Rabbit products with the TLS 1.0 implementation, hence the push to support 1.2.
Along the way, I removed support for protocols and ciphers now considered
insecure.
I've pasted the draft release notes to the end of this email, and you can
find the beta code on GitHub:
https://github.com/digidotcom/DCRabbit_10/tree/feature-tls1.2
If you haven't already worked with the GitHub repository, be sure to follow
the instructions in the README on how to link a Dynamic C installation to the
repository so you can pull updates. If you are an inexperienced Git user,
please make sure your Dynamic C directory is backed up, especially if
you've made modifications to any of the files. I always recommend keeping
your project files outside of the Dynamic C directory.
I have done some testing of HTTP server code (i.e., HTTPS), along with HTTP,
SMTP and POP client code. I've run some OpenSSL scripts against the HTTP
server to confirm correct operation (and an ability to handle large cipher lists
in the Client Hello).
All testing has been with RSA certificates and not pre-shared keys (PSK
mode).
If you are using PSK or some other uncommon TLS configuration, but don't
have time to test the new release yourself, please email me with some details of
how you've used TLS and I'll try to test that functionality myself.
Note that the update only supports the TLS 1.2 protocol, and cannot negotiate a
TLS 1.1 or TLS 1.0 connection. This should make it more secure, but could cause
problems with legacy web browsers that don't support TLS 1.2.
If you know of any TLS bugs (or even non-TLS bugs) present in 10.72, please let
me know so I can ensure that they're addressed in an upcoming release.
Please open issues on GitHub for tracking purposes, but feel free to email bug
reports if that's your preference.
-Tom
ReleaseNotes_TLS1.2.txt:
Dynamic C 10.72A includes an update from TLS 1.0 to 1.2. This document
summarizes the impact this may have on your programs, and calls out
changes to "Dynamic C TCP/IP Users Manual, Volume 3: Security".
http://ftp1.digi.com/support/documentation/90001160_a.pdf
This document assumes your program was already working with Dynamic C
10.72 before attempting an upgrade to 10.72A. SSL/TLS support has
changed with various Dynamic C releases, please test with 10.72 before
upgrading in order to isolate potential failures.
With TLS 1.2, Dynamic C 10.72A:
- Is compatible with modern web browsers.
- Removes support for insecure SSLv2, SSLv3 and TLS 1.0 protocols.
- Removes support for insecure RC4 cipher and MD5 digest.
- Automatically enables required AES128_CBC cipher.
- Adds optional AES256_CBC cipher, SHA256 digests, and support for
SHA256 signatures in X.509 (TLS/SSL) certificates.
Readers interested in the technical details of the switch from TLS 1.0
to TLS 1.2 might want to read section 1.1 of RFC4346 and section 1.2
of RFC5246, which document the differences between TLS 1.0/1.1 and
TLS 1.1/1.2 respectively.
https://tools.ietf.org/html/rfc4346#section-1.1
https://tools.ietf.org/html/rfc5246#section-1.2
Macros used to configure TLS 1.2 (in addition to existing
documentation):
TLS_VERBOSE: Define to see debugging information dumped to STDOUT that
may help in troubleshooting or reporting connectivity issues. Be
sure to disable this in production firmware.
SSL_USE_AES256: Define to enable 256-bit versions of the AES128_CBC
ciphersuites (in addition to AES128_CBC which is always required).
SSL_USE_PSK: Define to use pre-shared keys for authentication.
SSL_DONT_USE_RSA: Define to disable support for RSA certificates (you
must then define SSL_USE_PSK to use pre-shared keys instead).
MP_SIZE: The default value of 130 only allows for 1024-bit RSA keys.
Most certificates are using 2048-bit keys (#define MP_SIZE 258) and
4096-bit keys will only become more common (#define MP_SIZE 514).
SSL_DISABLE_LEGACY_DCC: If you aren't using the ".dcc" filetype, you
can define this macro to reduce code size.
SSL_DISABLE_USERBLOCK: If you aren't storing certificates in the
UserBlock, you can define this macro to reduce code size.
The following macros are no longer used or have been deprecated:
SSL_USE_AES: Defining this macro previously enabled the optional
AES128_CBC cipher. Since it's required by TLS 1.2, and support
for the insecure RC4 cipher was removed, AES128_CBC is enabled
by default and cannot be disbled.
SSL_DONT_USE_RC4: Support for RC4 was removed.
SSL_S_FORBID_MD5 and SSL_S_FORBID_RC4: TLS 1.2 doesn't use the MD5
digest or RC4 cipher, so it now ignores these flags.
TLS 1.2 for Dynamic C 10
Started by ●January 26, 2016
Reply by ●February 17, 20162016-02-17
Just a quick followup on on my previous email to announce that I've
completed work on TLS 1.2 for Dynamic C 10, and it's been released to the
"master" branch on GitHub.
https://github.com/digidotcom/DCRabbit_10/
In addition, we are planning to release a "Dynamic C 10.72A" installer with the TLS 1.2 code along with other bug fixes and improvements. The installer should be completed and ready on Digi's website by the end of March.
-Tom
On Jan 26, 2016, at 10:21 AM, Tom Collins t...@tomlogic.com [rabbit-semi] wrote:
> I've been working to update Dynamic C 10's TLS (the protocol formerly known as SSL) implementation from 1.0 to 1.2, and feel that it's ready for testing if anyone is interested. Modern web browsers will refuse to connect to Rabbit products with the TLS 1.0 implementation, hence the push to support 1.2. Along the way, I removed support for protocols and ciphers now considered insecure.
>
> I've pasted the draft release notes to the end of this email, and you can find the beta code on GitHub: https://github.com/digidotcom/DCRabbit_10/tree/feature-tls1.2
>
> If you haven't already worked with the GitHub repository, be sure to follow the instructions in the README on how to link a Dynamic C installation to the repository so you can pull updates. If you are an inexperienced Git user, please make sure your Dynamic C directory is backed up, especially if you've made modifications to any of the files. I always recommend keeping your project files outside of the Dynamic C directory.
>
> I have done some testing of HTTP server code (i.e., HTTPS), along with HTTP, SMTP and POP client code. I've run some OpenSSL scripts against the HTTP server to confirm correct operation (and an ability to handle large cipher lists in the Client Hello).
>
> All testing has been with RSA certificates and not pre-shared keys (PSK mode).
>
> If you are using PSK or some other uncommon TLS configuration, but don't have time to test the new release yourself, please email me with some details of how you've used TLS and I'll try to test that functionality myself.
>
> Note that the update only supports the TLS 1.2 protocol, and cannot negotiate a TLS 1.1 or TLS 1.0 connection. This should make it more secure, but could cause problems with legacy web browsers that don't support TLS 1.2.
>
> If you know of any TLS bugs (or even non-TLS bugs) present in 10.72, please let me know so I can ensure that they're addressed in an upcoming release. Please open issues on GitHub for tracking purposes, but feel free to email bug reports if that's your preference.
>
> -Tom
>
> ReleaseNotes_TLS1.2.txt:
>
> Dynamic C 10.72A includes an update from TLS 1.0 to 1.2. This document
> summarizes the impact this may have on your programs, and calls out
> changes to "Dynamic C TCP/IP Users Manual, Volume 3: Security".
>
> http://ftp1.digi.com/support/documentation/90001160_a.pdf
>
> This document assumes your program was already working with Dynamic C
> 10.72 before attempting an upgrade to 10.72A. SSL/TLS support has
> changed with various Dynamic C releases, please test with 10.72 before
> upgrading in order to isolate potential failures.
>
> With TLS 1.2, Dynamic C 10.72A:
> - Is compatible with modern web browsers.
> - Removes support for insecure SSLv2, SSLv3 and TLS 1.0 protocols.
> - Removes support for insecure RC4 cipher and MD5 digest.
> - Automatically enables required AES128_CBC cipher.
> - Adds optional AES256_CBC cipher, SHA256 digests, and support for
> SHA256 signatures in X.509 (TLS/SSL) certificates.
>
> Readers interested in the technical details of the switch from TLS 1.0
> to TLS 1.2 might want to read section 1.1 of RFC4346 and section 1.2
> of RFC5246, which document the differences between TLS 1.0/1.1 and
> TLS 1.1/1.2 respectively.
>
> https://tools.ietf.org/html/rfc4346#section-1.1
> https://tools.ietf.org/html/rfc5246#section-1.2
> Macros used to configure TLS 1.2 (in addition to existing
> documentation):
>
> TLS_VERBOSE: Define to see debugging information dumped to STDOUT that
> may help in troubleshooting or reporting connectivity issues. Be
> sure to disable this in production firmware.
>
> SSL_USE_AES256: Define to enable 256-bit versions of the AES128_CBC
> ciphersuites (in addition to AES128_CBC which is always required).
>
> SSL_USE_PSK: Define to use pre-shared keys for authentication.
>
> SSL_DONT_USE_RSA: Define to disable support for RSA certificates (you
> must then define SSL_USE_PSK to use pre-shared keys instead).
>
> MP_SIZE: The default value of 130 only allows for 1024-bit RSA keys.
> Most certificates are using 2048-bit keys (#define MP_SIZE 258) and
> 4096-bit keys will only become more common (#define MP_SIZE 514).
>
> SSL_DISABLE_LEGACY_DCC: If you aren't using the ".dcc" filetype, you
> can define this macro to reduce code size.
>
> SSL_DISABLE_USERBLOCK: If you aren't storing certificates in the
> UserBlock, you can define this macro to reduce code size.
>
> The following macros are no longer used or have been deprecated:
>
> SSL_USE_AES: Defining this macro previously enabled the optional
> AES128_CBC cipher. Since it's required by TLS 1.2, and support
> for the insecure RC4 cipher was removed, AES128_CBC is enabled
> by default and cannot be disbled.
>
> SSL_DONT_USE_RC4: Support for RC4 was removed.
>
> SSL_S_FORBID_MD5 and SSL_S_FORBID_RC4: TLS 1.2 doesn't use the MD5
> digest or RC4 cipher, so it now ignores these flags.
https://github.com/digidotcom/DCRabbit_10/
In addition, we are planning to release a "Dynamic C 10.72A" installer with the TLS 1.2 code along with other bug fixes and improvements. The installer should be completed and ready on Digi's website by the end of March.
-Tom
On Jan 26, 2016, at 10:21 AM, Tom Collins t...@tomlogic.com [rabbit-semi] wrote:
> I've been working to update Dynamic C 10's TLS (the protocol formerly known as SSL) implementation from 1.0 to 1.2, and feel that it's ready for testing if anyone is interested. Modern web browsers will refuse to connect to Rabbit products with the TLS 1.0 implementation, hence the push to support 1.2. Along the way, I removed support for protocols and ciphers now considered insecure.
>
> I've pasted the draft release notes to the end of this email, and you can find the beta code on GitHub: https://github.com/digidotcom/DCRabbit_10/tree/feature-tls1.2
>
> If you haven't already worked with the GitHub repository, be sure to follow the instructions in the README on how to link a Dynamic C installation to the repository so you can pull updates. If you are an inexperienced Git user, please make sure your Dynamic C directory is backed up, especially if you've made modifications to any of the files. I always recommend keeping your project files outside of the Dynamic C directory.
>
> I have done some testing of HTTP server code (i.e., HTTPS), along with HTTP, SMTP and POP client code. I've run some OpenSSL scripts against the HTTP server to confirm correct operation (and an ability to handle large cipher lists in the Client Hello).
>
> All testing has been with RSA certificates and not pre-shared keys (PSK mode).
>
> If you are using PSK or some other uncommon TLS configuration, but don't have time to test the new release yourself, please email me with some details of how you've used TLS and I'll try to test that functionality myself.
>
> Note that the update only supports the TLS 1.2 protocol, and cannot negotiate a TLS 1.1 or TLS 1.0 connection. This should make it more secure, but could cause problems with legacy web browsers that don't support TLS 1.2.
>
> If you know of any TLS bugs (or even non-TLS bugs) present in 10.72, please let me know so I can ensure that they're addressed in an upcoming release. Please open issues on GitHub for tracking purposes, but feel free to email bug reports if that's your preference.
>
> -Tom
>
> ReleaseNotes_TLS1.2.txt:
>
> Dynamic C 10.72A includes an update from TLS 1.0 to 1.2. This document
> summarizes the impact this may have on your programs, and calls out
> changes to "Dynamic C TCP/IP Users Manual, Volume 3: Security".
>
> http://ftp1.digi.com/support/documentation/90001160_a.pdf
>
> This document assumes your program was already working with Dynamic C
> 10.72 before attempting an upgrade to 10.72A. SSL/TLS support has
> changed with various Dynamic C releases, please test with 10.72 before
> upgrading in order to isolate potential failures.
>
> With TLS 1.2, Dynamic C 10.72A:
> - Is compatible with modern web browsers.
> - Removes support for insecure SSLv2, SSLv3 and TLS 1.0 protocols.
> - Removes support for insecure RC4 cipher and MD5 digest.
> - Automatically enables required AES128_CBC cipher.
> - Adds optional AES256_CBC cipher, SHA256 digests, and support for
> SHA256 signatures in X.509 (TLS/SSL) certificates.
>
> Readers interested in the technical details of the switch from TLS 1.0
> to TLS 1.2 might want to read section 1.1 of RFC4346 and section 1.2
> of RFC5246, which document the differences between TLS 1.0/1.1 and
> TLS 1.1/1.2 respectively.
>
> https://tools.ietf.org/html/rfc4346#section-1.1
> https://tools.ietf.org/html/rfc5246#section-1.2
> Macros used to configure TLS 1.2 (in addition to existing
> documentation):
>
> TLS_VERBOSE: Define to see debugging information dumped to STDOUT that
> may help in troubleshooting or reporting connectivity issues. Be
> sure to disable this in production firmware.
>
> SSL_USE_AES256: Define to enable 256-bit versions of the AES128_CBC
> ciphersuites (in addition to AES128_CBC which is always required).
>
> SSL_USE_PSK: Define to use pre-shared keys for authentication.
>
> SSL_DONT_USE_RSA: Define to disable support for RSA certificates (you
> must then define SSL_USE_PSK to use pre-shared keys instead).
>
> MP_SIZE: The default value of 130 only allows for 1024-bit RSA keys.
> Most certificates are using 2048-bit keys (#define MP_SIZE 258) and
> 4096-bit keys will only become more common (#define MP_SIZE 514).
>
> SSL_DISABLE_LEGACY_DCC: If you aren't using the ".dcc" filetype, you
> can define this macro to reduce code size.
>
> SSL_DISABLE_USERBLOCK: If you aren't storing certificates in the
> UserBlock, you can define this macro to reduce code size.
>
> The following macros are no longer used or have been deprecated:
>
> SSL_USE_AES: Defining this macro previously enabled the optional
> AES128_CBC cipher. Since it's required by TLS 1.2, and support
> for the insecure RC4 cipher was removed, AES128_CBC is enabled
> by default and cannot be disbled.
>
> SSL_DONT_USE_RC4: Support for RC4 was removed.
>
> SSL_S_FORBID_MD5 and SSL_S_FORBID_RC4: TLS 1.2 doesn't use the MD5
> digest or RC4 cipher, so it now ignores these flags.
Reply by ●February 18, 20162016-02-18
Tom,
Is there a reason the new release wouldn't be labeled as 10.73, or similar?
Steve
From: "Tom Collins t...@tomlogic.com [rabbit-semi]"
To: r...
Sent: Wednesday, February 17, 2016 3:44 PM
Subject: Re: [rabbit-semi] TLS 1.2 for Dynamic C 10 -- released
Just a quick followup on on my previous email to announce that I've completed work on TLS 1.2 for Dynamic C 10, and it's been released to the "master" branch on GitHub.
https://github.com/digidotcom/DCRabbit_10/
In addition, we are planning to release a "Dynamic C 10.72A" installer with the TLS 1.2 code along with other bug fixes and improvements. The installer should be completed and ready on Digi's website by the end of March.
-Tom
On Jan 26, 2016, at 10:21 AM, Tom Collins t...@tomlogic.com [rabbit-semi] wrote:
I've been working to update Dynamic C 10's TLS (the protocol formerly known as SSL) implementation from 1.0 to 1.2, and feel that it's ready for testing if anyone is interested. Modern web browsers will refuse to connect to Rabbit products with the TLS 1.0 implementation, hence the push to support 1.2. Along the way, I removed support for protocols and ciphers now considered insecure.
I've pasted the draft release notes to the end of this email, and you can find the beta code on GitHub: https://github.com/digidotcom/DCRabbit_10/tree/feature-tls1.2
If you haven't already worked with the GitHub repository, be sure to follow the instructions in the README on how to link a Dynamic C installation to the repository so you can pull updates. If you are an inexperienced Git user, please make sure your Dynamic C directory is backed up, especially if you've made modifications to any of the files. I always recommend keeping your project files outside of the Dynamic C directory.
I have done some testing of HTTP server code (i.e., HTTPS), along with HTTP, SMTP and POP client code. I've run some OpenSSL scripts against the HTTP server to confirm correct operation (and an ability to handle large cipher lists in the Client Hello).
All testing has been with RSA certificates and not pre-shared keys (PSK mode).
If you are using PSK or some other uncommon TLS configuration, but don't have time to test the new release yourself, please email me with some details of how you've used TLS and I'll try to test that functionality myself.
Note that the update only supports the TLS 1.2 protocol, and cannot negotiate a TLS 1.1 or TLS 1.0 connection. This should make it more secure, but could cause problems with legacy web browsers that don't support TLS 1.2.
If you know of any TLS bugs (or even non-TLS bugs) present in 10.72, please let me know so I can ensure that they're addressed in an upcoming release. Please open issues on GitHub for tracking purposes, but feel free to email bug reports if that's your preference.
-Tom
ReleaseNotes_TLS1.2.txt:
Dynamic C 10.72A includes an update from TLS 1.0 to 1.2. This documentsummarizes the impact this may have on your programs, and calls outchanges to "Dynamic C TCP/IP User’s Manual, Volume 3: Security".
http://ftp1.digi.com/support/documentation/90001160_a.pdf
This document assumes your program was already working with Dynamic C10.72 before attempting an upgrade to 10.72A. SSL/TLS support haschanged with various Dynamic C releases, please test with 10.72 beforeupgrading in order to isolate potential failures.
With TLS 1.2, Dynamic C 10.72A: - Is compatible with modern web browsers. - Removes support for insecure SSLv2, SSLv3 and TLS 1.0 protocols. - Removes support for insecure RC4 cipher and MD5 digest. - Automatically enables required AES128_CBC cipher. - Adds optional AES256_CBC cipher, SHA256 digests, and support for SHA256 signatures in X.509 (TLS/SSL) certificates.
Readers interested in the technical details of the switch from TLS 1.0to TLS 1.2 might want to read section 1.1 of RFC4346 and section 1.2of RFC5246, which document the differences between TLS 1.0/1.1 andTLS 1.1/1.2 respectively.
https://tools.ietf.org/html/rfc4346#section-1.1 https://tools.ietf.org/html/rfc5246#section-1.2
Macros used to configure TLS 1.2 (in addition to existingdocumentation):
TLS_VERBOSE: Define to see debugging information dumped to STDOUT that may help in troubleshooting or reporting connectivity issues. Be sure to disable this in production firmware.
SSL_USE_AES256: Define to enable 256-bit versions of the AES128_CBC ciphersuites (in addition to AES128_CBC which is always required).
SSL_USE_PSK: Define to use pre-shared keys for authentication.
SSL_DONT_USE_RSA: Define to disable support for RSA certificates (you must then define SSL_USE_PSK to use pre-shared keys instead).
MP_SIZE: The default value of 130 only allows for 1024-bit RSA keys. Most certificates are using 2048-bit keys (#define MP_SIZE 258) and 4096-bit keys will only become more common (#define MP_SIZE 514).
SSL_DISABLE_LEGACY_DCC: If you aren't using the ".dcc" filetype, you can define this macro to reduce code size.
SSL_DISABLE_USERBLOCK: If you aren't storing certificates in the UserBlock, you can define this macro to reduce code size.
The following macros are no longer used or have been deprecated:
SSL_USE_AES: Defining this macro previously enabled the optional AES128_CBC cipher. Since it's required by TLS 1.2, and support for the insecure RC4 cipher was removed, AES128_CBC is enabled by default and cannot be disbled.
SSL_DONT_USE_RC4: Support for RC4 was removed.
SSL_S_FORBID_MD5 and SSL_S_FORBID_RC4: TLS 1.2 doesn't use the MD5 digest or RC4 cipher, so it now ignores these flags.
#yiv4348678102 #yiv4348678102 -- #yiv4348678102ygrp-mkp {border:1px solid #d8d8d8;font-family:Arial;margin:10px 0;padding:0 10px;}#yiv4348678102 #yiv4348678102ygrp-mkp hr {border:1px solid #d8d8d8;}#yiv4348678102 #yiv4348678102ygrp-mkp #yiv4348678102hd {color:#628c2a;font-size:85%;font-weight:700;line-height:122%;margin:10px 0;}#yiv4348678102 #yiv4348678102ygrp-mkp #yiv4348678102ads {margin-bottom:10px;}#yiv4348678102 #yiv4348678102ygrp-mkp .yiv4348678102ad {padding:0 0;}#yiv4348678102 #yiv4348678102ygrp-mkp .yiv4348678102ad p {margin:0;}#yiv4348678102 #yiv4348678102ygrp-mkp .yiv4348678102ad a {color:#0000ff;text-decoration:none;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ygrp-lc {font-family:Arial;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ygrp-lc #yiv4348678102hd {margin:10px 0px;font-weight:700;font-size:78%;line-height:122%;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ygrp-lc .yiv4348678102ad {margin-bottom:10px;padding:0 0;}#yiv4348678102 #yiv4348678102actions {font-family:Verdana;font-size:11px;padding:10px 0;}#yiv4348678102 #yiv4348678102activity {background-color:#e0ecee;float:left;font-family:Verdana;font-size:10px;padding:10px;}#yiv4348678102 #yiv4348678102activity span {font-weight:700;}#yiv4348678102 #yiv4348678102activity span:first-child {text-transform:uppercase;}#yiv4348678102 #yiv4348678102activity span a {color:#5085b6;text-decoration:none;}#yiv4348678102 #yiv4348678102activity span span {color:#ff7900;}#yiv4348678102 #yiv4348678102activity span .yiv4348678102underline {text-decoration:underline;}#yiv4348678102 .yiv4348678102attach {clear:both;display:table;font-family:Arial;font-size:12px;padding:10px 0;width:400px;}#yiv4348678102 .yiv4348678102attach div a {text-decoration:none;}#yiv4348678102 .yiv4348678102attach img {border:none;padding-right:5px;}#yiv4348678102 .yiv4348678102attach label {display:block;margin-bottom:5px;}#yiv4348678102 .yiv4348678102attach label a {text-decoration:none;}#yiv4348678102 blockquote {margin:0 0 0 4px;}#yiv4348678102 .yiv4348678102bold {font-family:Arial;font-size:13px;font-weight:700;}#yiv4348678102 .yiv4348678102bold a {text-decoration:none;}#yiv4348678102 dd.yiv4348678102last p a {font-family:Verdana;font-weight:700;}#yiv4348678102 dd.yiv4348678102last p span {margin-right:10px;font-family:Verdana;font-weight:700;}#yiv4348678102 dd.yiv4348678102last p span.yiv4348678102yshortcuts {margin-right:0;}#yiv4348678102 div.yiv4348678102attach-table div div a {text-decoration:none;}#yiv4348678102 div.yiv4348678102attach-table {width:400px;}#yiv4348678102 div.yiv4348678102file-title a, #yiv4348678102 div.yiv4348678102file-title a:active, #yiv4348678102 div.yiv4348678102file-title a:hover, #yiv4348678102 div.yiv4348678102file-title a:visited {text-decoration:none;}#yiv4348678102 div.yiv4348678102photo-title a, #yiv4348678102 div.yiv4348678102photo-title a:active, #yiv4348678102 div.yiv4348678102photo-title a:hover, #yiv4348678102 div.yiv4348678102photo-title a:visited {text-decoration:none;}#yiv4348678102 div#yiv4348678102ygrp-mlmsg #yiv4348678102ygrp-msg p a span.yiv4348678102yshortcuts {font-family:Verdana;font-size:10px;font-weight:normal;}#yiv4348678102 .yiv4348678102green {color:#628c2a;}#yiv4348678102 .yiv4348678102MsoNormal {margin:0 0 0 0;}#yiv4348678102 o {font-size:0;}#yiv4348678102 #yiv4348678102photos div {float:left;width:72px;}#yiv4348678102 #yiv4348678102photos div div {border:1px solid #666666;height:62px;overflow:hidden;width:62px;}#yiv4348678102 #yiv4348678102photos div label {color:#666666;font-size:10px;overflow:hidden;text-align:center;white-space:nowrap;width:64px;}#yiv4348678102 #yiv4348678102reco-category {font-size:77%;}#yiv4348678102 #yiv4348678102reco-desc {font-size:77%;}#yiv4348678102 .yiv4348678102replbq {margin:4px;}#yiv4348678102 #yiv4348678102ygrp-actbar div a:first-child {margin-right:2px;padding-right:5px;}#yiv4348678102 #yiv4348678102ygrp-mlmsg {font-size:13px;font-family:Arial, helvetica, clean, sans-serif;}#yiv4348678102 #yiv4348678102ygrp-mlmsg table {font-size:inherit;font:100%;}#yiv4348678102 #yiv4348678102ygrp-mlmsg select, #yiv4348678102 input, #yiv4348678102 textarea {font:99% Arial, Helvetica, clean, sans-serif;}#yiv4348678102 #yiv4348678102ygrp-mlmsg pre, #yiv4348678102 code {font:115% monospace;}#yiv4348678102 #yiv4348678102ygrp-mlmsg * {line-height:1.22em;}#yiv4348678102 #yiv4348678102ygrp-mlmsg #yiv4348678102logo {padding-bottom:10px;}#yiv4348678102 #yiv4348678102ygrp-msg p a {font-family:Verdana;}#yiv4348678102 #yiv4348678102ygrp-msg p#yiv4348678102attach-count span {color:#1E66AE;font-weight:700;}#yiv4348678102 #yiv4348678102ygrp-reco #yiv4348678102reco-head {color:#ff7900;font-weight:700;}#yiv4348678102 #yiv4348678102ygrp-reco {margin-bottom:20px;padding:0px;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ov li a {font-size:130%;text-decoration:none;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ov li {font-size:77%;list-style-type:square;padding:6px 0;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ov ul {margin:0;padding:0 0 0 8px;}#yiv4348678102 #yiv4348678102ygrp-text {font-family:Georgia;}#yiv4348678102 #yiv4348678102ygrp-text p {margin:0 0 1em 0;}#yiv4348678102 #yiv4348678102ygrp-text tt {font-size:120%;}#yiv4348678102 #yiv4348678102ygrp-vital ul li:last-child {border-right:none !important;}#yiv4348678102
Is there a reason the new release wouldn't be labeled as 10.73, or similar?
Steve
From: "Tom Collins t...@tomlogic.com [rabbit-semi]"
To: r...
Sent: Wednesday, February 17, 2016 3:44 PM
Subject: Re: [rabbit-semi] TLS 1.2 for Dynamic C 10 -- released
Just a quick followup on on my previous email to announce that I've completed work on TLS 1.2 for Dynamic C 10, and it's been released to the "master" branch on GitHub.
https://github.com/digidotcom/DCRabbit_10/
In addition, we are planning to release a "Dynamic C 10.72A" installer with the TLS 1.2 code along with other bug fixes and improvements. The installer should be completed and ready on Digi's website by the end of March.
-Tom
On Jan 26, 2016, at 10:21 AM, Tom Collins t...@tomlogic.com [rabbit-semi] wrote:
I've been working to update Dynamic C 10's TLS (the protocol formerly known as SSL) implementation from 1.0 to 1.2, and feel that it's ready for testing if anyone is interested. Modern web browsers will refuse to connect to Rabbit products with the TLS 1.0 implementation, hence the push to support 1.2. Along the way, I removed support for protocols and ciphers now considered insecure.
I've pasted the draft release notes to the end of this email, and you can find the beta code on GitHub: https://github.com/digidotcom/DCRabbit_10/tree/feature-tls1.2
If you haven't already worked with the GitHub repository, be sure to follow the instructions in the README on how to link a Dynamic C installation to the repository so you can pull updates. If you are an inexperienced Git user, please make sure your Dynamic C directory is backed up, especially if you've made modifications to any of the files. I always recommend keeping your project files outside of the Dynamic C directory.
I have done some testing of HTTP server code (i.e., HTTPS), along with HTTP, SMTP and POP client code. I've run some OpenSSL scripts against the HTTP server to confirm correct operation (and an ability to handle large cipher lists in the Client Hello).
All testing has been with RSA certificates and not pre-shared keys (PSK mode).
If you are using PSK or some other uncommon TLS configuration, but don't have time to test the new release yourself, please email me with some details of how you've used TLS and I'll try to test that functionality myself.
Note that the update only supports the TLS 1.2 protocol, and cannot negotiate a TLS 1.1 or TLS 1.0 connection. This should make it more secure, but could cause problems with legacy web browsers that don't support TLS 1.2.
If you know of any TLS bugs (or even non-TLS bugs) present in 10.72, please let me know so I can ensure that they're addressed in an upcoming release. Please open issues on GitHub for tracking purposes, but feel free to email bug reports if that's your preference.
-Tom
ReleaseNotes_TLS1.2.txt:
Dynamic C 10.72A includes an update from TLS 1.0 to 1.2. This documentsummarizes the impact this may have on your programs, and calls outchanges to "Dynamic C TCP/IP User’s Manual, Volume 3: Security".
http://ftp1.digi.com/support/documentation/90001160_a.pdf
This document assumes your program was already working with Dynamic C10.72 before attempting an upgrade to 10.72A. SSL/TLS support haschanged with various Dynamic C releases, please test with 10.72 beforeupgrading in order to isolate potential failures.
With TLS 1.2, Dynamic C 10.72A: - Is compatible with modern web browsers. - Removes support for insecure SSLv2, SSLv3 and TLS 1.0 protocols. - Removes support for insecure RC4 cipher and MD5 digest. - Automatically enables required AES128_CBC cipher. - Adds optional AES256_CBC cipher, SHA256 digests, and support for SHA256 signatures in X.509 (TLS/SSL) certificates.
Readers interested in the technical details of the switch from TLS 1.0to TLS 1.2 might want to read section 1.1 of RFC4346 and section 1.2of RFC5246, which document the differences between TLS 1.0/1.1 andTLS 1.1/1.2 respectively.
https://tools.ietf.org/html/rfc4346#section-1.1 https://tools.ietf.org/html/rfc5246#section-1.2
Macros used to configure TLS 1.2 (in addition to existingdocumentation):
TLS_VERBOSE: Define to see debugging information dumped to STDOUT that may help in troubleshooting or reporting connectivity issues. Be sure to disable this in production firmware.
SSL_USE_AES256: Define to enable 256-bit versions of the AES128_CBC ciphersuites (in addition to AES128_CBC which is always required).
SSL_USE_PSK: Define to use pre-shared keys for authentication.
SSL_DONT_USE_RSA: Define to disable support for RSA certificates (you must then define SSL_USE_PSK to use pre-shared keys instead).
MP_SIZE: The default value of 130 only allows for 1024-bit RSA keys. Most certificates are using 2048-bit keys (#define MP_SIZE 258) and 4096-bit keys will only become more common (#define MP_SIZE 514).
SSL_DISABLE_LEGACY_DCC: If you aren't using the ".dcc" filetype, you can define this macro to reduce code size.
SSL_DISABLE_USERBLOCK: If you aren't storing certificates in the UserBlock, you can define this macro to reduce code size.
The following macros are no longer used or have been deprecated:
SSL_USE_AES: Defining this macro previously enabled the optional AES128_CBC cipher. Since it's required by TLS 1.2, and support for the insecure RC4 cipher was removed, AES128_CBC is enabled by default and cannot be disbled.
SSL_DONT_USE_RC4: Support for RC4 was removed.
SSL_S_FORBID_MD5 and SSL_S_FORBID_RC4: TLS 1.2 doesn't use the MD5 digest or RC4 cipher, so it now ignores these flags.
#yiv4348678102 #yiv4348678102 -- #yiv4348678102ygrp-mkp {border:1px solid #d8d8d8;font-family:Arial;margin:10px 0;padding:0 10px;}#yiv4348678102 #yiv4348678102ygrp-mkp hr {border:1px solid #d8d8d8;}#yiv4348678102 #yiv4348678102ygrp-mkp #yiv4348678102hd {color:#628c2a;font-size:85%;font-weight:700;line-height:122%;margin:10px 0;}#yiv4348678102 #yiv4348678102ygrp-mkp #yiv4348678102ads {margin-bottom:10px;}#yiv4348678102 #yiv4348678102ygrp-mkp .yiv4348678102ad {padding:0 0;}#yiv4348678102 #yiv4348678102ygrp-mkp .yiv4348678102ad p {margin:0;}#yiv4348678102 #yiv4348678102ygrp-mkp .yiv4348678102ad a {color:#0000ff;text-decoration:none;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ygrp-lc {font-family:Arial;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ygrp-lc #yiv4348678102hd {margin:10px 0px;font-weight:700;font-size:78%;line-height:122%;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ygrp-lc .yiv4348678102ad {margin-bottom:10px;padding:0 0;}#yiv4348678102 #yiv4348678102actions {font-family:Verdana;font-size:11px;padding:10px 0;}#yiv4348678102 #yiv4348678102activity {background-color:#e0ecee;float:left;font-family:Verdana;font-size:10px;padding:10px;}#yiv4348678102 #yiv4348678102activity span {font-weight:700;}#yiv4348678102 #yiv4348678102activity span:first-child {text-transform:uppercase;}#yiv4348678102 #yiv4348678102activity span a {color:#5085b6;text-decoration:none;}#yiv4348678102 #yiv4348678102activity span span {color:#ff7900;}#yiv4348678102 #yiv4348678102activity span .yiv4348678102underline {text-decoration:underline;}#yiv4348678102 .yiv4348678102attach {clear:both;display:table;font-family:Arial;font-size:12px;padding:10px 0;width:400px;}#yiv4348678102 .yiv4348678102attach div a {text-decoration:none;}#yiv4348678102 .yiv4348678102attach img {border:none;padding-right:5px;}#yiv4348678102 .yiv4348678102attach label {display:block;margin-bottom:5px;}#yiv4348678102 .yiv4348678102attach label a {text-decoration:none;}#yiv4348678102 blockquote {margin:0 0 0 4px;}#yiv4348678102 .yiv4348678102bold {font-family:Arial;font-size:13px;font-weight:700;}#yiv4348678102 .yiv4348678102bold a {text-decoration:none;}#yiv4348678102 dd.yiv4348678102last p a {font-family:Verdana;font-weight:700;}#yiv4348678102 dd.yiv4348678102last p span {margin-right:10px;font-family:Verdana;font-weight:700;}#yiv4348678102 dd.yiv4348678102last p span.yiv4348678102yshortcuts {margin-right:0;}#yiv4348678102 div.yiv4348678102attach-table div div a {text-decoration:none;}#yiv4348678102 div.yiv4348678102attach-table {width:400px;}#yiv4348678102 div.yiv4348678102file-title a, #yiv4348678102 div.yiv4348678102file-title a:active, #yiv4348678102 div.yiv4348678102file-title a:hover, #yiv4348678102 div.yiv4348678102file-title a:visited {text-decoration:none;}#yiv4348678102 div.yiv4348678102photo-title a, #yiv4348678102 div.yiv4348678102photo-title a:active, #yiv4348678102 div.yiv4348678102photo-title a:hover, #yiv4348678102 div.yiv4348678102photo-title a:visited {text-decoration:none;}#yiv4348678102 div#yiv4348678102ygrp-mlmsg #yiv4348678102ygrp-msg p a span.yiv4348678102yshortcuts {font-family:Verdana;font-size:10px;font-weight:normal;}#yiv4348678102 .yiv4348678102green {color:#628c2a;}#yiv4348678102 .yiv4348678102MsoNormal {margin:0 0 0 0;}#yiv4348678102 o {font-size:0;}#yiv4348678102 #yiv4348678102photos div {float:left;width:72px;}#yiv4348678102 #yiv4348678102photos div div {border:1px solid #666666;height:62px;overflow:hidden;width:62px;}#yiv4348678102 #yiv4348678102photos div label {color:#666666;font-size:10px;overflow:hidden;text-align:center;white-space:nowrap;width:64px;}#yiv4348678102 #yiv4348678102reco-category {font-size:77%;}#yiv4348678102 #yiv4348678102reco-desc {font-size:77%;}#yiv4348678102 .yiv4348678102replbq {margin:4px;}#yiv4348678102 #yiv4348678102ygrp-actbar div a:first-child {margin-right:2px;padding-right:5px;}#yiv4348678102 #yiv4348678102ygrp-mlmsg {font-size:13px;font-family:Arial, helvetica, clean, sans-serif;}#yiv4348678102 #yiv4348678102ygrp-mlmsg table {font-size:inherit;font:100%;}#yiv4348678102 #yiv4348678102ygrp-mlmsg select, #yiv4348678102 input, #yiv4348678102 textarea {font:99% Arial, Helvetica, clean, sans-serif;}#yiv4348678102 #yiv4348678102ygrp-mlmsg pre, #yiv4348678102 code {font:115% monospace;}#yiv4348678102 #yiv4348678102ygrp-mlmsg * {line-height:1.22em;}#yiv4348678102 #yiv4348678102ygrp-mlmsg #yiv4348678102logo {padding-bottom:10px;}#yiv4348678102 #yiv4348678102ygrp-msg p a {font-family:Verdana;}#yiv4348678102 #yiv4348678102ygrp-msg p#yiv4348678102attach-count span {color:#1E66AE;font-weight:700;}#yiv4348678102 #yiv4348678102ygrp-reco #yiv4348678102reco-head {color:#ff7900;font-weight:700;}#yiv4348678102 #yiv4348678102ygrp-reco {margin-bottom:20px;padding:0px;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ov li a {font-size:130%;text-decoration:none;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ov li {font-size:77%;list-style-type:square;padding:6px 0;}#yiv4348678102 #yiv4348678102ygrp-sponsor #yiv4348678102ov ul {margin:0;padding:0 0 0 8px;}#yiv4348678102 #yiv4348678102ygrp-text {font-family:Georgia;}#yiv4348678102 #yiv4348678102ygrp-text p {margin:0 0 1em 0;}#yiv4348678102 #yiv4348678102ygrp-text tt {font-size:120%;}#yiv4348678102 #yiv4348678102ygrp-vital ul li:last-child {border-right:none !important;}#yiv4348678102
Reply by ●February 19, 20162016-02-19
Steve,
My work has been focused on the libraries and samples, and I have not made any changes to the compiler. As a result, the compiler will still report its version as 10.72, so we decided on using a letter to indicate an update to that release.
If there was a release with an updated compiler, then the version number would definitely change.
I intend to have the installer default to C:\DCRABBIT_10.72A, hopefully making it clear that it's a different version.
-Tom
On Feb 18, 2016, at 5:04 PM, Steve Trigero s...@yahoo.com [rabbit-semi] wrote:
> Tom,
>
> Is there a reason the new release wouldn't be labeled as 10.73, or similar?
> Steve
>
My work has been focused on the libraries and samples, and I have not made any changes to the compiler. As a result, the compiler will still report its version as 10.72, so we decided on using a letter to indicate an update to that release.
If there was a release with an updated compiler, then the version number would definitely change.
I intend to have the installer default to C:\DCRABBIT_10.72A, hopefully making it clear that it's a different version.
-Tom
On Feb 18, 2016, at 5:04 PM, Steve Trigero s...@yahoo.com [rabbit-semi] wrote:
> Tom,
>
> Is there a reason the new release wouldn't be labeled as 10.73, or similar?
> Steve
>
Reply by ●February 19, 20162016-02-19
Tom,
That makes sense. Thanks.
Steve
From: "Tom Collins t...@tomlogic.com [rabbit-semi]"
To: r...
Sent: Friday, February 19, 2016 10:05 AM
Subject: Re: [rabbit-semi] TLS 1.2 for Dynamic C 10 -- released
Steve,
My work has been focused on the libraries and samples, and I have not made any changes to the compiler. As a result, the compiler will still report its version as 10.72, so we decided on using a letter to indicate an update to that release.
If there was a release with an updated compiler, then the version number would definitely change.
I intend to have the installer default to C:\DCRABBIT_10.72A, hopefully making it clear that it's a different version.
-Tom
On Feb 18, 2016, at 5:04 PM, Steve Trigero s...@yahoo.com [rabbit-semi] wrote:
Tom,
Is there a reason the new release wouldn't be labeled as 10.73, or similar?
Steve
#yiv9329854321 #yiv9329854321 -- #yiv9329854321ygrp-mkp {border:1px solid #d8d8d8;font-family:Arial;margin:10px 0;padding:0 10px;}#yiv9329854321 #yiv9329854321ygrp-mkp hr {border:1px solid #d8d8d8;}#yiv9329854321 #yiv9329854321ygrp-mkp #yiv9329854321hd {color:#628c2a;font-size:85%;font-weight:700;line-height:122%;margin:10px 0;}#yiv9329854321 #yiv9329854321ygrp-mkp #yiv9329854321ads {margin-bottom:10px;}#yiv9329854321 #yiv9329854321ygrp-mkp .yiv9329854321ad {padding:0 0;}#yiv9329854321 #yiv9329854321ygrp-mkp .yiv9329854321ad p {margin:0;}#yiv9329854321 #yiv9329854321ygrp-mkp .yiv9329854321ad a {color:#0000ff;text-decoration:none;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ygrp-lc {font-family:Arial;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ygrp-lc #yiv9329854321hd {margin:10px 0px;font-weight:700;font-size:78%;line-height:122%;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ygrp-lc .yiv9329854321ad {margin-bottom:10px;padding:0 0;}#yiv9329854321 #yiv9329854321actions {font-family:Verdana;font-size:11px;padding:10px 0;}#yiv9329854321 #yiv9329854321activity {background-color:#e0ecee;float:left;font-family:Verdana;font-size:10px;padding:10px;}#yiv9329854321 #yiv9329854321activity span {font-weight:700;}#yiv9329854321 #yiv9329854321activity span:first-child {text-transform:uppercase;}#yiv9329854321 #yiv9329854321activity span a {color:#5085b6;text-decoration:none;}#yiv9329854321 #yiv9329854321activity span span {color:#ff7900;}#yiv9329854321 #yiv9329854321activity span .yiv9329854321underline {text-decoration:underline;}#yiv9329854321 .yiv9329854321attach {clear:both;display:table;font-family:Arial;font-size:12px;padding:10px 0;width:400px;}#yiv9329854321 .yiv9329854321attach div a {text-decoration:none;}#yiv9329854321 .yiv9329854321attach img {border:none;padding-right:5px;}#yiv9329854321 .yiv9329854321attach label {display:block;margin-bottom:5px;}#yiv9329854321 .yiv9329854321attach label a {text-decoration:none;}#yiv9329854321 blockquote {margin:0 0 0 4px;}#yiv9329854321 .yiv9329854321bold {font-family:Arial;font-size:13px;font-weight:700;}#yiv9329854321 .yiv9329854321bold a {text-decoration:none;}#yiv9329854321 dd.yiv9329854321last p a {font-family:Verdana;font-weight:700;}#yiv9329854321 dd.yiv9329854321last p span {margin-right:10px;font-family:Verdana;font-weight:700;}#yiv9329854321 dd.yiv9329854321last p span.yiv9329854321yshortcuts {margin-right:0;}#yiv9329854321 div.yiv9329854321attach-table div div a {text-decoration:none;}#yiv9329854321 div.yiv9329854321attach-table {width:400px;}#yiv9329854321 div.yiv9329854321file-title a, #yiv9329854321 div.yiv9329854321file-title a:active, #yiv9329854321 div.yiv9329854321file-title a:hover, #yiv9329854321 div.yiv9329854321file-title a:visited {text-decoration:none;}#yiv9329854321 div.yiv9329854321photo-title a, #yiv9329854321 div.yiv9329854321photo-title a:active, #yiv9329854321 div.yiv9329854321photo-title a:hover, #yiv9329854321 div.yiv9329854321photo-title a:visited {text-decoration:none;}#yiv9329854321 div#yiv9329854321ygrp-mlmsg #yiv9329854321ygrp-msg p a span.yiv9329854321yshortcuts {font-family:Verdana;font-size:10px;font-weight:normal;}#yiv9329854321 .yiv9329854321green {color:#628c2a;}#yiv9329854321 .yiv9329854321MsoNormal {margin:0 0 0 0;}#yiv9329854321 o {font-size:0;}#yiv9329854321 #yiv9329854321photos div {float:left;width:72px;}#yiv9329854321 #yiv9329854321photos div div {border:1px solid #666666;height:62px;overflow:hidden;width:62px;}#yiv9329854321 #yiv9329854321photos div label {color:#666666;font-size:10px;overflow:hidden;text-align:center;white-space:nowrap;width:64px;}#yiv9329854321 #yiv9329854321reco-category {font-size:77%;}#yiv9329854321 #yiv9329854321reco-desc {font-size:77%;}#yiv9329854321 .yiv9329854321replbq {margin:4px;}#yiv9329854321 #yiv9329854321ygrp-actbar div a:first-child {margin-right:2px;padding-right:5px;}#yiv9329854321 #yiv9329854321ygrp-mlmsg {font-size:13px;font-family:Arial, helvetica, clean, sans-serif;}#yiv9329854321 #yiv9329854321ygrp-mlmsg table {font-size:inherit;font:100%;}#yiv9329854321 #yiv9329854321ygrp-mlmsg select, #yiv9329854321 input, #yiv9329854321 textarea {font:99% Arial, Helvetica, clean, sans-serif;}#yiv9329854321 #yiv9329854321ygrp-mlmsg pre, #yiv9329854321 code {font:115% monospace;}#yiv9329854321 #yiv9329854321ygrp-mlmsg * {line-height:1.22em;}#yiv9329854321 #yiv9329854321ygrp-mlmsg #yiv9329854321logo {padding-bottom:10px;}#yiv9329854321 #yiv9329854321ygrp-msg p a {font-family:Verdana;}#yiv9329854321 #yiv9329854321ygrp-msg p#yiv9329854321attach-count span {color:#1E66AE;font-weight:700;}#yiv9329854321 #yiv9329854321ygrp-reco #yiv9329854321reco-head {color:#ff7900;font-weight:700;}#yiv9329854321 #yiv9329854321ygrp-reco {margin-bottom:20px;padding:0px;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ov li a {font-size:130%;text-decoration:none;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ov li {font-size:77%;list-style-type:square;padding:6px 0;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ov ul {margin:0;padding:0 0 0 8px;}#yiv9329854321 #yiv9329854321ygrp-text {font-family:Georgia;}#yiv9329854321 #yiv9329854321ygrp-text p {margin:0 0 1em 0;}#yiv9329854321 #yiv9329854321ygrp-text tt {font-size:120%;}#yiv9329854321 #yiv9329854321ygrp-vital ul li:last-child {border-right:none !important;}#yiv9329854321
That makes sense. Thanks.
Steve
From: "Tom Collins t...@tomlogic.com [rabbit-semi]"
To: r...
Sent: Friday, February 19, 2016 10:05 AM
Subject: Re: [rabbit-semi] TLS 1.2 for Dynamic C 10 -- released
Steve,
My work has been focused on the libraries and samples, and I have not made any changes to the compiler. As a result, the compiler will still report its version as 10.72, so we decided on using a letter to indicate an update to that release.
If there was a release with an updated compiler, then the version number would definitely change.
I intend to have the installer default to C:\DCRABBIT_10.72A, hopefully making it clear that it's a different version.
-Tom
On Feb 18, 2016, at 5:04 PM, Steve Trigero s...@yahoo.com [rabbit-semi] wrote:
Tom,
Is there a reason the new release wouldn't be labeled as 10.73, or similar?
Steve
#yiv9329854321 #yiv9329854321 -- #yiv9329854321ygrp-mkp {border:1px solid #d8d8d8;font-family:Arial;margin:10px 0;padding:0 10px;}#yiv9329854321 #yiv9329854321ygrp-mkp hr {border:1px solid #d8d8d8;}#yiv9329854321 #yiv9329854321ygrp-mkp #yiv9329854321hd {color:#628c2a;font-size:85%;font-weight:700;line-height:122%;margin:10px 0;}#yiv9329854321 #yiv9329854321ygrp-mkp #yiv9329854321ads {margin-bottom:10px;}#yiv9329854321 #yiv9329854321ygrp-mkp .yiv9329854321ad {padding:0 0;}#yiv9329854321 #yiv9329854321ygrp-mkp .yiv9329854321ad p {margin:0;}#yiv9329854321 #yiv9329854321ygrp-mkp .yiv9329854321ad a {color:#0000ff;text-decoration:none;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ygrp-lc {font-family:Arial;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ygrp-lc #yiv9329854321hd {margin:10px 0px;font-weight:700;font-size:78%;line-height:122%;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ygrp-lc .yiv9329854321ad {margin-bottom:10px;padding:0 0;}#yiv9329854321 #yiv9329854321actions {font-family:Verdana;font-size:11px;padding:10px 0;}#yiv9329854321 #yiv9329854321activity {background-color:#e0ecee;float:left;font-family:Verdana;font-size:10px;padding:10px;}#yiv9329854321 #yiv9329854321activity span {font-weight:700;}#yiv9329854321 #yiv9329854321activity span:first-child {text-transform:uppercase;}#yiv9329854321 #yiv9329854321activity span a {color:#5085b6;text-decoration:none;}#yiv9329854321 #yiv9329854321activity span span {color:#ff7900;}#yiv9329854321 #yiv9329854321activity span .yiv9329854321underline {text-decoration:underline;}#yiv9329854321 .yiv9329854321attach {clear:both;display:table;font-family:Arial;font-size:12px;padding:10px 0;width:400px;}#yiv9329854321 .yiv9329854321attach div a {text-decoration:none;}#yiv9329854321 .yiv9329854321attach img {border:none;padding-right:5px;}#yiv9329854321 .yiv9329854321attach label {display:block;margin-bottom:5px;}#yiv9329854321 .yiv9329854321attach label a {text-decoration:none;}#yiv9329854321 blockquote {margin:0 0 0 4px;}#yiv9329854321 .yiv9329854321bold {font-family:Arial;font-size:13px;font-weight:700;}#yiv9329854321 .yiv9329854321bold a {text-decoration:none;}#yiv9329854321 dd.yiv9329854321last p a {font-family:Verdana;font-weight:700;}#yiv9329854321 dd.yiv9329854321last p span {margin-right:10px;font-family:Verdana;font-weight:700;}#yiv9329854321 dd.yiv9329854321last p span.yiv9329854321yshortcuts {margin-right:0;}#yiv9329854321 div.yiv9329854321attach-table div div a {text-decoration:none;}#yiv9329854321 div.yiv9329854321attach-table {width:400px;}#yiv9329854321 div.yiv9329854321file-title a, #yiv9329854321 div.yiv9329854321file-title a:active, #yiv9329854321 div.yiv9329854321file-title a:hover, #yiv9329854321 div.yiv9329854321file-title a:visited {text-decoration:none;}#yiv9329854321 div.yiv9329854321photo-title a, #yiv9329854321 div.yiv9329854321photo-title a:active, #yiv9329854321 div.yiv9329854321photo-title a:hover, #yiv9329854321 div.yiv9329854321photo-title a:visited {text-decoration:none;}#yiv9329854321 div#yiv9329854321ygrp-mlmsg #yiv9329854321ygrp-msg p a span.yiv9329854321yshortcuts {font-family:Verdana;font-size:10px;font-weight:normal;}#yiv9329854321 .yiv9329854321green {color:#628c2a;}#yiv9329854321 .yiv9329854321MsoNormal {margin:0 0 0 0;}#yiv9329854321 o {font-size:0;}#yiv9329854321 #yiv9329854321photos div {float:left;width:72px;}#yiv9329854321 #yiv9329854321photos div div {border:1px solid #666666;height:62px;overflow:hidden;width:62px;}#yiv9329854321 #yiv9329854321photos div label {color:#666666;font-size:10px;overflow:hidden;text-align:center;white-space:nowrap;width:64px;}#yiv9329854321 #yiv9329854321reco-category {font-size:77%;}#yiv9329854321 #yiv9329854321reco-desc {font-size:77%;}#yiv9329854321 .yiv9329854321replbq {margin:4px;}#yiv9329854321 #yiv9329854321ygrp-actbar div a:first-child {margin-right:2px;padding-right:5px;}#yiv9329854321 #yiv9329854321ygrp-mlmsg {font-size:13px;font-family:Arial, helvetica, clean, sans-serif;}#yiv9329854321 #yiv9329854321ygrp-mlmsg table {font-size:inherit;font:100%;}#yiv9329854321 #yiv9329854321ygrp-mlmsg select, #yiv9329854321 input, #yiv9329854321 textarea {font:99% Arial, Helvetica, clean, sans-serif;}#yiv9329854321 #yiv9329854321ygrp-mlmsg pre, #yiv9329854321 code {font:115% monospace;}#yiv9329854321 #yiv9329854321ygrp-mlmsg * {line-height:1.22em;}#yiv9329854321 #yiv9329854321ygrp-mlmsg #yiv9329854321logo {padding-bottom:10px;}#yiv9329854321 #yiv9329854321ygrp-msg p a {font-family:Verdana;}#yiv9329854321 #yiv9329854321ygrp-msg p#yiv9329854321attach-count span {color:#1E66AE;font-weight:700;}#yiv9329854321 #yiv9329854321ygrp-reco #yiv9329854321reco-head {color:#ff7900;font-weight:700;}#yiv9329854321 #yiv9329854321ygrp-reco {margin-bottom:20px;padding:0px;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ov li a {font-size:130%;text-decoration:none;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ov li {font-size:77%;list-style-type:square;padding:6px 0;}#yiv9329854321 #yiv9329854321ygrp-sponsor #yiv9329854321ov ul {margin:0;padding:0 0 0 8px;}#yiv9329854321 #yiv9329854321ygrp-text {font-family:Georgia;}#yiv9329854321 #yiv9329854321ygrp-text p {margin:0 0 1em 0;}#yiv9329854321 #yiv9329854321ygrp-text tt {font-size:120%;}#yiv9329854321 #yiv9329854321ygrp-vital ul li:last-child {border-right:none !important;}#yiv9329854321
