Michael Sweet <[EMAIL PROTECTED]> writes:
> Richard Levitte - VMS Whacker wrote:
> > ...
> > I think Eric's point is one of user request and feedback. How
> > does a user easily request a secure channel? As it is right now,
> > "https:" as opposed to "http:" is a very simple way, and also
> > c
Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> writes:
> From: Eric Rescorla <[EMAIL PROTECTED]>
> ekr> Also, HTTP Upgrade interacts very badly with proxies. Since
> ekr> Upgrade is a hop-by-hop header, there's no way to negotiate
> ekr> an end-to-end HTTP Upgrade to TLS through a proxy, which
Richard Levitte - VMS Whacker wrote:
> ...
> I think Eric's point is one of user request and feedback. How
> does a user easily request a secure channel? As it is right now,
> "https:" as opposed to "http:" is a very simple way, and also
> contains direct feedback. The user knows (hopefully) th
Funny question -- easy answer:
We should expect user interfaces to not provide such a question in such a fashion --
that's why "are you sure?" question boxes appear for formatting, etc. in most UIs,
including "alias rm 'rm -i'".
That said, it's the UI that's the problem in the certificate case
Dharmendra Mohan
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager
From: Michael Sweet <[EMAIL PROTECTED]>
mike> The "HTTP Upgrade" spec defines a new HTTP status code (426)
mike> and the necessary fields and values needed to upgrade an
mike> existing HTTP link (on port 80 or whatever) to an encrypted
mike> one. The client or server can initiate the upgrade. O
From: Eric Rescorla <[EMAIL PROTECTED]>
ekr> Frankly, RFC 2817 has a lot of problems. Although it allows
ekr> automatic negotiation, which is a plus, there's no way to
ekr> specify in the URL that the client should EXPECT to negotiate
ekr> TLS (other than using https:// which would indicate tha
I have a new Digital ID from Verisign, how do I get Openssl/Apache to
use it rather than the test certificate???
===
Steve Larsen
MONTAGE eIntegration TM Inc.
Network Services
e-mail: [EMAIL PROTECTED]
Phone: (780) 423-4553
> Jeffrey Altman wrote:
> > ...
> > I would hope that anyone interested in implementing Kerberos
> > in HTTP do so by using the TLS Kerberos cipher suites.
>
> OK, bad example. Maybe AES (Rjidahl or however you spell it :)
> then?
This is a bad example as well. The idea is not to allow additio
Jeffrey Altman wrote:
> ...
> I would hope that anyone interested in implementing Kerberos
> in HTTP do so by using the TLS Kerberos cipher suites.
OK, bad example. Maybe AES (Rjidahl or however you spell it :)
then?
In any case, it's an attempt to allow for more than one encryption
protocol to
> The upgrade method also has the added benefit of supporting
> new technologies more easily - e.g. Kerberos over HTTP.
> A HTTP client or server app can provide modules for all of
> the encryption support - new module, new upgrade method.
I would hope that anyone interested in implementing Kerbe
Hi everyone. I'm having a problem while trying to compile the openssl.
I'm running a linux box, that's a slackware 7.1, apache 1.3.14, openssl
0.9.6, and modssl 2.7.1. I had the same problem when I was installing
on another machine, I found the solution it was very simple, just
downloaded a ne
Richard Levitte - VMS Whacker wrote:
> ...
> Uhmm, what exactly is the functional difference between HTTPS and
> HTTP/TLS? For me, they describe the function "running HTTP
> through a SSL or TLS encryption tunnel"...
The https scheme defines a secure connection (default port 443)
for HTTP. The
Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> writes:
> From: Eric Rescorla <[EMAIL PROTECTED]>
>
> ekr> Not as far as I know. It was never really expected that this
> ekr> technique would replace HTTPs for web pages, only for other
> ekr> HTTP/TLS uses. (Though frankly I doubt that as well
From: Eric Rescorla <[EMAIL PROTECTED]>
ekr> Not as far as I know. It was never really expected that this
ekr> technique would replace HTTPs for web pages, only for other
ekr> HTTP/TLS uses. (Though frankly I doubt that as well.)
Uhmm, what exactly is the functional difference between HTTPS and
Eric Rescorla wrote:
> ...
> Not as far as I know. It was never really expected that this
> technique would replace HTTPs for web pages, only for other
> HTTP/TLS uses. (Though frankly I doubt that as well.)
It's the only recognized way of doing encryption for IPP... :(
--
_
Lutz Jaenicke <[EMAIL PROTECTED]> writes:
> > Are there any web browsers out there that support the HTTP Upgrade
> > spec to upgrade to TLS/SSL? (so far I've only had a chance to try
> > Netscape 4.x and MSIE 5.0 and 5.5)
>
> As far as I know there has no browser been released using this techniqu
Hi,
In the generated Makefile (solaris, shared), the line:
LIBS=libcrypto.so* libssl.so*
expands to:
libcrypto.so libcrypto.so.0.9.6 libssl.so.0
libcrypto.so.0 libssl.solibssl.so.0.9.6
hence, the install rule segment:
@for i in $(LIBS) ;\
d
Gary Feldman wrote:
>
> > From: [EMAIL PROTECTED]
> > On Behalf Of Sean Wieland
> ...
> > (with OK as the default -- stupid users always assume the defaults are
> > correct)
>
> Let's be fair. As your example really points out, the problem in this
> specific case (your example, not necessarily
On Wed, Dec 20, 2000, Gary Feldman wrote:
> Let's be fair. As your example really points out, the problem in this
> specific case (your example, not necessarily the "Accept this invalid
> certificate case") is with the developers, not the users.
Which browser would that be? Netscape has no defa
This is what I did, hope it helps.
You can create a directory and work under this directory.
1. Create a self signed CA
openssl genrsa -des3 -out ca.key 1024 (generate CA key)
openssl req -new -x509 -days 365 -key ca.key -out ca.crt (Create self signed certif
I cannot handle the CRL Distribution Points with the following code:
#include "openssl\x509.h"
#include "openssl\x509v3.h"
X509_EXTENSION*ext=NULL;
ASN1_OCTET_STRING*extValue=NULL;
STACK_OF(DIST_POINT)*crlDPStack=NULL;
X509 *x509=...a valid X509v3 certificate
extIndex=X509_get_ext_by_NID(x5
> From: [EMAIL PROTECTED]
> On Behalf Of Sean Wieland
...
> (with OK as the default -- stupid users always assume the defaults are
> correct)
Let's be fair. As your example really points out, the problem in this
specific case (your example, not necessarily the "Accept this invalid
certificate ca
On Wed, Dec 20, 2000 at 05:06:37PM +0200, Wirta, Ville wrote:
> I'm not actually reusing SSL_s but just read and write on it. Every
> operation is actually surrounded by mutexes so I'm quite a bit confused
> about what's still going wrong. (If you remember) I've been talking with you
> too a
Sean,
I tried doing a creation on a Sun box earlier and it didn't
work because of no /dev/random. You could try installing 'EGD'
or the 'Entropy Gathering Daemon'...
(available from http://www.lothar.com/tech/crypto/ ) but I had
little success.
In the end I just installed openssl etc on a linux
I don't have experience with threads.
Too bad :-)
Did you call SSL_clear() after finishing the connection and before reusing
the SSL object?
I'm not actually reusing SSL_s but just read and write on it. Every
operation is actually surrounded by mutexes so I'm quite a bit confuse
Dear Sir/Madam,
I want to set up a secure web server (https) using your OpenSSL toolkit & am
having some difficulty. I've checked the FAQ but it didn't give me what I
need (FYI I'm experienced in C, some experience of shell scripts / general
unix commands, no perl, experienced in general web prin
On Wed, Dec 20, 2000 at 04:25:03PM +0200, Wirta, Ville wrote:
> I was wondering what might the differences between
> "SSL_use_certificate_file" and "SSL_CTX_use_certificate_file" be? Private
> key file can also be attached to both ssl_s and ssl_ctx... Would there be a
> place to read more of thes
On Wed, Dec 20, 2000 at 10:32:59AM -0500, Michael Sweet wrote:
> CUPS 1.1.5 supports both dedicated TLS/SSL connections (https
> scheme) as well as the HTTP Upgrade mechanism for upgrading to
> TLS/SSL. Both methods work perfectly with the CUPS client apps,
> but web browsers (so far) seem only t
Hi!
I was wondering what might the differences between
"SSL_use_certificate_file" and "SSL_CTX_use_certificate_file" be? Private
key file can also be attached to both ssl_s and ssl_ctx... Would there be a
place to read more of these or could someone help me a little?
I would also like to know i
Hi, All!
We're about to release a TLS/SSL-capable version of CUPS (1.1.5)
that uses OpenSSL. So far everything is working great (so far not
a single glitch I can see with 0.9.6!), but we're struggling with
one final issue...
CUPS 1.1.5 supports both dedicated TLS/SSL connections (https
scheme)
On Wed, Dec 20, 2000 at 12:55:18PM -, sinead obrien wrote:
> I am new to SSL and I am trying to use it so that I can specify the
> MAC algorithms and symmetric algorithms that it is to use. I have
> found the function SSL_set_cipher_list and I have found the cipher lists
> in ssl2.h, ssl3.h an
I am new to SSL and I am trying to use it so that I can specify the
MAC algorithms and symmetric algorithms that it is to use. I have
found the function SSL_set_cipher_list and I have found the cipher lists
in ssl2.h, ssl3.h and tls1.h. My problem is the format of these cipher
lists don't make mu
Hiya,
I am new to OpenSSL and am trying to create a new certificate.
I have followed the instructions as per the FAQ and everything
works fine up until the CA.pl -signreq command.
I get the following error message:
[root@box misc]# ./CA.pl -signreq
Using configuration from /usr/local/ssl/openss
Dr S N Henson wrote:
>
> You can't exclude private keys from a PKCS#12 file using the OpenSSL
> command line tool. The -nokeys options is for parsing a PKCS#12 file
> only, not for creation.
>
> Normally PKCS#12 files are used to store certificates and keys so there
> isn't any need to exclude
On Tue, 19 Dec 2000, Richard Levitte - VMS Whacker wrote:
> From: James Dabbs <[EMAIL PROTECTED]>
>
> JDabbs> Does OpenSSL presently support hardware tokens for client-side
> JDabbs> authentication, such as Aladdin "eToken" or Rainbow "iKey
> JDabbs> 2000"? If not, is there any activity in this
Richard Levitte - VMS Whacker wrote:
> From: James Dabbs <[EMAIL PROTECTED]>
>
> JDabbs> Does OpenSSL presently support hardware tokens for client-side
> JDabbs> authentication, such as Aladdin "eToken" or Rainbow "iKey
> JDabbs> 2000"? If not, is there any activity in this direction?
>
> I've b
Robert Sandilands wrote:
>
[SNIP]
>
> Until people start really demanding security, companies like Microsoft
> will be buzzword compliant but not really secure without a lot of extra
> work and tools. There will always be the message box that you can press
> that it is Ok to delete all your files
I've had several phone calls from irate customers demanding to disable
the anti-virus software because it would not allow him/her to run a
virus.
Any security system/software is only as good as the weakest link, which
in general is the human element. The real trick is that after you have
put the