Re: OpenSSL and iPlanet problems - again

2002-10-22 Thread Ashwin C Uthappa
Hi all, Just some updates. I used the openssl tool to try and establish communication with both the engine (which fails) and the "proxy engine" (which succeeds). I've pasted the output below. Some details: the engine is a java application on a remote machine (Windows). The proxy engine is a

Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
Ah, thanks Marcus. We're talking bits, not bytes, I see. In that case, I'm using way too big a number. Thanks, Ed --- Marcus Carey <[EMAIL PROTECTED]> wrote: > Ed > > > See the book "Network Security with OpenSSL." > > With 4 bits of entropy, an attacker has 1 in 16 > chances of guessing t

Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
I hear what you're saying, and I totally agree. The problem with using RAND_screen() is that the app I'm writing is a server. So it may be running on a box hidden away in some closet, and may not even have a monitor attached to it. So there may not be any user interaction at all, in which case,

Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
Thanks Dick. I heard about the Intel RNG. Unfortunately, we may also run on AMD machines, in which case, this wouldn't be portable. But it might be worth looking into. Thanks again, Ed --- [EMAIL PROTECTED] wrote: > > Not exactly open source, but > http://www.intel.com/design/security/rng

Error Log

2002-10-22 Thread Hara
Hi. My SSL server periodically outputs the same error messages as follows: [Sun Oct 13 05:35:26 2002] [error] SSL_accept failed [Sun Oct 13 09:05:40 2002] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request This server runs OPENSSL-0.95a and Apache-SSL 1

Re: anybody using EGADS?

2002-10-22 Thread Marcus Carey
Ed See the book "Network Security with OpenSSL." With 4 bits of entropy, an attacker has 1 in 16 chances of guessing the right seed. If you're creating 128-bit keys you should use 128 bits of entropy; anything less than 64 bits may not be secure enough. I am not sure how nBytes is read. To get

Re: installation openssl urgent!

2002-10-22 Thread Ivone Uribe
Thanks Guy, I hope I'm not boring you, but I'm a little new with this. Well, if I understand you... I have to do this: #cd usr/local/ssl #CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS #./configure Are these steps right? It is to compile my old openssl, so I don't need to erase my old installat

Re: installation openssl urgent!

2002-10-22 Thread Guy Matz
set it in your environment . . . just before you run configure, type: CPPFLAGS=-I/usr/local/ssl/openssl; export CPPFLAGS then run configure. the CPPFLAGS environment setting should tell configure to check in that directory for the include files it needs. again, let me know if you have a proble

Re: installation openssl urgent!

2002-10-22 Thread Ivone Uribe
Hi Guy! Thanks for your reply :) but Where do I set : CPPFLAGS="-I/usr/local/ssl/openssl? the rc5.h is in the /usr/local/ssl/include/openssl and the libs like libcrypto are in /usr/local/ssl/libs so I guess I have to set this path: "-I/usr/local/ssl/include/openssl"...is that right?...but where

Re: Are self signed certificates bad?

2002-10-22 Thread Bear Giles
Martin Witzel wrote: | Except when you have an independent means to verify that |a) the self-signed certificate which you received during the handshake | comes from the entity which claims to be the originator |b) you also feel comforta

Re: client-side session reuse

2002-10-22 Thread Xperex Tim
This is very interesting. I don't understand how your solution completely fixes things though. What if the server is restarted with caching disabled while the client still has sessions cached. When the sessions were cached by the client the session ID was not zero length so you validly cached

Re: FW: updates (SSL-Certificates-HOWTO)

2002-10-22 Thread Xperex Tim
Thanks Franck. I have referred to your docs often. --- Franck Martin <[EMAIL PROTECTED]> wrote: > I'm pleased to announce a new version of the SSL-Certificates-HOWTO. > > Thanks to all for your contributions and comments. > > Can someone put a link on the openssl.org web site? Thanks. > > Comm

Re: anybody using EGADS?

2002-10-22 Thread Stephen G. Schoggen
Hi Ed, Knowing very little about any of this cryptography stuff, I have no idea what value of nBytes is enough. I think the wisdom, though, is that it depends upon your situation. From what I've read, the whole purpose of cryptography is to make it too difficult for an attacker to succeed wi

Re: installation openssl urgent!

2002-10-22 Thread Guy Matz
it looks like you have an issue with your include files . . . try setting CPPFLAGS="-I/usr/local/ssl/openssl", or whatever the path to your rc5.h file is, then run configure. let me know if that doesn't work. regards, guy Ivone Uribe wrote: Hi all! I have problems with the openssl in an ins

installation openssl urgent!

2002-10-22 Thread Ivone Uribe
Hi all! I have problems with the openssl in an installation of a wap gateway, I'm using the RedHat 7.2. When I was trying to install the gateway rpm I got these messages: libcrypto.so.0.9.6 required libssl.so.0.9.6 required. To solve it I removed the openssl0.9.6 rpm (is it right?) and I just

FW: updates (SSL-Certificates-HOWTO)

2002-10-22 Thread Franck Martin
I'm pleased to announce a new version of the SSL-Certificates-HOWTO. Thanks to all for your contributions and comments. Can someone put a link on the openssl.org web site? Thanks. Comments, critics,... you know how to join me... Cheers. -Original Message- From: Greg Ferguson [mailto:gf

Re: anybody using EGADS?

2002-10-22 Thread Dick . Bridges
Not exactly open source, but http://www.intel.com/design/security/rng/rng-capi.htm "Accessing the Intel® Random Number Generator through a CSP for Microsoft* CryptoAPI" describes how to access the Intel *hardware* RNG. Might be of some use to you on Windows platforms. (I believe some *NIXs use t

Re: Are self signed certificates bad?

2002-10-22 Thread Vadim Fedukovich
On Tue, Oct 22, 2002 at 12:50:04PM +0200, Martin Witzel wrote: > > Except when you have an independent means to verify that >a) the self-signed certificate which you received during the handshake > comes from the entity which claims to be the originator >b) you also feel comfortabl

Re: config file help

2002-10-22 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 22 Oct 2002 13:05:40 -0700, "Eric Weitzman" <[EMAIL PROTECTED]> said: eweitzman> Richard, eweitzman> eweitzman> > "Eric Weitzman" <[EMAIL PROTECTED]> said: eweitzman> > eweitzman> > eweitzman> Is there any overview documentation on the relationship eweitzma

Re: anybody using EGADS?

2002-10-22 Thread Edward Chan
Hi Stephen, Thanks for the reply. You're absolutely right. It does appear that I am not blocked indefinitely...it certainly does take a while to gather entropy. I was using nBytes = 1024. Then I tried 512. Still very long time. Any suggestions on what a number should be for acceptable random

RE: config file help

2002-10-22 Thread Eric Weitzman
Richard, > "Eric Weitzman" <[EMAIL PROTECTED]> said: > > eweitzman> Is there any overview documentation on the relationship > eweitzman> between the keys and sections in openssl.cnf and both the > Isn't http://www.openssl.org/docs/apps/req.html enough? There's a > small blurb about distinguished

Outlook DOES NOT support client-side certs

2002-10-22 Thread Derek Simkowiak
This is for the purposes of the list archives, as I have wasted a great deal of time on this and there is misleading information on the Internet. I have tested Outlook 2002, both with and without Office ServicePack1 and Office ServicePack2 (independently), on 4 different workstati

signature decoding with pubkey in command line

2002-10-22 Thread Kocsis Peter
Hello! Could you help me in decoding a signature with public key in command line. The purpose is that I could compare the result with a fingerprint calculated from a document (with a hash-function ie. md5), because it would be used on a web-page, and I think nobody wanna send a private document t

Re: config file help

2002-10-22 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 22 Oct 2002 11:49:39 -0700, "Eric Weitzman" <[EMAIL PROTECTED]> said: eweitzman> Is there any overview documentation on the relationship eweitzman> between the keys and sections in openssl.cnf and both the eweitzman> commands that use those keys (ca, req, x5

config file help

2002-10-22 Thread Eric Weitzman
Is there any overview documentation on the relationship between the keys and sections in openssl.cnf and both the commands that use those keys (ca, req, x509, etc) and to which other sections in the config file certain keys point? For example, the value for the key distinguished_name in the [ req ]

RE: OpenSSL PROBLEM on HP-UX 11.00 and 11.11 (11i)

2002-10-22 Thread Howard Chu
We are using OpenSSL 0.9.6g on HP-UX 11.00 and 11.11 without any trouble. It's bundled into our CDS package (OpenLDAP+OpenSSL+Heimdal+SASL) and is available for free download from www.symas.com. We aren't doing anything fancy here, just using libssl for LDAP connection security, but it works withou