serious openssl vulnerability

2002-11-22 Thread ervin ruci
please reply if you can: this is a serious openssl vulnerability: here is the log: [Fri Nov 22 11:08:33 2002] [error] [client 164.77.208.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Fri Nov 22 11:08:43 2002 : 64.86.0.229] domain silvercrest.ca rar 29 (24502) [Fr

RE: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Fisk, Kevin
Sorry, my fingers banged out the message before my brain thought to look at the rest of the thread to see if anyone had suggested making the buffers volatile. -Original Message- From: Jeffrey Altman [mailto:[EMAIL PROTECTED]] Sent: Friday, November 22, 2002 7:22 AM To: [EMAIL PROTECTED] Cc

RE: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Fisk, Kevin
If a variable is declared as "volatile", the compiler by definition is not supposed to make these kinds of optimizations. I had issues one time with some software I wrote for a hardware company to do a BIT (built-in test) for memory errors and the compiler optimizing the store and read of the memo

RE: Beta 4 of OpenSSL 0.9.7

2002-11-22 Thread ervin ruci
What is actually of greater urgency for me is an openssl vulnerability that allows clients to just open the connection and leave it hanging, hence forcing my web server to reach its maxclients setting and crash. This problem was addressed by openssl version g for the linux platform, but on solaris t

Recertify CA

2002-11-22 Thread Dominik Brosch
Dear all, I created a CA with a lifetime from one year :-< I am now searching for a solution to change the expiration date. How can I do this? Pls. keep my address in CC, because I am not on the list. Thanks in advance. Regards Dominik

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Jeffrey Altman
I am concerned about the performance impact of the use of 'volatile' memory access because it means that all access to the memory region must be performed without use of memory caches. > You are worried about a performance impact of clearing a small password buffer? I > would think the idea of

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Rich Salz
I thought making a memset() look-alike (somewhere in the discussion, "setmem()" was proposed) was enough to prevent it. No? It is possible that a compiler will have more knowledge about memset() than your setmem() variant. Not sure how likely. /r$

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Luke Ross
Hi, On Fri, Nov 22, 2002 at 09:32:14AM -0600, Kenneth R. Robinette wrote: > > You are worried about a performance impact of clearing a small password buffer? I > would think the idea of changing memset() to a more secure function is an excellent > idea and well worth a couple of days of delay.

Re: Converting own CA certificate to pkcs12

2002-11-22 Thread Charles B Cranston
Matthew Hall wrote: > I'm trying to find out how to take my ca.crt file (signed > by my own CA self) and convert it to pkcs12 format for importation > into Mozilla, so that Mozilla will recognize anything else signed > by me as 'OK'. If indeed a PKCS#12 can include a CA certificate as well as an

Re: Symmetric key renegotiation

2002-11-22 Thread Michael Sierchio
Michael Sierchio wrote:

Re: Hard-wired CA-cert in source code?

2002-11-22 Thread Charles B Cranston
David Schwartz wrote: ... > No, embedding private keys is a perfectly good thing. It's useful for many > things, including protecting clients against malicious servers or impostor > servers. It just won't work to protect the client from itself. There are > other techniques to do that. I'd appreci

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Kenneth R. Robinette
Date sent: Fri, 22 Nov 2002 10:21:30 EST From: Jeffrey Altman <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Copies to: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject:Re: IMPORTANT: The release of 0.9.6h is

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Jeffrey Altman
> I thought making a memset() look-alike (somewhere in the discussion, > "setmem()" was proposed) was enough to prevent it. No? There were three suggestions made that I had seen that appeared to work: . change all password buffers to volatile . replace memset() with your own function not call

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Fri, 22 Nov 2002 23:28:27 +1100, mlh <[EMAIL PROTECTED]> said: mlh> Rich Salz wrote: mlh> >>I still see it as a problem, since the data then mlh> >>potentially sticks around for a longer time, and is therefore mlh> >>retrievable for anyone who cracked root if tha

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Fri, 22 Nov 2002 06:05:15 -0500 (EST), Rich Salz <[EMAIL PROTECTED]> said: rsalz> Anyone who can crack root will just install a trojan openssl library, rsalz> anyway. Seems little point in holding up a release for this. Possible. I still want us to get some ex

Re: OCMP(Online Certificate Status Protocol)

2002-11-22 Thread Michiels Olivier
Yes, the version 0.9.7 of OpenSSL includes ocsp. But what do you want to do with OCSP? Do you want to implement an OCSP client or an OCSP responder? Michiels Olivier On Fri, 2002-11-22 at 12:34, HASEGAWA Takashi wrote: > Hello. > > I have a question. > > I want to use OCMP(Online Certificate St

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Lutz Jaenicke
On Fri, Nov 22, 2002 at 11:28:27PM +1100, mlh wrote: > Rich Salz wrote: > >>I still see it as a problem, since the data then > >>potentially sticks around for a longer time, and is therefore > >>retrievable for anyone who cracked root if that would happen. > > > > > >Anyone who can crack root will

Re: Unable to load DSA public key?

2002-11-22 Thread Nils Larsch
Paul L. Allen wrote: > Nils Larsch wrote: > > Paul L. Allen wrote: > > > One of our customers showed up with a certificate that OpenSSL's x509 > > > subcommand doesn't appear to like. It complains about the public key: > > > > > > [paula@bluesky C_pdp]$ /usr/local/ssl/bin/openssl x509 -in > > > HA

RE: Converting own CA certificate to pkcs12

2002-11-22 Thread Roberto López Navarro
My problem is I am afraid that I spend too much time with excel and powerpoint (I am not even allowed to use StarOffice) instead of tinkering with nice pieces of software. Good point. Roberto -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joern Sierw

[no subject]

2002-11-22 Thread ahmad f
Hi, I am a new user of openssl, and I am trying to make an application that uses openssl to manage a PKI. So I began by trying to make a command like genrsa. I began with the RSA_generate_key() function, it works, but the problem is what function must be used to encrypt an RSA key with DES or 3DES, and ho

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread mlh
Rich Salz wrote: I still see it as a problem, since the data then potentially sticks around for a longer time, and is therefore retrievable for anyone who cracked root if that would happen. Anyone who can crack root will just install a trojan openssl library, anyway. Seems little point in hold

RE: Converting own CA certificate to pkcs12

2002-11-22 Thread Joern Sierwald
At 13:02 22.11.2002 +0100, you wrote: As far as I know there are only two ways for importing a CA certificate into Netscape browser: 1) Through an HTTP/HTTPs connection to a Web server hosting the CA certificate (using MIME type application/x-x509-ca-cert) 2) Importing it piggyba

RE: Converting own CA certificate to pkcs12

2002-11-22 Thread Roberto López Navarro
As far as I know there are only two ways for importing a CA certificate into Netscape browser: 1) Through an HTTP/HTTPs connection to a Web server hosting the CA certificate (using MIME type application/x-x509-ca-cert) 2) Importing it piggybacked in a user PKCS#12 (i.e., you impo

OCMP(Online Certificate Status Protocol)

2002-11-22 Thread HASEGAWA Takashi
Hello. I have a question. I want to use OCMP(Online Certificate Status Protocol). OpenSSL has OCSP ? What must I do for using OCSP ? Would you like to tell me ? -- = HASEGAWA Takashi E-Ma

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Rich Salz
> I still see it as a problem, since the data then > potentially sticks around for a longer time, and is therefore > retrievable for anyone who cracked root if that would happen. Anyone who can crack root will just install a trojan openssl library, anyway. Seems little point in holding up a relea

Re: IMPORTANT: The release of 0.9.6h is postponed

2002-11-22 Thread Richard Levitte - VMS Whacker
In message <000601c291fc$73eca570$0701a8c0@Michael> on Fri, 22 Nov 2002 15:54:53 +0800, "Michael Lee" <[EMAIL PROTECTED]> said: mlee> > A fairly recent problem report (PR 343 in our bugs database) proves to mlee> > be a showstopper. It mentions that 'memset(ptr, 0, n)' may not happen mlee> > if

Re: Converting own CA certificate to pkcs12

2002-11-22 Thread Matthew Hall
On Thu, 21 Nov 2002, mikecross wrote: > Seems to me that your problem is that you didn't supply > password. > PKCS12 format stores Private + Public key pair > encrypted with password. Why would I want to store all this in a pkcs12 file that I want to give to clients/other people to import into the