On Tue, 17 Dec 2002, Eric Rescorla wrote:
> Eric Rescorla <[EMAIL PROTECTED]> writes:
> > Now consider what happens if you're running 512 virtual servers (IPs)
> > with 256 child processes. If Slapper contacts all of them, it will
> > freeze all your children and you're frozen until the timeouts
>
Stephen Amadei <[EMAIL PROTECTED]> writes:
> On Tue, 17 Dec 2002, Eric Rescorla wrote:
>
> > Now consider what happens if you're running 512 virtual servers (IPs)
> > with 256 child processes. If Slapper contacts all of them, it will
> > freeze all your children and you're frozen until the timeou
On Tue, 17 Dec 2002, Eric Rescorla wrote:
> Now consider what happens if you're running 512 virtual servers (IPs)
> with 256 child processes. If Slapper contacts all of them, it will
> freeze all your children and you're frozen until the timeouts
> happen. Joe, do you have more virtual servers tha
Geoff Thorpe <[EMAIL PROTECTED]> writes:
> > just didn't understand why Slapper was doing it since it only tries to
> > probe your machine once AFAIK. But if you have a lot of IPs
>
> But along the lines of what the original poster mentioned, this courtesy
> from Slapper can hardly be relied u
Hi there,
* Eric Rescorla ([EMAIL PROTECTED]) wrote:
> I've long suspected that you could connect to Apache and consume all
> the processes until a timeout. It's very hard to defend against this
> attack since it's hard to distinguish attackers from slow clients. I
This is what I was wondering a
Eric Rescorla <[EMAIL PROTECTED]> writes:
> Now consider what happens if you're running 512 virtual servers (IPs)
> with 256 child processes. If Slapper contacts all of them, it will
> freeze all your children and you're frozen until the timeouts
> happen. Joe, do you have more virtual servers than
Stephen Amadei <[EMAIL PROTECTED]> writes:
> We have 512 ip addresses on our system as well, so the same Slapper system
> hits us over and over... but our server is actually pretty robust.
Hmm. This may be the issue. Assume for the sake of argument that
Slapper manages to freeze your server when
On Tue, 17 Dec 2002, Eric Rescorla wrote:
> Joe Rhett <[EMAIL PROTECTED]> writes:
> > Both. Only on SSL-enabled servers. Rephrase, only on OpenSSL servers.
> > And yes I'm hella confused myself.
> So, say you have a server which listens on both port 443 for SSL
> and 80 for HTTP, does access on po
> So, say you have a server which listens on both port 443 for SSL
> and 80 for HTTP, does access on port 80 get blocked at the same
> time as access on port 443 gets blocked.
Yes. Not 'blocked' -- TCP connects happen, but the server doesn't reply
for up to the Timeout period. If you telnet to
Joe Rhett <[EMAIL PROTECTED]> writes:
> Both. Only on SSL-enabled servers. Rephrase, only on OpenSSL servers.
> And yes I'm hella confused myself.
So, say you have a server which listens on both port 443 for SSL
and 80 for HTTP, does access on port 80 get blocked at the same
time as access on port
> > 2. Being able to log in and identify the right processes within the Timeout
> > period. On our servers that is 3 minutes. There's usually that much lag
> > just in the time period from alert generated until it hits our pagers.
> Or attacking your own server with Slapper, which is what someon
Hello all:
As a follow-up to this question:
I am able to generate certificates on my Linux machine
using openssl. Will those certificates work on pcAnywhere
10.5?
Thanks,
Neil.
--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Develo
Joe Rhett <[EMAIL PROTECTED]> writes:
> > This is a surprising report. Since Apache 1.3.x runs separate
> > server processes, it's kind of surprising that a single client
> > would stall all server processes. Could you put a debugger on
> > one of the stalled processes and see where it is?
>
> T
> This is a surprising report. Since Apache 1.3.x runs separate
> server processes, it's kind of surprising that a single client
> would stall all server processes. Could you put a debugger on
> one of the stalled processes and see where it is?
That requires:
1. Being instantly available when sl
Joe Rhett <[EMAIL PROTECTED]> writes:
> > May I ask, is it just the daemon which happens to handle the worm
> > request which dies? (I presume it is not the parent apache process!) Can
> > you advise on a handy string to search for in the logs to see if we have
> > been getting hit? (We have notice
On Tue, Dec 17, 2002 at 01:48:22PM -0800, Paul L. Allen wrote:
> Joe Rhett wrote:
> >
> > [... about Slapper worm affecting immune servers ...]
> >
> > Thus my confusion on this topic -- people are feeling the brunt, and there
> > are numerous posts about changes to minimize the effect. But all o
Joe Rhett wrote:
>
> [... about Slapper worm affecting immune servers ...]
>
> Thus my confusion on this topic -- people are feeling the brunt, and there
> are numerous posts about changes to minimize the effect. But all of these
> fixes are either (1) breaking something else or (2) security thro
Should openssl be compiled with any special flag to get AES functionality?
This is w.r.t. openssl-0.9.7-beta3
I have:
ssl = SSL_new (ctx); CHK_NULL(ssl);
if(!SSL_set_cipher_list(ssl,cipher)) {
printf("error setting cipher list\n");
}else {
printf("setting
> I was very interested by your posting - according to the various news
> reports, the slapper worm affects only Linux and was fixed from openSSL
> 0.9.6e onwards. However, you're saying that, although your server is
> unable to be infected, it still crashes when probed by the worm.
Goes unrespon
Wade L. Scholine wrote:
> This is almost the same question I have been asking about in the "Strange
> rsa_lib application" thread. The danger of using RSA_NO_PADDING seems to be
> the problem I ran into, which is that the plaintext can be too big for the
> key. ...
The reason for using padding is
Title: RE: ciphertext should match length of key?
This is almost the same question I have been asking about in the "Strange rsa_lib application" thread. The danger of using RSA_NO_PADDING seems to be the problem I ran into, which is that the plaintext can be too big for the key. The suggested
Thanks for that
How does padding fit into this?
I have been using RSA_NO_PADDING with
RSA_public_encrypt.
Man pages say this is not such a good idea,
but my call to RSA_public_encrypt fails if I use any
of the other PADDING options. I am assuming this is
because my msg (to be encrypted) is
Title: RE: ciphertext should match length of key?
sharun santhosh asks:
> In openssl-0.9.6g/demos/maurice/example2.c
>
> why is a check performed after calling
> RSA_public_encrypt
>
>
> if (len != EVP_PKEY_size(pubKey))
> {
> fprintf(stderr,"Error: ciphertext should matc
The sixth beta release of OpenSSL 0.9.7 is now available from the
OpenSSL FTP site <ftp://ftp.openssl.org/source/>. This beta
contains just a few fixes since beta 5.
This is assumed to be the final beta. The final release of OpenSSL
0.9.7 has been res
Hi,
I am trying to 'GET' and 'POST' to a secure server requiring a
client-side certificate from Perl which authenticates my certificate at the
URL level (i.e. https://www.abc.com/atdb). My attempts using 'do_https' have
failed miserably because I think 'do_https' is attempting to authenticate a
Matthew Hall wrote:
>> Err, folks. I just took a ca.cer file with a normal DER-encoded CA
>> certificate,
>> chose "open file" in Mozilla 1.1 and I got a nice dialog box:
>> "You've been asked to trust a new CA
>> ( ) trust this CA to identify web sites
>> ( ) trust this CA to identify email users
>
Dmitri Bogutski wrote:
Nils Larsch wrote:
Dmitri Bogutski wrote:
Hello,
How to get a DER-encoded of the certificate issuer name?
I do the following:
BIO *mem;
X509 *x;
X509_NAME *issuer;
/* 'buf' is a buffer containing the certificate read from an ID-card */
/* 'len' - length of certificate