Re: core dump from RAND_SSLeay

2006-08-10 Thread Girish Venkatachalam
--- "Michael P. Soulier" <[EMAIL PROTECTED]> wrote: > Hey, > > I'm on a CentOS 4.3 Linux system, and ssh-keygen is > occasionally > crashing. The backtrace from the coredump shows that > it's in openssl. > > Core was generated by `/usr/bin/ssh-keygen -l -f > /etc/ssh/ssh_host_key.pub'. > Progr

Re: Certificates for virtual clients

2006-08-10 Thread Kyle Hamilton
I'm not entirely certain what you're asking here. Usually, clients have a list of CAs that they trust, and a list of personal certificates to which they have the private keys. If a server requests a certificate and gives a certain CA, the client can automatically send the certificate they have f

Re: SSL Error

2006-08-10 Thread Dr. Stephen Henson
On Wed, Aug 09, 2006, Carlo Agopian wrote: > Hello, > > Has anybody seen the following runtime error message before? > > error::lib(0):func(0):reason(0) > Yes. It normally means "no error has been placed on the queue and the application wrongly thinks it has and can print it

RE: Checking the version of OpenSSL

2006-08-10 Thread Randy Turner
Yes, nefarious types would eventually figure it out, but we probably shouldn't lay out the red carpet for them either...:) R. -Original Message- From: [EMAIL PROTECTED] on behalf of William A. Rowe, Jr. Sent: Thu 8/10/2006 3:44 PM To: openssl-users@openssl.org Subject: Re: Checking th

Re: Checking the version of OpenSSL

2006-08-10 Thread William A. Rowe, Jr.
Randy Turner wrote: > I would probably consider the publishing of the openssl version on the web > server announcement message as a security issue. And some of us would laugh in your general direction ;-) Exploiters don't need to know, they can just persist till they find a known exploit. ___

RE: Checking the version of OpenSSL

2006-08-10 Thread Randy Turner
I would probably consider the publishing of the openssl version on the web server announcement message as a security issue. Randy -Original Message- From: [EMAIL PROTECTED] on behalf of Marek Marcola Sent: Thu 8/10/2006 2:45 PM To: openssl-users@openssl.org Subject: Re: Checking the vers

Re: Checking the version of OpenSSL

2006-08-10 Thread Marek Marcola
Hello, > Does anyone know how to externally check what version of OpenSSL is > running a server? I mean without connecting to the server via the > shell but perhaps by a browser and checking the headers? If we are talking about HTTP servers then sometimes this information MAY be available in Serve

Checking the version of OpenSSL

2006-08-10 Thread Mark Pearson
Does anyone know how to externally check what version of OpenSSL is running a server? I mean without connecting to the server via the shell but perhaps by a browser and checking the headers? Mark T. Pearson Assistant Manager of Web Administration UFT Welfare Fund 52 Broadway, 8th Flo

core dump from RAND_SSLeay

2006-08-10 Thread Michael P. Soulier
Hey, I'm on a CentOS 4.3 Linux system, and ssh-keygen is occasionally crashing. The backtrace from the coredump shows that it's in openssl. Core was generated by `/usr/bin/ssh-keygen -l -f /etc/ssh/ssh_host_key.pub'. Program terminated with signal 11, Segmentation fault. (no debugging symbols fou

Re: SSL Error

2006-08-10 Thread Andrew Dennison
You can't reuse a socket for a TCP connection, but you certainly can reuse the same TCP socket for an arbitrary number of SSL connections as long as you don't compromise the TCP connection while you're doing it.  I suspect that is the intention here and from the sounds of things (if all he is getti

RE: SSL Error

2006-08-10 Thread Usman Riaz
sorry if I misunderstood you, but AFAIK, pure sockets API doesn't allow socket reuse as such. You have to have a new socket for every TCP connection, you can't "reuse" a socket. From: "Carlo Agopian" <[EMAIL PROTECTED]> Reply-To: openssl-users@openssl.org To: CC: "Carlo Agopian" <[EMAIL PROTECTED]> S

Certificates for virtual clients

2006-08-10 Thread Vijay K. Gurbani
I have a client that masquerades as different virtual clients and thus needs to present a different certificate to a server based on some internal policy. For instance, consider a client that hosts two virtual domains: foo.com and bar.com. When initiating requests from a user in foo.com domain,

RE: Custom CA vs Openssl CA

2006-08-10 Thread Richters, Eriks A
Hi Andrew, It's pretty much the typical argument of commercial software vs. open source. There are a few open source PKI initiatives underway. I haven't really followed them in the last couple of years, but this is a decent resource to read about them: http://ospkibook.sourceforge.net/ If your pl

Re: SSL Error

2006-08-10 Thread Andrew Dennison
This error is indicative that there is no error. You have simply read the error buffer one more time than you should have. There is absolutely nothing wrong with your application state if you see this reported. In my experience it won't cause any application problems if you check the error queue

Custom CA vs Openssl CA

2006-08-10 Thread Andrew White
Are there any major advantages to using a third party packaged CA over openssl's CA? The CA from openssl seems more than adequate for most uses. A concern I am hearing is developing an interface to openssl CA would be time consuming and might have security issues. Is this a valid concern or woul

Re: Certificate Chain Problems

2006-08-10 Thread Goetz Babin-Ebell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: > PKI newbie in need of help. Hello Stewart, > When I sign a SSL cert with my CA, the certification path only lists the > web server. Not my SubCA or the Windows Root CA. ??? Which certification path do you mean ? The c

Re: merging certs

2006-08-10 Thread Goetz Babin-Ebell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Marten Lehmann wrote: > Hello, Hello Marten, > I recently read that it is possible to have more than one ssl-host per > ip-address. This shall be possible with two special requirements: > > - all ssl-hosts share the same key > - all certs for the

RE: Certificate Chain Problems

2006-08-10 Thread Fitzsimons, Nick
Hi Stewart, Not sure if I have you right here but I came across a similar problem when I was trying to generate OCSP responses. Firstly I assume you have this man page : http://www.openssl.org/docs/apps/openssl.html Some commands have a parameter -CAfile This should have the full cert chain

Certificate Chain Problems

2006-08-10 Thread Stewart_Larsen
PKI newbie in need of help. When I sign a SSL cert with my CA, the certification path only lists the web server. Not my SubCA or the Windows Root CA. I am trying to stand up a SubCA under a Windows Certificate Authority and I am having issues getting the Chain of Authority correct. I have bee

Re: Signing an arbitrary buffer with an arbitrary RSA key: how to?

2006-08-10 Thread Dr. Stephen Henson
On Thu, Aug 10, 2006, ?? wrote: > > So, the remaining part of MiniCert must be the signature - exactly 128 > bytes, which corresponds to the CA's key of 1024 bits. > Currently I'm stuck on guessing the algorithm they could use to obtain > that signature. I did try "md5",

Re[6]: Signing an arbitrary buffer with an arbitrary RSA key: how to?

2006-08-10 Thread генерал Пурпоз
Thanks for helping me with forced external RSA keys. Now I've dissected the example MiniCert and found where the user's public key is stored. User's key is 512 bits. I did a testing utility that takes both keys (the example documentation provides the user's private key as well) and tries to encry

RE: merging certs

2006-08-10 Thread Fitzsimons, Nick
That part I can't help you with. Sorry. However I did just merge them as you describe. Good luck. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marten Lehmann Sent: Thursday, August 10, 2006 3:31 PM To: openssl-users@openssl.org Subject: Re: merging c

Re: merging certs

2006-08-10 Thread Marten Lehmann
Hello, I merged some certs which were in PEM format just by putting them together in the editor. so merging is really just the step of putting several certs like this in one file? -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFIC

RE: Re[2]: What does "PEM" mean?

2006-08-10 Thread Dmitrij Mironov
What, are you kidding? > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of генерал Пурпоз > Sent: Thursday, August 10, 2006 2:44 PM > To: Hugo de Paix de Coeur > Subject: Re[2]: What does "PEM" mean? > > Hello Hugo, > > Thursday, August 10, 2006,

RE: merging certs

2006-08-10 Thread Fitzsimons, Nick
I merged some certs which were in PEM format just by putting them together in the editor. The openssl ocsp command has a param -CAfile where fname needs the entire cert chain back to the root. I did it in Notepad and it worked fine. I haven't tried it with .DER format. -Original Message

merging certs

2006-08-10 Thread Marten Lehmann
Hello, I recently read that it is possible to have more than one ssl-host per ip-address. This shall be possible with two special requirements: - all ssl-hosts share the same key - all certs for the hosts are bundled within one file For the latter requirement I think it doesn't only have to b

Re: Generation of Public Key using exponent and modulus

2006-08-10 Thread Dr. Stephen Henson
On Wed, Aug 09, 2006, James Richard van den Berg wrote: > Hi > And if the Modulus and exponent are in a textfile, in format >? > There isn't a function to do that directly though functions exist to convert hex or decimal strings to a BIGNUM which can be used. It is possible to convert

Re: What does "PEM" mean?

2006-08-10 Thread Dr. Stephen Henson
On Thu, Aug 10, 2006, ??? ?? wrote: > And what is DER then? > Distinguished Encoding Rules. That's a set of rules which determine how ASN1 data is encoded such that each structure can only have one unique encoding (hence the "distinguished"). Steve. -- Dr Stephen N. Henson. Email, S/MI

Re[2]: What does "PEM" mean?

2006-08-10 Thread генерал Пурпоз
Hello Hugo, Thursday, August 10, 2006, 12:55:09 PM, you wrote: > Privacy Enhanced Mail > This is a base64 encoded format, for mailing, or other purposes... And what is DER then? Thank you in advance. -- Best regards, Tony mailto:[EMAIL PROTECTED] __

Re: What does "PEM" mean?

2006-08-10 Thread Hugo de Paix de Coeur
Bhupendra Joshi wrote: http://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail On 8/1/06, *Bo Xie* <[EMAIL PROTECTED]> wrote: I know openSSL supports .pem format. But what does "PEM" mean? Personal Encrypto Management? Thanks! Best Regards,