The problem is that virtually no legit users will ever look, but the hackers definitely will. I'll admit (being a geek) that I checked once when logging into my banking site for the first time many years ago. So maybe I was 'benefitted' that one time (and my case is definitely not typical),
> [EMAIL PROTECTED] wrote:
> > Blocking the version number is worse than reporting stale version
> > information. At least they can determine a minimum security level.
> > Incorrect information cuts both ways, helping the hacker and legitimate
> > user at the same time. Better to prefer the legiti
Thomas J. Hruska wrote:
> Now compare that number to how many hackers know and care about the same
> information.
None. If an exploit exists, it will be exploited. You are a fool if you
expect that a hacker would rely on the reported version number to elect
one of the dozens of past exploits. T
[EMAIL PROTECTED] wrote:
Blocking the version number is worse than reporting stale version
information. At least they can determine a minimum security level.
Incorrect information cuts both ways, helping the hacker and legitimate
user at the same time. Better to prefer the legitimate user's int
Hi. I am new at this and at my wits end. I keep on getting the same error when I try and start lighttpd. I have rekeyed my cert 2 times now so I am fairly certain that it is not a problem there. I have redone the KEY and CSR as well. I do not know what to do. Please let me know if you have any idea
Blocking the version number is worse
than reporting stale version information. At least they can determine a
minimum security level. Incorrect information cuts both ways, helping the
hacker and legitimate user at the same time. Better to prefer the legitimate
user's interest.
SP
[EMAIL PROTEC
Look at X509_REQ_* functions.
Subash Kalbarga wrote:
Hi all
I am trying to fit a CSR generating capability into a small footprint
embedded system.
Note that I already have the openssl library in there
Openssl is about 300K in size which I want to avoid copying over if I
can just for generatin
> The OP, however, is right. Why report the version at all to the user of
> a website? There is no need to let them know you are even running
> OpenSSL let alone the version being run. I'm not talking about security
> through obscurity. I'm referring to common sense. Don't tell people
> what
Thomas J. Hruska wrote:
David Schwartz wrote:
The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities.
You mean it m
David Schwartz wrote:
The long version: We run security check software, which makes connections
with various services, calls up the header, and then tells us that based
upon the version it read in the header, this service has certain
vulnerabilities.
You mean it might have certain vuln
Hello,
> The quick version: How can I disable or prevent OpenSSL headers
> from being viewable to outside traffic (similar to when you disable
> Apache from allowing its header and version information from being
> viewable to the outside world)?
OpenSSL is realizing the SSL3/TLS1 protocol and t
> > The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities.
I just have to say one more thing:
Nice advertising here by john..
I think there are more products =) - try the bouncycastle API, they can do it too ... for free
--- John Pattern <[EMAIL PROTECTED]> wrote:
> As far as I know the only product that supports this
> is iSafeGuard from MXC Software
> (http://www.mxcsoft.com). You might be
> The long version: We run security check software, which makes connections
> with various services, calls up the header, and then tells us that based
> upon the version it read in the header, this service has certain
vulnerabilities.
You mean it might have certain vulnerabilities. You c
Scott Campbell wrote:
The long version: We run security check software, which makes
connections with various services, calls up the header, and then tells
us that based upon the version it read in the header, this service has
certain vulnerabilities. For security purposes, we would like
Dear All, The quick version: How can I disable or prevent OpenSSL headers from being viewable to outside traffic (similar to when you disable Apache from allowing its header and version information from being viewable to the outside world)?
The long version: We run security check softwa
> The application I am writing has a requirement that after a request is
> sent to the server, it should hear from the server in xyz seconds.
> With a normal tcp socket, I can achieve this through the select()
> function. But how do I achieve this for SSL_read?
Same way.
> As I understand from last few t
To generate a library suitable for multithreaded use, the malloc and
free implementations must be the same as the ones used by the rest of
the program. (That's the number one issue.) A second issue is that
certain data structures must be wrapped in mutexes (linked lists, as
only one example). T
I am trying to decide whether building OpenSSL with
"threads" option is appropriate or not for my particular
situation. The Configure script says that the option
"tr[ies] to create a library that is suitable for
multithreaded applications." How exactly are the libraries
created to be suitable fo
Hi all
I am trying to fit a CSR generating capability into a small footprint
embedded system.
Note that I already have the openssl library in there
Openssl is about 300K in size which I want to avoid copying over if I
can just for generating CSRs
Are there any APIs in the OpenSSL library that ca
As far as I know the only product that supports this is iSafeGuard from MXC Software (http://www.mxcsoft.com). You might be able to get some information from them.
"Jaraba Nieto, Fernando" <[EMAIL PROTECTED]> wrote: Hello, Do you know how I can create a PKCS#7 file containing multiple sign
Title: multiple signers
Hello,
Do you know how I can create a PKCS#7 file containing multiple signs?
I need to sign a file with multiple signers and generate just one PKCS#7 file with all the signs inside.
Thank you very much.
Fernando Jaraba Nieto
Madrid, Spain.
---
Hello,
> The application I am writing has a requirement that after a request is
> sent to the server, it should hear from the server in xyz seconds.
>
> With a normal tcp socket, I can achieve this through the select() function.
> But how do I achieve this for SSL_read?
> As I understand from last few thread
Hi,
> The application I am writing has a requirement that after a
> request is sent to the server, it should hear from the server in
> xyz seconds.
I have done this by using non blocking sockets with SSL_read.
I call SSL_read in a loop using select() when necessary. I use
a timeout in the calls to
Hi,
The application I am writing has a requirement that after a request is sent to the server, it should hear from the server in xyz seconds.
With a normal tcp socket, I can achieve this through the select() function. But how do I achieve this for SSL_read?
As I understand from last few threads on this
Yes, giving an absolute path to SSL_use_certificate_file will work. If you are
on Windows, then you should escape the \ which will be present in the path -
that's all.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bu Bacoo
Sent: Monday, August 21, 2006 3
Hello !
The following works for me (it's hardcoded however!).
#include <iostream>
#include <openssl/ssl.h>
using namespace std;

#define certificate_file "/root/security/server.crt"

/* m_ssl is an SSL* created earlier with SSL_new(); SSL_FILETYPE_PEM == 1,
   which is the literal the original code passed as the type argument */
if ((SSL_use_certificate_file(m_ssl, certificate_file, SSL_FILETYPE_PEM)) != 1) // FG: define SSL certificate to use
{
    cout << "SSL certificate file error - did not open" << endl;
}
else
{
    cout << "SSL certificate file loaded" << endl;
}
Is it possible to specify instead of filename (char* file) for
SSL_use_certificate_file file with absolute path? Because it doesn't
work for me :-( and in the man page is nothing about 'path'
Thanks
Hello,
> I tried to encrypt and decrypt a text using different ciphers. There I
> found that the decryption fails at the EVP_CipherFinal_ex() call. Somebody
> please point out to me what I've done wrong. The code is attached.
After looking at your source code my first proposition is not
to use strlen()