Thanks for the quick response, David. I hadn't seen any documentation on
BIO_set_ssl_renegotiate_bytes/timeout(), but that sounds like a simpler
way to go. If I set them both, do they both reset whenever a
renegotiation takes place? Any recommendations on reasonable settings
for SSLv3/TLSv1?
Re: t
On Tue May 19 2009, Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Ger Hobbelt
> > Sent: Monday, 18 May, 2009 13:04
> - - - snip - - -
> >
> > c) the 'guaranteed delivery' I mentioned before: VMS offers
> > this as a message-based protocol, but you can easily convert
Wayne Feick wrote:
> Our server has one background thread constantly calling SSL_read()
> to drain incoming data. There are multiple threads generating outgoing
> data but all the SSL_write() calls are serialized with a semaphore.
> All I/O is blocking.
I'm not sure how you could make this work.
Hi All,
I've been banging my head against the wall for the last few days trying
to get session renegotiation working in a server I'm working on, and I'm
hoping someone here can give me a clue. I'm using openssl-0.9.8i.
Our server has one background thread constantly calling SSL_read() to
drain in
João Távora wrote:
> Given a NDA forbids me from giving you more details let me give you
> an analogy with postal services: I assume you know of postal services
> where you can get a delivery receipt. you can get a receipt that the
> recipient was notified, if the postman gets shot along the way
> From: owner-openssl-us...@openssl.org On Behalf Of Silviu VLASCEANU
> Sent: Tuesday, 19 May, 2009 01:57
> 2009/5/18
> > Does anybody have any experience with generating a certificate from a
> > certificate request, by signing it with an nCipher HSM
> From: owner-openssl-us...@openssl.org On Behalf Of Ger Hobbelt
> Sent: Monday, 18 May, 2009 13:04
> Quite a bit has been covered in the answers so far, but
> there's still some material left.
Apparently. Much that I agree with, or is redundant, snipped.
> Considering the 'guaranteed delivery'
> From: owner-openssl-us...@openssl.org On Behalf Of Neerav Singh
> Sent: Tuesday, 19 May, 2009 03:37
> I also tried using openssl as below
> I generated the key as below
> $ openssl genrsa -des3 -out ca.key 1024
> But when I try to generate Certificate it t
Dear all,
I am a bit confused after reading the man pages for -showcerts and -verify.
The latter makes it sound as if it is the only way to do full verification
of a cert chain if I want to see all errors, as -showcerts would stop on the
first error. However, I've fiddled around a bit and tested -
I'm trying to make a bridge firewall that allows ssh in, and allows http/https
out, but nothing else... ebtable ruleset isn't working :(
This is what I have so far. When I set the default policy to allow everything
gets through, when deny nothing gets through:
Here is the net setup: squid/ssh
Thank you ,
I was thinking about the possibilities of Man in the Middle Attack,
hence I asked the question "can we have one public key and two private
keys". So if the CA's private key is compromised then it can lead to
Man in the Middle Attack and any other scenario as far a TLS is concern
> The equivalent of application acknowledgment would be the
> *letter* saying to the person "once you read this, return
> the attached form." Then you need the application has
> read the message and done something about it.
Certainly. But I don't need this. I just need registered mail, that is
be
Obviously that's not how I wrote it :-)
However, I basically said that the memory only starts to get ramped up when I
call SSL_CTX_load_verify_locations. Note that the SSL_CTX object plus all the
set up code is being done once for each connection, whereas we've just spotted
that the object sho
Don't worry, I only checked the reference count to make sure that I didn't have
any other references to the object in my code. I don't delete or free
depending on this value.
Leak - I'm confused too. The memory goes up and up but the tool we have does
not show a "leak".
> -Original Messa
On 2009.05.19 at 16:46:14 +0530, naveen.bn wrote:
>What is the contents on which CA would have signed from his private key. I
>want to know it because if an attacker replaces his public key in the
>server certificate which I get, then it's game over for me.
See RFC3280.
Block of signe
On Tue May 19 2009, naveen.bn wrote:
> Hi ALL,
> I have a question ? can we have one public key and two private keys.
>
It is not a built-in feature. Which I think is your question.
Note that *in general* the terms "public key" and "private key" are
just labels. The math does not make the disti
Client initiates the TCP connection, Server listens for TCP connection.
Client takes on 'TLSServer' role, Server takes on 'TLSClient' role.
This does exactly what you're looking to do, without having to change
the protocol. (The TLSServer can send a ClientHelloRequest to inform
the other side that
Hi All!
Remember the Debian hack discovered one year ago
(http://wiki.debian.org/SSLkeys)? A number of Debian distributions
over a period of two years contained a flaw that resulted in a
ridiculously small OpenSSL key space. All these keys had to be
replaced, systems to be updated. Has anyone fol
Ummm... could you resend this, in something intelligible? :)
-Kyle H
On Tue, May 19, 2009 at 4:16 AM, Andy Murphy wrote:
> V2VsbCBJJ3ZlIGZvdW5kIG91dCB3aGF0IGlzIHRha2luZyB0aGUgbWVtb3J5IGFuZCBpdCdzIHRo
> aXM6IFNTTF9DVFhfbG9hZF92ZXJpZnlfbG9jYXRpb25zLiAgSSdtIGNhbGxpbmcgaXQgZm9yIGVh
> Y2ggU1NMX0NUWCw
When you get an SSL_ERROR_SYSCALL, that's when you need to check errno
for its value (since errno is set by the system call). This will give
you the correct reason why the library is throwing the error that it
is.
You say that you aren't getting a memory leak with each ping, but
you're getting a
What is the contents on which CA would have signed from his private key.
I want to know it because if an attacker replaces his public key in the
server certificate which I get, then it's game over for me.
Victor B. Wagner wrote:
On 2009.05.19 at 15:24:43 +0530, naveen.bn wrote:
Thank yo
Well I've found out what is taking the memory and it's this:
SSL_CTX_load_verify_locations. I'm calling it for each SSL_CTX, which is being
done on each "ping" and the memory usage is just going up and up and up. Is
there a method to call that will clear down this memory after I've done with a
I will be out of the office starting 05/19/2009 and will not return until
06/01/2009.
I will respond to your message when I return. If you require immediate
assistance, please contact our support line at net-h...@csulb.edu.
On Tue, May 19, 2009 at 10:53:05AM +0200, João Távora wrote:
> Given a NDA forbids me from giving you more details let me give you
> an analogy with postal services: I assume you know of postal services
> where you can get a delivery receipt. you can get a receipt that the
> recipient was notified
On 2009.05.19 at 15:24:43 +0530, naveen.bn wrote:
>Thank you .
>
>Can i include the public key generated below to a certificate and if
>possible how can it be done.
>
>openssl rsa -pubout -in priv.pem -out pub.pem
I think there is no easy way to do it.
Certificates are typicall
Thank you .
Can i include the public key generated below to a certificate and if
possible how can it be done.
openssl rsa -pubout -in priv.pem -out pub.pem
Erwann ABALEA wrote:
Bonjour,
Hodie XIV Kal. Iun. MMIX, naveen.bn scripsit:
I have used this command to obtain public key in hex but
Bonjour,
Hodie XIV Kal. Iun. MMIX, naveen.bn scripsit:
> I have used this command to obtain public key in hex but, how to get
> the individual value of public key ( n,e).
> openssl x509 -modulus -noout -inform PEM <
> /home/certificates/MTA/MTA_DEVICE.cert.pem | sed s/Modulus=/0x/
> 0xC147647
Bonjour,
Hodie XIV Kal. Iun. MMIX, naveen.bn scripsit:
>Thank you for the reply. I was thinking that, if i ( A ) encrypt the
>data with the public key from the certificate obtained from B, can the
>intruder generate a private key using the public key from the same
>certifica
Hi Kyle, thanks for the response (although I missed it at first).
I do get a SSL_ERROR_SYSCALL although a subsequent call to ERR_error_string
gives me nothing. I'm now not sure that I'm on the correct track though as
I'll explain.
* We use OpenSSL to secure a "ping" from a mobile device to a
Hi
I have used this command to obtain public key in hex but, how to get
the individual value of public key ( n,e).
openssl x509 -modulus -noout -inform PEM <
/home/certificates/MTA/MTA_DEVICE.cert.pem | sed s/Modulus=/0x/
0xC147647398B19BBC59CD2CEC49B8774E0025AC9161955CE5F9C6E2DCA8D026D04565F4
Given a NDA forbids me from giving you more details let me give you
an analogy with postal services: I assume you know of postal services
where you can get a delivery receipt. you can get a receipt that the
recipient was notified, if the postman gets shot along the way, the
postal service will sen
Dear Erwann ABALEA
Thank you for the reply. I was thinking that, if i ( A ) encrypt the
data with the public key from the certificate obtained from B, can the
intruder generate a private key using the public key from the same
certificate from B, which may lead to Man in Middle attack.
P
Hi,
Hodie XIV Kal. Iun. MMIX, naveen.bn scripsit:
> I have a question ? can we have one public key and two private keys.
You can (set d' to d+k.n with an integer k), but all the private keys
will be equivalent. Everything you encrypt to the public key can be
decrypted with either private key, and