Redux and Resolved: Deconstructing OASIS Web Services Security SOAP Messages with OpenSSL utilities

For some reason I didn't get any newsfeeds after re-subscribing, so I can't really post to my earlier inquiry. I've figured this out. 1) Convert Key's CipherValue from base64-to-binary 2) rsautl against the Key's CipherValue.bin - gives binary version of the decoded key  (uses the private key)

Re: Is Openssl vulnerable to Null-Prefix Attacks?

Roger No-Spam wrote: Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack?. The attack is not an attack against SSL/TLS, but against implementation o

RE: Is Openssl vulnerable to Null-Prefix Attacks?

When I read through the null prefix attack paper I took it to mean that browser and certificate vendors were not doing an adequate job of verifying domain names. There's nothing inherently wrong with using counted strings (actually that is a step in the right direction IMHO). The problem is th

Re: Is Openssl vulnerable to Null-Prefix Attacks?

>> Recently there has been some discussion on th Internet regarding so called >> null-prefix attacks, see >> http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl >> vulnerable to this attack? > I read the PDF and my first question would be. > How is this relevant to openssl, since

Re: Is Openssl vulnerable to Null-Prefix Attacks?

Hi, I read the PDF and my first question would be. How is this relevant to openssl, since it is normally only used for creating and signing certificates It is more up to a brower to do the proper checking; That's why the PDF states While many SSL/TLS implemntations fall victim to this, Mozila's NS

Noticed something in the openssl-1.0.0 20090811 SNAPshot

First Time I have seem Cannot find /engines/ . In FreeBSD-7.2 and64 it is a show stopper. In the old BSDI BSD/OS 4.3.X just create directory and away you go. Suggestion: Can the /engines/ point ot /lib/ after all only .so's are being installed. -- Member - Liberal International This is doc..

Help!!!

Hi, I am new to OpenSSL and I was going through the following post. http://marc.info/?l=openssl-users&m=112774769218757&w=2 Well I want achieve a similar thing. I want to reduce the per connection memory usage of OpenSSL. Now, I am facing a few issues : *i) Connecting a client to the server.*

Is Openssl vulnerable to Null-Prefix Attacks?

Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? /Roger _ Med Windows Live kan

Certificate verification through Callback

Hi All I am using SSL_CTX_set_cert_verify_callback(ctx, callback, (void *)arg) API to register the callback function for certificate verification. However I need to set the mode (SSL_VERIFY_PEER) for SSL Context. I am using below code to set mode and callback function. Is it right way of doing i

Re: Des3 and the salt option

ALL SORTED NOW :jumping: :handshake::clap: Many thanks for your help Steve! :) Furthermore, why when it is decrypting does it appear to be overwritting with these characters So Steve, do I strip out the "salted__" characters plus the following 8 bits? On Tue, Aug 11, 2009, MusicAndy wrote

Re: Des3 and the salt option

Furthermore, why when it is decrypting does it appear to be overwritting with these characters MusicAndy wrote: > > So Steve, do I strip out the "salted__" characters plus the following 8 > bits? > > Dr. Stephen Henson wrote: >> >> On Tue, Aug 11, 2009, MusicAndy wrote: >> >>> >>> Hi f

Re: Des3 and the salt option

On Tue, Aug 11, 2009, MusicAndy wrote: > > So Steve, do I strip out the "salted__" characters plus the following 8 bits? > If by "strip out" you mean, "don't try to decrypt them" and if by "8 bits" you mean "8 bytes" then yes ;-) Steve. -- Dr Stephen N. Henson. OpenSSL project core developer.

Re: Des3 and the salt option

So Steve, do I strip out the "salted__" characters plus the following 8 bits? Dr. Stephen Henson wrote: > > On Tue, Aug 11, 2009, MusicAndy wrote: > >> >> Hi folks. Well almost got things to work the way i want to :jumping: >> >> One more question. The salt format of a file in DES3. >> >>

Re: Des3 and the salt option

On Tue, Aug 11, 2009, MusicAndy wrote: > > Hi folks. Well almost got things to work the way i want to :jumping: > > One more question. The salt format of a file in DES3. > > I notice that the file that has been encrypted with the use of salt has > Salted__ followed by bytes of data. > If i re

Re: Des3 and the salt option

Also, do I need to strip out these salt characters in my input buffer? The reason i ask is that it is decrypting most of the file but leaves this at the top (if you see the rest of this string is an xml header) ›³žšb+pÙ\ªú6*ýÑ­.Ë€ÆÑErsion="1.0" encoding="UTF-8"?> MusicAndy wrote: > > Hi folk

Des3 and the salt option

Hi folks. Well almost got things to work the way i want to :jumping: One more question. The salt format of a file in DES3. I notice that the file that has been encrypted with the use of salt has Salted__ followed by bytes of data. If i read this from a stream, do i strip the Salted__ part off

Re: EVP errors!

GOT IT WORKING!! WOOHOO! (open up the champagne!) Now I just need to get it working with salt (maybe with a tequilla and lemon) MusicAndy wrote: > > This is not working... > I have just done a hex dump and the key still bears no resemblence to the > key reported by the command lineis it bec

Re: EVP errors!

This is not working... I have just done a hex dump and the key still bears no resemblence to the key reported by the command lineis it because i have version 0.9.8k of the SDK and 0.9.8g of the command line? Dr. Stephen Henson wrote: > > On Mon, Aug 10, 2009, MusicAndy wrote: > >> >> The K