In the case of a DNS attack, the only information that your users can rely upon
is information which comes out of the PKI. If your attackers can attack both
DNS and the PKI, then you're 0wned, game over.
Otherwise, if DNS is completely attacked but you can still have some trust in
the PKI, yo
We will have to check whether all our sites are ready to accommodate the
server-list file, which will be fetched securely. They should also be ready to
update that list each time a server is added to or removed from the DNS SRV
records.
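Added here as an example, not code from the thread: the two messages above (trusting only the PKI when DNS is attacked, and a securely fetched server list) come down to one client-side decision. A server name learned from DNS SRV is used only if it is also on the allowlist, and the presented certificate must name that host. All host names, SRV records, the allowlist contents and the two certificates below are constructed; the certificate dicts use the shape Python's ssl.getpeercert() returns.

```python
"""Pick an LDAP server from DNS SRV answers, but only trust targets that
also appear in a server list fetched over an authenticated channel, and
require the presented certificate to name that host."""
import random

# Constructed SRV answer set for _ldap._tcp.example.com:
# (priority, weight, port, target). The third record stands in for one
# injected by a spoofed DNS reply.
SRV_ANSWERS = [
    (10, 60, 636, "ldap1.example.com."),
    (10, 40, 636, "LDAP2.Example.com."),
    (10, 50, 636, "ldap.attacker.test."),
]

# Constructed allowlist; assumed to be fetched over HTTPS or shipped signed,
# i.e. not derived from DNS.
TRUSTED_SERVERS = {"ldap1.example.com", "ldap2.example.com"}

# Constructed peer certificates in ssl.getpeercert() form. The attacker's
# certificate is perfectly valid for the attacker's own name.
GOOD_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"),
                       ("DNS", "*.ldap.example.com")),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "ldap.attacker.test"),),),
    "subjectAltName": (("DNS", "ldap.attacker.test"),),
}


def _norm(host):
    return host.rstrip(".").lower()


def candidate_servers(srv_answers, allowlist):
    """Keep only SRV targets that are on the allowlist. Names are normalised
    (trailing dot stripped, lower-cased) before comparison so a spoofed
    record cannot evade a plain string match."""
    allowed = {_norm(h) for h in allowlist}
    return [(_norm(target), port)
            for _priority, _weight, port, target in srv_answers
            if _norm(target) in allowed]


def pick_server(srv_answers, allowlist, rng=random):
    """Random choice among trusted candidates; fail closed if there are none."""
    candidates = candidate_servers(srv_answers, allowlist)
    if not candidates:
        raise RuntimeError("no SRV target is on the trusted server list")
    return rng.choice(candidates)


def hostname_matches_cert(hostname, peercert):
    """RFC 6125-style name check: only subjectAltName dNSName entries count,
    and a wildcard must be the whole leftmost label and match exactly one
    label (so *.ldap.example.com does not match ldap.example.com)."""
    host = _norm(hostname)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = _norm(value)
        if name.startswith("*.") and "*" not in name[2:]:
            h_labels, n_labels = host.split("."), name.split(".")
            if (len(n_labels) >= 3 and len(h_labels) == len(n_labels)
                    and h_labels[1:] == n_labels[1:]):
                return True
        elif "*" not in name and name == host:
            return True
    return False


def connection_allowed(host, allowlist, peercert):
    """The actual gate: on the list AND the certificate names the host.
    A name check alone passes the attacker's own valid certificate."""
    host = _norm(host)
    on_list = host in {_norm(h) for h in allowlist}
    return on_list and hostname_matches_cert(host, peercert)
```

The point of connection_allowed is that hostname_matches_cert returns True for ldap.attacker.test against ATTACKER_CERT: a CA will happily issue the attacker a certificate for the attacker's own name, so once DNS is spoofed the name check is satisfied and only the independently fetched list keeps the bind credentials away from that server.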
I am not sure if I got your second option. You said that I should be r
At first glance, it's rather stupid, but Apache (partly due to baggage from the
underlying OpenSSL, but this baggage was unavoidable) requires the end-entity
certificate (the certificate which contains the public key for which you have
the private key) to be loaded separately from the chain tha
Sandeep Kiran P wrote:
> We don't have any control over how the server generates its certificates.
> As said earlier, we only control the client portion of SSL/TLS.
> Sites where our client application runs are handed over the location
> where trusted CA certs are stored, and that's all we have.
> Se
On Thu, Aug 12, 2010 at 1:56 PM, wrote:
> You're looking at a couple of issues here. (First, please be aware that
> this is the OpenSSL users list, not necessarily a mod_ssl support list;
> however, since they're intertwined, we do have some knowledge of mod_ssl.)
>
Plus, signal-to-noise ratio i
On 13/08/2010 5:12 AM, Dave Thompson wrote:
I'm not sure why they even used an HMAC in the Policy.
Probably the 'priests' just liked it. It doesn't add anything.
Any actual security comes from having the digest, *or* HMAC,
protected by a different means than the subject data.
And unfortunately h
You're looking at a couple of issues here. (First, please be aware that this
is the OpenSSL users list, not necessarily a mod_ssl support list; however, since
they're intertwined, we do have some knowledge of mod_ssl.)
What you need to do is change that from 'SSLCACertificateFile' to
'SSLCACert
I am not trying to set up client auth on Apache, just install a new SSL
certificate.
The instructions[1] for the new certificate say to install an intermediate
certificate:
SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt
I've done that, confirmed the paths and the certificate, but apa
> From: owner-openssl-us...@openssl.org On Behalf Of David Stafford
> Sent: Thursday, 12 August, 2010 11:31
> To: openssl-users
> Subject: openssl-fips-1.2.crossbuild.diff.gz signature incorrect
>
> When attempting to verify the hmac signature of the file
> "openssl-fips-1.2.crossbuild.diff.gz" I
Hi,
I am able to generate an RSA key using RSA_generate_key(). I need to know how
to manage these keys... is there any document available for key management?
Thanks for your time,
Krishnamurthy
On Thu August 12 2010, Tim Cloud wrote:
>
> That is EXACTLY what I want to do.
> But having a background as a SQL DBA, I have no idea how to do that.
> Is there an easy answer?
> The server will be running Windows 2003 32-Bit, and I just want to
> compile it with only the FIPS compliant stro
Q: I am a bit confused by the limits to your question, the two parts: "have no
access to the code internal to that application"
A: Meaning that I'm working with a commercial pre-compiled application that was
designed to use OpenSSL.exe, but does not allow you to "edit" how that
application integ
2010/8/12 홍성일 :
> Hi.
>
> Umm... I'm so sorry, I can't speak English well!
>
> I want to build libosslfips.dll (Windows) in openssl-0.9.8o or
> openssl-fips-1.2
> But this gives a build (link) error (LNK2001)!!
>
>
> In UserGuide-1.2 (http://www.openssl.org/docs/fips/UserGuide-1.2.pdf)
>
> ===
When attempting to verify the hmac signature of the file
"openssl-fips-1.2.crossbuild.diff.gz" I get a wrong value. At least
it's wrong when compared with the Security Policy document.
Also, the file, when retrieved from the web, is not compressed as the
file name might imply, but is merely a text form
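Added here as an example, not code from the thread: a checker for the situation in this message and in Dave Thompson's reply above about the HMAC in the Policy. It assumes, as the FIPS 1.2 Security Policy's "openssl sha1 -hmac ..." command does, HMAC-SHA-1 with the fixed ASCII key "etaonrishdlcupfm"; that key is public, so the value proves integrity only when the expected digest comes from an independent copy of the Policy. It hashes the bytes actually received, and if a file that is really gzip-compressed does not match, it also tries the decompressed form. The sample "diff" text and its compressed form are constructed.

```python
"""Verify a downloaded OpenSSL FIPS distribution file against the
HMAC-SHA-1 value printed in the Security Policy."""
import gzip
import hashlib
import hmac

# Assumption: fixed public key used by the Policy's check command.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"


def hmac_sha1_hex(data, key=FIPS_HMAC_KEY):
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def normalise_hex(value):
    """Accept the digest as copied from a PDF: any case, stray whitespace."""
    return "".join(value.split()).lower()


def verify_bytes(data, expected_hex, key=FIPS_HMAC_KEY):
    """Constant-time comparison of computed and expected values."""
    return hmac.compare_digest(hmac_sha1_hex(data, key),
                               normalise_hex(expected_hex))


def is_gzip(data):
    return data[:2] == b"\x1f\x8b"


def verify_download(data, expected_hex, key=FIPS_HMAC_KEY):
    """Check the bytes as received. If they are really gzip-compressed and
    do not match, also check the decompressed content, which is what a
    '.gz' file that the web server handed out as plain text would be.
    Returns which form matched ('as-received' or 'decompressed') or None."""
    if verify_bytes(data, expected_hex, key):
        return "as-received"
    if is_gzip(data):
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):
            return None
        if verify_bytes(inner, expected_hex, key):
            return "decompressed"
    return None


# Constructed sample patch text and its compressed form.
SAMPLE_TEXT = b"--- a/Configure\n+++ b/Configure\n@@ -1 +1 @@\n-old\n+new\n"
SAMPLE_GZ = gzip.compress(SAMPLE_TEXT, mtime=0)
```

Whichever form matches, record it: a Policy value that only matches after decompression tells you the server is serving a different representation than the one the Policy was written against, which is worth knowing before you build from it.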
Many applications have a configuration for that, either via a range
(high/medium/low security), or by explicitly listing the cipher suites. The
configuration may be in a file, Windows registry, or anywhere; it's completely
up to the application implementation.
Remember that the client offers t
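Added here as an example, not code from the thread: for an application that does expose its OpenSSL cipher string in a configuration file, this shows what that string makes the client offer and flags strings that still admit weak suites. It uses only Python's standard ssl module against the local OpenSSL build; the cipher strings and the list of "weak" markers are my choices, not anything the thread specifies.

```python
"""Inspect what an OpenSSL cipher string makes a TLS client offer."""
import ssl

# Name fragments that identify suites a "high security" setting should not
# offer: no encryption, export grade, RC4, (3)DES, MD5 MACs, anonymous DH.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def offered_ciphers(cipher_string):
    """Suite names a client context would offer with this cipher string.
    TLS 1.3 suites appear in the list as well; OpenSSL configures those
    separately and the cipher string does not remove them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def check_cipher_string(cipher_string):
    """Return (ok, offending_names) for a candidate configuration value.
    A string that selects nothing on this build is reported as not ok."""
    try:
        names = offered_ciphers(cipher_string)
    except ssl.SSLError:
        return False, ["cipher string selects no suites on this build"]
    bad = weak_ciphers(names)
    return (bool(names) and not bad), bad
```

Run check_cipher_string on the value you intend to put in the application's configuration before deploying it; what the server finally picks is its choice, but it can only pick from what this list shows the client offering.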
On Wed August 11 2010, Tim Cloud wrote:
> Let's pretend for a moment that an out of the box application uses openssl to
> provide access not through a browser, but rather through a SOAP client like
> Eclipse.
> And let's also say that you have no access to the code internal to that
> application
We don't have any control over how the server generates its certificates. As
said earlier, we only control the client portion of SSL/TLS. Sites where our
client application runs are handed over the location where trusted CA certs
are stored, and that's all we have.
Secondly, as you pointed out, if we w
On Wed, Aug 11, 2010 at 11:36 PM, sandeep kiran p
wrote:
[ ... ]
> Client would then blindly establish an SSL/TLS connection with that server
> and would end up handing over the user credentials to it. Note that, as part
> of the SSL handshake, the malicious server would provide a certificate signe
Hi.
Umm... I'm so sorry, I can't speak English well!
I want to build libosslfips.dll (Windows) in openssl-0.9.8o or
openssl-fips-1.2
But this gives a build (link) error (LNK2001)!!
In UserGuide-1.2 (http://www.openssl.org/docs/fips/UserGuide-1.2.pdf)
==
On 11-08-2010 17:40, cmkastn wrote:
With regards to initialization vectors for CBC-mode block ciphers, how does
one extract the vector? Is it merely the first X bytes of data after the
record header, where X is the block size?
No, the IV is computed according to a formula in the protocol. For
On 12-08-2010 05:36, sandeep kiran p wrote:
Hi,
Ours is an LDAP client application that fetches LDAP server names on the fly
using DNS SRV Resource Records. We then randomly pick one of the servers
returned from DNS, establish an SSL/TLS connection with that server and then
perform a bind operation