Re: Problem with HMAC_Init_ex

2011-05-04 Thread Jeffrey Walton
2011/5/4 Prashant Batra : > http://pastebin.com/0BG97RDH > This does not contain complete source code, but will definitely give you the > idea about what I am trying to do. After a quick look, it does not appear there is enough code to say what is wrong. For example, you perform: (key->v)[0]=0x

Re: RSA_private_decrypt across processes

2011-05-04 Thread David Schwartz
On 5/4/2011 9:14 AM, Ashwin Chandra wrote: Okay I read the complete bug report and it looks like there is a fix in the latest openssl. However I checked it out and it limits the maximum time RAND_poll will take to a second. 1000ms. Is there any other way to speed this up? Populate the OpenSSL

Re: RSA_private_decrypt across processes

2011-05-04 Thread Michael S. Zick
On Wed May 4 2011, Michael S. Zick wrote: > On Wed May 4 2011, Mounir IDRASSI wrote: > > > > Well, this is not quite adapted to the situation. OpenSSL is a library > > and it doesn't spawn any process. Moreover, the issue is with the > > internal builtin RNG of OpenSSL and a simple user of OpenS

Re: RSA_private_decrypt across processes

2011-05-04 Thread Michael S. Zick
On Wed May 4 2011, Mounir IDRASSI wrote: > > Well, this is not quite adapted to the situation. OpenSSL is a library > and it doesn't spawn any process. Moreover, the issue is with the > internal builtin RNG of OpenSSL and a simple user of OpenSSL can not > change its implementation. > Apart fro

Re: RSA_private_decrypt across processes

2011-05-04 Thread Mounir IDRASSI
Well, this is not quite adapted to the situation. OpenSSL is a library and it doesn't spawn any process. Moreover, the issue is with the internal builtin RNG of OpenSSL and a simple user of OpenSSL can not change its implementation. Apart from a change to OpenSSL internal, the only option is t

Re: RSA_private_decrypt across processes

2011-05-04 Thread carlyoung
Start second process as a daemon so it only does the entropy gathering at process start-up? On Wed 04/05/11 5:35 PM, Mounir IDRASSI mounir.idra...@idrix.net sent: Indeed, there has already been a modification to OpenSSL in orde

Re: RSA_private_decrypt across processes

2011-05-04 Thread Mounir IDRASSI
Indeed, there has already been a modification to OpenSSL in order to limit the observed delay but that doesn't completely solve the problem. This issue is linked to an internal design of OpenSSL which uses heap walking as a means to gather entropy and unfortunately Windows 7 has made this mec

RE: RSA_private_decrypt across processes

2011-05-04 Thread Ashwin Chandra
Okay I read the complete bug report and it looks like there is a fix in the latest openssl. However I checked it out and it limits the maximum time RAND_poll will take to a second. 1000ms. Is there any other way to speed this up? -Original Message- From: owner-openssl-us...@openssl.org [ma

RE: RSA_private_decrypt across processes

2011-05-04 Thread Ashwin Chandra
Yes it is Windows 7. If it is an open bug, any workarounds? The only thing I have been able to do is to disable RSA blinding..that seems to speed it up a bit at the expense of insecurity? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On B

Re: RSA_private_decrypt across processes

2011-05-04 Thread Mounir IDRASSI
Hi, This could be related to the slowness of RAND_poll under Windows 7. See : http://rt.openssl.org/Ticket/Display.html?id=2100&user=guest&pass=guest Your second process is certainly trying to initialize its RNG and that's why you see this delay. Do you confirm that you are executing these pro

Re: Restricting ciphers list to RSA only in Client Hello

2011-05-04 Thread Gauri Kshirsagar
Thanks Dave. I could not find application explicitly calling SSL_set_cipher_list() anywhere and it seemed to be using new libraries. However as per your suggestion I am now setting the cipher list in the application before SSL_connect and it sends the desired ciphers. Thanks, Gauri On Wed, May 4,

Re: Problem with HMAC_Init_ex

2011-05-04 Thread Prashant Batra
http://pastebin.com/0BG97RDH This does not contain complete source code, but will definitely give you the idea about what I am trying to do. Thanks, Prashant On Wed, May 4, 2011 at 4:38 PM, derleader mail wrote: > Hi all, > > I am finding a strange problem with HM

Re: Problem with HMAC_Init_ex

2011-05-04 Thread derleader mail
Hi all, I am finding a strange problem with HMAC_Init_ex. After the call to this function the stack is getting corrupted. The sequence of functions used are- HMAC_CTX ctx ;HMAC_CTX_init(&ctx); HMAC_Init_ex(&ctx, hash_key->v, hash_key->l, EVP_sha1(), NULL); Key->v points t

Re: RSA_private_decrypt across processes

2011-05-04 Thread derleader mail
I generate an RSA key using RSA_generate_key in one process. I then take the RSA structure that is generated and serialize it and send it to another process via an RPC mechanism. In the other process I then de-serialize the RSA data and use that as input to an RSA_private_decrypt function to de

Re: [openssl-users] Re: Possibility to create CRL without the CA key

2011-05-04 Thread Viliam Ďurina
That's what I'm not sure about either. I think the general knowledge about CRL is low among developers and administrators, considering mine and googled knowledge. I looked at verisign's Class 1 Public Primary Certification Authority crl and it has validity from 2011-03-22 until 2011-07-01. Quit

Problem with HMAC_Init_ex

2011-05-04 Thread Prashant Batra
Hi all, I am finding a strange problem with HMAC_Init_ex. After the call to this function the stack is getting corrupted. The sequence of functions used are- HMAC_CTX ctx ; HMAC_CTX_init(&ctx); HMAC_Init_ex(&ctx, hash_key->v, hash_key->l, EVP_sha1(), NULL); Key->v points to 20 bytes of memory,

Re: TPM engine

2011-05-04 Thread Dr. Stephen Henson
On Tue, May 03, 2011, Nicholas Wehr wrote: > thanks > > some detail just in case: > > i was actually able to get it to link and invoke the engine functions. when > trying to sign data, the call would fail because the pkey structure was not > correctly filled out by the engine, the field "ameth"

Re: [openssl-users] Re: Possibility to create CRL without the CA key

2011-05-04 Thread Erwann ABALEA
On 4 May 2011, Viliam Ďurina wrote: > Thanks very much for the hints. Finally, I decided to generate CRL for three > years and replace it, when something needs to be revoked, if ever. I think > the support is not good. We will have to distribute the CRL issuer > certificate to partn

Re: Possibility to create CRL without the CA key

2011-05-04 Thread Viliam Ďurina
Thanks very much for the hints. Finally, I decided to generate CRL for three years and replace it, when something needs to be revoked, if ever. I think the support is not good. We will have to distribute the CRL issuer certificate to partner applications to be able to verify the CRL signature.

Re: How to handle "Expired" or "not yet valid" X.509 certificates - or simply is the system date wrong?

2011-05-04 Thread qnx_user
JoelKatz wrote: > > > If a system does not have a reliable source of time, then it cannot > reliably perform security operations other than verifying timestamped > signatures. That should have been addressed when the system was designed. > > I have a similar, but probably foolish question:

Re: TPM engine

2011-05-04 Thread Nicholas Wehr
thanks some detail just in case: i was actually able to get it to link and invoke the engine functions. when trying to sign data, the call would fail because the pkey structure was not correctly filled out by the engine, the field "ameth" in the structure is left NULL. if i try the same call aga