On Fri, Aug 23, 2013 at 1:12 AM, Patrick Pelletier
wrote:
> On 8/22/13 12:46 PM, Nico Williams wrote:
>> The parent might be multi-threaded, leading to the risk that a thread
>> in the parent and the child will obtain the same PRNG outputs until
>> the parent thread that fork()ed completes the re-
On 8/22/13 12:46 PM, Nico Williams wrote:
The parent might be multi-threaded, leading to the risk that a thread
in the parent and the child will obtain the same PRNG outputs until
the parent thread that fork()ed completes the re-seeding.
That's a good point; I hadn't thought of that.
Also, i
Hi,
BIO_printf function replaces the last char of the output with \0 under
certain conditions.
In the following code, the problem occurs:
/* sample code */
char *str="aaa...aaa"; /* 2046 characters */
BIO_printf(bio, "%s\r\n", str); /* 2046(str) + 2("\r\n") = 2048 */
this problem occurs
> From: owner-openssl-us...@openssl.org On Behalf Of mycompuser
> Sent: Wednesday, 21 August, 2013 01:35
> Thanks for the reply.
> I do have access to the server code but cannot change its implementation to
> suit my requirement as the server is serving other clients in other
> platforms as
> From: owner-openssl-us...@openssl.org On Behalf Of Matt McPhee
> Sent: Wednesday, 21 August, 2013 07:17
> I am new to OpenSSL and have a private RSA key and am trying to
> read an encrypted message that looks to be in base64 format but
> I'm not too sure. When I do [rsautl] I get [PKCS1 padding error
> > (So we probably should use the current time in addition to the PID to get a
> > general solution to the PID wrap-around problem even on systems where
> > actual independent reseeding isn't possible.)
>
> The FIPS PRNG uses a combination of PID, a counter and a form of system timer
> for the
On Thu, Aug 22, 2013 at 2:46 PM, Nico Williams wrote:
> Use of fork() presents many problems, not the least of which is a
> performance problem in multi-threaded processes with very large heaps
> and high page dirtying rates, such as Java programs. [...]
Also, obviously, web browsers.
On Thu, Aug 22, 2013 at 1:00 AM, Patrick Pelletier
wrote:
> On 8/21/13 8:55 AM, Nico Williams wrote:
>
>> OpenSSL should use pthread_atfork() and mix in more /dev/urandom into
>> its pool in the child-side of the fork(). Only a child-side handler
>> is needed, FYI, unless there's locks to acquire
*If I specify the subject fields in the command line instead of the config
file*
openssl req -new -nodes -out my.csr -days 731 -keyout mykey.pem
-batch -extensions v3_OCSP -config myconfig -subj "/C=US/ST=North
Carolina/L=RTP/O=IBM Corporation/CN=192.168.2.16"
*I can get these fields in the Cert
FYI, in a few weeks I'll have some time to actually implement and
submit patches. I'll attempt to identify useful points for automatic
self-initialization (any hints as to commonly used first calls, not
counting the callback setters, would be welcomed). I'll also have to
spend some time with the b
Hi,
I am using BIO for data transmission over ssl connection, but there is a
problem when I want to transmit data larger than 1Mb. The code works fine
when I write to the socket bio with less data. I want to ask if there is a
data size limit for the BIO_write() for the socket bio? How to solve th
> certificate.) A pathLenConstraint of zero indicates that no non-
> self-issued intermediate CA certificates may follow in a valid
> certification path.
Validation of the certification path is the responsibility of the relying party
-- the recipient of data.
It is not safe to rely on the
On Thu, Aug 22, 2013 at 4:50 AM, Bodo Moeller wrote:
>
>> Most other libraries I've seen handle this by saving the pid in a static
>> variable, and then comparing the current pid to it. This has the advantage
>> of not needing pthreads, and also of only adding the entropy to the child
>> if it is
Hello,
On 22/08/2013 14:56, Peter1234 wrote:
You misunderstand how it’s supposed to work.
OpenSSL does not prevent you from signing anything. It can’t; for example,
you could use other software and generate the signature.
Instead, when the recipient gets a certificate, and verifies the ch
On 08/22/2013 01:29 PM, Peter1234 wrote:
Hi Walter,
I started with release 0.9.8h and just updated to release 1.0.1e (both on MS
Windows). The update to release 1.0.1e didn't change anything except that
the new release does not redirect certificates converted from PEM format to
text format into
You misunderstand how it’s supposed to work.
OpenSSL does not prevent you from signing anything. It can’t; for example,
you could use other software and generate the signature.
Instead, when the recipient gets a certificate, and verifies the chain, it
should reject the chain because the signing C
Hi Walter,
I started with release 0.9.8h and just updated to release 1.0.1e (both on MS
Windows). The update to release 1.0.1e didn't change anything except that
the new release does not redirect certificates converted from PEM format to
text format into specified file:
>openssl x509 -in Root_Key
I had thought that may have been the issue and it was thanks.
The ca signing needed the option to copy.
If you create a selfsigned certificate, the signature algorithm will obviously
be that of the public key of the certificate. If you use an EC key, you can
only end up with an ecdsa-with* signature. If you want sha1WithRSAEncryption,
you need to create an RSA key. Or have your EC-certificate signed
Hi,
I am facing an issue while I am trying to create a sample self-signed
certificate using openssl -req for EC Cipher suites.
*Requirement:*
I need to install a self-signed certificate for the cipher suite
ECDH-RSA-AES128-SHA which has the following attributes:-
1. Signature Algorithm:
> Most other libraries I've seen handle this by saving the pid in a static
> variable, and then comparing the current pid to it. This has the advantage
> of not needing pthreads, and also of only adding the entropy to the child
> if it is actually needed (i. e. it doesn't exec after fork).
>
We m