Re: SSL and "custom" EVP_KEY

2021-11-01 Thread Alex Dankow
y yet. But it was planned so and maybe we will see it in the future. If ENGINE is now deprecated (is it?), what HSM vendors should do? -- Alex Dankow On Fri, Oct 29, 2021 at 10:11 PM Matt Caswell wrote: > Hi Alex, > > On 29/10/2021 14:32, Alex Dankow wrote: > > Hi Open

SSL and "custom" EVP_KEY

2021-10-29 Thread Alex Dankow
something, but if you built a key management system, sign interface, ciphers that allows key virtualization, why not go further ? I'm ready to implement the encryption interface, but why OpenSSL still care about key type name. In the new era of version 3, it can check if the key provides necessary interfaces. -- Alex Dankow

OSSL_DECODER_CTX_new_for_pkey can't find decoder

2021-10-25 Thread Alex Dankow
ext It works completely. Am I missing something or is it a bug ? -- Best Regards Alex Dankow

Matching keys between providers

2021-10-22 Thread Alex Dankow
and says types are different. If I declare that my key management also handles RSA in OSSL_ALGORITHM as "MYPKEY:RSA" OpenSSL tool gives an error that RSA has an existing different identity. I'm exploring the source, but I'm stuck. Is it the wrong approach or I missed something ? -- Best Regards Alex Dankow

Re: SSL_CTX_set_verify uses the "wrong" certificate chain (cross signed certificate )

2021-10-03 Thread Alex Robuchon
> You don't have to explain the code to me. :-) ^^. Ok. I was also trying to explain what I understood so you can correct me if I'm wrong. Everything is crystal clear now. Thanks a million. On Sun, 3 Oct 2021, 22:25 Viktor Dukhovni, wrote: > On Sun, Oct 03, 2021 at 09:33:

Re: SSL_CTX_set_verify uses the "wrong" certificate chain (cross signed certificate )

2021-10-03 Thread Alex Robuchon
te that code and > never see it again. > I hear you :). On Sun, Oct 3, 2021 at 6:48 PM Viktor Dukhovni wrote: > > On 3 Oct 2021, at 12:33 pm, Alex Robuchon > wrote: > > > > So I suppose openssl skip the part that is supposed to build the chain > when no store is con

Re: SSL_CTX_set_verify uses the "wrong" certificate chain (cross signed certificate )

2021-10-03 Thread Alex Robuchon
f code relying on eventmachine so we'll see if we can improve the library or move away from it. Thanks so much for your time, explanation and responsiveness. On Sun, 3 Oct 2021, 17:37 Viktor Dukhovni, wrote: > On Sun, Oct 03, 2021 at 01:54:44PM +0200, Alex Robuchon wrote: > > &g

Re: SSL_CTX_set_verify uses the "wrong" certificate chain (cross signed certificate )

2021-10-03 Thread Alex Robuchon
Thanks for the detailed answer. From strace I can see that I'm using /lib/x86_64-linux-gnu/libssl.so.1.1 When I use the eventmachine lib that uses the wrong cert chain I can see with strace : openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/l

SSL_CTX_set_verify uses the "wrong" certificate chain (cross signed certificate )

2021-10-02 Thread Alex Robuchon
normal behavior how can I have additional certificate verification on the trusted first chain. Thanks for reading, I hope it was not too boring or confusing. Alex

Re: SSL_ERROR_WANT_TIME: Pause SSL_connect to fetch intermediate certificates

2020-08-19 Thread Alex Rousskov
). It also does some DANE-related manipulations, for example. Are those fears unfounded? In other words, is calling X509_verify_cert() directly always enough to make the right certificate validation decision? Thanks a lot, Alex.

SSL_ERROR_WANT_TIME: Pause SSL_connect to fetch intermediate certificates

2020-08-18 Thread Alex Rousskov
ry ugly (unreliable, wasteful, and noisy) solution. Can you think of another trick? Thank you, Alex. P.S. Squid does not support BoringSSL, but BoringSSL's SSL_ERROR_WANT_CERTIFICATE_VERIFY result of the certificate validation callback seemingly addresses our use case. I do not know whether Op

Re: [openssl-users] Shutdown details

2018-08-13 Thread Alex H
I don't mind upwinding it. These different reactions and input only help me design my things better. Very pleased with the discussion so far. On Mon, 13 Aug 2018 at 20:26, Viktor Dukhovni wrote: > > > > On Aug 13, 2018, at 2:13 PM, Jordan Brown > wrote: > > > > I'm curious: how did this ever work

Re: [openssl-users] Shutdown details

2018-08-12 Thread Alex H
Oh wow! That's perfect! Now the docs are very clear on this and essentially SSL _does_ support half-closed sockets. Thanks for clarifying this, TLS 1.3 seems like a big step forward. On Sun, 12 Aug 2018 at 21:05, Kurt Roeckx wrote: > On Sun, Aug 12, 2018 at 08:49:35PM +0200, Kurt Roeckx wrote:

Re: [openssl-users] Shutdown details

2018-08-10 Thread Alex H
that I’m also interested, as a contributor to Libevent, > which provides SSL-socket support. > > I’ve opened an OpenSSL issue: > > https://github.com/openssl/openssl/issues/6911 > > to collect the details on how a graceful shutdown can be implemented in > Libevent. > > Thanks,

Re: [openssl-users] Shutdown details

2018-08-01 Thread Alex H
down does not return with any data. Regarding the SSL_RECEIVED_SHUTDOWN - do you think this is a minor bug? On Wed, 1 Aug 2018 at 21:16, Viktor Dukhovni < openssl-us...@dukhovni.org> wrote: > > > > On Aug 1, 2018, at 2:27 AM, Alex H wrote: > > > > Is it possible

Re: [openssl-users] Shutdown details

2018-08-01 Thread Alex H
I would appreciate an answer to this question, it's holding me back and should be a simple yes/no. And yes, "client_notify" is a typo and should be "close_notify". Thanks On Wed, 1 Aug 2018 at 08:27, Alex H wrote: > Hi, > > I have trouble understanding the

[openssl-users] Shutdown details

2018-07-31 Thread Alex H
Hi, I have trouble understanding the details of TLS shutdown. I get the basics but, Is it possible to receive data after calling SSL_shutdown? Reading the specs and docs leaves this rather blurry. That is, after sending a close_notify, can I receive data before getting my client_notify response?

[openssl-users] Custom memory BIO write callback, determine last segment?

2018-07-03 Thread Alex H
Hi, I have a custom BIO_TYPE_MEM BIO with write and read callbacks that map to a networking socket. I'm getting a lot better performance by using the MSG_MORE flag of the Linux send syscall to "cork" segments of a stream together. So far I have guessed whether to pass MSG_MORE or not based of the

Re: [openssl-users] Receive throttling on SSL sockets

2018-05-19 Thread Alex H
@openssl.org; Michael Wojcik; Alex H > > Subject: Re: [openssl-users] Receive throttling on SSL sockets > > > TLS could (but as far as I can tell does not) have such a mechanism. It > could have a window, like TCP, where the receiver > > would say "you can send me 64K

Re: [openssl-users] Receive throttling on SSL sockets

2018-05-19 Thread Alex H
Yeah TCP is really the same as TLS in terms of being "bidirectional". Even if you stop polling for readable and never call recv, you will still receive ACKS for whatever you write. A receive window for TLS implemented completely on top of TCP would solve this issue and allow applications to truly t

Re: [openssl-users] Receive throttling on SSL sockets

2018-05-19 Thread Alex H
using some kind of internal backup queue for cases like these, right? 2018-05-19 11:02 GMT+02:00 Alex H : > Okay that's a good theoretical answer but practically not very useful. > > I know for instance Node.js to implement their Streams interface with both > TCP and SSL sockets. Th

Re: [openssl-users] Receive throttling on SSL sockets

2018-05-19 Thread Alex H
ottle only one side. > > > > *From: *Alex H > *Reply-To: *openssl-users > *Date: *Friday, May 18, 2018 at 7:21 PM > *To: *openssl-users > *Subject: *[openssl-users] Receive throttling on SSL sockets > > > > How do you properly implement receive throttling on SSL soc

[openssl-users] Receive throttling on SSL sockets

2018-05-18 Thread Alex H
How do you properly implement receive throttling on SSL sockets without hindering writing? As opposed to raw TCP sockets, an SSL socket cannot be receive-throttled simply by stop polling for readable events on the underlying raw TCP socket. SSL_write still could require reading of data so simply s

[openssl-users] Low level AES alternative in FIPS-140 OpenSSL

2018-02-03 Thread Alex Dankow via openssl-users
changes of IV and I can't find a way to set it other than EVP_CipherInit. Initialization, however, is a relatively time-consuming operation. Question: Is there a way to set IV for CTX after its initialization for FIPS version of OpenSSL? -- Best regards, Alex Dankow

Re: [openssl-users] SSL_read, SSL_write error handling

2016-09-14 Thread Alex Hultman
d before SSL_write, when a previous call to SSL_write failed with WANT_READ? 2016-09-15 7:01 GMT+02:00 Viktor Dukhovni : > On Thu, Sep 15, 2016 at 05:07:22AM +0200, Alex Hultman wrote: > > > If SSL_write returns the error SSL_ERROR_WANT_READ, am I then allowed to > > call SS

[openssl-users] SSL_read, SSL_write error handling

2016-09-14 Thread Alex Hultman
If SSL_write returns the error SSL_ERROR_WANT_READ, am I then allowed to call SSL_read before I have called SSL_write? What I'm trying to figure out is, can I handle SSL_ERROR_WANT_READ with one or many calls to SSL_read, and can I handle SSL_ERROR_WANT_WRITE with one or many calls to SSL_write -

Re: [openssl-users] help with timestamping

2016-05-02 Thread Alex Samad
e error:ts_rsp_verify.c:291: which lead me to this http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tt43128.html#none Not sure if there has been any work on this since then. On 29 April 2016 at 11:25, Alex Samad wrote: > Okay I have the cert from

Re: [openssl-users] help with timestamping

2016-04-28 Thread Alex Samad
se this > information to download the missing certificates, but there > is no information in this file that would allow a computer > to do this. > > I wonder if changing some parameter in the timestamp request > would cause the Symantec server to return a more complete > timest

Re: [openssl-users] [Bug] OpenSSL does not send short messages

2016-04-25 Thread Alex Hultman
Yes you are correct. I'm doing things wrong - it seems to be Chrome and Curl that report "no received data" because it actually does work in Firefox. Well, thanks for taking the time. 2016-04-26 7:05 GMT+02:00 Alex Hultman : > Yes you are correct. I'm doing things wrong

Re: [openssl-users] help with timestamping

2016-04-22 Thread Alex Samad
D5 1D A6 D6 F8 : 6A 22 07 E5 BC 01 C1 E0j".. : 10 09 BD 92 09 B5 B7 29...) : 8B 6A 4D 28 C4 63 7A 4C.jM(.czL : 8E 7A AF 87 5D BE A4 BD.z..]... : C1 20 9

Re: [openssl-users] help with timestamping

2016-04-20 Thread Alex Samad
Okay that's good. So I am on the right track thanks On 19 April 2016 at 14:29, Jakob Bohm wrote: > On 19/04/2016 05:55, Alex Samad wrote: >> >> Hi >> >> I have a SHA.sha file >> >> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H >

[openssl-users] help with timestamping

2016-04-18 Thread Alex Samad
Hi I have a SHA.sha file /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H Content-Type:application/timestamp-query --data-binary @- http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr /usr/bin/openssl ts -reply -in SHA.sha.tsr -text > SHA.sha.ts.txt cat

Re: [openssl-users] Question about timestamps

2016-04-12 Thread Alex Samad
> If they are indeed inside the response, then the question > would be why the "openssl ts -verify" command didn't find > them automatically. > > If they are not inside the response, then the question > would be why Symantec didn't include them like other > tsa-s

Re: [openssl-users] Question about timestamps

2016-04-08 Thread Alex Samad
mantecs site to no available and I am working on guess work here On 8 April 2016 at 16:26, Jakob Bohm wrote: > Try something like > > $OPENSSL ts -reply -in ${FL}.tsr -text -noout > > (Not sure if it accepts the -noout option or not). > > > On 08/04/2016 08:01, Alex

Re: [openssl-users] Question about timestamps

2016-04-07 Thread Alex Samad
Okay, how do I dump the intermediaries then ? On 8 April 2016 at 15:49, Jakob Bohm wrote: > On 08/04/2016 07:39, Alex Samad wrote: >> >> Hi >> >> I am trying to use a rfc3161 timestamp service to record timestamps. >> >> >> Basically I have a sha of

[openssl-users] Question about timestamps

2016-04-07 Thread Alex Samad
Hi I am trying to use a rfc3161 timestamp service to record timestamps. Basically I have a sha of some files and I would like to sign the file. basically I am using something like this # Generate Query and send $OPENSSL ts -query -data "$FL" -sha256 | $CURL -s -H "Content-Type:application/time

[openssl-users] SHA1_Update() call leads to segfault

2016-03-24 Thread Alex Lyakas
can give a recommendation of how to proceed? Thanks, Alex. [1] #0 0x7f6b82cb14d0 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 #1 0xca62c1d6ca62c1d6 in ?? () #2 0xca62c1d6ca62c1d6 in ?? () #3 0xca62c1d6ca62c1d6 in ?? () #4 0xca62c1d6ca62c1d6 in ?? () #5 0xca62c1d6ca62c1d6 i

Re: [openssl-users] Errors in building 1.0.2f

2016-02-11 Thread Alex Chen
Yes, I did. It still failed. I manually made the symbolic links and the compilation completed without problem. But this should have been taken care of by Configure, should it not? Alex On 2/11/16, 1:07 AM, "openssl-users on behalf of Matt Caswell" wrote: > > >On 1

[openssl-users] Errors in building 1.0.2f

2016-02-10 Thread Alex Chen
/crypto/bf/blowfish.h. This is true for idea, cast, jpake, camellia, too. What has changed? Alex -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Segfault in libcrypto.so

2015-12-20 Thread Alex william
error modes and how to work through them. -Kyle H On 12/17/2015 10:00 PM, Alex william wrote: > > Hello, > > > > > I have been trying to install a product named wanguard and each time am > starting a collector I receive this error message: > &

[openssl-users] Segfault in libcrypto.so

2015-12-17 Thread Alex william
encountered this error or can someone help please? Thanks. Regards, Alex

Re: [openssl-users] Elliptic curves approved or recommended by government

2015-11-11 Thread Alex Chen
t are defined in ob_jmac.h. What I would like to know is how the names are related to NIST's recommendation list? Is there a convention? Thanks On 11/11/2015 1:08 PM, Jakob Bohm wrote: On 11/11/2015 21:02, Alex Chen wrote: I see there is a list of recommended list by NIST in http://csrc.nist.

[openssl-users] Elliptic curves approved or recommended by government

2015-11-11 Thread Alex Chen
Alex

Re: [openssl-users] question about resigning a certificate

2015-03-22 Thread Alex Samad - Yieldbroker
Hi Is this the right mailing list to ask this question ? Can somebody suggest a better ML Thanks From: Alex Samad - Yieldbroker Sent: Wednesday, 18 March 2015 2:21 PM To: openssl-users@openssl.org Subject: RE: [openssl-users] question about resigning a certificate Hi I have done that and

Re: [openssl-users] question about resigning a certificate

2015-03-17 Thread Alex Samad - Yieldbroker
Hi I have done that and compared the output with diff The only differences are Serial number Signature algo Comment Signature. Alex From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: Wednesday, 18 March 2015 6:50 AM To: openssl-users@openssl.org

[openssl-users] question about resigning a certificate

2015-03-15 Thread Alex Samad - Yieldbroker
. Alex

SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 option flags

2014-08-06 Thread Alex Chen
I assume SSL_OP_NO_TLSv1 affects TLS v1.0 only but not TLS v1.x in general? Alex

Disable SSLv2

2014-04-11 Thread Alex Chen
=== Is this expected response of the tests? Alex

Building OpenSSL 1.0.1e on MacOS

2013-04-22 Thread Alex Chen
;cc:-arch x86_64 -g -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", ... Is this a mistake in Configure or is it intentional? If so, what is the reason? Thanks for the help. Alex

Re: Set up the protocol

2012-12-12 Thread Alex Chen
) API? On 12/11/2012 2:30 AM, Florian Weimer wrote: On 12/11/2012 02:44 AM, Alex Chen wrote: I want to set up SSL so it does not use SSL v2 or older, just like that Apache has in its httpd-ssl.conf SSLProtocol all -SSLv2 What is the equivalent API to do this? After reviewing existing documen

Set up the protocol

2012-12-10 Thread Alex Chen
I want to set up SSL so it does not use SSL v2 or older, just like that Apache has in its httpd-ssl.conf SSLProtocol all -SSLv2 What is the equivalent API to do this? Thanks. __ OpenSSL Project h

Re: openssl rsa command

2012-12-09 Thread Alex Chen
Thanks to Mr. Hohnstaedt and Dr. Henson for answering my questions. It was very useful. Alex On 12/6/2012 4:38 AM, Dr. Stephen Henson wrote: On Thu, Dec 06, 2012, Christian Hohnstaedt wrote: On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote: I am trying to change the password of a

openssl rsa command

2012-12-05 Thread Alex Chen
I am trying to change the password of a private key with 'openssl rsa' command. The original key file, server.key.enc has the following format: -BEGIN ENCRYPTED PRIVATE KEY- -END ENCRYPTED PRIVATE KEY- When I used the command "openssl rsa -in server.key.enc -passin pass:ol

Re: Encryption algorithm

2012-10-15 Thread Alex Chen
We only use OpenSSL_add_all_algorithms during SSL initialization, no other SSL_[CTX]_set_cipher_list calls are made, therefore the cipher used should be the default DHE-RSA-AES256-SHA then. Alex On Oct 14, 2012, at 3:01 PM, Dave Thompson wrote: >> From: owner-openssl-us...@openssl.

Encryption algorithm

2012-10-12 Thread Alex Chen
DHE-RSA-AES256-SHA, will be used, correct? Alex

[PATCH] openssl s_client starttls ldap

2012-10-01 Thread Alex Bergmann
389 Comments are more then welcome! Cheers, Alex diff -Nur openssl-original/apps/s_client.c openssl/apps/s_client.c --- openssl-original/apps/s_client.c 2012-09-27 10:45:09.175327999 +0200 +++ openssl/apps/s_client.c 2012-09-28 15:07:38.298329407 +0200 @@ -349,8 +349,8 @@ BIO_printf(bio_err," -

Re: OpenSSL support of Intel AES instruction set

2012-09-25 Thread Alex Chen
er that is different from what is already done by OpenSSL? Alex On Sep 25, 2012, at 3:49 AM, Klaus Darilion wrote: > > > On 24.09.2012 23:56, Alex Chen wrote: >> Sorry I did not use new mail command to start a new topic. Let me start >> over again. >> >> I remember s

OpenSSL support of Intel AES instruction set

2012-09-24 Thread Alex Chen
ble the use of these instructions? Alex

OpenSSL support of Intel AES instruction set.

2012-09-24 Thread Alex Chen
I remember seeing somewhere that OpenSSL supports Intel AES instruction set. If so, which release is that and what flag is needed to enable it. Does the 'no-asm' flag in 'Configure' disable the use of these

FIPS mode and SSL

2012-07-09 Thread Alex Chen
When FIPS mode is turned on, I assume OpenSSL will only use FIPS 140-2 approved encryption algorithms for network traffic encryptions as well, correct? Alex

Re: OpenSSL FIPS Object Module 1.2.4 support for Apple iOS and OS X

2012-07-06 Thread Alex Chen
Thanks, Steve. Alex On 7/6/12 4:36 PM, "Steve Marquess" wrote: >On 07/05/2012 12:43 PM, Alex Chen wrote: >> Thanks for the information, Steve. I do have some questions about the >>FIPS >> module. >> >> 1. What does 'support' mean? Do

Re: OpenSSL FIPS Object Module 1.2.4 support for Apple iOS and OS X

2012-07-05 Thread Alex Chen
g the configure script but use the same flags and defines specified in the Makefile, will the resulting library still be considered valid, assuming it passes all the tests that come with the source code? Alex On 7/4/12 6:05 AM, "Steve Marquess" wrote: >On 07/03/2012 07:35 PM, Alex Ch

Re: OpenSSL FIPS Object Module 1.2.4 support for Apple iOS and OS X

2012-07-03 Thread Alex Chen
I assume this module will work with both OpenSSL 1.0.0 and 1.0.1? On 6/25/12 7:03 AM, "Steve Marquess" wrote: >The OpenSSL FIPS Object Module 1.2 has been extended to include support >for the iOS and Mac OS X operating systems, as the newly released >revision 1.2.4. This new support was made po

Re: Exchange information without SSL

2012-05-03 Thread Alex Chen
er use the client public key to decrypt it, RSA_public_decrypt(). But I am not familiar with the API . How do I get the RSA data from a PEM file? Thanks. Alex On May 2, 2012, at 6:15 PM, Erwin Himawan wrote: > I have the impression you want to protect (providing message integrity, > messag

Exchange information without SSL

2012-05-02 Thread Alex Chen
key, which will then be used for symmetric encryption/decryption. 1. Use Diffie-Hellman 2. Use PKI Which approach is better? If I go with 2., what APIs are used to extract the private key and public key from the PEM file? Thanks for the help. Alex

Re: OpenSSL FIPS Module 2.0 status update

2012-04-04 Thread Alex Chen
Thanks for the response, Steve. Alex On Apr 4, 2012, at 4:58 PM, Steve Marquess wrote: > On 04/04/2012 07:17 PM, Alex Chen wrote: >> Steve, >> >> Unfortunately it has been four weeks and the status is still stuck in >> 'coordination'. Well, we all

Re: OpenSSL FIPS Module 2.0 status update

2012-04-04 Thread Alex Chen
ed in that status? When an application reaches 'finalization', I assume it will eventually 'graduate', i.e. removed, from that list and gets a certificate number, right? Alex On Mar 6, 2012, at 3:08 AM, Steve Marquess wrote: > The OpenSSL FIPS Object Module 2.0 is now in &

Random number generator

2012-04-04 Thread Alex Chen
There is a 'rand' command in the openssl command line tool to generate 'pseudo' random number generator. But I cannot find the API from either the 'ssl' or 'crypto' man pages. Can someone point me to the API page if it is available? Is this RNG implementation different in the regular distributi

AES encryption block size

2012-03-28 Thread Alex Chen
When the padding is disabled by setting the padding size to 0 in EVP_CIPHER_CTX_set_padding(), is the output data block size the same as the input block size? Will this reduce the encryption strength? Alex

OpenSSL 1.0.1 and FIPS Object Module v 2.0

2012-03-17 Thread Alex Chen
My mistake in the subject line in previous mail. What I have actually downloaded is FIPS 2.0. The questions below are still valid. Alex On Mar 16, 2012, at 6:48 PM, Alex Chen wrote: > I have downloaded the OpenSSL 1.0.1 and FIPS object module v2.0. Both will > build a libcrypto.a l

OpenSSL 1.0.1 and FIPS Object Module v1.2

2012-03-16 Thread Alex Chen
lue attempted, subscript -1 at ./incore line 366. Alex __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org

Final release of Openssl-1.0.1 and FIPS-2.0

2012-02-28 Thread Alex Chen
was it filed and is there an expected approval date? Thanks. Alex

Build OpenSSL on Mac OS X

2012-02-22 Thread Alex Chen
JOR).$(SHLIB_MINOR).dylib to an empty string. What triggers that? 3. The -OPENSSL_NO_RFC3779 CFLAG is always there, even if I feed the 'rfc3779' parameter to 'Configure'. Why? How to fix that? Can someone shed some light on these questions? Alex

Re: FIPS object module

2012-02-17 Thread Alex Chen
Thanks for the information Jakob. I cannot find such module from OpenSSL source download page. Alex On Feb 17, 2012, at 2:19 AM, Jakob Bohm wrote: > On 2/16/2012 10:28 PM, Alex Chen wrote: > > From what I saw in OpenSSL site and the user guide, the > > FIPS object module is

FIPS object module

2012-02-16 Thread Alex Chen
understand it has to be built without any changes. If we need to build it in 64-bit mode, does the build script support that? How about building it on Windows? Does it also have batch file to build on Windows and for 64-bit, too? Any help is appreciated. Alex

OpenSSL FIPS

2011-09-19 Thread Alex Chen
I am reading the OpenSSL FIPS user guide and the first thing I notice is that it says it only supports openssl 0.9.8j and up but not openssl 1.0.0. We are currently using openssl 1.0.0. Does that mean we cannot use the FIPS module? Do we have to move back to 0.9.8 branch? Alex

Re: OCSP responder bug?

2011-08-07 Thread Alex Bergmann
l.org/msg64208.html The OCSP issue is also listed in the Request Tracker. http://rt.openssl.org #2460: OCSP server uses only IP6 I hope that clarifies things. @Tomasz: I've put you on BCC because I thought you might find this interesting. Cheers, Alex On 02/12/2011 01:05 AM, Timoth

Re: How to extract Certificate info from file with multible certificates?

2011-07-22 Thread Alex Lindberg
Thanks. --- On Fri, 7/22/11, Victor Duchovni wrote: From: Victor Duchovni Subject: Re: How to extract Certificate info from file with multible certificates? To: openssl-users@openssl.org Date: Friday, July 22, 2011, 4:15 PM On Fri, Jul 22, 2011 at 02:03:27PM -0700, Alex Lindberg wrote: >

How to extract Certificate info from file with multible certificates?

2011-07-22 Thread Alex Lindberg
CAcert.pem -date -all  to extract the start/end dates for all certs. Thanks for your help with this. Alex Lindberg

Re: [openssl-users] CA

2011-05-20 Thread Alex Bergmann
thing to do with the AKID/SKID. > If you were in this situation, and only were able to verify end-user > certificates if the new CA certificate had the same serial number as > the old one, then I'm sure you made a mistake in your tests. I agree, maybe I did something wrong h

Re: [openssl-users] CA

2011-05-20 Thread Alex Bergmann
uation, and only were able to verify end-user certificates if the new CA certificate had the same serial number as the old one, then I'm sure you made a mistake in your tests. I agree, maybe I did something wrong here. What steps would I have to do to recertify

Re: [openssl-users] CA

2011-05-18 Thread Alex Bergmann
cate the same serial number as the previous one. openssl req -new -x509 -days 1000 -key cakey.pem \ -set_serial -out new_cacert.pem After that, verification of already signed certificates is working fine with the old and new Root Certificate. Alex _

Re: Support of SHA-2

2010-09-01 Thread Alex Chen
for sha256, sha384, etc., too, correct? Alex On 9/1/2010 4:28 PM, Alex Chen wrote: So if I want to use SHA-2 in my certificates, how do I choose on from the available SHA-2 family? The only thing I see in the config file we use is default_md = md5 and the generated pem file has the

Re: Support of SHA-2

2010-09-01 Thread Alex Chen
? Alex On Aug 10, 2010, at 10:44 AM, Erwann ABALEA wrote: > Hodie IV Id. Aug. MMX, Alex Chen scripsit: >> I am only a end user and not familiar with SSL internal. If I >> understand the replies correctly, OpenSSL 1.0.x currently supports >> SHA-2 in certificates but not in t

Re: Cipher selection

2010-08-13 Thread Alex Chen
and with the highest security, correct? For people that uses openssl right out of the box and does not any special cipher selection, if we use the same version of openssl on both ends I assume the cipher used in the connection will be the first one, DHE-RSA-AES256-SHA, right? Alex On Aug

Cipher selection

2010-08-11 Thread Alex Chen
. -END RSA PRIVATE KEY- -BEGIN CERTIFICATE REQUEST- . -END CERTIFICATE REQUEST- Thanks for the help Alex

Re: Support of SHA-2

2010-08-10 Thread Alex Chen
I am only an end user and not familiar with SSL internal. If I understand the replies correctly, OpenSSL 1.0.x currently supports SHA-2 in certificates but not in the cipher suites used in network communication protocol. Is that a correct statement? Alex On Aug 9, 2010, at 6:44 AM, Jakob

Support of SHA-2

2010-08-06 Thread Alex Chen
use of > > SHA-1 is hardcoded, would certainly be welcomed. > > > > > > __ > > OpenSSL Project http://www.openssl.org > > Development Mailing List openssl-...@openssl.org > > > > Automated List Manager majord...@openssl.org > > Does that means SHA-2 is still not in OpenSSL 1.0 yet? Alex

Re: 'No shared cipher error' connecting to OpenSSL server with Firefox using TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) cipher suite

2010-07-09 Thread Alex Birkett
ptive error message to OpenSSL? Many thanks to everybody that replied to this thread. Your help has been really appreciated. Kind Regards, Alex On 8 July 2010 18:47, Michael S. Zick wrote: > On Thu July 8 2010, Dirk Menstermann wrote: > > Hi, > > > > on https:

Re: 'No shared cipher error' connecting to OpenSSL server with Firefox using TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) cipher suite

2010-07-08 Thread Alex Birkett
: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) as the first of its 35 supported cipher suites I started the server like this openssl s_server -cert /home/alex/keys/ssltest/Certs/secp160r2TestServer.pem -cipher ECDHE-ECDSA-AES256-SHA -www so that it responds to the browser's http request. I test

Re: 'No shared cipher error' connecting to OpenSSL server with Firefox using TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) cipher suite

2010-07-08 Thread Alex Birkett
Hi Patrick, Thanks for your response. FF 3.6.2 is sending TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA in its client hello message. The command line OpenSSL client can be made to connect using this cipher suite. Any ideas? Thanks, Alex On 8 July 2010 13:41, Eisenacher, Patrick wrote: >

'No shared cipher error' connecting to OpenSSL server with Firefox using TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) cipher suite

2010-07-08 Thread Alex Birkett
enssl s_server -cert /home/alex/keys/ssltest/Certs/secp160r2TestServer.pem -cipher ECDHE-ECDSA-AES256-SHA An open ssl client can be successfully connected like this: openssl s_client -connect localhost:4433 The client says the connection is established with the ECDHE-ECDSA-AES256-SHA cipher W

pkcs7 SignedAndEnvelopedData

2010-07-07 Thread Alex Oniciuc
enssl cms from #sh can do the trick? Are these steps right? (at least in theory?) 1. SIGN DATA WITH SENDERS PRIVATE KEY 2. GZIP FILE (openssl cms --compress?) 3. ENCRYPT WITH RECIPIENTS PUBLIC KEY Thanks in advance, Alex

error: ASN1_mbstring_copy:string too long:a_mbstr.c:154:maxsize=2 _only_ when using config file and prompt off

2010-04-13 Thread Alex Lam
idea what is going wrong here? thanks, alex.

Re: DTLS ClientHello exchange broken by renegotiation patch in 0.9.8l

2009-11-17 Thread Alex Lam
:-( Thanks, Alex. $ ./openssl s_server -dtls1 -debug Using default temp DH parameters Using default temp ECDH parameters ACCEPT read from 0x6cab10 [0x6d0160] (18437 bytes => 99 (0x63)) - 16 fe ff 00 00 00 00 00-00 00 00 00 56 01 00 00 V... 0010 - 4a 00 00 00 00 00 00 00-4a fe ff 4b

DTLS ClientHello exchange broken by renegotiation patch in 0.9.8l

2009-11-11 Thread Alex Lam
Hi all, The patch that disable renegotiation has broken DTLS's ClientHello exchange in 0.9.8l. Server sends an Alert together with HelloVerifyRequest... Thanks, Alex. alexl-lnx2:~/openssl-098l/openssl/apps> ./openssl s_server -dtls1 -debug Using default temp DH parameters Using defa

Segmentation Fault with using OpenSSL via JNI

2009-11-03 Thread Alex
tem.run()V+75 j java.lang.Thread.run()V+11 v ~StubRoutines::call_stub: Thanks for your help. Alex

OpenSSL 0.9.8l

2009-08-07 Thread Alex Lam
Hi all, Just wondering if there is any plan to release OpenSSL 0.9.8l ? If so, do we know when? I'd like to stay with the 0.9.8 branch, but I do see some fixes double committed from the 1.0.0 branch. Thanks, Alex.

How do you detect OpenSSL rekey

2009-07-01 Thread Alex Lam
Hi all, Is there a way in which an application is made aware the SSL / TLS / DTLS connection rekeyed? Thanks, alex

Re: SHA-1 vs. SHA-2

2009-05-08 Thread Alex Chen
= Does this means SHA-2 is only used in certificate verification, but not in any other crypto suite used for traffic? And do we 'enable' the "all" algorithm? Any man page for more information? Thanks. Alex On May 8, 2009, at 11:40 AM, Victor Duchovni wrote: On Fri, May 08
