No. OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
which is very much still a wor
s different to what I am using. Is there some way I can see
what it's using or am I going in the wrong direction here?
Regards
Ben
All,
Does anyone know what the proper syntax is for the undocumented -header host
switch? I'm getting some different responses/behaviors when I try these:
-header "Host" "ocsp.example.com"
-header 'Host' 'ocsp.example.com'
-head
Fun Fact: (For me) Gmail often marks completely legit emails from
mailing lists as spam and you manually have to mark them as "no spam".
The fun comes in when you notice that actual spam is not marked as
such at all.
Looks like strong encryption is much easier to develop than a decent
spam filter.
I see. Thank you very much Jakob and Jeffrey!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
2016-03-31 18:09 GMT+02:00 Jakob Bohm :
> On 31/03/2016 17:16, warron.french wrote:
> 3. Then create new server certificates for the 2 servers again.
>
> Yep, and give the new ones a slightly different "full"
> distinguished name (important for CRL and "ca" database).
> My approach is to include t
2015-12-13 22:57 GMT+01:00 Salz, Rich :
>
>> And we don't know on which client OP will have to use that pem file, thus
>> give advice that works on all clients, not just OpenSSL or GnuTLS or
>> whatever.
>
> It is quite reasonable to give openssl-specific answers on the openssl-users
> mailing li
2015-12-13 20:27 GMT+01:00 Viktor Dukhovni :
>
> This is both wrong and irrelevant. The OP should proceed as instructed.
> OpenSSL's CAfile feature reads multiple certificates from a single file.
Exactly that is the point. Only "linux based" tools will be able to
read such a pem file. Windows cer
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni :
>
> In other words, you can concatenate all the trusted root CA
> certs into the "cert.pem" file in that directory, but this
> has a performance cost, as all the certificates are loaded
> into memory and parsed even though most go unused. Alternatively,
/X.crt -inkey out/X.key -chain -out out/X.p12
You can check the openssl pkcs12 help for more arguments.
Best regards,
Ben
2015-12-12 22:23 GMT+01:00 Dominik Mahrer (Teddy) :
> Hi everyone
>
> My question is:
> How can I set up a bundle of commercial root CA certificates?
> Exactl
Tell the person who created the CSR that the value of the
stateOrProvinceName field has to be HK. If that is not possible
because the subCA is in a different country you can change your
openssl.cnf to allow different values in that field so instead of
stateOrProvinceName = match you have to use at
://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
2015-11-04 16:06 GMT+01:00 Ben Humpert :
> That guide is a little bit old and not very accurate. I setup my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here
That guide is a little bit old and not very accurate. I setup my PKI
using the OpenSSL Cookbook recommended to me by Rich Salz. This free
guide / documentation is here:
https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other sourc
blogs.msdn.com/b/vcblog/archive/2013/06/28/c-11-14-stl-features-fixe
s-and-breaking-changes-in-vs-2013.aspx discusses the addition of several
useful C99 features in VS2013, including compound literals, designated
initializers, and variable declarations.
-Ben Kaduk
Take a look in your openssl.cnf and you should see the option "serial"
with a path / file specified. The serial number is taken from that
file. If the file doesn't exist or is empty when the very first
certificate is created then 01 is used as a serial for it.
Rich Salz recommended me this SSL Co
2015-06-24 1:35 GMT+02:00 Jakob Bohm :
> On 19/06/2015 16:24, Ben Humpert wrote:
>>
>> When the CSR contains an email address and the email_in_dn setting in
>> the config file is set to "no" the email address is actually present
>> in the issuer DN but not
; permitted;DNS.0 = example.com
>
> client configuration file has subjectAltName:
> subjectAltName = DNS: www.cs.com
>
> So is this a mismatch? How come s_client/s_server test was okay?
>
>
>
>
>
> On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert wrote:
>> Do you us
Do you use nameConstraints or have specified IP in subjectAltName?
Because OpenSSL can't handle that correctly.
2015-06-29 22:51 GMT+02:00 David Li :
> Hi,
>
> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
> a client cert (signed by the subCA). Now I want to use verify,
>
When the CSR contains an email address and the email_in_dn setting in
the config file is set to "no" the email address is actually present
in the issuer DN but not in the subject DN. This causes errors when
verifying certificate chains since the subject hash is used to
identify a cert but the issue
As a workaround try running openssl with the -config command line option.
2015-06-04 22:17 GMT+02:00 Cathy Fauntleroy :
> Hello,
>
>
>
> I have OpenSSL 1.0.2a installed on my Windows 7 box. I am attempting to
> generate a CSR so new security certificates can be issued and am running
> into the fo
ertificate/key but
without subjectAltName and another new cert/key without subjectAltName
but CN set to "radius.home.lan".
Windows XP, Vista, 7, 8 and 10 as well as MacOS and iOS accepted the
initial RADIUS Server certificate. It is just OpenSSL doing some weird
stuff with nameConstrain
2015-05-27 14:02 GMT+02:00 Jakob Bohm :
> Just to clarify: The log messages in your original post,
> were those from Android or from the server?
These are from the RADIUS server debug output.
2015-05-27 8:17 GMT+02:00 Jakob Bohm :
> Maybe the Android user interface is really asking about
> something other than the issuing CA cert.
>
> What are you trying to achieve by selecting a CA cert
> in the client UI?
The official Google documentation as well as other sources say that it
asks for
the client
cert as a CA certificate or vice-versa.
Any help is much appreciated!
Best regards,
Ben
Technical report: https://weakdh.org/imperfect-forward-secrecy.pdf
Check your browser (currently all are affected) at https://weakdh.org/
Check your Server at https://weakdh.org/sysadmin.html
Deploying Guide: https://weakdh.org/sysadmin.html
I love that when it happens :)
2015-05-12 16:56 GMT+02:00 Ben Humpert :
> Ok, after plenty of testing and some googling: the name constraints
> extension is ... improvable. I ran plenty of tests but it looks like
> that the extension is not very well implemented in today's browsers.
Ok, after plenty of testing and some googling: the name constraints
extension is ... improvable. I ran plenty of tests but it looks like
that the extension is not very well implemented in today's browsers.
I have attached three txt files (DOS format) with the settings and
results of each test run.
addresses just because
DNS is permitted? Would I also have to exclude email, URI, RID,
dirName and / or othername too?
Thank you very much in advance!
Best regards,
Ben
2015-05-09 21:47 GMT+02:00 Salz, Rich :
>
>> After getting into building and especially configuring my own CA again I'm
>> nearly at the end and I've noticed some errors in the documentation I want
>> to report.
>
> I like the "again" :)
Yeah, once upon a time I had done a comprehensive configurat
sion (or subtree) of
openssl that is cleaned up. Currently there are many ways of creating
a CSR, signing a certificate, etc. I think this is confusing
everybody.
Thank you very much in advance.
Best regards,
Ben
n port 700. Furthermore, check if any firewall(s) are blocking you (although
on localhost that would be surprising).
Ben Pottier
UK Head of Technology
www.funnelback.com
109-123 Clifton Street, London EC2A 4LD
T +44 (0)207 183 6814 M +44 (0)7525 124 805 E bpott...@funnelback.com
UNITED KI
You could try examining both PEM-encoded certificates using an ASN.1
decoder, such as the one here - http://lapo.it/asn1js
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Barbe, Charles
Sent: Sunday, July 6, 2014 8:42 PM
To: o
Looking at http://www.openssl.org/docs/apps/ca.html you can designate the
-passin option whose argument has several options including environment
variable and direct input with pass: which should be fine for your
local tests.
Cheers,
Ben
> On 20 May 2014, at 17:45, "Dalisay, Chris
On 20 May 2014 15:17, Ken Goldman wrote:
> On 5/20/2014 7:24 AM, Ben Laurie wrote:
>>
>>
>> There is already a strndup replacement: BUF_strndup(). Switching to
>> use that would be better.
>
>
> However
>
> - if that function points to strndup, don
On 20 May 2014 06:40, The Doctor,3328-138 Ave Edmonton AB T5Y
1M4,669-2000,473-4587 wrote:
> Found that strndup would not work.
>
> I had to add
>
> #if !HAVE_STRNDUP
>
> #include
> #include
> #include
> #include
>
> /* Find the length of STRING, but scan at most MAXLEN characters.
>If no
Hello everyone,
I have a question about the CRL in an SSL server. I loaded the CRL file successfully,
but when a new connection comes in, SSL_accept returns NULL, whether or not the
client cert is in the CRL file. Certainly, if I don't load the CRL file, the SSL
server is OK.
and the ssl_accept retur
luck.
From: owner-openssl-us...@openssl.org<mailto:owner-openssl-us...@openssl.org>
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Ben Arnold
Sent: Tuesday, December 17, 2013 06:05
To: openssl-users@openssl.org<mailto:openssl-users@openssl.org>
Subject: *** Spam *** HTTPS TLSv1.
g, or do they point to the problem? They don't seem to
match cURL's diagnostic output, but I can't see the network capture from cURL
as it won't output the session keys)
Many thanks,
Ben
ClientCertFail.keys
Description: ClientCertFail.keys
ClientCertFail.pcapng
Description: ClientCertFail.pcapng
On 13 November 2013 10:35, Igor Sverkos wrote:
> According to RFC 3280, which defines
> X.509 certificates, these entries, if they exist, must not have
> an empty value.
FWIW, RFC 3280 has been obsoleted by RFC 5280.
I couldn't find where it said this in RFC 5280. Pointer?
cipherlist seems to
bear out; I removed some of the ciphers you suggested and the server still
happily connects. It creates a Client Hello of 198 bytes which should also
avoid the other problem you mention (that I haven't seen on this particular
server).
Thanks for all the help,
B
o talk to support DES-CBC3-SHA, this may not
always be the case. Any idea how likely it is I will find a server that
doesn't? Or is there something else I can set to make renegotiation supported
without specifying the cipher.
Thanks for all your suggestions so far,
Ben
s_client_default.pcap
Description: s_client_default.pcap
s_client_des_cbc3_sha.pcap
Description: s_client_des_cbc3_sha.pcap
as
openssl-allow-us...@openssl.org
which does exactly what I want (keep an eye on "allow"). But OpenSSL Majordomo
seems not to offer this feature.
Ben
__
OpenSSL Project http://www.o
r.com Error: timeout exceeded
Hmm, what's wrong?
How else can I store a remote (*.pem) certificate on the local computer?
Ben
__
OpenSSL Project http://www.openssl.org
User
On 3 October 2013 22:14, Jeff Trawick wrote:
> E.g., run
>
> echo GET / | openssl s_client -connect host:port
>
> It does the handshake then stalls until you press a key (which will be
> left unused in the buffer when openssl exits), then it sends the input. I
> guess the kbhit() in the s_client
On 21 August 2013 03:19, Patrick Pelletier wrote:
> On 8/15/13 11:51 PM, Patrick Pelletier wrote:
>
>> On Aug 15, 2013, at 10:38 PM, Nico Williams wrote:
>>
>> Hmm, I've only read the article linked from there:
>>> http://android-developers.**blogspot.com/2013/08/some-**
>>> securerandom-thought
Try
write_data( file_, data, strlen(data) + 1, "mykey");
On 16 August 2013 03:34, Ztatik Light wrote:
> ps, yes, line 29 is a mistake and should read: char new_filename[strlen(
> filename ) + 5];
>
> But even with that fix i get the same results
>
>
> On Fri, Aug 16, 2013 at 2:27 AM, Ztatik L
On 24 July 2013 08:57, Lionel Estrade wrote:
> Hello,
>
>
>
> I am looking for a SSL/TLS stack for a project based on CVP2 and I need to
> know if the following RFCs (which are required by CVP2) are fully/partially
> implemented in OpenSSL.
>
> RFC 4680 - TLS Handshake Messages for Supplemental
sg-13
Could someone please point in a direction on where to look at?
I am basically running out of Ideas to check.
Thanks a lot,
Ben
On 18 April 2013 00:17, Jakob Bohm wrote:
> This sounds like a gross violation of the Postel principle.
A principle that should be pretty much universally violated.
On 6 March 2013 03:55, Nayna Jain wrote:
>
> Hi all,
>
> Are RAND_seed(), RAND_add() NIST SP 800-151A compliant ?
800-151 does not appear to exist, got a link?
On 20 January 2013 00:09, Jeffrey Walton wrote:
> Hi All,
>
> How does one specify an architecture for Configure?
I don't think there is an approved way to do it in general. Probably
you have to edit Configure to specify a new target.
However, your problem appears to be that you can't put CFLA
On 19 January 2013 16:31, Jeffrey Walton wrote:
> On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie wrote:
>> On 26 December 2012 20:07, Jeffrey Walton wrote:
>>> On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wrote:
>>>> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey
On 26 December 2012 20:07, Jeffrey Walton wrote:
> On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wrote:
>> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton wrote:
>>> I fetched `makedepend` from FreeDesktop.org
>>> (http://xorg.freedesktop.org/releases/individual/util/).
The sharp-eyed will have already noticed we're moving to git.
Well, it looks like that's actually happened now. We're also shifting
pretty much everything to new infrastructure.
So, there may be outages, unexpected changes and general weirdness for
a little while.
We'll let you know when we're d
On Fri, Jan 4, 2013 at 9:58 AM, Tayade, Nilesh
wrote:
> Hi,
>
> The RSA_private_decrypt() function is proved to be costlier on my system.
> I will try for some hardware cards (PCI or over the network), which will help
> me perform asymmetric decryption in case of Premaster-decryption.
> I am look
On Wed, Jan 2, 2013 at 8:34 AM, Jeffrey Walton wrote:
> On Mon, Dec 31, 2012 at 7:00 AM, Ben Laurie wrote:
>> On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton wrote:
>>> On Sun, Dec 30, 2012 at 3:20 PM, wrote:
>>>> On 30-12-2012 21:01, Jeffrey Walton wrote:
>
On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton wrote:
> On Sun, Dec 30, 2012 at 3:20 PM, wrote:
>> On 30-12-2012 21:01, Jeffrey Walton wrote:
>>>
>>> Hi All,
>>>
>>> While working on Apple with Mac OS X and iOS, I found I needed to
>>> patch OpenSSL 1.0.1c's Makefile.
>>>
>>> Makefile.org has
On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton wrote:
> I fetched `makedepend` from FreeDesktop.org
> (http://xorg.freedesktop.org/releases/individual/util/). It would not
> build due to missing dependencies. Ad infinitum.
$ port search makedepend
makedepend @1.0.4 (x11, devel)
Create depend
On Tue, Nov 13, 2012 at 6:34 PM, Sanford Staab wrote:
> I have been struggling with openssl for a few months now writing batch
> scripts on windows trying to make a .net web client with a client
> certificate work with 2-way ssl against an apache web server.
>
> Do you guys just want to continue t
On Wed, Oct 17, 2012 at 9:52 AM, Brent Evans wrote:
> Hi,
>
> I'm currently trying to use the openSSL library to perform DES3 encryption
> on a string. The result from this encryption then has a base64 operation
> performed on it, before this is passed to a Java application to decode the
> base64
On Sat, Oct 6, 2012 at 2:52 PM, Charles Mills wrote:
> I have recently written a product that incorporates SSL/TLS server code that
> processes client certificates. I designed what I thought made sense at the
> time but now I am wondering if what I did was best.
>
> In the product's configuration
ls /usr/local/ssl
cert.pem certs misc openssl.cnf private
Is there any way to have openssl spit out where it's looking for the
certificate store? Ideally I don't want to have to specify any parameters
in my client program since the code is mostly automatically generated by
gSOAP. On my Fedora box it just picks up the defaults and works smoothly. I
want the same behaviour on my target board.
Thanks a lot,
Ben
arget (ARM) system seems
to receive/interpret a different certificate chain.
Please help! I have no idea why the output is different.. can somebody
explain how I might be able to get my target device verifying the
certificate correctly in the same way as my build machine.
Thanks muchly,
Ben
OUTPUT
On Fri, Aug 24, 2012 at 2:18 AM, Jeffrey Walton wrote:
> On Thu, Aug 23, 2012 at 9:06 PM, Paulo Roberto
> wrote:
>> Hello, I am using the package libssl-dev on ubuntu in my beagleboard xm, and
>> I have to run two C algorithms using the openSSL library..
>> Although I can't compile using the com
On Tue, Aug 21, 2012 at 2:14 PM, Charles Mills wrote:
> Actually, there IS *almost* a general solution to this problem.
>
> The input consists of characters from some set of 'n' characters. (Perhaps
> 'n' is 94 -- 0x21 through 0x7e inclusive -- but it does not matter.) You need
> to pack those c
't work.
I'll have to think about this for a bit.
Anyway, thanks for the clarifications!
Ben
-Original Message-
From: CASTELLUCCI, BEN CIV DFAS
Sent: Thursday, May 24, 2012 11:21 AM
To: openssl-users@openssl.org
Subject: RE: pkcs11 Certificate Selection Dialog
Thank you for the r
rompt.
Let me know any thoughts on this.
Thanks!
Ben
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 24, 2012 9:52 AM
To: openssl-users@openssl.org
Subject: Re: pkcs11 Certificate Sele
Is there currently a way to 'remember' the decision?
Let me know any thoughts.
Thanks!
Ben
On Tue, May 22, 2012 at 9:55 AM, Simner, John
wrote:
> Dear all,
>
> I am working on an embedded product which currently uses OpenSSL 0.9.8w with
> FIPS support.
I'm curious: what product is this? I had a quick poke around and
couldn't find any mention of OpenSSL on Siemens' websites...
> We hav
On Sat, May 12, 2012 at 12:15 AM, wrote:
> Ahhh!
> So, a 15 byte block (or ends with a 15 byte after multiples of 16 bytes)
> would use a 0x01 in the last position...?
>
> And a whole multiple of 16 blocks would have an extra block filled with
> 0x0f's...?
0x10, actually.
>
> My initial testing
demos/state_machine
demos/tunala
On Tue, May 8, 2012 at 2:17 PM, Marcin Głogowski wrote:
> Hello,
> I have to write non blocking SSL/TLS server based on the OpenSSL library.
> I couldn't find any example/tutorial with this.
> Please write me where can I find some client/server examples or simple
Hello,
I'm trying to create a cert with an intermediate cert for testing. So
I'm going to build it all locally.
I will be testing with uploading to cisco's netscaler.
I have done some looking around and I find the names of "Intermediate,
Chained look to be the same thing", Netscaler is using
Engineer | Quantum Corporation | Office:
> 949.856.7748 | paul.suh...@quantum.com
> Preserving the World's Most Important Data. Yours.T
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ben Laurie
> Sent
On Mon, Apr 30, 2012 at 12:45 PM, Dr. Stephen Henson wrote:
> On Sun, Apr 29, 2012, Mike Hoy wrote:
>
>> We use McAfee to scan our website for vulnerabilities. They claim the
>> following:
>>
>> > Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
>> > Configure SSL/TLS servers
On Sun, Apr 29, 2012 at 10:40 PM, Mike Hoy wrote:
> We use McAfee to scan our website for vulnerabilities. They claim the
> following:
>>
>> Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
>> Configure SSL/TLS servers to only support cipher suites that do not use
>> block ci
On Thu, Mar 29, 2012 at 5:40 AM, Prashanth kumar N <
prashanth.kuma...@gmail.com> wrote:
> Thanks Ken for pointing out the mistake... after changing to
> AES_Decrypt(), it worked but i still see issue when i print the
> decrypted output as it has extra non-ascii characters in it.
>
> Below is the
On Tue, Mar 27, 2012 at 8:26 PM, Ken Goldman wrote:
> On 3/27/2012 3:51 PM, Jakob Bohm wrote:
>
>> On 3/27/2012 9:37 PM, Dr. Stephen Henson wrote:
>>
>>> You should really be using EVP instead of the low level routines.
>>> They are well documented with examples.
>>>
>> Where, precisely?
>>
>> I
On Tue, Feb 21, 2012 at 7:04 PM, Ben Laurie wrote:
> On Tue, Feb 21, 2012 at 5:47 PM, Chris Dodd wrote:
>> On 02/19/2012 07:36 PM, anthony berglas wrote:
>>>
>>> Exactly. So you need about 112 bits of "entropy" / Pass Phrase to
>>> generate a good
On Tue, Feb 21, 2012 at 5:47 PM, Chris Dodd wrote:
> On 02/19/2012 07:36 PM, anthony berglas wrote:
>>
>> Exactly. So you need about 112 bits of "entropy" / Pass Phrase to
>> generate a good 2048 bit key. Remember that the vast majority of 2048
>> bit numbers are not valid key pairs.
>>
>> My
On Sat, Jan 7, 2012 at 4:12 PM, Manish Jain wrote:
>
> Hello Michael/Anyone Else,
>
> Can you be kind enough to please point me to some place/URL where I can get
> a bit more information about how the key is negotiated upon ?
>
> I have gone through a a couple of write-ups on OpenSSL which throw l
On Fri, Sep 23, 2011 at 4:54 PM, Dr. Stephen Henson wrote:
> On Fri, Sep 23, 2011, Jakob Bohm wrote:
>
>>
>> Is openssl running out of bit values for SSL_OP_ constants?
>>
>
> Well more ran out of constants. When a new flag was needed for TLS v1.2 all 32
> bits were used but fortunately two ancient
On Wed, Sep 21, 2011 at 3:48 PM, Thomas J. Hruska
wrote:
> The Register published an article yesterday that some people here might be
> interested in on TLS 1.0 being "cracked":
>
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
>
>
> The Register points their Finger of Blame r
The offender was removed from the list earlier today :-)
On Wed, Sep 14, 2011 at 3:41 PM, Jakob Bohm wrote:
> WARNING: The automatic "vacation response" mail system used by your coworker
> Mr. Lau
> is spamming a public mailing lists with its automatic responses. You may
> want to stop that
> so
t is failing on sparc solaris 10 (using sun C 5.8 compiler with optimisations
turned off)
Any help would be gratefully received
Thanks
Ben Ritchie
free to send the encrypted key back to alice
Note: you should also look at the open_ssl api. I found this very helpful.
Cheers,
Ben.
On 21 July 2010 15:41, Harshvir Sidhu wrote:
> Ben:
>Yes that's what I need to do. If you can provide some example, that will
> be great.
>
>
that's what you need to do, I can give a more concrete ( albeit
probably naive) example...
Cheers,
Ben.
On 21 July 2010 15:02, Harshvir Sidhu wrote:
> Hi All,
> I am trying to use encryption over Client/Server machines. My
> requirement is that i have to use winsock UDP functio
Assuming i'm only using SSL_set_bio to assign a BIO to the SSL object
(all other calls are read/write), will the SSL_free suffice?
Amit
On Wed, Jul 14, 2010 at 16:08, Darryl Miles
wrote:
> Amit Ben Shahar wrote:
>>
>> The documentation specifies that SSL_ERROR_ZERO_R
Hi,
The documentation specifies that SSL_ERROR_ZERO_RETURN is returned if
the transport layer is closed normally.
My question is, how should i handle this return code?
specifically should i call SSL_free normally to free resources, or are
resources already freed?
Thanks,
Amit Ben Shahar
Hi,
Does anyone know if a buffer passed to ssl_write (or any other method)
must remain valid (i.e not freed) for any period.
for example, if i have this code:
// allocate buffer
char* tmpBuff = (char*)malloc(1024);
// .. some code to put data in buff
// write buffer to ssl
ssl_write
I am having issues with a server, i'm getting many of these errors
especially while running a load (~80 users), up to a point that every
client i use gets this error
the decryption_failed_or_bad_record_mac flag is set in s3_pkt.c:466,
the mac does not match the 'md' variable
Here is the call stack:
I am having issues with a server, i'm getting many of these errors
especially while running a load (~80 users).
here is the full error message:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac
It seems to be occurring during the negotiation (accept) phase.
Maybe some
,
Ben
On Sat, Apr 24, 2010 at 18:29, James Mansion
wrote:
> Amit Ben Shahar wrote:
>
>> The .Net.Security.SslStream is not working in asynchronous calls, meaning
>> we'd have to implement it in a thread-per-connection paradigm, which is
>> obviously not an option.
>
Patrice,
Thank you for the clarification, i'll try just that and post back with my
results.
Thanks!
Amit Ben Shahar
2010/4/24 Patrice Guérin
> Amit,
> No, I don't misunderstand you.
> The (real) example I gave is in fact similar (I think so)
> In a classic Win32 ap
Would anyone happen to know how i can eliminate the requirement of the
applink implementation? why would we actually need it?
Amit Ben Shahar
On Sat, Apr 24, 2010 at 13:25, Amit Ben Shahar wrote:
> Patrice,
>
> I think your have misunderstood me (or i did you),
> From what you wr
get the
Uplink/applink to recognize a method in the .Net assembly (i understood that
it cannot be in an adjacent dll) OR to completely eliminate the Applink
usage.
If i misunderstood please correct me :)
Amit Ben Shahar
VP R&D
ISQ Technologies
(+972) 545-592-934
a...@isqgroup.net
www.isqgroup.net
On Fri, Apr 23, 2010 at 21:35, James Mansion
wrote:
> Amit Ben Shahar wrote:
>
>> One of the crucial ingredients is ssl using OpenSsl. but we are
>> encountering a problem with the 'no OPENSSL_Applink' error.
>> as this is a .Net project, there is no way (i ca
e project is running with openSsl 0.9.8, all the source and relevant
binaries are in the sourceforge project.
I'd appreciate any insight.
Regards,
Amit Ben Shahar
On Tue, Mar 30, 2010 at 12:14 PM, Kyle Hamilton wrote:
> That's your shell talking. Try:
>
> openssl ciphers -v 'HIGH:!RSA'    # note the single-quotes
>
> You just have to tell the shell not to interpret the bang, by quoting
> it -- either with a backslash or in an uninterpreted-quoted string.