I'm wondering if there's an error in the man page of BIO_should_retry.
Under description, it says:
"BIO_get_retry_reason() returns a mask of the cause of a retry condition
consisting of the values BIO_FLAGS_READ, BIO_FLAGS_WRITE,
BIO_FLAGS_IO_SPECIAL though current BIO types will only set one
Dave Thompson wrote:
3. Use SSL_set_verify() and provide a callback function.
This sounds promising but the callback function gets called
for every certificate in the chain. How can I find out
whether the certificate in question is the peer's cert and
not some intermediate cert?
x509storectx
I'm wondering what's the best way to check the identity of the peer i.e.
compare the commonName or subjectAltName included in the x509 cert with
the data I expect.
The book "Network Security with OpenSSL" calls this "Post-connection
assertions" (page 134).
I already managed to extract all th
I'm experimenting with 1.0.0-beta2 and it appears to me that
SSL_CTX_set_verify_depth
has no effect. This function is supposed to set the maximum depth of the
certificate chain that's sent by the peer.
It appears to work with 0.9.8g though.
I tried to do some debugging and found out that there
minus the IP
per-packet overhead minus the UDP per-datagram overhead minus the DTLS
per-record overhead
-Daniel
Daniel Mentz wrote:
I've got the impression that the DTLS part of OpenSSL is based on an
incorrect understanding of the term MTU (Maximum Transmission Unit).
My understanding
Hi Michael,
I'm using Linux for development but the software should also run on FreeBSD.
I also did some research on how to get the result of the Path MTU
discovery and I also ended up with this unpleasant #define statement.
The only place I could find that #define in a header file was
linux
an you provide a patch?
Daniel, can you test the patch when it is available? The path MTU
discovery might be platform specific...
Best regards
Michael
On May 12, 2009, at 8:24 PM, Daniel Mentz wrote:
I've got the impression that the DTLS part of OpenSSL is based on an
incorrect understand
I've got the impression that the DTLS part of OpenSSL is based on an
incorrect understanding of the term MTU (Maximum Transmission Unit).
My understanding is that the MTU refers to the size of the IP packet
including the IP header (usually 20 bytes) and the UDP header (usually 8
bytes) in case
ing
example is the only basis you can build on if you're trying to use DTLS
in your app.
I hope that somebody can fix that problem or at least print out a log
message saying "No DTLS support for ECDHE"
Thanks
Daniel Mentz
comer merryl wrote:
Is it possible to create a certificate with a dn,
"uid=user3,ou=People,dc=org,dc=com"
Did you try the -subj command option of "openssl req"? Try using -subj
"/uid=user3/ou=People/dc=org/dc=com"
__
OpenSSL
Wes Hardaker wrote:
http://www.net-snmp.org/wiki/index.php/DTLS_Implementation_Notes
Hi Wes,
I have some comments regarding your wiki article. But first of all
thanks for taking the time writing down all this information:
I'm trying to implement IPFIX on top of DTLS so I also made some
ex
Robin Seggelmann wrote:
As a workaround you can use connected UDP sockets. Just use accept() and
connect() as you would with TCP connections and create new BIO and SSL
objects for every connection. I have tested that and it works pretty
well so far.
Hi Robin,
I'm surprised that you can use a
ing IPFIX messages. That's
why I'm surprised that there's no simple solution to this problem.
Thanks
Daniel
Ger Hobbelt wrote:
On Mon, Jan 19, 2009 at 10:47 AM, Daniel Mentz wrote:
Please note that I can not solve this problem via the protocol that I use on
[...]
the fact
Hi everybody,
how can I detect a dead server with *DTLS*?
I'm developing an application (IPFIX exporter and collector) that only
*sends* data using DTLS over UDP. Imagine the collector (DTLS server)
crashes and comes up again. The exporter (DTLS client) does not notice
the fact that the serve
14 matches
Mail list logo
