Re: ssl handshake with multiple tcp connect?

On 8/25/2011 6:04 AM, Arjan Filius wrote: Hello, today i ran into a situation, where i notice firefox/chrome and gnutls-cli use 3 tcp sessions to get a single ssl session, where openssl s_client takes only one. one tcp session is what i expect, and i hope someone may have an explanation. comp

Re: Simple question: Maximum length of PEM file?

On 7/26/2011 10:16 PM, Katif wrote: Can you tell me what are the application dependency factor here so we'll be able to chase a limit? It is used as an RSA key exchange certification/private key pairing. Thanks... Maximum RSA key size supported. Extensions supported. DS __

Re: Simple question: Maximum length of PEM file?

On 7/26/2011 4:38 AM, Katif wrote: I need to know in advance the maximum length of the following three PEM formatted files (excluding the -BEGIN/END lines): It's application-dependent. There is no answer in general. DS _

Re: Query Regarding usage of SSL_Connect()

On 7/14/2011 6:17 AM, Amit Kumar wrote: Hi team, I am using SSL_Connect() in one of my projects and this SSL_connect is returning a value of -1. With SSL_get_error() i can see it is *SSL_ERROR_WANT_READ ?* * * * Now i am not understanding why this can come and if this is there then sho

Re: SSL_read returns SSL_ERROR_WANT_READ

On 7/11/2011 3:18 PM, Carla Strembicke wrote: The server recieves the encrypted data and sends to the lower level and where it is pumped into the SSL structure ( which is using these memory buffers) using the BIO_write call ( I acutally see that bytes are written into it) and the buffer looks

Re: Replacement of functions that operate with sockets

On 6/22/2011 3:20 AM, ml.vladimbe...@gmail.com wrote: Where can I find this example with BIO pairs? I can't understand only with openssl's documentation how to work with BIO pairs. I will be grateful for the help. Look in ssl/ssltest.c, in the doit_biopair function. DS _

Re: Replacement of functions that operate with sockets

On 6/21/2011 2:53 AM, ml.vladimbe...@gmail.com wrote: Jim, for me the main goal to replace functions that operate with sockets is performance. I want to use OpenSSL with Windows IO Completion ports. The method that you suggest is very interesting but the main is not achieved - OpenSSL is still w

Re: Replacement of functions that operate with sockets

On 6/21/2011 2:40 AM, ml.vladimbe...@gmail.com wrote: The fourth function is SSL_EncryptUserData, which encrypt our own application data before we can send their to secure channel: int SSL_EncryptApplicationData(char *buf_in, int buf_in_len, char buf_out, int buf_out_len, int *need_buf_out_len)

Re: Replacement of functions that operate with sockets

On 6/15/2011 11:57 AM, ml.vladimbe...@gmail.com wrote: Hello. By default OpenSSL itself works with sockets. I would want to implement operation with sockets without admitting it to OpenSSL. I.e. for example, when OpenSSL wants to write down something in a socket, it should cause my function and I

Re: Why my SSL_Connect() hangs at times?

On 6/11/2011 8:52 AM, kali muthu wrote: I have Linux Server which has been connected with a Windows XP client using SSL Sockets. I am able to read and write through those sockets. Good. Recently my calls to SSL_Connect() waits for long time. And yes I am using in Blocking mode. My search on

Re: SSL Communication using BIO

On 5/23/2011 1:59 AM, Harshvir Sidhu wrote: David, So are you suggesting that i change the approach in my Code. Hard for me to give you a useful answer without seeing your code. If your code tries to treat OpenSSL as a filter, expecting input and output to correlate, then yes. If your cod

Re: SSL Communication using BIO

On 5/22/2011 5:10 PM, Harshvir Sidhu wrote: Previously I have used SSL_XXX functions for performing SSL operations. Now i have am working on an application which is written in Managed C++ using callback functions(BeginReceive and EndReceive), and SSL_Read function is not working for that. So

Re: How do calculate the

On 5/18/2011 3:27 AM, G S wrote: I'm probably being obtuse here, but I don't see how encrypting your request with a public key would help you with your original problem. What stops a rogue app from doing the same encryption? They can't see what the parameters are. So what are they

Re: Clients glomming onto a listener

On 5/10/2011 2:10 AM, John Hollingum wrote: I have a service written in Perl, running on Linux that presents a very simple SSL listener. When this service is hit, it identifies the connecting node from its certificate/peer address and just sends some xml to them containing data from some files i

Re: Multiple connection from 1 client

On 5/9/2011 1:45 PM, Eric S. Eberhard wrote: > int setblock(fd, mode) > int fd; > int mode; /* True - blocking, False - non blocking */ > { > int flags; > int prevmode; > > flags = fcntl(fd, F_GETFL, 0); > prevmode = !(flags & O_NDELAY); > if (mode) > flags &= ~O_NDELAY; /* turn blocking on */ >

Re: Multiple connection from 1 client

On 5/9/2011 6:27 AM, Harshvir Sidhu wrote: Also i suspect, that if i change the socket to non blocking, then my current read write code will not work. i mean the one in which i use FD_SET and select to perform operations. Thanks. It's very easy to get things wrong and it won't work unless

Re: OpenSSL and multithreaded programs

On 5/5/2011 10:01 AM, Chris Dodd wrote: Is the OpenSSL library supposed to be at all reentrant? I've had odd problems (intermittent errors) when trying to use OpenSSL in a multithreaded program (multiple threads each dealing with independent SSL connections), and have apparently solved them by

Re: RSA_private_decrypt across processes

On 5/4/2011 9:14 AM, Ashwin Chandra wrote: Okay I read the complete bug report and it looks like there is a fix in the latest openssl. However I checked it out and it limits the maximum time RAND_poll will take to a second. 1000ms. Is there any other way to speed this up? Populate the OpenSSL

Re: How to create threaded pool with OpenSSL

On 5/3/2011 11:31 AM, derleader mail wrote: Hi, I found OpenSSL server code which uses threds in order to process clients. Is it possible to create connection pool with OpenSSL. There is no information about this on openssl.org How I can add threaded pool to this code? http://pastebin.com/pkDB7

Re: Cannot encrypt text - need help

On 5/1/2011 3:31 AM, derleader mail wrote: So I need a high performance solution that can handle many connections with little server load. 1. SSL is a good solution but is not high performance - it's more suitable for encryption of a web page. When establishing connection more that 100 connecti

Re: Cannot encrypt text - need help

On 5/1/2011 1:34 AM, derleader mail wrote: I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part We mean application protocol. while (1) { sock = accept(listensock, NULL, NULL); printf("client connected to child thread %i with p

Re: Cannot encrypt text - need help

On 4/30/2011 10:48 AM, derleader mail wrote: Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen(). Is there other solution? Are you designi

Re: Combining MD5 and SHA-1 to reduce collision probability

On 4/20/2011 1:18 AM, Luc Perthuis wrote: Hi all, I'm specially interested on finding a way to uniquely identify rather small data chunks (less than or equal to 128*1024 bytes in size) without using a byte per byte compare. Is there any theoretical proof for a "good" selection of 2 HASH (comput

Re: RSA key

On 4/13/2011 2:35 AM, pattabi raman wrote: *1. If I can't use sprintf then how can I copy the enrypted message to a character buffer. Bcoz so far I am sending the request to middleware in Char Buffer using TCP /IP socket. How can I able to achieve now.* ** If you don't know how to copy bytes o

Re: RSA key

On 4/11/2011 6:36 PM, Adrian D. Sacrez wrote: > I'm fairly new to OpenSSL. How do I convert the rsa generated > ry rsa_keygen_ex() into a public and private key? > Is there a way to do that? I assume you mean RSA_generate_key_ex. It already is. The purpose of this function is to generate a new

Re: does OpenSSL call locking-callback/thread-id-callback from any internal threads?

On 4/10/2011 3:03 PM, Anton Vodonosov wrote: The question: if I provide locking_callback, will it be called only from the threads where I invoke OpenSSL functions, or OpenSSL may call it from some private/internal threads not created by me? Since there's no callback to create a thread, OpenSS

Re: Examples to encrypt/decrypt

On 3/25/2011 4:17 PM, Jeremy Farrell wrote: From: Jeffrey Walton Sent: Friday, March 25, 2011 8:45 PM On Fri, Mar 25, 2011 at 3:56 PM, Anthony Gabrielson wrote: This will do what you want: http://agabrielson.wordpress.com/2010/07/15/openssl-an-example-from-the-command-line/ memset(p

Re: BIO_do_accept() + fork() is leaking 64B?

On 3/25/2011 2:33 PM, Michal Stawinski wrote: 2011/3/25 David Schwartz: I don't know of any elegant solution. But there's a way that works. Open a file descriptor or socket you don't care about (for example, open /dev/null). Then 'dup2' that file descriptor

Re: BIO_do_accept() + fork() is leaking 64B?

On 3/25/2011 3:50 AM, Michał Stawiński wrote: //freeing popped client BIO in parent would disconnect client in child, //so I can not free it, which will cause 64B memory leak //parent: BIO_free ( b=client_bio ) : 1 //??? I don't know of any elegant solution. But there's a way that works.

Re: How to handle "Expired" or "not yet valid" X.509 certificates - or simply is the system date wrong?

On 3/22/2011 9:07 AM, Steffen DETTMER wrote: When some entity verifies a certificate, finds a valid signature etc but the current date is not between "Valid From" to "Valid To", meaning the certificate seems "not yet valid" or "expired", what is recommended to do? It depends what you're doing.

Re: data size issue with SSL_read( ) / SSL_write

On 3/17/2011 7:43 AM, ikuzar wrote: I am confused. When I used a simple c++ program which uses SSL functions for the first time, I need not implement a protocol. when I tell SSL_write( ) to send 5 bytes and tell SSL_read( ) to read 10 bytes, the last reads 5 bytes ! ( doesn't it ? am I wrong ?

Re: data size issue with SSL_read( ) / SSL_write

On 3/17/2011 6:40 AM, ikuzar wrote: Why do we expect \r\n ? why not \0 ? That's why you need to implement a protocol. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: data size issue with SSL_read( ) / SSL_write

On 3/17/2011 5:00 AM, ikuzar wrote: The problem : when I print data, I have got : HELLO��y0�y 0�y��y i`�

0�y ������L���L��-M etc... instead of HELLO. in MYrecv, when I make L = 5, it works what should I do to read just the right size so that when I print I get HELLO, GOODBYE, etc .

Re: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

On 3/7/2011 4:19 PM, Yan, Bob wrote: Thank you very much, David, In general, if the application use "select/poll" system function to > check the readable of underline BIO and invoke the SSL_read/SSL_write > only if there are data available on the socket, can the deadlock still > happened? No

Re: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

On 3/7/2011 2:45 PM, Yan, Bob wrote: My question is that if my Reader thread gets a SSL_ERROR_WANT_WRITE error from SSL_read function call, can my Writer thread do the SSL_write operation right after the Reader’s SSL_read operation? Yes. > Or, if my Writer thread gets a SSL_ERROR_WANT_READ e

Re: BN_mod_mul_montgomery() causing cpu spike

On 3/5/2011 6:23 AM, prakgen wrote: > and linked it against openssl-fips-1.2. Everytime time sshd is spawned, the cpu utilization shoots up and remains high (40% to 90%) for around 5 seconds. "Doctor, it hurts when I do that." "Then don't do that." Well "Doctor", I need to do that. Then i

Re: BN_mod_mul_montgomery() causing cpu spike

On 3/2/2011 10:23 AM, prakgen wrote: I've enabled fips in sshd (OpenSSH 5.5p1) Why? > and linked it against openssl-fips-1.2. Everytime time sshd is spawned, the cpu utilization shoots up and remains high (40% to 90%) for around 5 seconds. "Doctor, it hurts when I do that." "Then don't do

Re: SSL_connect( ) want read

On 3/3/2011 6:50 AM, ikuzar wrote: Hello, I have got a SSL_ERROR_WANT_READ after a call to SSL_connect. I 'd like to know what should I do exactly ? Thanks Retry the connect operation later, ideally after confirming that the underlying socket is readable. DS ___

Re: SSL_write( ) fails

On 3/2/2011 9:55 AM, ikuzar wrote: 3) I come back to the SSL_write( ). He wants to read( ). The doc says : " Caveat: Any TLS/SSL I/O function can lead to either of *SSL_ERROR_WANT_READ* and *SSL_ERROR_WANT_WRITE*. In particular, |SSL_read()| or |SSL_peek()| may want to write data and |SSL_write(

Re: Registration

On 2/25/2011 5:03 PM, John R Pierce wrote: the root certificate in question is not in either Google Chrome's list of CAs, or in Mozilla Firefox's list. "AC-SSL da ICPEDU" is the Root CA, issuing a certificate to www.icp.edu.br The Root Certificate appears to be one locally generated... CN=AC-

Re: Registration

On 2/25/2011 11:59 AM, Michael S. Zick wrote: On Fri February 25 2011, Ricardo Custodio wrote: Veja www.icp.edu.br Interesting, I get a "server certificate fails authentication" from the above address. You haven't chosen to trust the CA that issued it. Keep in mind that when the person of

Re: Expiration date of a STARTTLS certificate

On 2/20/2011 6:42 PM, Bharani Dharan wrote: Hi, I want to find following details but getting error. Errors are highlighted in RED. Kindly advise. # echo "" | openssl s_client -connect server:25 -starttls smtp > certificate gethostbyname failure connect:errno=0 Presumably the name of the ser

Re: problem in ssl connection with server

On 2/2/2011 9:13 PM, praveen kumar wrote: i got this error,they configured port 8000 for ssl but still i cant get problem where it is? Can any one help me where is the exact problem? Their server doesn't correctly support SSL negotiation. You can make it work by disabling TLS1 negot

Re: RSA_generate_key function

On 1/31/2011 5:37 PM, Ashwin Chandra wrote: I would like to call this function to generate the same public/private key everytime. I thought all I had to do was create the same seed using RAND_seed each time, however I still keep getting different key pairs. Is there any way to have RSA_generate

Re: [FWD] problem in privete key

On 1/31/2011 12:25 AM, Lutz Jaenicke wrote: Dear friend This is praveenkumar working as a app developer from Linkwell telesystems,hyderabad,India. i have a problem in ssl while hitting the server with the certificate provided by server.i am using openssl tool in linux. When

Re: Intermediate CA

On 1/12/2011 3:19 PM, Jijo wrote: Hi All, I hope this a basic question for you guys.. I'm trying to setup TLS connection between Client and Server. In the server i did following things, 1. Created a selfsigned rootCA 2. Created IntermediateCA and signed with rootCA. 3. Create a Server Certific

Re: [openssl-users] Re: How to disable index and serial?

On 1/12/2011 6:48 AM, Mark H. Wood wrote: Oh, now I'm curious. How do they test the randomness of a single sample? "1" is every bit as random (or nonrandom) as "0xdcb4a459f014617692d112f0942c89cb". They don't validate the number itself, they validatet hat the method by which the number was

Re: How to disable index and serial?

On 1/11/2011 7:02 AM, Fredrik Strömberg wrote: (For the curious: I don´t need serial because I only identify with CN, and I don´t need a database because I will never revoke any certificates.) The problem is, everybody else identifies by serial. So unless you don't plan to interoperate with a

Re: openssl socket

On 12/29/2010 1:11 AM, Esimorp E wrote: Hi all, I tried changing the one-to-one socket type in OpenSSL to one-to-many by changing SOCK_STREAM to SOCK_SEQPACKET and it compiled fine but while trying to run other program on it I had the following error: bss_dgram.c(236): OpenSSL internal error, ass

Re: SSL cert chain validation & timestamp issues

On 12/20/2010 10:49 AM, travis+ml-open...@subspacefield.org wrote: So a friend ran into this lately; libnss, at least on Linux, checks that the signing cert (chain) is valid at the time of signature - as opposed to present time. (It may check present time as well - not sure on that) This is

Re: How to find the other end can support SSL or not

On 12/17/2010 1:41 AM, Kingston Smiler wrote: Is there any way to identify whether the other end supports TLS or not. There is no way we could know the answer to this question. We have no idea what your other end is, who designed it, or how. My requirement is like this. If the other end su

Re: SSL shutdown

On 12/2/2010 2:36 AM, Aarno Syvänen wrote: Hi List, I have problem with SSL_shutdown. Advice seems to be to call it again, if the return value is 0. However, this means that shutdown can hang forever. Can I just call SSL_shutdown and go on ? You can go do other things and try to shut the con

Re: Handshake split across multiple TCP connections

On 11/29/2010 2:34 AM, A. N. Alias wrote: I've been using IE, Chrome and Firefox as clients for a test SSL/TLS server. This works fine with Firefox, which uses a single TCP connection for the TLS handshake and subsequent communication. However, IE and Chrome seem often to send different parts o

Re: Question regarding OpenSSL Security Advisory

On 11/18/2010 7:26 AM, Pandit Panburana wrote: I am not clear about the condition that vulnerability when using internal session caching mechanism. Is it the same thing as TLS session caching or this is some thing different? The internal session caching mechanism caches TSL session information

Re: problem with "pem" file, no start line. centos.

On 11/18/2010 12:50 AM, Steve yongjin Shin wrote: -BEGIN RSA PRIVATE KEY- ...omitted.. -END RSA PRIVATE KEY- -BEGIN CERTIFICATE- ...omitted... -END CERTIFICATE- ===

Re: Question regarding OpenSSL Security Advisory

On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote: Hi, I had some questions about the latest security advisory. I understand that this applies to multi-threaded application while using ssl sessions. Correct. If the application is written thread safe using CRYPTO_set_locking_callback functions

Re: Force ASN.1 encoding routines to keep existing encoding

On 11/6/2010 7:44 AM, Martin Boßlet wrote: I just tested, whether the BER-encoding is preserved if I do not alter any of the contents. Unfortunately, it seems as if the encoding is not preserved. I did the following: d2i_PKCS7_bio(file,&p7); and then directly i2d_PKCS7_bio(file2, p7); again.

Re: SSL_connect and SSL_accept deadlock!

This may be a stretch, but did you confirm the socket is within the range of sockets your platform allows you to 'select' on? For example, Linux by default doesn't permit you to 'select' on socket numbers 1,025 and up, though you can have more than 1,024 file descriptors in use without a pro

Re: SSL_connect and SSL_accept deadlock!

On 11/2/2010 6:25 PM, Md Lazreg wrote: r=select(m_sock_fd + 1, &fds, 0, 0, ptv); if (r <= 0 && (Errno == EAGAIN || Errno == EINTR))/*if we timed out with EAGAIN try again*/ { r = 1; } This code is broken. If 'select' returns zero, checking errno

Re: FIPS mode - fails to read the RSA key

On 10/6/2010 5:01 AM, john.mattapi...@wipro.com wrote: Thanks Steve, I used the following commands to create the certificate using the openssl built with FIPS support openssl genrsa -des3 -out wv-key.pem 1024 openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365 Do I miss any optio

Re: Set Time out for SSL read

On 9/30/2010 11:39 PM, Raj wrote: Can you please let me know how can I set time out as a whole. I think you are mentioning about SSL_CTX_Set_timeout function. If it is so then I have set the time out using this function, and sadly I didn't get the expected result. There are a lot of ways. The

Re: Set Time out for SSL read

On 9/29/2010 11:41 PM, Raj wrote: Hi All Is there any method to set time our for SSL _read function. As from the Open SSL document SSL_read will not return if there is no data to read from the socket You really shouldn't need this. If you know for sure that it's the other side's turn to trans

Re: where is the memory being held

On 9/27/2010 4:13 PM, Scott Neugroschl wrote: As David said, yes. On the other hand, you could re-implement malloc() and free() for your platform. There's really no way to make that help very much. It might help a little, but the fundamental problem is this: If you want to implement each 'ma

Re: where is the memory being held

On 9/26/2010 11:14 PM, zhu qun-ying wrote: Does it mean that it is hard to change the behavior? Yes, because it's not implemented in any one particular place. It's a fundamental design assumption throughout OpenSSL that it's aimed at general-purpose computers with virtual memory subsystems.

Re: Does OpenSSL have any plans of supporting SSL_read / SSL_write on the same SSL_S from multiple threads?

On 9/25/2010 9:31 AM, Jayaraghavendran k wrote: (a) Does OpenSSL plan to support this feature in any of it's future releases? (Or does any of the releases already support it? I went through the Change Logs, but couldn't find anything), If no, why not? I can't answer whether there are any plans

Re: where is the memory being held

On 9/24/2010 11:05 AM, zhu qun-ying wrote: I think I should clarify something here. The app is running > in a small device that does not have virtual memory (no swap space) and the memory is limited (256/512 M). > In peek connections, it may use up to 90% of the system memory, > and when con

Re: where is the memory being held

On 9/23/2010 11:42 AM, zhu qun-ying wrote: Hi, I have an SSL apllication, that it suppose to run for a long time. After some time of running, I found the usage of the memory is growing. I stop all SSL connections and checked all SSL * has been freed but it could not release the memory back

Re: Creating Extended Validation SSL Certificates

On 9/23/2010 7:16 AM, Gumbie wrote: Can someone explain what is needed to create and EV (Extended Validation) Certificate? I have been trying to research this and have found limited information on this. Only one document that was of any help -àhttp://www.cabforum.org/EV_Certificate_Guidelines.

Re: SHA-1 Hash Problem with i2d_Pubkey()

On 9/12/2010 11:38 PM, Raj Singh wrote: issuer_pubkey_len = i2d_PUBKEY(pubKey, NULL); issuer_pubkey = malloc(issuer_pubkey_len); i2d_PUBKEY(pubKey, &issuer_pubkey); memory_dump("issuer_pubkey", issuer_pubkey, issuer_pubkey_len); The problem, is issuer_pubkey buffer is different each time, I run

RE: Connection Resetting

Sam Jantz wrote: > It's multi threaded with non-blocking I/O.  I'm not sure exactly what > you mean by socket discovery, but I think you are asking how my program > determines when something is ready?  If that's the case then my program > uses a select statement to watch the file descriptor to se

RE: Connection Resetting

> I'm writing a SSL proxy (which is working great except for this issue) > and every time I got to attach a file in an email the connection resets, > and it gets caught in an infinite retransmit loop. There are two totally different ways you can make an SSL proxy, and to figure out your issue, w

RE: Man in the middle proxy - Not working

Raj wrote: > I have tried one more method to read the data from the socket, > which was > partially successful it is defined as follows > do > { > dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); // Gets > the > data from the server side > SSL_write(SourceSsl,pBuff,dwRead

RE: SSL/TLS with server names picked from DNS

Sandeep Kiran P wrote: > We dont have any control on how the server generates its certificates. > As said earlier, we only control the client portion of SSL/TLS. > Sites where our client application runs, is handed over the location > where trusted CA certs are stored and thats all we have.   > Se

RE: Man in the middle proxy - Not working

Raj wrote: > Thanks for all the response > 1. I was able to do the handshaking successfully with the > browser. > On receiving the request from the browser I will send "HTTP OK " > response > back to the browser, I was able to do the handshaking and read the > actual > GET request. >

RE: Man in the middle proxy - Not working

Rene Hollan: > Oh! I totally misunderstood this. > I thought OP wanted to MITM SSL sessions (which is possible, if > (a) the traffic is decrypted, (b) certs are reissued and resigned, > and (c) the client TRUSTS the modified cert chain (typically its > root cert)). > This is just HTTPS Proxy. In

RE: Man in the middle proxy - Not working

Alexey Drozdov wrote: > Hi! > > When your setup proxy setting for browsers, they using HTTP CONNECT > method for establish pure tcp-connection via proxy (not for local > resources). > It's seems like: > > Client send HTTP-request to proxy > CONNECT remotehost:port HTTP/1.1 > Host: re

RE: Why does my browser give a warning about a mismatched hostname

> I generated the ssl request, I signed it in my CA (openssl) and > uploaded > signed certificate back to device. > I generated also ca.der and uploaded it to my Internet browser. When I > trying open ilo my browser give a warning about a mismatched hostname. > > I'm accessing this device via IP a

RE: handling SSL_ERROR_ZERO_RETURN from SSL_read

Amit Ben Shahar wrote: > Hi, > > The documentation specifies that SSL_ERROR_ZERO_RETURN is returned if > the transport layer is closed normally. > My question is, how should i handle this return code? > specifically should i call SSL_free normally to free resources, or are > resources already fr

RE: question about max length string to encrypt with rsa 2048

Chuck Pareto wrote: > My group is using RSA with a key thats 2048 in size. > We want to encrypt strings that are longer then this > key size gives. > If we switch to a key that is 4096 what is the max > string length we can encrypt? is it double? No, no! You are doing this all wrong! RSA is an

RE: Smime decrypting passin argument with windows shell

fatalfr fatalfr wrote: > Thank you for your reply. Actually I use > -passin (email editing problem ?) > Complete command line working fine in cmd is > the following one :   > openSSL> smime -decrypt -in OUT\TEST_OK.TXT -out OUT\OK.TXT > -inkey SBE\sbe-test.key.pem -passin pass:tn!;bg+xy:tABrP1Y&Z

RE: blowfish failing after around 1k input data...

Charlie wrote: > His algorithm has one part that doesn't seem right to me, but changing > it made things even worse. It seems weird that the "Final" function is > inside the main for loop. It seems like "final" should mean... final. > (ie: after the looping is done). It's quite common that fix

RE: Segfault when encrypting

Hannes Schuller wrote: > > I'm very puzzled here. Why do you sign the reply and then sign a hash > > of the signature? You say "Message encryption successful", but that's > > a signature you're doing, not an encryption. > I was under the impression that RSA_private_encrypt and > RSA_public_encr

RE: Segfault when encrypting

Hannes Schuller wrote: > hash = (unsigned char *)malloc(RSA_size(rsa) * sizeof(unsigned char)); > ciphertext = (char *)malloc(RSA_size(rsa) * sizeof(char)); > signature = (char *)malloc(RSA_size(rsa) * sizeof(char)); > if (ciphertext != NULL && signature != NULL && hash != NULL) { > memset(

RE: max length to encrypt

Chuck Pareto wrote: > I'm not sure what you mean by "shouldn't be using public-key > encryption", why? Because you don't understand its properties, so there's no way you can know whether or not it meets your security requirements. > It seems like .Net sets up a nice class that is easily > impl

RE: OpenSSL Error Handling

Pankaj Aggarwal wrote: > I am able to think about the following approaches :   > 1. Keep a record a threads which are spawned.   > 2. Expose a function from our library for cleanup when the thread exits  > Is there any other way to avoid the memory leak caused by error queues ? There are severa

RE: max length to encrypt

Chuck Pareto wrote: > if my public key is 256 bytes long, what is the max length > of the string I can use to encrypt? Is it 256? If the output is exactly 256 bytes, there are (in theory) 2^(256*8) possible outputs. That means there can be at most 2^(256*8) possible inputs. There are more than

RE: compilation problem for xscale.

Rusty Carruth wrote: > I would have thought that OPENssl, for which I have the source, would > have met the requirements to use the _GPL symbols in the kernel. The requirement is that the module claim that it is available under the GPL by containing a specific license declaration. You can fix thi

RE: AES-256 CBC encrypt/decrypt usage problem

Kunal Sharma wrote: >What I see happening is this: >ENCRYPT - size of /etc/rgconf on disk is 157043 bytes >ENCRYPT - size of /etc/rgconf_encrypted on disk is 157044 bytes. >BROWSER saves the file to disk - size is 136 bytes (How ???) You called 'strlen' on something that was not a string, so it

RE: AES-256 CBC encrypt/decrypt usage problem

Kunal Sharma wrote: void encode2(char *inbuf,char *outbuf) { unsigned char key32[] = "As different as chalk and cheese"; unsigned char iv[] = "As dark as pitch"; AES_KEY aeskey; memset(outbuf, 0, sizeof(outbuf)); AES_set_encrypt_key(key32, 32*8,

RE: openssl enc block size

Johannes Baeuer wrote: > Why would a 16 byte block need to be padded by one byte to 17 bytes? Is it really not immediately obvious? No encrypted output for one or more bytes of input can be less than 16 bytes. Thus the smallest possible output sequence is 16-bytes. The number of possible encrypt

RE: Is it not possible to decrypt partial AES messages?

Christina Penn wrote: > Hello David,   > Can you show me exactly how to break up my example code to make my example work? It's really simple. When you want to decrypt a message, call EVP_DecryptInit_ex. For each chunk of data you want to decrypt that is part of the message, call EVP_DecryptUpda

RE: Is it not possible to decrypt partial AES messages?

Christina Penn wrote: > Here is some example code of me trying to decrypt a partial AES message. > It doesn't work.. is there a way I can do something like this? It only works > if I call DecryptMessage() with the entire encrypted string. Why? Your DecryptMessage function is specifically designe

RE: Verisign client requirements

Piper Guy1 wrote: > > This is precisely what a browser does. Again, using the > > "https://www.amazon.com"; example, OpenSSL takes care of getting the > > certificate from the server, making sure the certificate is valid, > checking > > that the server owns the certificate, and making sure the >

RE: Multi Threaded questions

Sad Clouds wrote: > > 1) According to the FAQ, "an SSL connection may not concurrently be > > used by multiple threads". Does this mean that an SSL connection can > > be used by different threads provided access is limited to one at a > > time? > I assume that having a mutex for each SSL objec

RE: Verisign client requirements

Piper.guy1 wrote: > Hi, > > Please understand I'm a newbie to security if my question sounds > rather elementary. > > The embedded product I'm working on requires a secure connection to > our server that uses a Verisign certificate to authenticate. I've been > porting the OpenSSL examples from

RE: Pre Master Secret Regarding

Aravinda babu wrote: > During SSL/TLS handshake,a pre master secret is sent from client to the > server by encrypting pre master secret with server's public key. > From that both client and server derive master secret and finally one > symmetric key. My doubt is, why both cannot use pre master se

RE: Random Numbers

P Kamath wrote: > I said it is an RNG, not cryptographic RNG. By adding current time > source, > however crude, and doing a sha1/md5, why should it not be cryptoPRNG? > What > properties should I look for? You should look for a cryptographically-secure random number generator. Seriously, you sh

RE: Shorten the timeout for openssl s_client?

Todd Thatcher wrote: > Using the command  “openssl s_client –connect gmail.google.com:443” > openssl gets the certificate information and stays connected until I enter QUIT, > or the timeout is hit -- about 2 minutes later.   I want to script certificate > expiration date checks for out servers. I

RE: Sign an SSL certificate with mutile trusted roots?

Rene Hollan wrote: > I guess I'm just dense and stupid. Won't that fail since the CA > IC cert won't be signed by the CA cert identified as it's issuer? Yeah, I think you're right. I made the same mistake I was trying to convince the OP not to make -- thinking that CAs sign certificates. The pub

RE: Sign an SSL certificate with mutile trusted roots?

Ooops, tiny mistake: > Again, the "fake IC" is a certificate signed by the manufacturer's CA > with no AKID. This part was incorrect. It should read "with its SKID". So the short version is: Simply have the manufacturer's CA sign the CA's IC. Use that IC along with the CA's IC in the server. It s

  1   2   3   4   5   6   7   8   9   10   >