Hi,
seconds after I sent the previous mail, I found the bug in my code. It is
working with Benjamin's suggestion.
Thanks
Jens
On 12/11/2022 11:18, Dirk Menstermann wrote:
Hi Benjamin,
thanks for your response. I updated to 111s and replaced the SNI callback with
the ClientHello callba
:12, Benjamin Kaduk wrote:
On Sat, Nov 05, 2022 at 11:50:18AM +0100, Dirk Menstermann wrote:
Hello,
I did a few experiments with early data but was not successful in solving my
exotic use case: "Using early data dependent on the SNI"
I control the server (linux, supports http2) based
Hello,
I did a few experiments with early data but was not successful in solving my
exotic use case: "Using early data dependent on the SNI"
I control the server (linux, supports http2) based on OpenSSL 111q and use a
recent firefox as client:
1) Setting SSL_CTX_set_max_early_data in the SSL_CTX*
Hi,
I’m using OpenSSL 1.1.1 to issue a certificate and include the AKI by defining
authorityKeyIdentifier = keyid,issuer:always
The issued certificate contains the AKI afterwards with 3 values:
KeyID: issuer's key id
Serial: issuer's serial
Issuer: the issuer’s issuer, not the issuer’s subje
GEN_URI, and
> whose value (as an IA5String) is the url you want, and then point
> distpoint->name.fullname at the GENERAL_NAMES.
>
> And, as before, you can do this multiple times and add additional DIST_POINTs.
>
> Good luck,
> -Dave
>
>
>> On Nov 23, 2
Thanks Dave,
It seems that I do something wrong when filling the STACK_OF(DIST_POINT):
X509_NAME_ENTRY *nameEntry = X509_NAME_ENTRY_new();
X509_NAME_ENTRY_set_data (nameEntry, V_ASN1_IA5STRING /*MBSTRING_ASC*/, (const
unsigned char*) "http://example.com/", 19);
S
Hi,
can anybody share example code to add more than 1 CRL distribution point to a
certificate?
The below works only for one URI:
X509_EXTENSION *ext = X509V3_EXT_conf_nid (NULL, &v3ctx,
NID_crl_distribution_points, (char*) "URI:http://exmaple.com/crl");
X509_add_ext (certificate, ext, -1);
Tha
Hi,
I've trouble with the newest OpenSSL as I'm operating a webserver application
that answers with HTTP1.x and HTTP2.
I registered the ALPN callback and in this the cipher list was adjusted
"SSL_set_cipher_list (ssl, "ECDHE-RSA-AES128-GCM-SHA256")" if H2 was negotiated.
With versions < OpenSSL
Anybody able to help?
Thanks
Dirk
On 10.11.2015 17:09, Dirk Menstermann wrote:
> Hi,
>
> I'm using openssl 1.0.2 (as web server application) and utilize the ALPN
> callback to react on protocols offered by the client. In this callback I need a
> way to get the list of
Hi,
I'm using openssl 1.0.2 (as web server application) and utilize the ALPN
callback to react on protocols offered by the client. In this callback I need a
way to get the list of ciphers that the client sends within the client_hello.
Background is that http2 should only be negotiated if client s
Hi Steve,
as far as I can see this works only if the application embedding openssl is the
ssl client; but how can this be achieved from the server's point of view?
Thanks
Dirk
On 25.03.2015 16:35, Dr. Stephen Henson wrote:
> On Wed, Mar 25, 2015, Dirk Menstermann wrote:
>
Very helpful. Thank you Steve.
Dirk
On 25.03.2015 16:35, Dr. Stephen Henson wrote:
> On Wed, Mar 25, 2015, Dirk Menstermann wrote:
>
>> Hello,
>>
>> which API function can I use to obtain the bit strength of the key exchange
>> (size of the DH or ECDH parameters
Hello,
which API function can I use to obtain the bit strength of the key exchange
(size of the DH or ECDH parameters)?
There is the function SSL_get_cipher_bits, but this is only for the symmetric
cipher, not including the key exchange.
Thanks
Dirk
Hello,
I try to understand which function will be called in FIPS mode to generate an
RSA key. While looking through the code I found two candidates:
RSA_X931_generate_key_ex (in rsa_x931g.c)
rsa_builtin_keygen (in rsa_gen.c)
They seem to use different algorithms, but both contain FIPS-checks lik
Hi,
I just recognized that openssl 1.0.1 prevents setting of alloc, re-alloc and
free functions if compiled with FIPS support. Can anybody give the background,
why this was changed (compared to 0.9.8)?
Thanks a lot
Dirk
Thank you Matt!
On 08.02.2013 16:33, Matt Caswell wrote:
> It is a feature of GCM that the ciphertext (excluding the authentication tag) is
> identical length to the plaintext. Therefore no padding is required.
>
> Matt
>
> On 8 February 2013 14:27, Dirk Mensterm
Hi,
I'm playing around with "EVP_aes_128_gcm". This works, but it seems that EVP_*
does not include padding. Is this expected/needed or did I miss a step?
Thanks
Dirk
Thank you Stephen.
On 04.10.2012 17:34, Dr. Stephen Henson wrote:
> On Tue, Oct 02, 2012, Dirk Menstermann wrote:
>
>> Hello list,
>>
>> is there a way to use ENGINEs in a non-blocking way - meaning for a network
>> operation (remote HSM) the thread can do som
Anybody?
Thanks
On 02.10.2012 15:58, Dirk Menstermann wrote:
> Hello list,
>
> is there a way to use ENGINEs in a non-blocking way - meaning for a network
> operation (remote HSM) the thread can do something else instead of waiting for
> the IO operation to complete?
>
Hello list,
is there a way to use ENGINEs in a non-blocking way - meaning for a network
operation (remote HSM) the thread can do something else instead of waiting for
the IO operation to complete?
Thanks
Jens
Hello Steve,
do you see another way to force the error state?
Thanks
Dirk
On 03.07.2012 10:49, Dirk Menstermann wrote:
> Hello Steve,
>
> On 02.07.2012 19:37, Dr. Stephen Henson wrote:
>
>>
>> As I indicated HEAD won't work as it isn't currently FIPS capable.
>
Hello Steve,
On 02.07.2012 19:37, Dr. Stephen Henson wrote:
>
> As I indicated HEAD won't work as it isn't currently FIPS capable.
OK - I will concentrate on 1.0.1c!
The (largely
> internal use) functions like FIPS_corupt_aes are not exported from the Windows
> DLL at present: do you have a sp
Subject: FIPS in 1.0.1 windows 7 64 bit compile / link problems
>>
>> Anybody able to help me (problem posted below some days ago)?
>>
>> Thanks a lot
>> Dirk
>>
>> On 27.06.2012 14:42, Dirk Menstermann wrote:
>> > Hello,
>> >
>> >
Anybody able to help me (problem posted below some days ago)?
Thanks a lot
Dirk
On 27.06.2012 14:42, Dirk Menstermann wrote:
> Hello,
>
> I tried to build the FIPS version (openssl-fips-2.0.1) on win7 and VS2005
> (command line prompt) using the build target debug-VC-WIN64A and opti
Anybody able to help me?
Thanks a lot
Dirk
On 27.06.2012 14:42, Dirk Menstermann wrote:
> Hello,
>
> I tried to build the FIPS version (openssl-fips-2.0.1) on win7 and VS2005
> (command line prompt) using the build target debug-VC-WIN64A and option
> no-asm.
>
>
'
Stop.
Can anybody help me? With which versions is it supposed to work (win 7 64 bit)?
Thanks a lot
Dirk
On 15.05.2012 22:18, Steve Marquess wrote:
> On 05/15/2012 12:03 PM, Dirk Menstermann wrote:
>> Hello,
>>
>> are the assumptions below correct?
>>
>>
Thank you Steve!
Bye
Jens
On 18.06.2012 19:42, Dr. Stephen Henson wrote:
> On Mon, Jun 18, 2012, Dirk Menstermann wrote:
>
>> Thanks,
>>
>> unfortunately I forgot to include the information that I need to know it from a
>> C program, not from the shell
Thanks,
unfortunately I forgot to include the information that I need to know it from a
C program, not from the shell. Do you also know the solution here?
Thanks
Hello,
Would anybody be so kind as to explain to me how I can read the digest algorithm
(sha1, sha256, other) from a X509 struct that was used by a CA when issuing the
certificate (I am using version 0.9.8).
Thanks
Dirk
Hello,
are the assumptions below correct?
For 0.9.8 I have to use fips123
For 1.0.1 I have to use fips2
For 1.0.0 there isn't a fips implementation.
Thanks
Dirk
Hello Steve,
On 26.04.2012 15:50, Dr. Stephen Henson wrote:
>
> What DH parameters are you using? You can get better performance by tweaking
> the parameters.
>
Can you explain how to tweak the parameters and if this reduces security?
Thanks
Dirk
Hello,
is there somewhere a release schedule for version 1.0.1 published?
Thanks
Dirk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.or
Thanks,
On 14.10.2011 13:16, Jakob Bohm wrote:
>>
> Unfortunately not, I am a security engineer, not a fully trained
> cryptographer/cryptanalyst.
>
> As an engineer I am aware that attacking an algorithm such as RSA is easier the
> more the attacker knows or can control about the input, an
Hello Jakob,
On 12.10.2011 22:21, Jakob Bohm wrote:
>> I know that to sign, I have to take a hash of some document or message but,
>> theoretically, I could encrypt any document? The padding scheme would shrink
>> the message and then could reveal the same message after deciphering?
> The padding
Hello list,
I've questions about how (temporary) RSA keys will be used in a SSL/TLS
handshake. I understand that DH key exchange is the preferred and standard way
to exchange the shared secret. Nevertheless
1) When will RSA key exchange be used? Is this a configuration of the server?
2) Are the
Hi,
on https://developer.mozilla.org/en/Security_in_Firefox_2 I found that FF 2 does
support only curves with 256, 384, and 521. Maybe this is the same for FF 3 and
your 160 bit curve is not supported.
Bye
Dirk
Alex Birkett wrote:
> Hi,
>
> Firefox 3.6.2 supports the TLS_ECDHE_ECDSA_WITH_AES_2
Thank you Dave!
Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Dirk Menstermann
>> Sent: Wednesday, 10 March, 2010 10:57
>
>> when I generate DH parameters with:
>>
>> int bits = 1024;
>> DH *params = DH_generate_parameter
Hi,
when I generate DH parameters with:
int bits = 1024;
DH *params = DH_generate_parameters (bits, DH_GENERATOR_5, NULL, NULL);
Can I then later read the value of the bits parameter from the DH struct?
Thanks
Dirk
Can anybody help me?
Thanks
> -Original Message-
> From: "Dirk Menstermann"
> Sent: 09.12.09 18:22:46
> To: openssl-users@openssl.org
> Subject: Question to SSL_SESSION
> Hello,
>
> I have a problem with the saving SSL_SESSIO
Hello,
I have a problem with the saving SSL_SESSION objects. As there seems to be no
SSL_SESSION_dup function I have created one:
SSL_SESSION* SSL_SESSION_dup (SSL_SESSION *sslSession)
{
SSL_SESSION *newSession = (SSL_SESSION *) ASN1_dup ((int(*)(void
*in,unsigned char **pp)) i2d_SSL_SE
40 matches