Hi All,
I am trying to build a regression suite for the known vulnerabilities
published by OpenSSL. For some of the CVEs, I am facing issues generating
test data.
Is there test data available anywhere for the known CVEs for re-use?
Any help would be appreciated.
--
Regards,
Girish
I am facing the same issue and getting the same error on FreeBSD 9.1 as below.
FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not
match:fips.c:232:
The only thing different is that I am using openssl-fips-2.0.5. Did anyone get a
solution for this problem?
--Girish
Hi,
I am trying to compile the OpenSSL DLLs using VC++ on Windows XP - I am
using Microsoft Visual C++ 2008 Express Edition
I downloaded and installed the ActivePerl in C:\Perl.
While running the nmake command, I get following error -
Building OpenSSL
perl util/copy.pl ".\.\e_os.h" "t
particular
hardware device.
I don't think there are any free implementations. Usually the vendor from whom
you buy the accelerator hardware provides sample code that can be used without
issues with OpenSSL...
YMMV
regards,
Girish
--
Linux is for folks who hate Windoze.
FreeBSD is for folk
inctly remember how it is done in IPsec code in OpenBSD...
I oversimplified it, but not too far from the real thing.
regards,
Girish
--
Linux is for folks who hate Windoze.
FreeBSD is for folks who love UNIX.
OpenBSD is for fol
ntion that HMAC has a secret key associated with it so
that you cannot forge MD5 or SHA1 digests.
This is done by simply appending the key to the digest input.
regards,
Girish
--
Linux is for folks who hate Windoze.
FreeBSD is for folks who love UNIX.
OpenBSD is for folks who ca
eciated.
>
> This violates the purpose of the controls, if you don't want to mandate
> an encrypted channel, change the Sendmail configuration to not require it.
You don't stand to gain much by not encrypting and only authenticating.
There is no piecemeal security solution.
Best,
ernet Live Conferencing).
The only difference between data encryption and voice encryption being that
voice is very very delay sensitive and data is very very loss sensitive. So UDP
is used for voice and TCP for data.
I am not quite clear if SSL is used for VoIP. I doubt. One possibility is
DTLS
On Thu, Oct 19, 2006 at 12:14:55PM +0530, Kaushalye Kapuruge wrote:
> Hi,
> I tried to get the base64 encoded result of a SHA1 digest. But the
> result is not compatible with the same operation in Java. Also I tried
> to use a javascript function. It is matching with the result of the Java
> imp
is one of the keys in the schedule.
The way the input block interacts with the round key therefore is not a one to
one relationship...
Sorry my knowledge stops there as things are misty right now. It is close to 6
years since I took an interest in these things. :-)
Best,
Girish
__
ems to
> be a headache for me.
It is impossible to suggest anything since you have
not given enough detail. What is it that you are
trying to do? Please send the code snippet.
If the client is crashing it could be a simple buffer
overflow issue. Most crashes are caused by this.
--- Florian G otter <[EMAIL PROTECTED]> wrote:
> Added code:
>
> if(SSL_set_cipher_list(m_ssl,"EXP-RC4-MD5")==1)
> {
> cout << "setting cipher went okay" << endl;
> }
> else
> {
> cout << "cipher not set" << endl;
> }
>
Don't use EXP- ciphers!
__
uarantees good
> security as long as the
> user's private keys are not compromised.
>
> Of course, you could go for some creative combos
> like having two private
> keys for one public key with simple X-ORing and so
> on ...
>
> Remember what I told you is just a conceptua
I wasn't able to find the
> definitions
> of MD5_Update() and MD5_Final().
>
This is no problem. OpenSSL may not be the right place
if you want only MD5 or SHA1. I did much better by
taking it from some other standalone utility in
FreeBSD. Unfortunately I don't have those
lues should be
> given
> for these fields?
>
> Thank you very much.
Are you sure you want to squeeze in the entire OpenSSL
library into your Blackfin processor?
What is it that you want?
It will be worthwhile to just do a surgical removal of
the requisite parts...
Do you want SS
nfo on PBKDF2 many
thanks for that. Just quickly though in point 3 does
that mean I should use ECB mode or not if I am going to
split the file and send two parts to
different locations?
Girish:
You should avoid ECB mode at all costs. Always go for
CBC mode. ECB mode is just too easy to crack.
I will
mean that they are correct ? - Is there a problem
> with the certificate /
> key ? - Could the problem be somewhere else ?
>
> Many thanks
If you could be kind enough to post the client and
server source code, I could gladly debug it for you.
:-)
regards,
Girish
>
> Florian G ott
--- "Buicliu, Ion VSA:EX" <[EMAIL PROTECTED]>
wrote:
> Thank you Girish, I understand now. The
> combination: encrypt with
> public key - decrypt with private works.
>
> What we are trying to do is to place an encrypted
> file on our ftp server
> for a sp
TOH, if you want to do public key decryption then you
could do first encrypt with the client's public key...
Since I am not quite clear what is it that you want to
accomplish, I can only tell you this much that if you
encrypt with public key, you decrypt with private key
and vice versa.
re
--- [EMAIL PROTECTED] wrote:
> Hello openssl-users,
>
> I generate an RSA key-pair like this:
> openssl genrsa 1024
> And put its output into a PEM file.
> Now I need to read both private and public parts
> of the key-pair
> into an RSA object in a program.
>
> This is how I try h
flag should I set to avoid this
> formatting?
>
> Please comment.
> Thank you in advance.
>
If there is no solution u shud be happy with a
workaround. If I were you I would do something like
$cat pem-file | tr -d '\n' > pem-file-oneline.pem
HTH,
Girish
> --
/libcrypto.so.4 ->
> libcrypto.so.0.9.7a
> [EMAIL PROTECTED] ~]# rpm -qf /lib/libcrypto.so.0.9.7a
> openssl-0.9.7a-43.8
>
> I don't suppose that this is a known issue?
Recently someone in freebsd-questions@ was having a
similar issue though his core dump was in
ersion of OpenSSL headers.
Try adding -I/usr/include/openssl or some such to a
recent version to your CFLAGS. Make sure you install a
recent version of OpenSSL first.
Best,
Girish
>
> Regards,
> Jaya
--- "Bhat, Jayalakshmi Manjunath"
<[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I am trying to compile openssl.9.8a on HP-UX. I am
> getting errors
>
> ../../include/openssl/pem.h:610: parse error before
> `RSA'
> ../../include/openssl/pem.h:611: warning:
> return-type defaults to `int'
> pem_all.
n "perl Makefile.PL".
It didn't work against 0.9.8. Maybe someone else can
look into it?
I don't have time to do more digging. Please excuse
me.
But I think this should get u going at least.
regards,
Girish
>
> Cheers, Jon.
>
>
___
--- Robert Butler <[EMAIL PROTECTED]> wrote:
> Okay, that works, I get an OK from OpenSSL, but now
> I'm getting other,
> more cryptic errors-
>
> DEBUG LEVEL: 7 (Dump to Screen)
>
--
> [EMAIL PROTECTED]:~/stunnel# sbin/stunnel
ou get it when you send another packet is
the notification you get for the "another packet", not
for the previous remnant. Obviously when reading you
have to read the remnant first.
In other words it is not possible to do what you plan
to achieve.
In fact it is not even guaranteed
at OpenSSL wants an infile when
> generating this file. Has
> anybody had experience with this? Can anybody help
> me out here?
I think if you set your openssl.cnf file properly and
get rid of the password prompt "man openssl" u shud be
set.
vim /etc/ssl/openssl.cnf or some such thing
H
--- Marten Lehmann <[EMAIL PROTECTED]> wrote:
> Hello,
>
> how can I view the information that are contained in
> a CSR, KEY or
> CRT-file? E.g. for which hostname a cert is issued,
> when it will expire,
> who is the company it is issued for ...
man x509
For eg,
$ openssl x509 -text -noout
-- Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> If you installed it to /usr/local/ssl/bin, and you
> have changed
> directory to /usr/local/ssl/bin, then the most
> likely scenario is that
> you do not have "." in your $PATH.
>
> I consider it a security risk to have the current
> directory in your
ris.
Once it finishes,
run
#locate bin/openssl
Then once you figure out the actual path, add it to
your PATH env variable in your .profile or equivalent.
You are all set then.
Best,
Girish
>
> Is there any environment variable or anything else
> to be set ?
>
ending it again.
HTH,
Girish
> did find one
> example on the web from a project call cfengine that
> uses EVP but when
> compiling gives me LOTS of linker errors (linking
> against libeay32MD.lib
> or ssleay32MD.lib) which I acquired via the
> precompiled binaries from
> Shinin
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Sat, Jul 22, 2006, Bu Bacoo wrote:
>
> > Thanks you both... after correcting my
> BIO_do_connect (and all
> > read/write following it) -> adding retries (as
> Girish pointed), it
> &g
ill now. However you
have to keep trying in a while loop until
BIO_do_connect() succeeds. That is the way non
blocking IO works.
HTH,
Girish
>
> BIO* pBio = BIO_new_connect((char*)conn.c_str());
> BIO_socket_nbio(BIO_get_fd(pBio,NULL), 1);
> BIO_do_connect(pBio); //returns -1
>
Moreover you should
check for decrypt errors since if you don't follow
padding conventions most of the time you will know by
checking the result of decryption.
Padding is handled transparently by evp interface. If
you use AES_* functions, you have to manually add and
remove padding. It is easy to
Don't know the specifics but you do need all certs
till the root CA for verification in the web of
trust model.
You navigate up and up with the issuername matching
the subject name until both are same.
HTH
--- "Michael P. Soulier" <[EMAIL PROTECTED]>
wrote:
> Marek Marcola wrote:
> > Maybe
Do you know stunnel ( www.stunnel.org ) ?
You could use that to setup https tunnel.
man evp will give u enuf info on encrypting strings
with OpenSSL.
OpenSSL really is the definitive resource for
cryptography. :-)
Please find attached my code. It may be of use.
regards,
Girish
--- "Ma
Excuse me if I am saying the obvious.
But did you factor the fact that an SSL renegotiation
or handshake can happen anytime during the
conversation?
Irrespective of whether you are doing SSL_read or
SSL_write... That is why you have to check for pending
write during a SSL_read and vice versa in
In a blocking socket when a network read freezes, it
is normal. It only means that nothing arrived on the
socket.
You got to take a look at the MSN protocol. With HTTP,
it might be sending a TCP FIN or something which is
why it is working in that case...
--- Robert Olsson <[EMAIL PROTECTED]> wro
I am afraid few can help u with this. "man 3 rsa" on a
linux/*BSD system might help u.
The code samples at www.opensslbook.com have couple of
samples IIRC
All the best!
regards,
Girish
--- Neil Dugan <[EMAIL PROTECTED]>
wrote:
> Hi,
>
> OpenSSL newbie here, I am loo
You urself answered it just now! :-)
The client doesn't matter, so you can connect to
s_server...
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> > Well ... In that case,
> > A] how is it that s_server and s_client can
> > communicate
> > 1) Using the same ssl library
> > 2) Using the same certif
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> Hi,
> Thanks for the reply.
> > Urjit,
> > >
> > > I got it working once I replaced
> > > "EXP-DES-CBC-SHA" with
> > > "DES-CBC-SHA"
> > >
> > > I think you might have to do something special
> to
> > > enable export quality ciphers.
> > >
> >
> > Th
Urjit,
I got it working once I replaced
"EXP-DES-CBC-SHA" with
"DES-CBC-SHA"
I think you might have to do something special to
enable export quality ciphers.
regards,
Girish
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> Hi,
> I have attached the sample
evp" will help. Also you will
find a couple of good books with examples.
http://www.opensslbook.com
For signing you need PKI and is more elaborate than
just encryption.
HTH,
Girish
--- Kaushalye Kapuruge <[EMAIL PROTECTED]> wrote:
> Hi Steffen,
> Thanks for the reply.
&g
Yes, u can use setsockopt(...TCP_NODELAY) before
SSL_set_fd(). OpenSSL doesn't care about Nagle.
regards,
Girish
--- Leandro Gustavo Biss Becker
<[EMAIL PROTECTED]> wrote:
> Hello
>
> Can I disable Nagle algorithm using OpenSSL? My
> application always send
> entir
If you could send me the source I could debug it for
you
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> Hi Girish,
>
> Thanks for replying.
>
>
>
> I am specifying the ssl method as SSLv23_method()
> while creating the SSL context. As I understand, the
> met
I am guessing here, did you check the methods you
specified in SSL_set_ssl_method() ? Most
interoperability problems are caused due to this.
Since some cipher suites are not supported in some
protocols it might be a good guess. :-)
HTH,
Girish
--- Urjit Gokhale <[EMAIL PROTECTED]>
IPsec
source tree too. There are plenty other.
HTH,
Girish
--- Marek Marcola <[EMAIL PROTECTED]> wrote:
> Hello,
> > Is there any other C/C++ libraries (except
> openSSL) supporting SHA-512?
> Many, you may look for example at:
>
>
http://www.koders.com/c/fidDD35D1386FBE5
rmats using the x509 command
again. In general PEM format is much more convenient
than DER.
regards,
Girish
--- "Bhat, Jayalakshmi Manjunath"
<[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have created a certificate certficate.cer, to
> which I have
> p
portable as a bonus.
You may read the paper by Jonathan Lemmon on kqueue()s
advantages over select(). Select() gets horribly
inefficient as the number of file descriptors
increases.
HTH,
Girish
--- Darryl Miles <[EMAIL PROTECTED]>
wrote:
> Krishna M Singh wrote:
> > We are usi
I think ur HP UX box is not able to get enough random
data to seed its PRNG. Consider using the -rand option
as suggested by the error message or figure out what
is different in HP UX. Maybe the devices
/dev/(u)random is not configured properly
randomness is very imp for cryptography
--- Matthew
TED]> wrote:
> how come ? plz explain.
>
> On 6/13/06, Girish Venkatachalam
> <[EMAIL PROTECTED]> wrote:
> >
> > bcoz d2i resolves to d2i_X509() , not to
> > d2i_PrivateKey
> >
> > --- �� ���� <[EMAIL PROTECTED]>
> wrote
bcoz d2i resolves to d2i_X509() , not to
d2i_PrivateKey
--- �� ���� <[EMAIL PROTECTED]> wrote:
> when i use PEM_read_PrivateKey find it work error
> ,so i look into
> PEM_read_PrivateKey to find the reason.
> first i find in
> #define PEM_read_PrivateKey(fp,x,cb,u) (EVP_PKEY
>
The IV is used only for decrypting the first block
since after that the first block serves as the IV for
the second block and so on.
To answer ur question, the IV has to be known at both
sides along with the key.
regards,
Girish
--- Wai Wu <[EMAIL PROTECTED]> wrote:
>
> Do
AFAIK it uses something called NSS, which is another
SSL implementation.
http://www.mozilla.org/projects/security/pki/nss/
HTH,
Girish
--- Dan M <[EMAIL PROTECTED]> wrote:
> What does Firefox use for SSL? Is it a custom
> implementation, or does it
> use something similar t
might want to
vary the seed somehow using getpid() or gettimeofday()
or better, using /dev/random or /dev/urandom.
And random number generation has to be verified to
make sure that what you are getting is truly random.
All the best!
regards,
Girish
--- "Allan E. Johannesen" <[EM
the ENGINE interface is the hardware interface of
OpenSSL. If you are not using any crypto hardware you
can safely
#define OPENSSL_NO_ENGINE
CRYPTO_cleanup_all_ex_data() is defined in ex_data.c
file. Make sure your compiler picks up the definition
from there...
--- Namrata Patil <[EMAIL PROTECTED
,
Girish
--- Aidaros Dev <[EMAIL PROTECTED]> wrote:
> Dear all,
> What are the requirements for using Openssl crypto
> algorithms without
> openssl installation?
> For instance, i want to separate and compile HMAC
> code without errors
Looks like I have not understood your problem.
Why do you have to do an SSL_read() to figure out if
it has closed? SSL_write() will fail if the other side
closes...
--- michael Dorrian <[EMAIL PROTECTED]> wrote:
> Here is the relevant code. The problem is in this
> do_client_loop. I need to rea
helps.
regards,
Girish
--- michael Dorrian <[EMAIL PROTECTED]> wrote:
> Not boring at all and thank you for your detailed
> reply. I guess the last part of my question was
> pretty vague. I just wanted to know how the
> diffie-hellman and RSA public key algorithms work
> together.
ryption as mere transposition and
substitution.
Also this is what explains why an RSA keysize of 2048
is roughly equivalent to an AES keysize of 256 bits.
Hope I haven't bored you.
regards,
Girish
Padding is a standard enforced by encryption algos and
protocols and independent of language...
I suggest you use the openssl enc command line to
verify the padding with Java.
It will certainly work. Actually DES padding scheme is
very simple. It is only 4 lines of C code.
regards,
Girish
Sorry if I sound too obvious.
Actually I think you need to allocate space for the
buffer, try with
unsigned char buf[4096] or something.
I am sure you have tried it ...
regards,
Girish
--- vipin rathor <[EMAIL PROTECTED]> wrote:
>
> hi all,
> i need to fetch the th
I tried your code and I had a suspicion that using the
*_ex() functions along with *() functions can cause
trouble. Which is what has happened in your case.
Here is the correct code for your reference. You are
supposed to stick to either Init_ex() , Final_ex()
functions or Init() ,Final() functio
very small number for you to run into
this sort of problem. I suggest you try some other
approach for attacking this problem.
Hope this helps.
regards,
Girish
--- "Henry Yip (hyip)" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a SSL server program that accepts SSL
hex output as words
are reversed but you can easily see the
correspondence.
Hope this helps.
regards,
Girish
--- uno wand <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I've been pulling my hair for two days, trying to
> figure out why a msg
> encrypted in Java
> can
best!
regards,
Girish
--- Doug Frippon <[EMAIL PROTECTED]> wrote:
> Hi all,
>I'm trying to get a win2k interpolate with a
> OpenBSD 3.8 using ISAKMPD.
> The problem is I get a "no keystate in ISAKMP SA"
> error.
> I suspect that my certificate are not wel
performance and security with
AES.
If I were you I wouldn't use any cipher other than
AES.
regards,
Girish
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 02, 2006, ?? wrote:
>
> > Dear friends I use OpenSSL's speed command testi
.
write() or read() will return a 0 or -1 on a closed
socket, so you stand to lose nothing by ignoring
SIGPIPE.
regards,
Girish
--- Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> SIGPIPE is a remnant of BSD attempting to overlay
> UNIX socket (named
> pipe) semantics onto TCP/IP conne
--- Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> SIGPIPE is a remnant of BSD attempting to overlay
> UNIX socket (named
> pipe) semantics onto TCP/IP connections. If the
> socket that you are
> writing to is a socket (or pipe), AND the pipe is
> closed, then you
> receive a SIGPIPE.
>
> In this
standard practice.
Best,
Girish
--- Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> SIGPIPE is a remnant of BSD attempting to overlay
> UNIX socket (named
> pipe) semantics onto TCP/IP connections. If the
> socket that you are
> writing to is a socket (or pipe), AND the pipe is
> cl
The standard practice is that of ignoring SIGPIPE in
all TCP servers.
signal(SIGPIPE,SIG_IGN);
OpenSSL cannot help you here because the problem
occurs at a lower level(TCP).
I remember seeing this line in the ssh server source
code as well.
regards,
Girish
--- Alberto Alonso <[EM
using SSL_CTX_set_timeout() or something.
regards,
Girish
--- JCA <[EMAIL PROTECTED]> wrote:
> Two questions: First, what is the default session
> ID reuse timeout for
> OpenSSL? Second, is it possible
> to specify that timeout in a system-wi
If all you need is to add an IP address, e-mail or FQDN
SubjAltName extension then this utility may help.
Do let me know if this is what you need and then I can
mail the program that I have.
HTH.
regards,
Girish
--- Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> ...you can't, without re
to give
some info.
http://crypto.stanford.edu/~nagendra/projects/dtls/dtls.html
Once you get familiarised with TLS DTLS should not be
much different I guess.
All the best!
regards,
Girish
--- Pjothi <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> I am a student and am tr
Try calling EVP_CIPHER_CTX_cleanup(&ctx) at the end...
--- Felix Dorner <[EMAIL PROTECTED]> wrote:
> Hi,
>
> the following code executes once, and does fine.
> Calling the function a
> second time gives a segfault during the call marked
> by "-->"
>
> unsigned char *encrypt_message(unsigned cha
Dear Kadir,
Did you enable mod_ssl while building httpd?
Is mod_ssl listed in "httpd -l"?
Most likely httpd doesn't recognize the directive
"SSLEngine" since mod_ssl is not able to see it.
Hope this helps.
Also this mail belongs to Apache mailing list. :-)
regards,
works non
interactively.
The key is specifying -batch and -passin
pass:
You could verify it first on the command line with
$ openssl ca -batch -in -days 365 -passin
pass: -out cert.pem
Hope this helps.
regards,
Girish
--- Sandhya <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I need to
the format of
messages, not sending some of the messages etc.
I am not using HTTPS as it is not a web application!
Can you pls let me know if i can do anything other than this to format the
messages and send the same to the SSL client?
Thanks a lot
regards
girish
From: Gilad Finkelstein
, but not the negative test cases.
Can anyone pls help to resolve this problem.
thanks and regards
Girish
Can u pls let me know the exact error message which it is giving?
Which certificate r u using for the SSL Communication? And also give me the
cipher details which u r using?
Have u written your own server application or using some readymade stuffs?
regards
girish
From: [EMAIL PROTECTED]
Reply
s a bug in one of those pkcs7_ routines. Is
there a workaround for this problem?
We are using Openssl 0.9.6c 21 Dec 2001 version.
Any help is greatly appreciated.
Thanks and regards,
Girish
Hi,
The FILE pointer corresponding to stdout,stdin and stderr gets corrupted in
Windows NT when we use openssl.
Is there a way out ?
kind regards,
Girish V
__
OpenSSL Project http
Hi samaritans and friends,
Is there a port of openssl on VxWorks? If not, what will be the
difficulty in doing the same? Has anyone attempted it?
Thanks in advance for the help.
kind regards,
Girish V
87 matches