lieve there’s a good reason for it.
> Anyway, thanks for your answer!
>
> Regards
> Matt
>
> On 18. 11. 2022, at 17:13, Kyle Hamilton wrote:
>
>
> X25519?
>
> On Mon, Nov 14, 2022, 05:23 ORNEST Matej - Contractor via openssl-users <
> openssl-users@openssl.org>
X25519?
On Mon, Nov 14, 2022, 05:23 ORNEST Matej - Contractor via openssl-users <
openssl-users@openssl.org> wrote:
> Hi all,
>
>
>
> I need to implement support for X52219/X448 for DH key exchange (and
> Ed52219/Ed448 for DSA) elliptic curves in our project. I need to export
> public key for DH
>From a conceptual perspective, I think "creating a CSR" should be different
than "signing a CSR with a given keypair", and on that reason alone I'd
separate them, allowing some small code duplication.
The difference between "signing with a certified key" and "signing with its
own key" is really j
An EE certificate is an "end entity" certificate, which identifies an
entity that isn't a certifier.
On Wed, Jul 21, 2021, 18:23 Thejus Prabhu wrote:
> Thanks for your reply Viktor. I would like to add that this is a self
> signed certificate created on the server. What is EE certificate?
>
>
>
Also, OIDs for extendedKeyUsage can be defined per-application, so
there's no way to compile a full list of them.
-Kyle H
On Fri, Jul 16, 2021 at 4:23 AM Viktor Dukhovni
wrote:
>
> > On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
> >
> > I am looking for openssl APIs to get all the OIDs associa
If he's trying to muck with the library, he's probably struggling with a
precompiled binary he doesn't have the source code to.
-Kyle H
On Thu, Mar 11, 2021, 11:48 Viktor Dukhovni
wrote:
> > On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
> >
> > I am searching for the functions in openss
If you get SSL_ERROR_WANT_WRITE, call the same function with the same
parameters and same buffer content immediately. (Same with
SSL_ERROR_WANT_READ.)
If you need to, stash those parameters in variables for ease of reference.
But don't do anything else on the SSL layer until you get a different
re
There's another reason why you'll want to close your socket with
SSL_close(): SSL (and TLS) view a prematurely-closed stream as an
exceptional condition to be reported to the application. This is to
prevent truncation attacks against the data communication layer.
While your application may not need
Could this be dealt with by the simple removal of any caching layer
between an SSL_CTX and a directory processed by openssl c_rehash?
Would reading the filesystem on every certificate verification be too
heavy for your use case?
On Sun, Aug 30, 2020 at 7:20 PM Jordan Brown
wrote:
>
> Well, I can
I'm not sure I can follow the "in all cases it's important to keep the key
and cert in the same file" argument, particularly in line with openat()
usage on the cert file after privilege to open the key file has been
dropped. I agree that key/cert staleness is important to address in some
manner, b
It is never recommended to upgrade you distribution's version of OpenSSL
with one you compile yourself. Doing so will often break all software
installed by the distribution that uses it.
If you need functionality from newer versions of OpenSSL, your options are
to upgrade your OS version, or to i
(I'm not an OpenSSL developer, but I know enough of development
processes to explain what I see here. Actual OpenSSL developers
should correct me if I'm wrong.)
Most likely, yes this is currently expected. Since it's a dev branch,
not a release branch, it's not expected to have everything intern
party for me.)
-Kyle H
On Sun, May 24, 2020, 14:59 Kyle Hamilton wrote:
> From glancing at the abstract, https://patents.google.com/patent/US5799086
> looks like it might be the one? It also says that it is expired,
> expiration having been anticipated on 2014-01-13.
>
> -Kyle
>From glancing at the abstract, https://patents.google.com/patent/US5799086
looks like it might be the one? It also says that it is expired,
expiration having been anticipated on 2014-01-13.
-Kyle H
On Sun, May 24, 2020, 11:54 Salz, Rich wrote:
>
>- In any case, I am unaware of any existin
There are two ways to handle multiple authorizations needed:
1) Secret data is shared across multiple locations/holders, or
2) Secret data is stored in a trusted system which itself requires multiple
authorizations.
You could perhaps put together multiple trusted systems, each of which has
a share
application/pkix-pkipath
Defined in RFC4366 (section 8) and RFC6066 (section 10.1)
PkiPath ::= SEQUENCE OF Certificate
Within the sequence, the order of certificates is such that the subject of
the first certificate is the issuer of the second certificate, etc.
(It's also defined in ITU-T Recomm
There is a format that puts all DER certificates into a single
DER-formatted structure. It is called PKIpath, and it's defined as
`SEQUENCE OF Certificate`. The problem with it is that its order was
standardized by X.509 2001 TC1 to begin with the root and continue to the
leaf, which is backwards
If you need multiple certificates in a single DER structure, you're looking
for something to create a "PKIpath". I've never heard of curl requiring
such, though. Chances are it will handle the PEM chain just fine.
What curl command line are you trying to use?
-Kyle H
On Thu, May 21, 2020, 18:00
Is there a way to have OpenSSL's command line generate OCSP responses
for every entry in index.txt, without having to go through the process
of generating a blank (no-nonce, unsigned) request and then generating
a response to each one for each serial number therein?
-Kyle H
On a tangent, this file format (and order) was actually finally
standardized as "application/pem-certificate-chain" by RFC 8555
section 9.1 (the Automatic Certificate Management Environment
protocol, or ACME).
On Wed, May 6, 2020 at 2:59 PM Michael Wojcik
wrote:
> Get rid of the call to use_certi
Note: This is better asked on the CentOS support forums, since it asks
about changes that CentOS made to OpenSSL.
This is an unsupported configuration, and will be overwritten if you audit
or reinstall the crypto-policies package. Also, I haven't looked to see
where /etc/crypto-policies/back-ends
32 bytes means you're signing using RSA-WITH-SHA-256, yes?
tbs is the digest value you calculated, tbslen is the size in bytes of
the digest.
-Kyle H
On Tue, Apr 7, 2020 at 1:07 PM Jason Proctor wrote:
>
> Esteemed cryptologists,
>
> Question regarding the "tbslen" parameter to the sign and ver
ssl_prefer_server_ciphers on;
On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan
wrote:
>
>
> On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
> michael.woj...@microfocus.com> wrote:
>
>> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
>> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_
Be aware that you just posted your certificate's private key, and thus you
should regenerate a new keypair/certificate to use. Otherwise, anyone who
can manipulate traffic to your machine can execute a man-in-the-middle
attack.
-Kyle H
On Fri, Feb 14, 2020, 07:40 Jason Schultz wrote:
>
> Than
A CSR is self-signed to provide what's called "proof of possession" -- that
is, proof that the requester possesses the private key to the claimed
public key. It doesn't act as a CA in that case, because the CSR is not an
actual Certificate structure.
-Kyle H
On Thu, Jan 30, 2020, 18:26 Douglas M
No, it's not possible,to use a webserver certificate to issue other
certificates of any kind. (Oh, it is technically possible with openssl to
create certificates which might seem valid on the surface -- just use the
webserver key to generate a self-signed CA certificate with the same
Subject as is
OpenSSL is a toolkit, not a full implementation. More importantly, it is a
library, so anyone who can link against it can perform all operations that
the library can support, and the library has no concept of role separation
built in.
As such, the 'openssl' commandline tool allows the use of any
You might be able to set this in the equivalent of /etc/ld.so.conf and
rerun ldconfig(8), but those specific operations rely on the GNU dynamic
linker. The only clue that suggests it may be GNU's dynamic linker is the
LD_LIBRARY_PATH environment variable name. If it's not, you'll have to
look up
If a CA signs a certificate without proof of possession of the private key,
the CA is enabling whoever does have that private key to look as though
they are the one who they sign the certificate for (i.e., impersonation).
The entire structure of PKI (the binding of the public half of a keypair to
s
Also, on question b: No. You need to build a compatible version of openssl
as specified in the User Guide, and link that version. FIPS_mode_set()
tells the library to always and only use the implementations in the FIPS
canister; the canister does not replace the library entirely.
-Kyle H
On Wed
Step a. needs to verified the digest with an existing FIPS 140-2 validated
cryptography implementation. Otherwise, to my understanding, this is the
correct sequence of events.
Do note that after building the fipscanister.lib, you will want to digest
it and print it on a certification letter that
o capture why something is failing.)
>>
>> Good luck.
>>
>> -Kyle H
>>
>> On Mon, Jun 10, 2019, 03:34 Giovanni Fontana <
>> giovanni.fontan...@gmail.com> wrote:
>>
>>> The unmodified version works. As I said, it's sure the issue is
t; so what is missing are the following files:
>
>- libssl.map
>- libcrypto.so
>- libssl.so
>
>
> Il giorno dom 9 giu 2019 alle ore 19:30 Kyle Hamilton
> ha scritto:
>
>> Can you try building an unmodified version of the tarball, and see if it
>>
Can you try building an unmodified version of the tarball, and see if it
has a problem?
-Kyle
On Sun, Jun 9, 2019, 07:31 Giovanni Fontana
wrote:
> Hello Kurt,
>
>
>- it's perl 5, version 26, subversion 1 (v5.26.1) built for
>x86_64-linux-gnu-thread-multi
>- ldd (Ubuntu GLIBC 2.27-3u
That's a configuration issue with the servers, not an issue with the
openssl command itself.
There's no information on what the back-end HTTP server software is
being used. If it were Apache, there would be a ServerName directive
that could change the server's idea of what name it should refer to
It appears you could create() a socket, bind() it to the interface you
want to use, possibly connect() it, and then pass it to either
BIO_s_connect() or BIO_s_socket() depending on which meets your needs.
-Kyle H
On Sat, Feb 9, 2019 at 7:21 AM Rajinder Pal Singh wrote:
>
> Thanks Mark for the pr
I would expect that correct results would be provided for all valid
inputs (including those inputs that are not otherwise constrained).
As such, I would class this as a bug in OpenSSL.
-Kyle H
On Mon, Jan 7, 2019 at 7:44 PM Patrick Steuer wrote:
>
> Dear Bo-Yin Yang,
>
> I looked into your felem
sions that permitted
such degenerate cases.
Merry Christmas (or happy holidays!),
-Kyle H
On Sun, Dec 23, 2018 at 5:33 PM Viktor Dukhovni
wrote:
>
>
>
> > On Dec 23, 2018, at 6:01 PM, Kyle Hamilton wrote:
> >
> > You're right, I typoed. SubjectDN is non-optio
5 PM Viktor Dukhovni
wrote:
>
>
>
> > On Dec 23, 2018, at 4:29 PM, Kyle Hamilton wrote:
> >
> > SubjectCN is an operational requirement of X.509, I believe.
>
> You're confusing the DN and the CN.
>
> > It's not optional in the data structure, at a
SubjectCN is an operational requirement of X.509, I believe. It's not
optional in the data structure, at any rate.
-Kyle H
On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson wrote:
>
>
> Salz, Rich via openssl-users wrote:
> > Putting the DNS name in the CN part of the subjectDN has been
>
Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?
-Kyle H
On Sun, Dec 23, 2018 at 3:25 AM Walter H. wrote:
>
> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
> > > >. New certificates should only use the subjectAltName extension.
> >
> >> Are any
Getting the key for any given communication from OpenSSL is definitely
doable if you're not using an engine. If you are using an engine, it may
or may not be even possible.
In any case, maintaining that key once you have it is definitely out of
scope of OpenSSL. As an app developer subject to tha
Because only showing the O= is insufficient, you also need to show the
jurisdiction the O= is based in. (In the case of Amazon, it's a Delaware
corporation.)
The fact that browsers are getting tricked into thinking EV doesn't help is
only because their UX designers refuse to allow the information
CAs *do* verify the attributes they certify. That they're not presented as
such is not the fault of the CAs, but rather of the browsers who insist on
not changing or improving their UI.
The thing is, if I run a website with a forum that I don't ask for money on
and don't want any transactions hap
Wireshark and other packet capture tools can help you determine
exactly what's in the chain sent by the client. If the self-signed
root isn't being sent, then the "self-signed certificate in
certificate chain" error should never have been sent, and a bug report
on that issue would be appropriate.
The DER (Distinguished Encoding Rules of ASN.1, which can be found in ITU-T
recommendation X.680 and X.681) requirement is that if a particular number
is positive, the highest-order bit can never be set (since the
highest-order bit is always the negative sign indicator). The rules further
explain t
I thibk those are all the .asm modules. If they are, you'll probably want
to Configure with no-asm and rebuild in order to get the C implementations.
-Kyle H
On Wed, Nov 28, 2018, 01:07 Vinay Kumar via openssl-users <
openssl-users@openssl.org wrote:
> Hi All,
>
> The 32bit OpenSSL 1.1.0i libra
Generally, you don't want to replace any system-provided version of OpenSSL
with a different version that has a different ABI. The way you've done so
(without deleting the libraries from the older version) is safe, but don't
remove the system package of openssl-1.0.2. Other packages may link to tha
If subjectAltName exists, CN= is not evaluated. All the given
examples should work. (The only exceptions are validators that
haven't been current for more than 20 years.) None of the examples is
correct. CN= should not even be included in the certificate. If it
is, (d) is the closest to correc
...and once again FIPS screws those who don't want to adhere to its
mandates (which everyone in the know has always stated simply reduces
security by requiring the use of less-secure ciphers and implementations,
without allowing patches or modifications to deal with newly-discovered
classes of atta
Probably because the definition of X25519 requires that bits 0, 1, and 2 of
the first byte of the private key are set to 0 before being used, and
OpenSSL counts the number of bits including the highest-order set bit.
(Really, there's an additional 2 bits that are also set to known values:
bit 6 of
Generally, you *really* do not want to replace the vendor-provided
version. Vendors often alter things to be more compatible with their
ABIs, which are the binary interfaces that other programs use to link
to the vendor-provided libraries.
If you find you actually do want to, it's best to figure
> #$ openssl s_server -key privkey.pem -cert server.pem -accept 8446 -verify
> ca.pem
Change the '-verify' to '-CAfile' and it might work.
-Kyle H
On Sun, Mar 4, 2018 at 9:58 PM, salil GK wrote:
>
> #$ openssl s_client -cert tomcat.pem -key tomcat_priv.pem -CAfile
> ca.pem -connect lrc1
rote:
>
>
> On Tue, Feb 13, 2018 at 9:33 AM, Emmanuel Deloget wrote:
>>
>> Hello,
>>
>> On Tue, Feb 13, 2018 at 7:14 AM, Kyle Hamilton wrote:
>>
>> > The only thing that the server can know is whether the client has
>> > terminated
The only thing that the server can know is whether the client has
terminated the connection with a fatal alert. If the client validates
presented cert chains, then its continuation with the connection means
that it passed validation. If the client does not, or ignores any
given error, then it doe
On the algorithmic side of things, the ECDSA algorithm cannot encrypt.
It is signing-only.
In order to use Elliptical Curves to encrypt, you would have to use
the "Elliptical Curve Diffie-Hellman" algorithm to perform a key
agreement. This requires that both the sender and the recipient have
EC k
It's important to note that NSS-based applications (such as Firefox)
will actually categorically refuse to connect to a site with an
Issuer/serial collision with another certificate it has seen before.
So yes, it can cause some applications to fail their SSL connections.
-Kyle H
On Tue, Jan 16,
On Mon, Dec 18, 2017 at 9:59 AM, Colony.three via openssl-users
wrote:
>
> Hear about the HP keylogging case recently? Do you think a keylogger is
> actually used in testing of a keyboard driver, in practice?
Yes.
More specifically, it's used to ensure that the scancodes that should
be detected
On Sun, Dec 17, 2017 at 3:58 PM, Salz, Rich via openssl-users
wrote:
>> If you follow Schnieder, elliptic curve is not an option.
>
> That’s interesting, you have a reference for that?
I'm guessing OP's referring to "Applied Cryptography, 2nd Edition".
There was one page on elliptical curve cryp
SSL alert number 48 is specified in the documents that define SSL/TLS.
It is the code for "unknown_ca", which means that verification failed
because it didn't get set up with the correct CA to verify against.
You might wish to look up SSL_CTX_load_verify_locations(3). There may
also be other API c
4Q? 8X? 1Z?
Those are not octets that can show up in serial numbers.
-Kyle H
On Fri, Dec 1, 2017 at 2:21 PM, FOURES TOM wrote:
> Hello,
>
> When I see SSL certificates, their serial number is like this :
> 0A:8D:9A:4Q:8X:1A:0B:88:18:1Z
>
> So, how could I set my serial file (with serial.old) fo
The -servername [host] is what causes the SNI extension to be sent. I
don't think its sending is put into the debug output. Do you really need it
there?
I'm pretty certain that s_server outputs it in debug output.
-Kyle H
On Nov 26, 2017 18:59, "John Jiang" wrote:
> Hi,
> The following is my
Use a publicly-trusted certification authority, such as Let's Encrypt.
The problem is from the remote side (it's sending the alert that it
does not recognize your certificate issuer).
-Kyle H
On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
wrote:
> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijs
What kind of stateful packet inspection are the NATs doing?
Can you run packet captures on each network that's being translated?
-Kyle H
On Thu, Nov 2, 2017 at 4:23 PM, Paul Greene wrote:
> Yes. I've made captures on both - the production client that I manage and
> the test client I have at hom
Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519?
-Kyle H
On Mon, Oct 23, 2017 at 3:24 PM, Jakob Bohm wrote:
> On 21/10/2017 15:38, Codarren Velvindron wrote:
>>
>> https://tls13.crypto.mozilla.org is using : The connection to this site is
>> encrypted and authenticate
Important caveat: SSL_read() and SSL_write() don't directly return
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. Those values are returned
by SSL_get_error().
I apologize for the misstatement.
-Kyle H
On Sun, Oct 8, 2017 at 5:58 PM, Kyle Hamilton wrote:
> Do you have a reference to wha
) and read() have the means to tell you how much data was
written or read, and that's what you're supposed to use to keep
blocking descriptors from hanging your application, I thought.
-Kyle H
On Sun, Oct 8, 2017 at 6:48 AM, Thomas J. Hruska
wrote:
> On 10/8/2017 4:17 AM, Kyle Hamilt
The way to handle this situation is simply to never enter SSL_read() if
there isn't anything to read on the socket. select() or pselect() are your
friends, here, because they'll tell you if there's data to read from the
underlying file descriptor.
I hope this helps!
-Kyle H
On Oct 5, 2017 02:58
openssl x509 -noout -text -in clientcertificate.pem
You may need to extract the client certificate from wireshark, but you
could also get it from openssl s_server.
Specifically, that error message is suggesting that there's a message
digest encoded into the certificate which is unknown to the tru
On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore wrote:
>
> It's also worth pointing out that CAs are banned from running OCSP servers
> over HTTPS anyway and it isn't needed since the responses are already signed
> - http is fine.
That argument fails when you consider that some people want the
d
Certificate serial numbers must be unique. They need not be sequential or
increasing. (Mozilla's NSS will complain and refuse to work if there are
duplicate serial numbers.)
I tend not to re-use keys, so I've found that putting 20 bytes (while
clearing the high bit) of a digest of the SubjectPub
The short answer is "no".
The long answer is, OpenSSL is not in the business of vetting trust roots.
Its business is ensuring that TLS-secured communications happen correctly
when it is used. If you want an 'endorsed' set of roots, you can find such
from other projects (that have no relation to O
e the dynamic library used by his
application on the devices it is deployed on.
-Kyle H
On Mon, Apr 3, 2017 at 6:22 PM, Viktor Dukhovni
wrote:
>
> > On Apr 3, 2017, at 8:42 PM, Kyle Hamilton wrote:
> >
> >
> > In other words, it is very unlikely that TLS 1.3 ca
Every new version of TLS requires code to be written. Sometimes it can be
implemented in a binary compatible manner, and in those situations you can
get the implementation of a new TLS version by simply replacing a DLL or
equivalent dynamic library. However, it's much more likely that the
impleme
Enhancement request:
make 'pkcs12' support -inform and -outform.
On Mon, Mar 13, 2017 at 9:26 AM, Gary L Peskin wrote:
> Thanks VERY much Michael. That did the trick. This was a homegrown CA
> cert and I needed it to sign a certificate request for testing purposes.
>
>
>
> I didn’t realize th
You cannot keep the certificate from OpenSSL, as that's the piece that you
share with the remote side. This contains the public key, and the
information bound to that public key by the CA.
However, you can keep the private key from being seen by OpenSSL. There
exists what is called an ENGINE int
disable O_NAGLE on the socket?
-Kyle H
On Sat, Dec 10, 2016 at 8:04 AM, Salz, Rich wrote:
> Heartbeats? Yuk, why.
>
>
>
> Most likely, TCP is buffering things until you get a big enough data
> packet. I don’t know how to address that.
>
> --
> openssl-users mailing list
> To unsubscribe: htt
On Thu, Sep 1, 2016 at 3:43 PM, Salz, Rich wrote:
> > The existence of the NSA agreement is a partial answer to the first
> question,
> > though it seems unclear if this license is recursively sublicensed
> through 3rd
> > parties or not.
>
> They knew they were licensing an open source toolkit.
This is compiler-dependent, and because you didn't specify what platform
you're targeting or what compiler you're using, there's no way for us to
provide an answer. Check your compiler's documentation. GCC, for example,
provides software-emulated floating point for platforms without hardware
supp
On 2/12/2016 2:03 PM, Steve Marquess wrote:
> On 02/12/2016 04:26 PM, Kyle Hamilton wrote:
>> I'm not seeing anything about openssl-fips-2.0.11 in
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
>> , so I'm not quite certain what its v
I'm not seeing anything about openssl-fips-2.0.11 in
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
, so I'm not quite certain what its validation/certificate status is?
Also, is a new Security Policy in the works integrating the new HMAC
digests for the new versions of -
f I use config script.
>
> Thanks,
> Rich
>
>
> On Wed, Feb 10, 2016 at 12:57 PM, Kyle Hamilton <mailto:aerow...@gmail.com>> wrote:
>
> ./config autodetects the platform and such, passing various
> parameters to Configure. So, after you've built the cani
till run
> "./config tips" before run the Configure script, or should I just run
> "Configure fips" instead?
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <mailto:aerow...@gmail.com>> wrote:
>
> My understanding i
On 2/10/2016 12:47 PM, Steve Marquess wrote:
> Since you're required to start with the official tarball, and aren't
> allowed to change the contents of the tarball, not even a teeny tiny
> little bit, there is no point in dumping the tarball contents into
> your local source code management/versi
My understanding is, you must follow the steps given in the Security
Guide *exactly*, with no deviation, in order to produce a validated
binary of the FIPS canister. In other words, you *must not* try to use
Configure when attempting to build the FIPS canister because it does not
match the steps g
On 2/9/2016 12:29 PM, Steve Marquess wrote:
> On 02/09/2016 03:19 PM, cloud force wrote:
>> Hello everyone,
>>
>> Would the FIPS Object Module v2.0 supposed to only work with the vanilla
>> openssl library? If I apply the security patches to the openssl library,
>> should the FIPS Object Module v
I think you would probably do better to contact support for wanguard
than for openssl. Possible issues could involve ABI incompatibility or
library selection incompatibility; since there's no way for us to know
how wanguard is structured (we can't track every product that uses
openssl), they're mo
OpenSSL is written in C. It is distributed as a .tar.gz file, not a
.jar file.
jar is the format used by Java and certain Java Native Interface code,
and is based on the zip file format. It's not generally to distribute C.
tar.gz is a tar archive file (tar being the 'tape archive' program of
UNI
SSL_OP_* are bitmasks.
SSL_CTX_set_options(conn->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
-Kyle H
On 11/14/2014 12:37 AM, Vaghasiya, Nimesh wrote:
>
> Hi,
>
> Thanks for the info.
>
>
>
> (a typo in previous mail).
>
> Could you please confirm whether following will ensure my SSLv23
> method
There's a fair amount of grumbling that I see on Twitter about how
SSLv23_method is confusing -- what it does is the autonegotiation
capability.
So, could it perhaps get a new name (or alias) of something like
SSLnegotiate_method?
What would be the pros and cons of such an aliasing?
-Kyle h
OpenSSL doesn't really have a lot to do with ssh-keygen (though
ssh-keygen might link against libcrypto, SSH is not SSL). You should
probably send to the OpenSSH mailing lists to get help there.
-Kyle H
On 10/12/2014 11:38 PM, Angelos Ching wrote:
> Hi,
>
> Can I always expect the following comm
Generally, a client doesn't bother checking a certificate that's in its local
trust store. The idea is, if it's in its trusted store, there's no need to
verify its integrity, because the administrator already performed that
verification.
Where this might have an impact is if your new certificat
Check the digests used for signing. Windows (after updates) may refuse MD5
signatures on certificates; I would recommend regenerating new certs with at
least SHA256.
-Kyle H
On September 22, 2014 9:34:59 AM PST, "Vellore-Arumugam, Jagdish (Svr
Automation)" wrote:
>Hi,
>
>I am getting a 'Cert
This may sound basic, but have you verified that the firewall on the server is
set up to allow communication from the client? I think Ubuntu's firewall
rejects all traffic to ports that don't match what its installed and configured
packages claim they run on, without external configuration.
-Ky
be more changes to the
>EasyRSA script than he's inclined to make. He has a working solution
>now which seems fine for his purposes.
>
>A cipher option for "openssl req -newkey" wouldn't be a bad idea, but
>it's not a high priority, so I wouldn't e
http://msdn.microsoft.com/en-us/windows/hardware/gg463180.aspx is the spec for
the Authenticode PE signature format.
http://msdn.microsoft.com/en-us/gg463119 is the Microsoft PE and COFF
Specification.
Better download them now before they disappear, they appear to be deprecated in
favor of Win
At least 3DES is *some* encryption. The issue is that peoples' computers are
usually infested with malware; it's better to assume (for a software
distribution) that the disk is compromised, and always encrypt it before
writing.
Perhaps there should be a cipher option for the req -newkey option?
I don't think this is the right place to ask on. This list is for OpenSSL
itself, not the python binding to it.
The PyOpenSSL folks may be watching this list, but this list is probably not
the official list to discuss it.
-Kyle H
On September 8, 2014 8:56:35 AM PST, Eric Chazan
wrote:
>All,
The allocated buffer needs to be sizeof(char *). What's happening is the
address of the buffer (&buffer[0]) gets written to the
pointer-to-pointer-to-char, data. If data == NULL, you're asking to write the
address of the buffer to unallocated memory.
It's done this way because the return value
important feature of OpenSSL (right after
>> actually being a secure SSL/TLSimplementation when used correctly).
>>
>> On 08/09/2014 01:15, Pierre DELAAGE wrote:
>>> Hmm...
>>> Switch strongly and definitely to C++
>>> Not for fancy object programmi
1 - 100 of 861 matches
Mail list logo