The only SSL Java implementation I know of is SSL/J from RSA.
I don't know if it's available outside the US--you might try
www.rsa.com and ask the sales department.
__
OpenSSL Project http://www.ope
If you control both the client and server, you can use Diffie-Hellman/DSA.
The US patent for DH expired in 1997. DSA is patented by the government
but can be used at no charge as long as you follow the standard.
Disclaimer: IANAL etc. Technical note: DH is somewhat less cpu-efficient
than RSA
There are a number of hardware crypto vendors, including
Spyrus, Chrysalis, nCipher. Point your browser to www.{pick}.com
I expect, however, that what you are really interested in
is "where can I get patches that integrate OpenSSL with
crypto hardware?" I d
I'm running SuSE6.0 on Intel with an Apache 1.3.6 server. I
built openssl-0.92, and when I do "make certificate", it
builds one of only 40-bit strength. Is there a makefile tweak
that I need to enable 128-bit certificate generation? I was
wondering where I m
I believe I'm encountering this problem and have been reading over
some of the old messages.
Question: some of the messages say that the fix involves setting
both ssl-unclean-shutdown *and* nokeepalive for MSIE browsers,
while some other messages seem to say it's ok to just use
ssl-unclean-shutd
Stop messing with huge downloads. The easiest way to install Linux
is from a bootable CD. Just put it in the drive and follow the
instructions. You can buy CDs for almost nothing from www.cheapbytes.com.
You cannot apply for a patent for something that has been in
an unpatented product for more than a year, in the US (IANAL etc.).
So RC4 and RC2 are unpatented and will remain so. There was a
patent application for RC5 and that might be what you are thinking
of. I don't know if the RC5 patent was
> If you need a lot of hits/sec (a smart card can't handle
> many) you can use a hardware accelerator like the Ncipher
> (what I'm using) or Rainbow accelerators
and now I'm lost again. Surely the certificate only needs to
be loaded (and therefore the passp
> Netscape servers have PKCS11 support so you can store the key in a
> secure token (i.e. smart card). I think it would be good if modssl
> also supported something like this.
mod_ssl already _DOES_ support this ;) All you've to write is
a program for yo
> Anyway, if you have really serious SSL security
> requirements, this is the kind of stuff you have to use.
> You can't do it with pure software.
Hmm. So I end up with a slow computer which very few people
have reviewed the design of, that I still have to
Correction to previous: Canada has export regulations just like the US.
But stuff can be transferred freely between the US and Canada.
Of course you have more sense than to consider any of that as legal
advice.
IANAL, AFAIK, etc.
In Canada, my understanding is that you are in the best of possible
worlds. You don't have to worry about US export regulations, people
in the US can export to you without worrying about the regulations,
and RSA is unpatented so you don't have to deal with RSA Corp.
Programs that write certs and private keys out to disk
generally put some kind of password protection on them. This
makes sense in connection with client certs where the user can
be prompted for a cert store password. What about cert files
on servers? Is it
Is there anyone who can also share an experience of working
with BSAFE? How does it compare to OpenSSL? I do not mind
using BSAFE if it is reasonable. Anyway we have to pay...
Oh I think you are thinking of RSA's new SSL product, called BSAFE/SSL
or something like that.
Does anyone know the nature of the patents? When will they expire?
The relevant patent is the one on the RSA cryptography algorithm.
It expires in September 2000. It is in the US only. Outside the US,
the algorithm is not patented.
1. If you buy Raven, you're allowed to use it without buying further
licenses for anything. Raven has already licensed BSAFE or made other
such arrangements with RSA. The cost of the RSA license is included
in what you pay to Covalent for Raven.
2. My understanding of BSAFE is that it's a subro
My understanding is:
1) RSAREF is only licensed to be used for non-commercial purposes.
Setting up a web retail site with it, for example, is not permitted.
RSAREF as normally distributed is also extremely slow.
2) BSAFE is a library that you can use instead of RSAREF and
commercial use is OK.
Well the CA *is* preloaded and Verisign just sign a bank subordinate CA
using the global ID root. The subordinate CA can then issue global
server IDs of its own but (presumably) no further global ID CAs because
of a path length restriction.
Stephen, are you saying
But what I'm trying to do is use a (signed) public key to
encrypt some data, ship it off somewhere else, and the
destination to decrypt it with the corresponding private
key. However, it doesn't seem that I'm really able to do that
using the openssl command
>I believe Verisign has certified some US banks to issue their
>own global server IDs by signing a CA certificate with their
>global server root, and with suitable path length protection.
I don't think that helps. In order to be a "step-up CA" you
have to
Yes, you can't use an end user certificate as a CA (well there was this
one broken one you could...) with most software because it isn't marked
as being a valid CA. Either by having the CA flag set to FALSE in
basicConstraints or implicitly because basicConstraints
> and ended up replacing it with another version a while back.
> It didn't crash but it returned incorrect values.
> So maybe that implementation is buggy. I didn't have time
> to figure out what was wrong, back then.
Perhaps you were using SHA*() instead
> Something fancier might be appropriate. There may be
> situations where a different chain is needed depending on
> the browser type. Is it even possible to detect the browser
> type before sending the cert chain?
Huh? Unless I've missed something, the c
> What do you suggest for supporting this in mod_ssl, Bodo?
> Via an explicit SSLCACertChain or whatever directive? Or implicitly?
The behaviour that makes most sense, I think, is if you just have to
append the CA certificate(s) to the usual certificate file.
Some
> Hi, I'm trying to install a GlobalID into the c2 Stronghold server,
> which uses ssleay (forerunner of openssl).
You should send your message to your vendor; [EMAIL PROTECTED] if
you are in the USA or [EMAIL PROTECTED] elsewhere.
I'm perfectly aware of that and
What is special about version 4.04,
and how can I fix things for other versions?
One difference may be that 4.04 has a different set of built-in
Verisign roots than later versions. The later browsers have newer
roots. If your client certs are in a chain signed by Verisign, it
co
[This is mostly the same message as one I just sent to the modssl
mailing list, so sorry if you've seen it twice.]
Hi, I'm trying to install a GlobalID into the c2 Stronghold server,
which uses ssleay (forerunner of openssl).
I'm having a lot of trouble and found some messages about GlobalID's
i
27 matches