ll to the
builtin function with a call to the RSA_X931_generate_key_ex() function,
and/or the struct creation function should explicitly set the rsa_keygen
method. Correct?
Thanks,
Randy
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Possibly do an asndump on a cert that has a friendly name and see what it's
really doing?
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Hopkins, Nathan
Sent: Thursday, December 01, 2011 4:36 PM
To: openssl-users@openssl.org
had
originally asked - limit the library to just "strong" ciphers - most correctly?
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Diffenderfer, Randy
Sent: Wednesday, August 18, 2010 12:43 PM
To: openssl-users@openssl.org
Subject: The best way
What is the "correct" way to limit cipher suite strength, as in get rid of
"weak" ciphers? I am contemplating building an openssl version with no support
for export ciphers, and no support for SSLv2 cipher suites. I tried the config
args of "no-ssl2" and "no-export", and got half the intended
Hi
I was curious if OpenSSL supports the creation of a CMS container and
also supports receiving and parsing a CMS container?
Thanks!!
Randy
__
OpenSSL Project http://www.openssl.org
User
rsion. If I type
'openssl version' at the command line, I see the old version. I assume I have
to change some links to point to the new version, but I'm not sure which ones.
Can anyone help?
Randy G.
Great to hear from another former TOPS-20 user...I worked on TOPS back in the
early 80s, then VMS of course.
Also reverse-engineered (to some degree, more like reverse-compiled) PDP-8
paper tape. All in all, I'll take the docs. :)
Randy
On Dec 2, 2009, at 6:42 AM, Mark H. Wood wrote:
cost could
be unbounded, depending upon
how complex the source code is (i.e., explicit code, or 14 levels of
indirection and C macros that have to be understood).
It sounds like you're making the case for documentation to me....and I agree.
Randy
On Dec 1, 2009, at 2:01 PM, Graham Legge
This is an example of a relatively common use-case that I was alluding to in a
previous email...it would be nice to not have to figure this out either by
guessing, reverse-engineering something, or other sub-optimal form of
development strategy
Randy
On Nov 26, 2009, at 4:03 PM, John R
t how to update the documentation in sync with the available features
and functionality of the 1.0 release.
Randy
On Nov 26, 2009, at 3:35 PM, John R Pierce wrote:
>
>> Finally, the source code IS the only reliable source of documentation
>> (assuming you can trust your compil
organization and possibly editorial support from the core development
team, to be sufficiently usable to keep
users of the toolkit productive. And I reiterate, as a user of the toolkit, I
would be happy to contribute to such a Wiki.
Randy
On Nov 26, 2009, at 1:15 PM, Rene Hollan wrote:
>
a great idea, but would not obviate the
need for the developers of the toolkit to complete the documentation set. I've
spent quite a bit of time with OpenSSL and would be happy to contribute to a
Wiki.
Thanks!!
Randy
On Nov 25, 2009, at 3:13 PM, Will Bickford wrote:
> IMO a wiki w
value than adding any new post 1.0 functionality that probably wouldn't be
(initially) documented either.
Thanks!!
Randy
On Nov 23, 2009, at 6:14 AM, Tim Ward wrote:
> Now solved. You iterate round the STACK_OF(X509) and add them one at a time
> with
>
> SSL_CTX_add_extra_cha
Is the OCSP response verification algorithm described below
implemented exclusively by OpenSSL, or is the algorithm an
implementation
of a particular RFC algorithm?
Thanks!
Randy
On Jul 28, 2009, at 9:41 AM, Dr. Stephen Henson wrote:
On Tue, Jul 28, 2009, Natanael Mignon - michael
That would imply that, when operating in FIPS mode, FIPS sites in the
US Govt. can't import or export certificates.
In the comment below, the phrase "Most browser output...". Is there
any browser that uses FIPS algorithms to import/export
certs?
Randy
On Jun 18, 2009,
ssl regarding
cert extensions.
In your case, because you need to stick with "unmodified" openssl
code, using a command-line operation, this may not
help you as much.
Randy
On Jun 3, 2009, at 11:00 PM, Brad Mitchell wrote:
The thing is, RFC3280 states...
Implementors are warned that
stack).
If the callback returns SUCCESS, then keep going...
If a plugin is not registered for handling unknown extensions, then
maybe the code should follow a configuration flag
that says ["fail" on unknown extension] or [ignore unknown extensions]
Randy
On Jun 3, 2009, at 10:41 P
me know. I'm not sure why Microsoft is marking these
extensions as critical.
Randy
On Jun 3, 2009, at 12:35 AM, Brad Mitchell wrote:
For anyone that cares.
I ran:
certutil -showreg policy
which gave me the registry entry for cert policies:
HKEY_LOCAL_MACHINE\SYSTEM\Curr
hic module itself is FIPS-certified,
and is accessed through the OpenSSL
engine interface, then you could say this "solution" is FIPS
certifiable.
Randy
On May 8, 2009, at 6:22 AM, Bill Colvin wrote:
Try:
export OPENSSL_FIPS=1
unset OPENSSL_FIPS
Bill
-Origin
Just for my own edification, from this thread, it sounds like OpenSSL
doesn't support password-protected
PKCS#7 bundles...is this interpretation correct?
Randy
On Apr 29, 2009, at 6:16 AM, Dr. Stephen Henson wrote:
On Wed, Apr 29, 2009, Mathieu Malaterre wrote:
On Wed, Apr 29, 20
On Apr 2, 2009, at 2:22 PM, Dr. Stephen Henson wrote:
On Thu, Apr 02, 2009, Randy Turner wrote:
Hello list,
Are the ASN.1 functions in OpenSSL "generic" enough to be used for
other
purposes besides reading/writing certificates?
Yes.
I was curious if the ASN.1 code co
, or other protocols encoded in BER/DER?
Just curious how "reusable" the OpenSSL ASN.1 was, and if it's not
"quite" as reusable as I am thinking about, is there a generic library
available? I've tried using "asn1c", but this code seems to break when
I feed
ion, can I just rebuild my application,
pointing at the FIPS openssl libraries or do the API calls into
openssl change (like adding a "FIPS_" prefix in front of each normal
openssl API call).
Thanks!
Randy
dencies on platform is one way
to do this, which may involve source code changes, so you would need
to re-integrate each release of openssl as it comes available.
I anxiously await a response that works within the confines of the
formal (and supported) build system, as I am interested as well.
Folks,
Am trying to sort out "mysterious" TLS setup failures within sendmail.
Are there any runtime symbols I can twiddle to cause the library to be
more forthcoming about what it's doing? Have wandered through sendmail
and he pretty much treats the openssl calls as a black box, with very
little
Openssl-users@openssl.org,
Been trying to get this working for a long time and don't seem to be making
progress.
banana >openssl s_client -connect iguscert.globalpay.com:443
CONNECTED(0003)
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign
International Se
rver CA - Class 3/OU
Can't seem to install these correctly.
I "installed" the cer files in the root pack
ln -s C1_PCA_G3v2.cer `/usr/local/ssl/bin/openssl x509 -hash -noout -in C1_PCA_G3v2.cer`.0
ln -s C2_PCA_G3v2.cer `/usr/local/ssl/bin/openssl x509 -hash -noout -in C2_PCA_G3v2.cer`.0
ln -s C3_PCA_G3v2.cer `/usr/l
I don't see the execution platform given here. Perhaps you might consider
doing an 'strace' (if linux)? Anything that is opened and "secretly"
imported into the program should be discernible from this.
Just a thought...
rnd
-Original Message-From:
[EMAIL
Thanks for the reply.
So what you are saying is that if I encrypt a file with a password
according to my interpretation of PKCS#5/PBKDF2, then it might not
decrypt properly (with the same password) using the command-line openssl
function?
R.
-Original Message-
From: [EMAIL PROTECTED]
[
Ok, it looks like these values are computed from the password...
Is the algorithm for computing the key and IV from the password
published ?
R.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy Turner
Sent: Wednesday, August 23, 2006 1:40 PM
To
be used to decrypt
the file as well. Is the decryption code mentioned above able to find
the original IV used to encrypt the file somewhere in the encrypted file
itself? How does it know this?
Thanks!
Randy
Folks,
For the sake of closure (and finality, one would hope :-) ), the relevant Apache
configuration parameter is "ServerTokens". There is also a spiffy module
available to do just about anything you might desire here: modsecurity.
Works for me...
rnd
-Origina
cking the version of OpenSSL
Randy Turner wrote:
> I would probably consider the publishing of the openssl version on the web
> server announcement message as a security issue.
And some of us would laugh in your general direction ;-)
Exploiters don't need to know, they can just persist
I would probably consider the publishing of the openssl version on the web
server announcement message as a security issue.
Randy
-Original Message-
From: [EMAIL PROTECTED] on behalf of Marek Marcola
Sent: Thu 8/10/2006 2:45 PM
To: openssl-users@openssl.org
Subject: Re: CHecking the
Built once or twice, got the same problem again, can't figure it out again.
New ssl client app, just added this code and get undefined symbol.
SSL_CTX *ctx;
SSL *ssl;
/* Initializing OpenSSL */
SSL_load_error_strings();/* readable error message
Got it, had two different ssl.h files on the system.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy
Sent: Monday, June 26, 2006 10:12 AM
To: openssl-users@openssl.org
Subject: SSL Compile Problem II
This code compiles and links fine. If I
u21)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darryl Miles
Sent: Monday, June 26, 2006 10:14 AM
To: openssl-users@openssl.org
Subject: Re: SSL Compile Problem II
Randy wrote:
> This code compiles and links fine. If I uncomment the SSL_new l
This code compiles and links fine. If I uncomment the SSL_new line I get
"undefined symbol: ssl_x"
SSL_CTX *ctx;
// SSL_new *ssl_x;
/* Initializing OpenSSL */
SSL_load_error_strings();/* readable error messages
*/
SSL_library_init();
Got past this just by including ssl.h first.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Friday, June 23, 2006 8:16 PM
To: openssl-users@openssl.org
Subject: Re: SSL Compile problem
Hello,
> Writing an SSL socket program but wh
openssl-users@openssl.org,
Built or installed various versions of OpenSSL onto three different systems.
Writing an SSL socket program but when I include ssl.h I get the same sort
of errors on all systems like below. This happens even on a new blank c
program.
This is always the line in ssl.h
The discussion below wherein the term "you're screwed" is used seems to
indicate that there is a deadlock situation, which isn't the case. There may or
may not be performance issues associated with the scenario/use-case, but
there's no deadlock.
R
-Original Message-
From: [EMAIL PRO
Title: FW: The *right* way to get "-g" in compiler options
It would appear that the *right* way is to simply stick the '-g' option in the config argument list,
./config -g …
I thought it would be easy… :-)
rnd
-Original Message-
From: Diffenderfer, Ran
Title: The *right* way to get "-g" in compiler options
Folks,
This should be easy!
What is the *right* way to include the "-g" option in CFLAG when building openssl-0.9.8b?
I have several undoubtedly *wrong* ways I can choose, but I'd rather take the high road here…
Thanks,
rnd
Title: "Random" errors in openssl apps
Folks,
Using RedHat ES3.0 stock openssl RPM, for which "openssl version" yields 'OpenSSL 0.9.7a Feb 19 2003', I get "random" SEGVs while doing pk7out or verify operations using "openssl smime -pk7out" or "openssl smime -verify". The discouraging thin
where I need to decide one release or
the other, so I was curious if there was a pros and cons list
or other way about going forward with 0.9.7j or 0.9.8b
Thanks,
Randy
On May 4, 2006, at 7:57 AM, Dr. Stephen Henson wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL version 0.
e surprise (to me) was that *an ASN1 structure* was what was encoded, not just the raw digest info. Hadn't run across the DigestInfo structure before in my travels. Now I know.
Hope this helps the next n00b! :-)
rnd
-Original Message-
From: Diffenderfer, Randy
Sent: Thu
Title: Using OpenSSL Command Line Apps To Generate Signed Digests
Folks,
I am trying to work out a string of command line things that can deal with signatures and any/all intermediate objects.
Using the 'dgst' app, I can generate a digest and a signed digest in either hex or binary with n
versions? (at least for now). Let me know if I have
interpreted the email incorrectly.
Thanks!
Randy
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, March 08, 2006 5:33 AM
To: openssl-users@openssl.org
Subject: Re: A
When you want to operate in this special "CA filtering" mode, you
could hook the OpenSSL certificate validation logic. Your callback
could then implement its own validation logic and return a "reject"
when you see a certificate you want to deny (even though it
interpretation of from what I have gleaned
from the docs and sources.
Randy
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jagannadha Bhattu G
Sent: Tuesday, February 28, 2006 1:42 AM
To: openssl-users@openssl.org
Subject: Re: calling SSL_library_init multiple times
ck". Is this the case? I
didn't see any mutex/user callback support in stack.c.
Thanks!
Randy
I'm assuming it's also possible to statically link/bind (at build
time) engine drivers. Is this the case?
R.
On Feb 16, 2006, at 3:50 PM, Dr. Stephen Henson wrote:
On Thu, Feb 16, 2006, Lech Olmedo wrote:
My intent is trying to add as a new Engine some crypto modules from a
Coldfire dev
Is there any documentation on how I can programmatically create OCSP
requests, ready to be sent on the wire?
Thanks in advance!
Randy
Any information on API configuration of all openssl parameters (no
text files) and certificate validation on a constrained embedded
device is much appreciated.
Thanks!
Randy
Hi Warrick,
For sendmail verify TLS:
openssl s_client -starttls smtp -showcerts -connect MTA.FQDN:25
~R.Gordey
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Warrick FitzGerald
Sent: Wednesday, November 09, 2005 8:38 PM
To: openssl-users@openssl.org
Joe Orton, from the mod_ssl list, submitted this perl script.
His original post:
http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
Works Great!
#!/usr/bin/perl -w
#
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
# Run as ./mkcabundle.pl > ca-bundle.crt
#
my $c
3): see declaration of NETSCAPE_PKEY_it'
Any ideas/suggestions?
Thanks,
Randy Smothers
Sent: Tuesday, December 09, 2003 6:00 AM
To: [EMAIL PROTECTED]
Subject: Re: misc/CA.pl -sign failing
On Mon, Dec 08, 2003, Randy Paries wrote:
> Ah-ha
> cakey.pem is empty.
>
> So what step am I missing?
>
Well CA.pl -newca isn't setting up the directory structure properly
E and it's
most definitely defined. I've set it as a temp file, I've pointed it
at the PRNGd socket. I've tried several other methods as well,
including "openssl rand" or "openssl -rand". Nothing seems to affect
the error, however.
Would som
How do I install a VeriSign certificate using openssl? If there is a site or
if you can point me to a thread in the archive that would be great.
thanks
randy
cd /usr/local/src
Make clean
./config -no-rsaref
make
make test
make install
Does anybody know if that is correct?
Thanks,
Randy
Hello,
I am trying to configure a Red Hat 7 server per a developer's specs. The SSL
specs are:
openssl-0.9.6
Net_SSLeay.pm-1.05
He told me that I need to compile openssl without RSAREF. What are the
steps/commands to use to compile OpenSSL without RSAREF?
Thanks,
Randy Danielson
Active
ne */
struct sockaddr_in peer;/* the remote host's address */
int peerlen;/* filled in by accept() */
struct sockaddr_in myaddr;/* the remote host's address */
int mylen; /* filled in by accept() */
char myip[60];
continue;
}
pthread_mutex_unlock( &mallfree_mutex );
When I open more than three simultaneous threads, my server does a
segmentation fault and crashes. Anybody got any ideas what I need
to do?
--randy
Olga,
The Raven SSL module includes an RSA license to use for commercial
applications.
-Randy
> Ross,
>
> On 27-Apr-99 Ross Foard wrote:
> > Olga,
> >
> > Did you get any responses to this question? Because of
> the unclear (to me)
> > nature of the RSA l