Hi all!
> Many public CAs suggest Extended Validation for certificates
> of web servers. [...] I had a talk with a specialist
> of technical support of Thawte [...] He also refused
> to answer how browser determines what bar to display -
> green or yellow?
See thawte Certification Practice St
Hi all,
> Which version of the ANSI Spec, and where did you get a copy?
>
> I have to rely on secondary sources and experience using
> various implementations that claim conformance.
Wikipedia http://en.wikipedia.org/wiki/ANSI_C used to have
a link to a recent draft (free of charge) which is
Hi all!
> > If the library crashes on free(NULL), you're just making
> > people like me do this everywhere:
> >
> > if (ptr != NULL) free (ptr);
ok, if you have a test case "free (NULL)", agreed ;-)
Seems not all platforms conform to the "free(NULL) is a no-op".
I understand your example, thanks
Hi all!
* Jeffrey Walton Sent: Friday, May 25, 2012 4:39 PM
> On Fri, May 25, 2012 at 7:25 AM, Sudarshan Raghavan
> wrote:
> > Ok, I can fix the custom free to take care of this.
> > But, why is this happening in openssl 1.0.1 and not in 1.0.0 or
> > 0.9.8?
>
> I thin
> > With Git, Mercurial and other revision control systems
> > available. Why is OpenSSL still suck on CVS?
>
> Moving a mature project off of CVS is not trivial.
Also, why move at all?
People can develop features with let's say GIT, even
in teams and concurrently, and then checking in to C
* Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100:
[...]
> >>> Or, in other words: Let's assume I have a ultimate root
> >>> (self-signed) "Root" and a branched CA "X". I would like to
> >>> trust "X" and all its children, but not "Root". Is this
> >>> not possible?
[yes, it is not poss
> Since I wait until the SSL_connect() function succeeds I
> wanted to know if there is a better approach.
Yes, there is a better approach, for example the one mentioned
in the manual:
* http://www.openssl.org/docs/ssl/SSL_connect.html
> If the underlying BIO is non-blocking, SSL_connect() will a
> > 4. Truncate the string to your desired file name length, but not so
> > short that accidental collisions become likely (Example to
> > keep up to 16000 file names likely different, use file names with
> > 2 * log2(16000)=2*14=28 bits minimum).
Where can I learn more about this formula?
I th
> can any one please help me regarding this, like how to
> retrieve the SSL pass phrase , or assign a new pass phrase
> for the same private key.
Add all information you remember (possible parts, used characters,
length information) to a key cracking tool, run it and wait?
> > - U1, U2, U3 are end-user certificates, issued by CA1
> > - U1 is revoked, and the CRL is published (lets call it CRLg1)
>
> The problem here is that you can't trust a CRL when its
> signature key is compromised.
I think that this is not the reason.
If a signature key is compromised but
Hi all,
Hi Dominik,
> in a project I maintain I have to deal with OIDs not
> contained within OpenSSL. In particular, I use OpenSSL to
> parse ASN1 encoded data containing OIDs (using the Macros
> from asn1t.h) and do switch-case statements on the resulting
> NIDs. Until now I used to patch Op
> http://stackoverflow.com/questions/6520676/pop3s-implementation-using-openssl-library
char bf[16] = "STLS\r\n";
if (send(c->socket, bf, sizeof(bf), 0) < 1) {
    fprintf(stderr, "[%d] failed writing to auth server socket(ssl_coneect)", getpid());
}
I don't think that
* derleader mail on Monday, May 02, 2011 8:14 PM
> > But what exactly do you want to know? If you can use SSL and
> > Blowfish?
> > It does not appear in http://www.openssl.org/docs/apps/ciphers.html.
> >
> Yes the web site and the book about the OpenSSL is outdated.
Does TLS spec nowadays define
> If I decide to go with openssl and blowfish what are the
> potential threats?
Yes, heaps of.
You might consider asking in more detail.
> Is there another security mechanism that I can use with blowfish?
Of course...
But what exactly do you want to know? If you can use SSL and Blowfish?
It does
* owner-openssl-us...@openssl.org
> What is the purpose of the project?
>
> This is a open source project - I need a way to monitor a
> huge number of servers - monitor CPU load, RAM load, HDD
> load, installed packets and etc.
Why not use http://www.nagios.org/?
> The data which will gathe
* Matthew Fletcher, Wednesday, April 27, 2011 12:40 PM
> I guess that does not 100% rule out DNS/Network stuff, as SSL
> could be doing extra network lookups.
>
> Are there any more SSL diagnostics i can enable to try and
> pinpoint the problem ?
maybe checking with strace -ttt -p ... which op
Hi,
thank you for clarification, Dave!
* Dave Thompson Friday, April 22, 2011 12:34 AM:
> > so among 2^n+1 different messages, at least two of them
> > must have the
> > same 2^n bit hash (actually half because of birthday "attack").
>
> To be exact: for an n-bit or 2^n-value hash, with 2^n + 1
* Luc Perthuis:
> Hi all,
>
> I'm specially interested on finding a way to uniquely
> identify rather small data chunks (less than or equal to
> 128*1024 bytes in size) without using a byte per byte compare.
>
> Is there any theoretical proof for a "good" selection of 2
> HASH (computing the re
> -Original Message-
> > BIO_set_close(bio, 0)
> No, I haven't tried it yet, but it seems this is what I've
> been looking for- clean & neat.
Is it?
Wouldn't this mean that father process sooner or later runs out of file
descriptors?
Shouldn't the father process close(2) and the child -
Hi,
I thought this was already discussed, but I cannot find pointers.
When some entity verifies a certificate, finds a valid signature
etc but the current date is not between "Valid From" to "Valid
To", meaning the certificate seems "not yet valid" or "expired",
what is recommended to do?
I think
* S Mathias wrote on Wed, Jan 19, 2011 at 03:29 -0800:
> Ok. It's a Firefox Add-on:
> https://www.eff.org/https-everywhere
> 3) Can someone trust this Add-on? Is it safe to install/use?
It isn't 100% safe. There always is a risk.
> 4) If it's so great why isn't it more prevalent?
> What's youre o
Hi!
* sandeep kiran p wrote on Wed, Aug 11, 2010 at 20:36 -0700:
> Ours is an LDAP client application that fetches LDAP server names on
> the fly using DNS SRV Resource Records. We then randomly pick one the
> servers returned from DNS, establish an SSL/TLS connection with that
> server and then p
* Kyle Hamilton wrote on Fri, Jul 23, 2010 at 20:06 -0700:
> There's a company called StartCom (http://www.startssl.com/) who will
> do 2-year validity wildcard certs, upon verification of your identity
> and verification that you have control of the domain for which you are
> requesting certificat
* Mark Parr wrote on Thu, Jul 08, 2010 at 13:42 -0500:
> I then loaded the openssl-fips-1.2.tar.gz file into a different
> directory and attempted to create a RPM install for it as well but
> have hit some issues. First off, rpmbuild complained that it could
> not find the openssl-0.9.8f.tar.gz fi
* Sebastián Treu wrote on Mon, Jul 05, 2010 at 10:39 -0300:
> if we can use a fake DNS that resolves a name as we want and
> also we can gather that certificate to be installed in the
> fake-server,
This fake-server would not have the secret key belonging to the
public key certified in the (publi
* Subra Aswathanarayanan wrote on Mon, Jun 07, 2010 at 20:44 -0400:
>Both of you mention that OpenSSL doesn't provide such an interface.
>May be this question is not appropriate for this forum, but do you
>know of any such simpler libraries that I might be able to use?
If it is just S
* Chuck Pareto wrote on Mon, May 24, 2010 at 16:12 -0700:
>Hi,
>When I run openssl rsa to display my public key info. I see this
>below. How do I convert this output to a byte array? What is this
>output? Is it ascii or base64?
it's ASCII and in the Mail potentially base64... :)
su
* Christina Penn wrote on Wed, May 05, 2010 at 07:42 -0400:
>Can you show me exactly how to break up my example code to make my
>example work? I tried removing the EVP_DecryptFinal_ex from my
>DecryptMessage function and just seeing if the first part would just
>decrypt the first 7
* Modem Man wrote on Wed, Apr 28, 2010 at 17:49 +0200:
> > Since I'm working under Windows and have Visual Studio installed, the
> > easiest way to do so will be by creating a visual studio project with
> > the source code
>
> I tried it and stopped after ~4 hours.
[...]
> Next, split makefile int
* Kenneth Goldman wrote on Sun, Apr 11, 2010 at 15:36 -0400:
> owner-openssl-us...@openssl.org wrote on 04/11/2010 01:38:14 PM:
> > * Kenneth Goldman wrote on Fri, Apr 09, 2010 at 08:12 -0400:
> > > I notice that the tarballs also include a SHA1 digest.
> > > What's the point?
> >
> > To have a che
* Kenneth Goldman wrote on Fri, Apr 09, 2010 at 08:12 -0400:
>I notice that the tarballs also include a SHA1 digest. What's the
>point?
To have a check whether the FTP download was successful to avoid
accidentally using corrupt files, a file integrity check with a
checksum is quite common.
* Eisenacher, Patrick wrote on Tue, Feb 23, 2010 at 12:30 +0100:
[...]
> "The selection of a trust anchor is a matter of policy: it
>could be the top CA in a hierarchical PKI, the CA that
>issued the verifier's own certificate(s), or any other CA in
>a network PKI."
>
> And no, I don
* Sad Clouds wrote on Mon, Feb 15, 2010 at 14:52 +:
> On Mon, 15 Feb 2010 15:19:23 +0100
> "Steffen DETTMER" wrote:
> > Delegating functionality via callbacks allows arbitrary
> > implementations; I would not consider this lame
> > - but clean, strong, ortho
* Sad Clouds wrote on Mon, Feb 15, 2010 at 13:18 +:
> 2. Rationale for callbacks?
>
> Pushing some of the responsibility for locking OpenSSL internal
> structures to application developers seems a bit lame. Why not get rid
> of locking callbacks and have OpenSSL handle it transparently inside
Hi!
* Victor Duchovni wrote on Fri, Feb 12, 2010 at 15:03 -0500:
> On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote:
>
> > (So DER encoding is used, and it is allowing 128 byte long
> > length fields allowing 2^1024 [a number taking four and a half
> >
* Victor Duchovni wrote on Fri, Feb 12, 2010 at 14:20 -0500:
> The limit is not (only?) an X.509 limit, rather the SSL/TLS
> record layer cannot carry messages larger than 2^14 bytes (plus
> some overhead for compression algorithms which provably need to
> be able to make some records larger in ord
* Victor Duchovni wrote:
> The SSL/TLS record layer has a maximum record size, a
> certificate probably needs to fit into one record, so if your
> 500+ domains generate a certificate that is larger than ~16K
> bytes, you may be out of luck.
(I just ask for curiosity, not because I have any problem
* Patrick Patterson wrote on Sun, Feb 07, 2010 at 10:14 -0500:
> > A quick question here. Should the Certificate Signing Request message be
> > protected when requesting for Certificate from CA?
I think, if you want to certify that a public matches subject
description, of course you should authen
> Namrata Sorte wrote:
> > Ya to be more specific, I want to sign and verify Word Document
> > File and using command line will be fine for now.
Are you looking for something like
openssl smime -sign -in ml.doc...
openssl smime -encrypt -in in.doc...
maybe? With RSA based certificates it uses R
* Kyle Hamilton wrote on Tue, Jan 19, 2010 at 16:00 -0800:
> On Tue, Jan 19, 2010 at 6:19 AM, Steffen wrote:
> > * Kyle Hamilton wrote on Thu, Jan 14, 2010 at 15:50 -0800:
> > (assuming, that a peers identity should not change within a
> > session - but as discussed later in this mail this could be
* Kyle Hamilton wrote on Thu, Jan 14, 2010 at 12:03 -0800:
> * Steffen asked...
> > ...on this level
[thanks a lot again for all the clarifications: authentication
levels, authentication-agnostic, URI-dependent certificates,
bugfix because missed intention, MITM tricks twitter to decrypt
and disclo
* Kyle Hamilton wrote on Thu, Jan 14, 2010 at 15:50 -0800:
> On Wed, Jan 13, 2010 at 5:58 AM, Steffen DETTMER wrote:
> >> There is currently no way for even an ideal TLS implementation to
> >> detect this issue.
> >[...]
> >> Yes. Please see SSL_CTX_set_info_
* aerow...@gmail.com wrote on Tue, Jan 12, 2010 at 12:29 -0800:
> On Tue, Jan 12, 2010 at 3:12 AM, Steffen DETTMER
> The problem is this:
>
> The attacker makes a connection to a TLS-enabled server,
> sending no certificate. It sends a command that, for whatever
> reason
Hi,
thank you very much for all your explanation and to give me one
more free training :)
* Kyle Hamilton wrote on Tue, Jan 12, 2010 at 13:33 -0800:
> > Isn't it a bug in the application when it does not allow me (its
> > user) to configure it? As far as I know there is no way to tell
> > Firefox
Hi,
thank you too for the detailed explanation. But the impact on
the client certificates (and its correct validation etc) is not
clear to me (so I ask inline in the second half of this mail).
* Kyle Hamilton wrote on Mon, Jan 11, 2010 at 14:28 -0800:
> The most succinct answer is this: the serve
Hi,
thank you for your detailed explanations.
The main thing I still have not understood is whether TLS by design
enforces the `bad behavior', meaning TLS cannot be used securely
at all by anyone,
- or -
if TLS just does not enforce to use it securely, meaning that TLS
relies on application code imple
Hi all!
I miss something around the Re-negotiation flaw and fail to
understand why it is a flaw in TLS. I hope I miss just a small
piece. Could anyone please enlighten me?
* Kyle Hamilton wrote on Thu, Jan 07, 2010 at 16:22 -0800:
> It is also, though, undeniably a flaw in the TLS specification
> t
* Dr. Stephen Henson wrote on Tue, Jan 05, 2010 at 20:26 +0100:
> Trying both types to see which (if any) worked would be one
> strategy to handle this automatically or seeing if the initial
> SEQUENCE header looked like it covered the whole file. There
> would be exceptions to both cases though.
* Kyle Hamilton wrote on Tue, Nov 24, 2009 at 13:10 -0800:
> [startssl.com]
from the CA policy http://www.startssl.com/policy.pdf:
> > Fully qualified domain names, typically .www.domain.com. or
> > .domain.com. are validated by sending an electronic mail message
> > with a verification code to o
* Arno Garrels wrote on Sun, Oct 11, 2009 at 16:10 +0200:
> > > Why are issuers looked up by subject at all?
> > >
> >
> > Because that's what the standards (X.509, RFC3280 et al) require.
>
> Ah ok, but shouldn't name duplicates be taken into account when
> issuers are looked up, even though th
(OT)
just kidding.
* Michael S. Zick wrote on Thu, Oct 01, 2009 at 16:44 -0500:
> Everybody in the same room should be sufficiently security qualified
> to see anything typed within that room.
cheating pupils in school exams probably won't agree, neither
will people who are writing love letter SM
(OT)
* Dave Thompson wrote on Thu, Sep 24, 2009 at 19:23 -0400:
> But 'ca' by default, and thus it appears to me CA.pl
> always, also prompt for the CA key passphrase (unless
> insecurely clear), and you're not complaining about that.
I think it depends where it is stored if no passphrase is
i
* Victor Duchovni wrote on Wed, Sep 23, 2009 at 16:18 -0400:
> On Wed, Sep 23, 2009 at 10:04:48PM +0200, Michael Prinzinger wrote:
>
> > I have a somewhat curious setting (without CAs) about [...]
> >
> > > //check certificate
>
> This only verifies the server's *trust chain*, but not its
> i
* Nigel Sollars wrote on Mon, Sep 14, 2009 at 19:06 +0200:
> At the company we have an online store and we need to replicate it for
> different locales/languages. After reading some information on the net
> it seems that the RFC spec is good but the implementation ( at the time
> of the writing
(OT)
* Mark wrote on Thu, Sep 10, 2009 at 15:54 +0100:
> > No offense, but that's what the mailing list is for.
> > Granted, a search might have yielded the answer as well...
> > but if anything, the question should make you feel good
> > because it's one mess you won't be cleaning up.
>
> No off
* Anoop C wrote on Wed, Sep 09, 2009 at 18:02 +0530:
>Thanks for the quick response.
> I totally agree on your point. Our associates often used to try others
> certificate .So I want to remove that threat also by incorporating MAC
> address also into the certificates apart from the exis
* Dr. Stephen Henson wrote on Wed, Sep 02, 2009 at 15:08 +0200:
> Including a public key certificate in no way risks the
> integrity of its private key as several others have said in
> this thread.
I think this theoretically opens the possibility to brute-force
the private key.
I think that Brute
* Serge Fonville wrote on Wed, Sep 02, 2009 at 13:00 +0200:
> The chain always includes all CAs and certificates. I've done some
> googling, and it shows that you can trust 'just' the intermediate CA
> without trusting the root CA, although this kinda obsoletes the purpose
> of the root CA.
[...]
* Victor Duchovni wrote on Fri, Aug 28, 2009 at 13:39 -0400:
> The OP is not using fixed DH keys. He is proposing to use ADH key
> exchange. This gives confidentiality, but NOT authentication.
Yes, and confidentiality without authentication usually doesn't
help much. In case of MITM, the confiden
* David Schwartz wrote on Sun, Aug 23, 2009 at 15:40 -0700:
> > My question is why _using the same code_ Windows is returning
> > WSAEWOULDBLOCK instead of WSAECONNREFUSED when my server is down?
> > while UNIX correctly returns ECONNREFUSED...
>
> Because Windows cannot tell whether your server is
* Michael S. Zick wrote on Wed, Jul 15, 2009 at 07:38 -0500:
> You can approximate that by grabbing the processor's silicon
> serial number plus grab the USB stick's silicon serial number
> plus a user input (partial) passphrase.
I assume a good virtualisation (maybe some patched VMWare or
alike)
* tito wrote on Wed, Jul 15, 2009 at 09:19 +0530:
> Now the threat is, If an agent export the certificate he
> acquired in a USB or in someother way and goes to his home pc
> or somewhere else and he imports the certificate to his
> personal PC and started doing transactions.
>
> He shouldnt be abl
* Konstantin Ivanov wrote on Sun, Jun 28, 2009 at 11:25 -0700:
> You connection to 127.0.0.1 is encrypted with 128-bit
> encryption. However, this page includes other resources which
> are not secure"
>
> Please note that I only get this message if I've placed by CA
> root certificate into Trusted
* Mirko Velic wrote on Wed, Jun 17, 2009 at 20:21 +1000:
> I was wondering if i could convert the data outputted by this command:
> openssl x509 -noout -fingerprint -text < test.cert > info.txt
>
> Back into a certificate after I modify it, as it would make it easier to
> generate certificates.
* Stephan V Bechtolsheim wrote on Fri, Jun 05, 2009 at 18:20 -0700:
> > This is hardly anything remotely resembling a formal proof,
> > of course. But it should give you the basic idea -- it's a
> > difficult problem because the numbers are big.
> Your argument only applies to "your algorithm". The
(OT)
* Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500:
> A more general solution would be:
>
> # Am I running as user 0 (root)?
> uid=$(/usr/bin/id -u) 2>/dev/null
> if [ $uid == 0 ] ; then
BTW, shouldn't it be just one "=" (to be compliant with POSIX and
/usr/bin/test)?
* loody wrote on Fri, May 22, 2009 at 21:51 +0800:
> 2009/5/22 David Schwartz :
> >
> >> Dear all:
> >> at the end of letter, I append the the public key I excerpted from my
> >> certificate by openssl x509.
> >> Since the key is 2048 bits, 256 bytes, I find the length of
> >> 00:af:..14:f7
> >
* AngelWarrior wrote on Wed, May 20, 2009 at 15:18 -0500:
> "I dont need to know with whom I am contacting but after
> contact my messages should be private."
If you sent your message to just anybody, how can it be private?
oki,
Steffen
--[ End of message ]--
* Scott Gifford wrote on Wed, May 20, 2009 at 21:52 -0400:
> AngelWarrior writes:
>
> > but this still requires a CA kind of certificate right.I dont
> > know if the client will be have a CA certificate to
> > authenticate it.If I am wrong please explain me how it can be
> > done.
>
> Regular SS
* Victor Duchovni wrote on Mon, May 18, 2009 at 13:53 -0400:
> On Mon, May 18, 2009 at 10:24:55AM -0700, Kyle Hamilton wrote:
> > 'reverse SSL'?
> >
> In other words, the TCP initiator and passive listener are not
> necessarily also the SSL client and server respectively.
I think stunnel already
* Nikos Balkanas wrote on Mon, May 18, 2009 at 15:29 +0300:
> Wikipedia is right in principle, but doesn't cover the case of TCP
> hijacking.
I think this is out of scope,
TCP is said to be reliable, not necessarily secure.
oki,
Steffen
--[ end of message ]-
* David Loman wrote on Wed, May 06, 2009 at 11:21 +0200:
> Mods: Any way there can be some banning happening soon?
Don't feed the trolls.
oki,
Steffen
---[ end of message ]->8===
* Sever P A wrote on Mon, Apr 27, 2009 at 10:49 +0200:
> > (Steffen said:) I think stunnel could be suited well here.
>
> Maybe... but my idea was to implement this functions in the
> C/C++ program while the users have no computer expertise
> skills.
>
> I suddenly thought to integrate this in a
* Sever P A wrote on Sat, Apr 25, 2009 at 13:35 +0200:
> I don't reach to understand how to implement all these steps. So:
I think stunnel could be suited well here.
oki,
Steffen
* tobias.sem...@diemer-ing.de wrote on Tue, Apr 14, 2009 at 15:04 +0200:
> Is there a chance to create a certification on the intern server called by
> the extern https://name.dyndns.org address ?
It depends on the software you are using and on the setup...
If you use some non-routable IP for your
* Dr. Stephen Henson wrote on Thu, Apr 02, 2009 at 13:01 +0200:
[...]
> Under this scheme
>
> 1. Bug fix releases will change the letter.
>E.g. 1.0.0 -> 1.0.0a
>
> 2. Feature releases will change the last (minor) number.
>E.g. 1.0.0 -> 1.0.1
>
> 3. Major development will change the
Hi all!
* Nickfx wrote on Wed, Feb 11, 2009 at 08:54 -0800:
> Crazy I know. Having removed split, Openssl is now working as
> it should. It would seem that there is something screwy with
> Cygwins Split or Cat command.
I remember that I had trouble because DOS/UNIX line feed
translation was perform
Hi all,
* Charles Darwin wrote on Sun, Feb 08, 2009 at 09:27 -0500:
> Any idea?
(This is off topic here)
Shouldn't it be in /etc/sshd_config (or /etc/ssh/sshd_config)?
And if missing there, why not simply add it?!
oki,
Steffen
ps.: is this your real name or is it because of the `Darwin Year 20
Hi all!
* Dave Thompson wrote on Fri, Feb 06, 2009 at 20:59 -0500:
> > Adding the quotes didn't work because, if I understand things
> > correctly, the notion of quotes (or escaping characters with \)
> > is a shell concept - hence my attempt to force the command to run
> > under a shell.
> >
> Th
Hi all, Hi Alistair!
* Young, Alistair wrote on Fri, Feb 06, 2009 at 10:16 +:
> Ultimately I settled on the use of a shell script to act as an
> intermediary:
>
> #!/bin/bash
If you can use bash you could pass the key in \xNN form for
$'\xNN' to avoid special characters like blanks and contr
* Md Lazreg wrote on Thu, Jan 08, 2009 at 15:11 +0100:
> The problem in my case was a server one. I use a non-blocking socket for the
> server to receive information from the clients, so the server performs a
> select with a timeout of 1 second to read information. It turns out that
> when they are
* Vishnu Param wrote on Mon, Nov 17, 2008 at 16:12 +0800:
> > > s3_enc.c:(.text+0xaeb): undefined reference to `COMP_CTX_new'
>
> I am sure I am pointing to the 0.9.9 libraries/headers, because I
> wouldn't get these errors if I wasn't.
I think what you were supposed to ensure is that you have the
* prashanth s joshi wrote on Tue, Oct 07, 2008 at 21:13 +0530:
> Could anyone please tell me how to run the gdb in openssl?
> In gdb I am running the command as path_of_bin/bin/openssl s_client -connect
> ipaddress:4433.
> But i get the error as: Undefined command: "". Try "help".
> why is it so
Hi,
thanks a lot for your detailed explanation.
* Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 16:46 +0200:
> OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with
> SHA-1 so the more bytes are mixed in, the better. At least it cannot hurt
> to add any input to it as the entropy in the p
* Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 14:22 +0200:
> > we purchased a hrng for the generation of RSA keys for instance.
> > It is a USB device and shows up as /dev/qrandom.
> >
> Note: if /dev/urandom is available, OpenSSL will read an additional amount
> of random bytes from it whether an
* Lutz Jaenicke wrote on Tue, Aug 12, 2008 at 08:47 +0200:
> Please help me with the command line to convert a DER
> Certificate to PEM Certificate.
$ openssl x509 -inform der -outform pem < certificate.der
or
$ openssl x509 -inform der -text < certificate.der
(which includes a human readable
* Konrad Kleine wrote on Fri, Jun 13, 2008 at 17:32 +0200:
> One of our principles is to have only one exit point in
> functions, so in this point we would agree with you. On the
> other hand, it is also possible to do it without "goto"s.
Yes, it is possible to `goto' without `gotos', sometimes th
* John Parker wrote on Sat, May 31, 2008 at 15:35 -0500:
> > Probability that a "proper" key falls in the space of the
> > "bad debian" keys: 2^15 / 2^2048 = 1 / 2^2033.
> >
> > That's a lot of zeros before the first non-zero digit.
>
> Put differently, if you were to start generating keys now at
* [EMAIL PROTECTED] wrote on Fri, May 30, 2008 at 06:51 -0500:
> Back in the day, DES was the de facto encryption algorithm.
[...]
> In an ideal world, I think the system should throw an exception
> then and let the calling application feed it another key.
> However, I think the general consensus
* Victor Duchovni wrote on Wed, May 28, 2008 at 21:10 -0400:
> > > Only against random attacks of course, if all attackers
> > > first check these keys, then removing them strengthens the
> > > algorithm against (non-random) brute-force attack. This
> > > said, the effort of explicitly avoiding the
* Deane Sloan wrote on Thu, May 29, 2008 at 04:47 +1200:
> stated, the overall risk of generating such a key on an unaffected
> system is (extremely?) small for the security that a 2048bit RSA private
> key is intended for?
The risk to generate one specific key of 2^16 (or how small was
the key sp
* Lutz Jaenicke wrote on Tue, Apr 22, 2008 at 09:59 +0200:
> > This rule is independent of current time. e.g. If the validity dates
> > of the parent certificate is 2008/04/18~2009/04/18 and the ones of
> > child certificate is 2008/06/18~2009/06/18 or 2008/03/18~2009/03/18,
> > the certificate cha
* Li, Yvonne wrote on Fri, Apr 18, 2008 at 23:46 -0400:
> You have lots of good points. Thank you again.
>
> I work for AOL, developing cross platform SDK for instant messaging that
> supports plugins. Plugins can be malicious. And AOL is responsible for
> protecting users' identity and privacy. C
(OT)
* Badra wrote on Fri, Apr 18, 2008 at 17:03 +0200:
> I have also unsigned char B that stores a binary value. I need to
> convert it to hexadecimal, I do:
>
> char *table = "0123456789abcdef";
> int i;
> for (i=0; i {
> B[2*i+1] = table[B[i] & 0xf];
> B[2*i] = table[(B[i] & 0
* Tomas Neme wrote on Wed, Apr 16, 2008 at 17:44 -0300:
> The problem is that SSL_pending might return 0 if there's
> stuff on the socket, but isn't enough to decode a full record.
If you want SSL to be transparent, why are you interested in
intermediate protocol-specific data which would not be
* Kyle Hamilton wrote on Thu, Apr 10, 2008 at 02:34 -0700:
> > (That means the CA remotely signs online submitted CSRs and sends
> > back a Cert immediately? Maybe such a CA would not be that
> > trustworthy...)
>
> First: it is as trustworthy as the application seems to
> require. It's not
* Kyle Hamilton wrote on Wed, Apr 09, 2008 at 14:22 -0700:
> Each peer goes through this process:
> 1) peer creates a keypair
> 2) peer generates a CSR (certificate signing request) for its public key.
> 3) peer connects to server, submits CSR along with whatever
> information necessary to determin
* Wockenfuß, Frank wrote on Wed, Apr 02, 2008 at 09:07 +0200:
> Thank you for that hint.
> I will try to rebuild the class as singleton. This could help,
> but isn't really nice.
I think you'd need multiple classes. For things done once a
program life time, a C++ class (singleton) may not be suite
* [EMAIL PROTECTED] wrote on Wed, Mar 26, 2008 at 18:26 +0100:
> For some hours now I try to find out how to create CAfile (a
> file with multiple CAs inside, the one file counterpart of
> -CApath).
>
> Could anybody please give me an example
Not sure if I understand you right, but if you want t
Hi,
in short I think in your -signkey command you need to add
-enddate.
* Andreas Grimmel wrote on Mon, Mar 24, 2008 at 17:28 +0100:
> > That depends on what you need to do by policy for renewal.
> > There is no such thing as "technical renewal" - there is only
> > policy based. Since this sounds