Re: Application segfaults after upgrade from 3.0.11 to 3.0.13

2024-07-16 Thread Victor Wagner
; 185 PKCS11_CTX_private *ctx = slot->ctx; 186 PKCS11_OBJECT_private *pubkey; 187 PKCS11_TEMPLATE tmpl = {0}; 188 CK_OBJECT_HANDLE object = key->object; 189 CK_SESSION_HANDLE session; > > On Tue, Jul 16, 2024 at 12:43 PM

Application segfaults after upgrade from 3.0.11 to 3.0.13

2024-07-16 Thread Victor Wagner
Hi! I'm using osslsigncode application on Debian 12 system (amd64) to sign stuff with RSA key stored on hardware token with PKCS11 interface. osslsigncode (https://github.com/mtrojnar/osslsigncode) seems to be well-behaved openssl application, which uses digest BIO and PKCS7 API, does no poking i

Re: [openssl-users] Checking if an EVP_PKEY* contains a private key

2015-12-21 Thread Victor Wagner
On Mon, 21 Dec 2015 21:29:03 -0800 Stephen Kou wrote: > OpenSSL has the higher-level EVP_PKEY_* functions which work > abstracts the public key cryptography algorithms. However, sometimes > a EVP_PKEY* only has a public key. How could I check if a given > EVP_PKEY* contains a private key? I co

Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Victor Wagner
On Wed, 22 Jul 2015 09:17:43 + (UTC) Anirudh Raghunath wrote: > Hello, > I have used rsault -sign option to sign a text file which gives me a > binary file. I would like to convert this to X509 so that I can use > it in a ssl handshake. I understand the command: openssl x509 -inform > -in -

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Victor Wagner
On Tue, 21 Jul 2015 13:58:21 + (UTC) Anirudh Raghunath wrote: > Ah okay, that clears up quite a lot of doubts. But the certificate I > want to load is a self signed certificate which has a private key > attached to it. I used the XCA application to export the > certificate-private key pair as

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Victor Wagner
On Tue, 21 Jul 2015 06:58:24 + (UTC) Anirudh Raghunath wrote: > Hello, > I would like to utilize the ENGINE_load_ssl_client_cert() function to > load a certificate from my smart card. I have successfully loaded the > engine and have also tried to play around with the > ENGINE_load_private_key

Re: [openssl-users] Loading pkcs11 engine opensc without using command line

2015-07-17 Thread Victor Wagner
On Fri, 17 Jul 2015 00:10:27 + "Dr. Stephen Henson" wrote: > On Thu, Jul 16, 2015, Anirudh Raghunath wrote: > > > Hello, > > > > I want to write a program in which I can load a certificate from a > > smartcard instead of having it in a file on the client machine. In > > You may be able to

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

2015-07-15 Thread Victor Wagner
On Tue, 14 Jul 2015 20:35:31 +0200 Jakob Bohm wrote: > > Does ASN1_TIME_set_string() support dates outside the > time_t range of the local libc? Why do you need time dates outside of 64-bit integer range? Sun would explode into red giant sooner than that amount of time passes. > This is import

Re: [openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

2015-07-13 Thread Victor Wagner
On Mon, 13 Jul 2015 12:25:40 +0530 Nayna Jain wrote: > > Hi all, > > I am programmatically generating the self signed certificate and need > to specify the "Not Before" and "Not After" date, > > Wanted to understand what all formats are acceptable by this API ? X509_set_notAfter and X509_set_

Re: [openssl-users] Using s_client under z/OS installation

2014-12-11 Thread Savino, Victor
. I hope I am making sense. Thanks for your help on this. Victor Savino| z/OS Network Engineer Lead | GTI ECS Enterprise Software Engineering (ESE) Network J.P. Morgan Chase & Co. | 575 Washington Blvd, Jersey City NJ 07310, US | Office: 201-595-5044 (victor.sav...@jpmchase.com) From: ope

[openssl-users] Using s_client under z/OS installation

2014-12-11 Thread Savino, Victor
. This make sense on the surface. Is there a way to force the outbound to ASCII data stream (supported by z/OS on other connections), or is there a way to install OPENSSL using ASCII under the z/OS OMVS umbrella? Thanks for your help, Victor Savino| z/OS Network Engineer Lead | GTI ECS

Shared build broken

2012-08-17 Thread Victor Leschuk
you. -- Victor

Re: EC GF(2^m)

2011-08-01 Thread Victor Duchovni
On Mon, Aug 01, 2011 at 02:51:19PM +, Spurr, Matthew E wrote: > Hello I am just looking for a simple question to be answered, and > cannot find a place to really have a discussion about it. Part of the > ECE GF(2^m) algorithms have a patent on them. I am wondering if it is > ok to use these

Re: testing null encryption

2011-07-28 Thread Victor Duchovni
On Thu, Jul 28, 2011 at 09:14:34AM -0700, navin gopalakrishnan wrote: > 1) When i use my own applications (client & server) which uses > the openssl library a separate client program and a separate server > program, both configured to use only eNULL as above. (i.e. with only > NULL_SHA & NULL_MD5)

Re: testing null encryption

2011-07-27 Thread Victor Duchovni
On Wed, Jul 27, 2011 at 02:53:09AM -0700, navin gopalakrishnan wrote: > a) testing NULL Encryption: > > While building openssl i modified the macro SSL_DEFAULT_CIPHER_LIST to > #define SSL_DEFAULT_CIPHER_LIST "eNULL" That was unwise, don't do that. > My understanding is the above modification?

Re: How to extract Certificate info from file with multible certificates?

2011-07-22 Thread Victor Duchovni
On Fri, Jul 22, 2011 at 02:03:27PM -0700, Alex Lindberg wrote: > I have a certificate file CAcert.pem containing two or more certificates > between BEGIN/END blocks. > > the openssl command only seems to read the first certificate. > > How can I extract information from all certs in a single fi

Re: Query regarding OpenSSL 0.9.8

2011-07-18 Thread Victor Duchovni
On Fri, Jul 15, 2011 at 01:17:36PM +0800, Kumar, Nilesh wrote: > I have few queries regarding OpenSSl 0.9.8 : > > 1. Does it have 64-bit support? If not, which version(s) support > 64-bit arch? Yes, on many 64-bit CPU architectures. > > 2. RHEL version(s) supported None. The softw

Re: Some Problem wiht TLS connection using OPENSLL....PLS This is urgent..

2011-07-06 Thread Victor Duchovni
On Wed, Jul 06, 2011 at 04:26:18PM +0300, islam wrote: > Hi i have some problems using openssl library. I got this error : > > 14742:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version > number:s3_pkt.c:293: You should give up and ask someone on your team who is more experienced to impleme

Re: Client Hello too large ?

2011-06-21 Thread Victor Duchovni
On Tue, Jun 21, 2011 at 05:43:57AM -0500, Michael S. Zick wrote: > > I've encountered a strange issue. It might not be related to OpenSSL itself, > > but maybe it is. > > > > When sending a Client Hello message that's larger than 270 bytes (not sure > > what the exact limit is, 255 maybe?), lots

Re: Openssl cms question

2011-06-11 Thread Victor Sterpu
I fixed it. The certificate was not in the right form. On 11.06.2011 18:16, Victor Sterpu wrote: I tried to use this command from openssl examples: openssl cms -sign -in message.txt -text -out mail.msg -signer ./ssl1/newkey.pem The error is: unable to load certificate 3076057772:error

Openssl cms question

2011-06-11 Thread Victor Sterpu
I tried to use this command from openssl examples: openssl cms -sign -in message.txt -text -out mail.msg -signer ./ssl1/newkey.pem The error is: unable to load certificate 3076057772:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE TO generate

Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-07 Thread Victor Duchovni
On Tue, Jun 07, 2011 at 10:42:54AM -0500, Erwin Himawan wrote: > Thanks for your help. Once I fix my compilation environment, everything > works ok. Glad it works for you. > > > When the code crashes, here are the print outs: > > > > > > OPENSSL_VERSION_NUMBER: 9470255 > > > > Converted to

Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-07 Thread Victor Duchovni
On Tue, Jun 07, 2011 at 10:05:19AM -0500, Erwin Himawan wrote: > Hi Victor, > > If I understand these printout correctly, my compilation environment is > mixed. However, can you confirm? > > When the code crashes, here are the print outs: > > OPENSSL_VERSION_NUMBER: 9

Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-06 Thread Victor Duchovni
On Mon, Jun 06, 2011 at 06:22:53PM -0500, Erwin Himawan wrote: > I am using Netbean 7.0 for my IDE. > I am using cygwin: CYGWIN_NT-5.1 1.7.9(0.237/5/3) 2011-03-29 10:10 i686 > > My host platform is WindowXP 32 bit. > I am building the openssl ver 1.0.0d using the cygwin. > The path to the OpenSSL

Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-06 Thread Victor Duchovni
On Mon, Jun 06, 2011 at 03:18:12PM -0500, Erwin Himawan wrote: > I am trying out the example in this > http://www.openssl.org/docs/crypto/EVP_DigestInit.html. > > When I build this example using ver 1.0.0d, the example crashes at E > VP_DigestFinal_ex. When I build this example using previous ver

Re: Running SSL on own socket code

2011-06-01 Thread Victor Duchovni
On Wed, Jun 01, 2011 at 10:56:47AM -0700, Eric S. Eberhard wrote: > The way I do things like this is to slightly modify OpenSSL (and keep track > of the mods!) Completely unnecessary, OpenSSL supports custom I/O layers via BIO pairs. -- Viktor. _

Re: Running SSL on own socket code

2011-06-01 Thread Victor Duchovni
On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote: > I'd like to know the feasibility or complexity around using my own > socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of > BIOs to read and write would that be sufficient? How tightly integrated > the code is with

Re: Mysterious smime signature

2011-05-30 Thread Victor Sterpu
I found that this signature is made with Microsoft cryptoapi. Can this be read using openssl? On 28.05.2011 21:31, Victor Sterpu wrote: I posted the signature here http://www.casnt.ro/FARMD_16611264_20110524_1153.smime The signature is the only signature accepted by a server and I don't

Re: Mysterious smime signature

2011-05-28 Thread Victor Sterpu
Yes. http://www.casnt.ro/signed.message. On 29.05.2011 01:22, Kyle Hamilton wrote: Could you please also post the signature which openssl can verify? -Kyle H On Sat, May 28, 2011 at 11:31 AM, Victor Sterpu wrote: I posted the signature here http://www.casnt.ro/FARMD_16611264_20110524_1153

Mysterious smime signature

2011-05-28 Thread Victor Sterpu
I posted the signature here http://www.casnt.ro/FARMD_16611264_20110524_1153.smime The signature is the only signature accepted by a server and I don't know how to reproduce it. It seems is not valid. I tried to verify it like this: *openssl smime -inform DER -verify -in FARMD_16611264_2011052

Signature type

2011-05-27 Thread Victor Sterpu
I'm trying to reproduce the signature in the attached file. I believe is smime PKCS7 but when I execute openssl smime -verify -in FARMD_16611264_20110524_1153.xml I get the message Error reading S/MIME message 31662:error:2107A087:PKCS7 routines:SMIME_read_PKCS7:no content type:pk7_mime.c:296: C

Re: How do calculate the

2011-05-17 Thread Victor Duchovni
On Tue, May 17, 2011 at 02:22:46AM -0700, G S wrote: > 1. Generate a random key and initialization vector to encrypt the block of > text. > 2. Encrypt that random key with the RSA public key. > 3. Encrypt the data payload with the random key and IV, using Blowfish or > other encryption. > 4. Send

Re: No shared cipher error using ECDSA

2011-05-16 Thread Victor Duchovni
On Mon, May 16, 2011 at 11:56:41AM +0100, Mike Bell wrote: > Thanks Viktor, > > I hadn't properly understood the relationship between the certificate > and the cipher, so I'll look at that now. I think I'm also confusing > the OpenVPN & OpenSSL relationship. > > OpenVPN does appear to be using TL

Re: openssl config; full form of multi-valued field

2011-05-14 Thread Victor Duchovni
On Sat, May 14, 2011 at 12:55:44PM +0400, A.B.COKO/\OB wrote: > > For example: > > subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar > > will produce an error but the equivalent form: > > subjectAltName=@subject_alt_section > > [subject_alt_section] > > subjectAltName=URI:ldap://somehost.co

Re: No shared cipher error using ECDSA

2011-05-13 Thread Victor Duchovni
On Fri, May 13, 2011 at 06:36:34PM +0100, Mike Bell wrote: > I had originally put > cipher AES-128-CBC > in SERVER.OVPN & CLIENT.OVPN, not OPENSSL.CNF files (it's been a long week!) I am not familiar with your VPN product, so you'll have to figure out what configuration options are applicable. I

Re: No shared cipher error using ECDSA

2011-05-13 Thread Victor Duchovni
On Fri, May 13, 2011 at 05:41:52PM +0100, Mike Bell wrote: > However I keep getting a "no shared cipher" error. > > In my client & server openssl.cnf files I've specified > cipher AES-128-CBC This is not an EC cipher, and if you configure an EC cert, but specify a cipher that is one of the ones

Re: Clients glomming onto a listener

2011-05-11 Thread Victor Duchovni
On Wed, May 11, 2011 at 08:39:49AM -0700, Eric S. Eberhard wrote: > I have found that fork() on modern machines as a negligible affect on > performance and in fact I almost always use inetd instead of writing my own > servers, mainly because it is dead reliable, easier to code, and again > seem

Re: cryptographic algorithms

2011-05-05 Thread Victor Duchovni
On Thu, May 05, 2011 at 02:29:07PM -0400, Alona Rossen wrote: > Please list all encryption algorithms supported by OpenSSL 0.9.8e, > 0.9.8m and 1.0.0d. To list all ciphers $ openssl ciphers -v ALL:eNULL:@STRENGTH just use the appropriate openssl(1) binary to find which ciphers are supporte

Re: Getting exp date from certificate?

2011-04-07 Thread Victor Duchovni
On Thu, Apr 07, 2011 at 04:50:19PM +, Lou Picciano wrote: > Friends, I must admit we've never had to do it before - Can we query > the expiration date directly from a certificate, perhaps by using the > ASN structure code? (Is there a map of the currently-available structure > codes, as used by

Re: SSL error no start line

2011-03-29 Thread Victor Duchovni
On Tue, Mar 29, 2011 at 10:15:04AM +0200, Aarno Syvänen wrote: > HI, > > what would error OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start > line mean ? A PEM file was expected, but the input was not a PEM file, specifically, it had no "-BEGIN ...-" line. -- Viktor.

Re: callbacks: application context

2011-03-22 Thread Victor Duchovni
On Tue, Mar 22, 2011 at 08:47:55PM -0700, Claus Assmann wrote: > On Tue, Mar 22, 2011, Victor Duchovni wrote: > > > > client() has some code like this: > > > SSL_CTX_set_ex_data(a_ctx->a_ssl_ctx, myidx, a_ctx->cb_arg); > > > > No, don't do

Re: callbacks: application context

2011-03-21 Thread Victor Duchovni
On Mon, Mar 21, 2011 at 08:49:09PM -0700, Claus Assmann wrote: > On Mon, Mar 21, 2011, Victor Duchovni wrote: > > > Can you explain a bit more clearly why you can't initialize an > > integer index or two when the application starts? > > I can, but that's n

Re: callbacks: application context

2011-03-20 Thread Victor Duchovni
On Sun, Mar 20, 2011 at 07:13:18PM -0700, Claus Assmann wrote: > On Sun, Mar 20, 2011, Victor Duchovni wrote: > > > once, ... so there needs to be some once-only code in your application, > > That's trivial to do and already working fine. > > > and setting a

Re: callbacks: application context

2011-03-20 Thread Victor Duchovni
On Sun, Mar 20, 2011 at 10:42:28AM -0700, Claus Assmann wrote: > It seems the official way to use an application > context is via: > > int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, >CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); > int SSL_set_ex_data(SSL *

Re: RSA_private_decrypt without e and d

2011-02-24 Thread Victor Duchovni
On Thu, Feb 24, 2011 at 08:15:47AM +0100, Mounir IDRASSI wrote: > Your analysis is not true because the original poster says he has dmp1, > dmq1 and iqmp, not only p and q. Yes, naturally if the OP has "d" (or equivalently d mod (p-1) and (q-1), which are presumed co-prime), he can recover "e" i

Re: RSA_private_decrypt without e and d

2011-02-23 Thread Victor Duchovni
On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote: > Just to be clear, below is not the actual code, but what I would *like* > to be able to do (or something close). What you are asking to do is not possible, not because of API limitations, but as a matter of principle (m

Re: I m trying to merge key and certificate using pkcs12

2011-02-18 Thread Victor Duchovni
On Fri, Feb 18, 2011 at 01:22:44AM -0800, kalpesh07 wrote: > > hi, > I am trying to create digital signature for pdf document by openssl commands > from php file. > > I write these two commands first in php file > exec("openssl req -x509 -nodes -days 365 -subj > '/C=In/ST=Mumbai/L=Maharashtra/CN

Re: Adding non-root certificates to the list of trusted certificates?

2011-02-14 Thread Victor Duchovni
On Mon, Feb 14, 2011 at 04:36:07PM +, Martin Nicholes wrote: > I am also interested in the ability to allow non-root certs, but my > company is not planning on distributing OpenSSL. Callbacks are implemented in the application, not in the OpenSSL library. > Therefore a custom verification ca

Re: problem with certificates, kinda urgent

2011-02-13 Thread Victor Duchovni
On Fri, Feb 11, 2011 at 05:04:11PM -0500, Jean-Michael Cyr wrote: > I have some difficulties to make openssl work to crypt my email. Email encrypt is generally done via S/MIME. OpenSSL provides an smime(1) command. http://www.openssl.org/docs/apps/smime.html -- Viktor.

Re: Adding non-root certificates to the list of trusted certificates?

2011-02-11 Thread Victor Duchovni
On Thu, Feb 10, 2011 at 05:03:05PM +0100, Mounir IDRASSI wrote: > I think you misunderstood Matthias's question? He is not asking about how > to make his own CA accepted (from his post, it appears he already knows how > to do that), but he is rather asking how to make an end entity server > cer

Re: problem verifying certificate

2011-01-11 Thread Victor Duchovni
On Tue, Jan 11, 2011 at 11:51:47PM +0100, Ron Arts wrote: > I just renewed my Thawte webserver certificate. This certificate seems to > work fine with various browsers I tried, but it curl, wget on CentOS 5.5 > are not able to verify it: Browsers often have a fairly large set of trusted roots an

Re: do i need a dedicated ip address for https?

2011-01-04 Thread Victor Duchovni
On Tue, Jan 04, 2011 at 04:34:05PM +0100, Richard Koenning wrote: > A further (very > quick) survey shows that Thawte too supports additional subjectAltNames, > but here it comes with a price (http://www.thawte.com/ssl/index.html). > A more intensive survey will probably show up further CAs supp

Re: ifdef OPENSSL_NO_COMP

2010-12-20 Thread Victor Duchovni
On Mon, Dec 20, 2010 at 07:21:54PM -0500, Bhola Ray wrote: > I have noticed the above flag in our openssl code in several c and h files. > > If I use > > #define OPENSSL_NO_COMP 1 > > in the right include file, and build the libcrypto.a and libssl.a > then in that build > Do not do

Re: SSL cert chain validation & timestamp issues

2010-12-20 Thread Victor Duchovni
On Mon, Dec 20, 2010 at 10:49:57AM -0800, travis+ml-open...@subspacefield.org wrote: > libnss, at least on Linux, checks that the signing cert (chain) is valid > at the time of signature - as opposed to present time. (It may check > present time as well - not sure on that) > > This makes for pr

Re: SSL_VERIFY_PEER and the presence of client's X509 certificate after the handshake

2010-12-18 Thread Victor Duchovni
On Fri, Dec 17, 2010 at 01:24:40PM -0500, Jeff Saremi wrote: > d1-srvr.c: > int dtls1_accept(SSL *s) > > I cannot be 100% sure what changes on the client or on the server in > between. But the low-level client socket and ssl connections are exactly > the same in both scenarios. Also both use Open

Re: How to find the other end can support SSL or not

2010-12-17 Thread Victor Duchovni
On Fri, Dec 17, 2010 at 03:11:54PM +0530, Kingston Smiler wrote: > Is there any way to identify whether the other end supports TLS or not. Only if the application protocol supports a way to negotiate TLS (e.g. SMTP, IMAP, telnet, ... with STARTTLS), or the service in question is layered over TLS

Re: SSL_VERIFY_PEER and the presence of client's X509 certificate after the handshake

2010-12-15 Thread Victor Duchovni
On Wed, Dec 15, 2010 at 11:14:59AM -0500, Jeff Saremi wrote: > So under situations that are not entirely clear, a call to > SSL_get_peer_certificate() returns null after a successful SSL accept is > done on the server. > > My question is if there are conditions under which one cannot rely on > th

Re: openssl version constants - question and request

2010-12-15 Thread Victor Duchovni
On Tue, Dec 14, 2010 at 09:52:58AM -0500, Kenneth Goldman wrote: > Question: > > OPENSSL_VERSION_TEXT is undocumented. Can I count on it being there and > up to date, or is it for internal use only? > > Request: > > OPENSSL_VERSION_NUMBER varies between a long and an int constant, Could > i

Re: How to compute crt coefficient (PQ) value of a private key?

2010-12-14 Thread Victor Duchovni
On Tue, Dec 14, 2010 at 09:55:26PM -0800, Kannan J wrote: > > > From my relentless search on the internet I hit upon this webpage > http://www.mobilefish.com/services/rsa_key_generation/rsa_key_generation.php > which accepts prime values and generates the rest of the exponents and > coefficien

Re: How to compute crt coefficient (PQ) value of a private key?

2010-12-14 Thread Victor Duchovni
On Tue, Dec 14, 2010 at 09:46:11PM -0800, Kannan J wrote: > I'm copying and pasting the text from the smart card guide. It is too big to attach. Please use plain-text (non-HTML) email when sending mail to lists. > The following convention applies for the P, Q, DP1, DQ1, and PQ parameters: > P is

Re: How to compute crt coefficient (PQ) value of a private key?

2010-12-14 Thread Victor Duchovni
On Tue, Dec 14, 2010 at 07:30:33PM -0800, Kannan J wrote: > I have a private key that I need to load onto the smart card. > The PIV User Guide says PQ = P-1 mod Q Instead of re-interpreting it is best to provide a direct reference, or at least an unedited quote of the specified requirements wi

Re: openssl and legacy openbsd crypto project

2010-12-14 Thread Victor Duchovni
On Tue, Dec 14, 2010 at 05:05:06PM -0800, John R Pierce wrote: > but didn't openssl get its > start with that same openbsd crypto code? No. From the information-free OpenBSD mailing list message: It is alleged that some ex-developers (and the company they worked for) accepted US governm

Re: Using DH parameters from OpenSSL

2010-12-14 Thread Victor Duchovni
On Tue, Dec 14, 2010 at 04:14:01PM -0800, Mike Mohr wrote: > How do you mean, an additional 0 byte is prepended? I generated > several DH parameters and exported them to C code ( -C ), some of > which has the MSB set. It looks like BN_bin2bn is used directly on > the raw bytes of the prime witho

Re: How to disable compression?

2010-12-14 Thread Victor Duchovni
On Tue, Dec 14, 2010 at 06:20:54PM +1100, Corin Lawson wrote: > Hi All, > > Is it possible to establish an SSL connection with no compression? How? OpenSSL 1.0.0 provides a new option that can be set via SSL_CTX_set_options() or SSL_set_options(). SSL_OP_NO_COMPRESSION > While I'm at it, i

Re: list of #ifdef preprocessor identifiers

2010-12-09 Thread Victor Duchovni
On Thu, Dec 09, 2010 at 01:07:14PM +0200, Yannay Alon-BAY004 wrote: > Hi > > Is there a file/location that lists all openssl #ifdef preprocessor > identifiers (e.g. OPENSSL_NO_SSL2, OPENSSL_NO_IDEA, OPENSSL_NO_MD5) with > possibly an explanation of each? Options that enable/disable features at

Re: Wrong cipher selected in handshake?

2010-12-06 Thread Victor Duchovni
On Mon, Dec 06, 2010 at 11:36:01AM -0600, Mike Brennan wrote: > It seems that Openssl doesn't always obey the server's priority s/doesn't always obey/never by default obeys/ > ordered list of ciphers (set with SSL_set_cipher_list()), even when > that list is syntactically correct

Re: nist_cp_bn issue

2010-12-03 Thread Victor Duchovni
On Fri, Dec 03, 2010 at 01:43:17PM -0500, Victor Duchovni wrote: > I don't understand the code in BN_nist_mod_192(), which calls > nist_cp_bn(), it has rather obscure pointer manipulation: > > /* > * we need 'if (carry==0 || result>=modulus) resul

Re: nist_cp_bn issue

2010-12-03 Thread Victor Duchovni
On Fri, Dec 03, 2010 at 12:06:22PM -0800, Marcus Carey wrote: > openssl ecdhtest What is "openssl ecdhtest"? > Must use the -no_ecdhe flag. > openssl.exe s_server -no_ecdhe With what cert/key? Any other options? What client invocation? ... >> openssl.exe!nist_cp_bn(unsigned int * buf=0x00acea8

nist_cp_bn issue

2010-12-03 Thread Victor Duchovni
On Fri, Dec 03, 2010 at 09:10:41AM -0800, Marcus Carey wrote: > I am still have issues with the default ECDH parameters in 1.0.0c. kEECDH handshakes appear to work. > The key generation with NIST Prime-Curve P-192 crashes. How do you reproduce this? > static void nist_cp_bn(BN_ULONG *buf, BN

Re: OpenSSL 1.0.0c released

2010-12-03 Thread Victor Duchovni
On Fri, Dec 03, 2010 at 09:50:49AM -0500, Erik Tkal wrote: > That's a pretty bold statement and doesn't always apply in a product > environment. I have a production environment. The non-security issues in the unpatched 1.0.0b release create substantial interoperability issues with servers and cli

Re: OpenSSL 1.0.0c released

2010-12-02 Thread Victor Duchovni
On Thu, Dec 02, 2010 at 03:03:02PM -0500, Erik Tkal wrote: > Can someone point to details on CVE-2010-4180 and CVE-2010-4252? > CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any > references to the other two. 1.0.0c contains important non-security bug fixes for 1.0.0b, so yo

Re: Handshake split across multiple TCP connections

2010-11-29 Thread Victor Duchovni
On Mon, Nov 29, 2010 at 02:34:29AM -0800, A. N. Alias wrote: > As an example, IE may connect and send a ClientHello. The server responds > with > a ServerHello on the same socket. IE then replies with > ClientExchange/ChangeCipherSpec/Finished, but not necessarily on the same > socket. Thi

Documentation (was: contribution)

2010-11-26 Thread Victor Duchovni
On Fri, Nov 26, 2010 at 11:20:36AM +0100, Mounir IDRASSI wrote: > Contribution are usually done by sending a patch to r...@openssl.org. The > subject of the email must start with "[PATCH]". > The patch should be against the latest stable sources or CVS head of the > branch/branches you are targe

TLSv1 extension interoperability issues?

2010-11-25 Thread Victor Duchovni
I am finding some TLS enabled SMTP servers that don't appear to like the TLSv1 session ticket extension. With session tickets enabled: $ openssl s_client -starttls smtp -msg -tlsextdebug -connect 192.0.2.1:25 CONNECTED(0003) >>> TLS 1.0 Handshake [length 00cb], ClientHello

Re: kEECDH handshake failure with invalid ecpointformatlist?

2010-11-25 Thread Victor Duchovni
On Thu, Nov 25, 2010 at 01:37:10PM +0100, Dr. Stephen Henson wrote: > Thanks, I'd missed that one. I've simulated the issue here and committed a > slightly different patch which works for me: > > http://cvs.openssl.org/chngview?cn=20089 > > Let me know of any problem. I wrote and tested a patc

Re: kEECDH handshake failure with invalid ecpointformatlist?

2010-11-25 Thread Victor Duchovni
On Thu, Nov 25, 2010 at 12:02:26AM +0100, Mounir IDRASSI wrote: > This is a known issue for which I have sent a patch (under ticket #2240) on > April 25th 2010. OpenSSL wrongly returns an error if the ServerHello is > missing the Supported Point Format extension whereas it should interpret it >

kEECDH handshake failure with invalid ecpointformatlist?

2010-11-24 Thread Victor Duchovni
I see intermittent failures to complete an SMTP STARTTLS handshake with some servers. This happens when on entry into ssl_check_serverhello_tlsext() the server proposes a kEECDH cipher, say: (gdb) p *(s->s3->tmp.new_cipher) $7 = {valid = 1, name = 0x2a95a0ceea "ECDHE-RSA-DES-CBC3-SHA", id = 50

Re: Question about the TLS extension vulnerability

2010-11-22 Thread Victor Duchovni
On Mon, Nov 22, 2010 at 12:30:10PM +0200, r rubin wrote: > Thank you Victor for the detailed answer. I still don't understand: Does the > vulnerability affect TLS *clients*? > > > In the vulnerability detail, it is mentioned that: > > - Any OpenSSL based TLS *server* is

Re: Question about the TLS extension vulnerability

2010-11-21 Thread Victor Duchovni
On Sun, Nov 21, 2010 at 04:40:09PM +0200, r rubin wrote: > Hello, > > In the vulnerability detail, it is mentioned that: > "Any OpenSSL based TLS *server* is vulnerable". > Does this mean that OpenSSL-based TLS *client* applications aren't > vulnerable at all? > > Sorry if this is an obvious qu

Re: OpenSSL 1.0.0b testssl fails

2010-11-18 Thread Victor Duchovni
On Thu, Nov 18, 2010 at 11:12:11AM -0600, William A. Rowe Jr. wrote: > On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote: > > > > A 1.0.0c release is planned in the next few days. We're just seeing if any > > other issues arise before the release: a couple have been fixed already. > > Have any ob

Re: OpenSSL 1.0.0b testssl fails

2010-11-16 Thread Victor Duchovni
On Tue, Nov 16, 2010 at 11:36:50PM +0100, Mounir IDRASSI wrote: > Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under > Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error. > > I don't see anything OS specific in the changes introduced in t1_lib.c or > s3_srvr.c. Could

Re: OpenSSL 1.0.0b testssl fails

2010-11-16 Thread Victor Duchovni
On Tue, Nov 16, 2010 at 03:48:13PM -0500, Victor Duchovni wrote: > > Anyone know why I am seeing the below errors: > > ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem > -no_dhe -num 10 -f -time > Available compression methods: > NONE >

OpenSSL 1.0.0b testssl fails

2010-11-16 Thread Victor Duchovni
Anyone know why I am seeing the below errors: ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time Available compression methods: NONE DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA ERROR in SERVER 182902820544:e

Re: Terminate chain at intermediate certificate.

2010-11-11 Thread Victor Duchovni
On Wed, Nov 10, 2010 at 11:02:05PM +, Dimitrios Siganos wrote: > > You can turn the can't find local issuer error for B, into an > > OK in the verification callback by specifically whitelisting > > the the fingerprint of B, or finding B in a suitable store. > > So the solution is: > 1) Mainta

Re: Terminate chain at intermediate certificate.

2010-11-10 Thread Victor Duchovni
On Wed, Nov 10, 2010 at 10:10:48PM +, Dimitrios Siganos wrote: > Hi, > > Is there a way to instruct openssl to treat an intermediate CA as a > trusted CA, which need not have its issuer checked i.e. it will be the > last certificate of the certificate chain. > > It seems that openssl insists

Re: EC domain params instead of the OID in the pkcs8 key file?

2010-11-09 Thread Victor Duchovni
On Tue, Nov 09, 2010 at 09:34:42PM +0100, Stef Hoeben wrote: > Hi, > > using the openssl tool, we generated an Elliptic Curve key pair > and put it into a pkcs8 file: > >0 48: SEQUENCE { >32: INTEGER 0 >6 48: SEQUENCE { >86: OBJECT IDENTIFIER ecPublicKey (1 2

Re: Upgrading the key size in OpenSSL certificate

2010-11-09 Thread Victor Duchovni
On Tue, Nov 09, 2010 at 01:31:40PM -0500, josh kirbey wrote: > Thanks Viktor for your quick response. Even I am contesting the unnecessary > usage of 3072 bit sized key. > > Surprisingly, in the given scenario, if I write this line of code before > modifying the certificate it works like a charm.

Re: Upgrading the key size in OpenSSL certificate

2010-11-09 Thread Victor Duchovni
On Tue, Nov 09, 2010 at 11:42:14AM -0500, josh kirbey wrote: > Hi All, > > We are required to upgrade the sizes of private/public key pairs to 3072 > bits from 1024 bits. Welcome to bureaucratic insanity. There is no rational basis for this requirement. Even 2048 bits is excessively conservative

Re: openssl verify fails

2010-11-09 Thread Victor Duchovni
On Tue, Nov 09, 2010 at 01:45:15PM +, Bruce Stephens wrote: > Michael Ströder writes: > > > Bruce Stephens wrote: > > [...] > > >> Ah, my fault. Obvious in retrospect: Debian's openssl finds the root > >> cert because it's in the ca-certificates package! > > > > Did you use -CAfile as in

Re: How does "privatekey" ever get defined?

2010-11-01 Thread Victor Duchovni
On Mon, Nov 01, 2010 at 01:06:50PM -0500, Eichenberger, John wrote: > I have been looking at OpenSSL version 1.0.0a source code in order to > determine how to use it in an application where EAP TLS is used. It > seems like this application would be working correctly if only the > "privatekey" fie

Re: Error: Start SSL negotiation command failed

2010-10-14 Thread Victor Duchovni
On Thu, Oct 14, 2010 at 06:48:58AM -0400, L. Michael Asher wrote: > Sorry, I meant to say that appears to be an error generated by the parent > library whenever the SMTP server says it doesn't accept TLS (or won't on that > specific port at least). It may be that the OpenSSL libs are not even b

Re: 64bit BIOs and support in OpenSSL

2010-10-04 Thread Victor Duchovni
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote: > Does BIO support 64 bit IO (large files)? If so would the rest of > OpenSSL (such as the ssl itself) support those BIOs? > I configured the build with 64bit support and didn't see any noticeable > changes. > Specifically, I'd like to

Re: CA cert from .p12 file

2010-09-20 Thread Victor Duchovni
On Mon, Sep 20, 2010 at 02:42:08PM +0400, Sergey Sedov wrote: > Hi, > > My ISP provides to me .p12 file containing certs for using TLS for wifi > connection. > I can install it under Windows and use it. > But when I try to install it under Linux I have some troubles. > NetworkManager wants 3 cert

Re: Request for comment on Anonymous, Encrypted SSL approach

2010-09-17 Thread Victor Duchovni
On Fri, Sep 17, 2010 at 10:40:45AM -0400, Tom Cocagne wrote: > I've been searching for a way to set up an encrypted SSL connection > that doesn't require the use of certificates. Ideally, I'd like to use > SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly > available, I'd like to

Re: alpine/cacert problem

2010-09-14 Thread Victor Duchovni
On Tue, Sep 14, 2010 at 11:27:09AM -0400, Allan E. Johannesen wrote: > I noticed that our CA store (/usr/local/ssl/cacert.pem) was pretty old, with > some expired certificates in it, etc. > > I exported the certificate list out of a Windows firefox and put that in place > and I thought things wer

Re: Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".

2010-09-02 Thread Victor Duchovni
On Thu, Sep 02, 2010 at 11:02:21PM +0200, Dr. Stephen Henson wrote: > On Thu, Sep 02, 2010, Victor Duchovni wrote: > > > > > It is my impression that enabling tls extensions breaks binary > > compatibility, so I cannot replace a "no-tlsext" shared library wi

Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".

2010-09-02 Thread Victor Duchovni
The 0.9.8[no] SSLv3 client code sends the SCSV cipher even when built with "no-tlsext" and is then unable to process the server response if the server returns tls extensions. It is my impression that enabling tls extensions breaks binary compatibility, so I cannot replace a "no-tlsext" shared lib

Openssl changes 19759-19762 (AES_wrap_key)

2010-07-12 Thread Victor Duchovni
In changes: http://cvs.openssl.org/chngview?cn=19759 http://cvs.openssl.org/chngview?cn=19760 http://cvs.openssl.org/chngview?cn=19761 http://cvs.openssl.org/chngview?cn=19762 a bug is fixed in AES_wrap_key(), but the same bug remains unchanged in AES_unwrap_key. What is the imp

Re: encrypting long strings

2010-07-12 Thread Victor Duchovni
On Mon, Jul 12, 2010 at 04:16:13PM +0200, Jakob Bohm wrote: > On 10-07-2010 20:13, Jeffrey Walton wrote: >>> The general approach is to encrypt data using a symmetric cipher (e.g., >>> AES-256) with a randomly-generated key, and then encrypt that symmetric >>> key >>> with the RSA (public) key. >

Re: Ciphers EXP1024-RC4-SHA etc supported in 0.9.8m?

2010-07-09 Thread Victor Duchovni
On Fri, Jul 09, 2010 at 12:26:46PM -0500, Michael S. Zick wrote: > On Fri July 9 2010, Suryya Kumar Jana wrote: > > Hello, > Would any one please let me know whether the following ciphers are supported > > in 0.9.8m? > > > > 1. EXP1024-DHE-DSS-DES-CBC-SHA > > 2. EXP1024-RC4-SHA > > 3. DHE-DSS-RC
