On Mon, Aug 01, 2011 at 02:51:19PM +, Spurr, Matthew E wrote:
> Hello I am just looking for a simple question to be answered, and
> cannot find a place to really have a discussion about it. Part of the
> ECE GF(2^m) algorithms have a patent on them. I am wondering if it is
> ok to use these
On Thu, Jul 28, 2011 at 09:14:34AM -0700, navin gopalakrishnan wrote:
> 1) When i use my own applications (client & server) which uses
> the openssl library a separate client program and a separate server
> program, both configured to use only eNULL as above. (i.e. with only
> NULL_SHA & NULL_MD5)
On Wed, Jul 27, 2011 at 02:53:09AM -0700, navin gopalakrishnan wrote:
> a) testing NULL Encryption:
>
> While building openssl i modified the macro SSL_DEFAULT_CIPHER_LIST to
> #define SSL_DEFAULT_CIPHER_LIST "eNULL"
That was unwise, don't do that.
> My understanding is the above modification?
On Fri, Jul 22, 2011 at 02:03:27PM -0700, Alex Lindberg wrote:
> I have a certificate file CAcert.pem containing two or more certificates
> between BEGIN/END blocks.
>
> the openssl command only seems to read the first certificate.
>
> How can I extract information from all certs in a single fi
On Fri, Jul 15, 2011 at 01:17:36PM +0800, Kumar, Nilesh wrote:
> I have few queries regarding OpenSSl 0.9.8 :
>
> 1. Does it have 64-bit support? If not, which version(s) support
> 64-bit arch?
Yes, on many 64-bit CPU architectures.
>
> 2. RHEL version(s) supported
None. The softw
On Wed, Jul 06, 2011 at 04:26:18PM +0300, islam wrote:
> Hi i have some problems using openssl library. I got this error :
>
> 14742:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:293:
You should give up and ask someone on your team who is more experienced
to impleme
On Tue, Jun 21, 2011 at 05:43:57AM -0500, Michael S. Zick wrote:
> > I've encountered a strange issue. It might not be related to OpenSSL itself,
> > but maybe it is.
> >
> > When sending a Client Hello message that's larger than 270 bytes (not sure
> > what the exact limit is, 255 maybe?), lots
On Tue, Jun 07, 2011 at 10:42:54AM -0500, Erwin Himawan wrote:
> Thanks for your help. Once I fix my compilation environment, everything
> works ok.
Glad it works for you.
> > > When the code crashes, here are the print outs:
> > >
> > > OPENSSL_VERSION_NUMBER: 9470255
> >
> > Converted to
On Tue, Jun 07, 2011 at 10:05:19AM -0500, Erwin Himawan wrote:
> Hi Victor,
>
> If I understand these printout correctly, my compilation environment is
> mixed. However, can you confirm?
>
> When the code crashes, here are the print outs:
>
> OPENSSL_VERSION_NUMBER: 9470255
Converted to h
On Mon, Jun 06, 2011 at 06:22:53PM -0500, Erwin Himawan wrote:
> I am using Netbean 7.0 for my IDE.
> I am using cygwin: CYGWIN_NT-5.1 1.7.9(0.237/5/3) 2011-03-29 10:10 i686
>
> My host platform is WindowXP 32 bit.
> I am building the openssl ver 1.0.0d using the cygwin.
> The path to the OpenSSL
On Mon, Jun 06, 2011 at 03:18:12PM -0500, Erwin Himawan wrote:
> I am trying out the example in this
> http://www.openssl.org/docs/crypto/EVP_DigestInit.html.
>
> When I build this example using ver 1.0.0d, the example crashes at E
> VP_DigestFinal_ex. When I build this example using previous ver
On Wed, Jun 01, 2011 at 10:56:47AM -0700, Eric S. Eberhard wrote:
> The way I do things like this is to slightly modify OpenSSL (and keep track
> of the mods!)
Completely unnecessary, OpenSSL supports custom I/O layers via BIO pairs.
--
Viktor.
_
On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote:
> I'd like to know the feasibility or complexity around using my own
> socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
> BIOs to read and write would that be sufficient? How tightly integrated
> the code is with
On Tue, May 17, 2011 at 02:22:46AM -0700, G S wrote:
> 1. Generate a random key and initialization vector to encrypt the block of
> text.
> 2. Encrypt that random key with the RSA public key.
> 3. Encrypt the data payload with the random key and IV, using Blowfish or
> other encryption.
> 4. Send
On Mon, May 16, 2011 at 11:56:41AM +0100, Mike Bell wrote:
> Thanks Viktor,
>
> I hadn't properly understood the relationship between the certificate
> and the cipher, so I'll look at that now. I think I'm also confusing
> the OpenVPN?& OpenSSL relationship.
>
> OpenVPN does appear to be using TL
On Sat, May 14, 2011 at 12:55:44PM +0400, A.B.COKO/\OB wrote:
> > For example:
> > subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
> > will produce an error but the equivalent form:
> > subjectAltName=@subject_alt_section
> > [subject_alt_section]
> > subjectAltName=URI:ldap://somehost.co
On Fri, May 13, 2011 at 06:36:34PM +0100, Mike Bell wrote:
> I had originally put
> cipher AES-128-CBC
> in SERVER.OVPN & CLIENT.OVPN, not OPENSSL.CNF files (it's been a long week!)
I am not familiar with your VPN product, so you'll have to figure out
what configuration options are applicable. I
On Fri, May 13, 2011 at 05:41:52PM +0100, Mike Bell wrote:
> However I keep getting a "no shared cipher" error.
>
> In my client & server openssl.cnf files I've specified
> cipher AES-128-CBC
This is not an EC cipher, and if you configure an EC cert, but specify
a cipher that is one of the ones
On Wed, May 11, 2011 at 08:39:49AM -0700, Eric S. Eberhard wrote:
> I have found that fork() on modern machines as a negligible affect on
> performance and in fact I almost always use inetd instead of writing my own
> servers, mainly because it is dead reliable, easier to code, and again
> seem
On Thu, May 05, 2011 at 02:29:07PM -0400, Alona Rossen wrote:
> Please list all encryption algorithms supported by OpenSSL 0.9.8e,
> 0.9.8m and 1.0.0d.
To list all ciphers
$ openssl ciphers -v ALL:eNULL:@STRENGTH
just use the appropriate openssl(1) binary to find which ciphers are
supporte
On Thu, Apr 07, 2011 at 04:50:19PM +, Lou Picciano wrote:
> Friends, I must admit we've never had to do it before - Can we query
> the expiration date directly from a certificate, perhaps by using the
> ASN structure code? (Is there a map of the currently-vailable structure
> codes, as used by
On Tue, Mar 29, 2011 at 10:15:04AM +0200, Aarno Syv?nen wrote:
> HI,
>
> what would error OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start
> line mean ?
A PEM file was expected, but the input was not a PEM file, specifically,
it had no "-BEGIN ...-" line.
--
Viktor.
On Tue, Mar 22, 2011 at 08:47:55PM -0700, Claus Assmann wrote:
> On Tue, Mar 22, 2011, Victor Duchovni wrote:
>
> > > client() has some code like this:
> > > SSL_CTX_set_ex_data(a_ctx->a_ssl_ctx, myidx, a_ctx->cb_arg);
> >
> > No, don't do
On Mon, Mar 21, 2011 at 08:49:09PM -0700, Claus Assmann wrote:
> On Mon, Mar 21, 2011, Victor Duchovni wrote:
>
> > Can you explain a bit more clearly why you can't initialize an
> > integer index or two when the application starts?
>
> I can, but that's n
On Sun, Mar 20, 2011 at 07:13:18PM -0700, Claus Assmann wrote:
> On Sun, Mar 20, 2011, Victor Duchovni wrote:
>
> > once, ... so there needs to be some once-only code in your application,
>
> That's trivial to do and already working fine.
>
> > and setting a
On Sun, Mar 20, 2011 at 10:42:28AM -0700, Claus Assmann wrote:
> It seems the official way to use an application
> context is via:
>
> int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
>CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
> int SSL_set_ex_data(SSL *
On Thu, Feb 24, 2011 at 08:15:47AM +0100, Mounir IDRASSI wrote:
> Your analysis is not true because the original poster says he has dmp1,
> dmq1 and iqmp, not only p and q.
Yes, naturally if the OP has "d" (or equivalently d mod (p-1) and (q-1),
which are presumed co-prime), he can recover "e" i
On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote:
> Just to be clear, below is not the actual code, but what I would *like*
> to be able to do (or something close).
What you are asking to do is not possible, not because of API limitations,
but as a matter of principle (m
On Fri, Feb 18, 2011 at 01:22:44AM -0800, kalpesh07 wrote:
>
> hi,
> I am trying to create digital signature for pdf document by openssl commands
> from php file.
>
> I write these two commands first in php file
> exec("openssl req -x509 -nodes -days 365 -subj
> '/C=In/ST=Mumbai/L=Maharashtra/CN
On Mon, Feb 14, 2011 at 04:36:07PM +, Martin Nicholes wrote:
> I am also interested in the ability to allow non-root certs, but my
> company is not planning on distributing OpenSSL.
Callbacks are implemented in the application, not in the OpenSSL library.
> Therefore a custom verification ca
On Fri, Feb 11, 2011 at 05:04:11PM -0500, Jean-Michael Cyr wrote:
> I have some difficulties to make openssl work to crypt my email.
Email encrypt is generally done via S/MIME. OpenSSL provides an
smime(1) command.
http://www.openssl.org/docs/apps/smime.html
--
Viktor.
On Thu, Feb 10, 2011 at 05:03:05PM +0100, Mounir IDRASSI wrote:
> I think you misunderstood Matthias's question? He is not asking about how
> to make his own CA accepted (from his post, it appears he already knows how
> to do that), but he is rather asking how to make an end entity server
> cer
On Tue, Jan 11, 2011 at 11:51:47PM +0100, Ron Arts wrote:
> I just renewed my Thawte webserver certificate. This certicifate seems to
> work fine with various browsers I tried, but it curl, wget on CentOS 5.5
> are not able to verify it:
Browsers often have a fairly large set of trusted roots an
On Tue, Jan 04, 2011 at 04:34:05PM +0100, Richard Koenning wrote:
> A further (very
> quick) survey shows that Thawte too supports additional subjectAltNames,
> but here it comes with a price (http://www.thawte.com/ssl/index.html).
> A more intensive survey will probably show up further CAs supp
On Mon, Dec 20, 2010 at 07:21:54PM -0500, Bhola Ray wrote:
> I have noticed the above flag in our openssl code in several c and h files.
>
> If I use
>
> #define OPENSSL_NO_COMP 1
>
> in the right include file, and build the libcrypto.a and libssl.a
> then in that build
>
Do not do
On Mon, Dec 20, 2010 at 10:49:57AM -0800, travis+ml-open...@subspacefield.org
wrote:
> libnss, at least on Linux, checks that the signing cert (chain) is valid
> at the time of signature - as opposed to present time. (It may check
> present time as well - not sure on that)
>
> This makes for pr
On Fri, Dec 17, 2010 at 01:24:40PM -0500, Jeff Saremi wrote:
> d1-srvr.c:
> int dtls1_accept(SSL *s)
>
> I cannot be 100% sure what changes on the client or on the server in
> between. But the low-level client socket and ssl connections are exactly
> the same in both scenarios. Also both use Open
On Fri, Dec 17, 2010 at 03:11:54PM +0530, Kingston Smiler wrote:
> Is there any way to identify whether the other end supports TLS or not.
Only if the application protocol supports a way to negotiate TLS (e.g.
SMTP, IMAP, telnet, ... with STARTTLS), or the service in question is
layered over TLS
On Wed, Dec 15, 2010 at 11:14:59AM -0500, Jeff Saremi wrote:
> So under situations that are not entirely clear, a call to
> SSL_get_peer_certificate() returns null after a successful SSL accept is
> done on the server.
>
> My question is if there are conditions under which one cannot rely on
> th
On Tue, Dec 14, 2010 at 09:52:58AM -0500, Kenneth Goldman wrote:
> Question:
>
> OPENSSL_VERSION_TEXT is undocumented. Can I count on it being there and
> up to date, or is it for internal use only?
>
> Request:
>
> OPENSSL_VERSION_NUMBER varies between a long and an int constant, Could
> i
On Tue, Dec 14, 2010 at 09:55:26PM -0800, Kannan J wrote:
>
>
> From my relentless search on the internet I hit upon this webpage
> http://www.mobilefish.com/services/rsa_key_generation/rsa_key_generation.php
> which accepts prime values and generates the rest of the exponents and
> coefficien
On Tue, Dec 14, 2010 at 09:46:11PM -0800, Kannan J wrote:
> I'm copying and pasting the text from the smart card guide. It is too
big to attach.
Please use plain-text (non-HTML) email when sending mail to lists.
> The following convention applies for the P, Q, DP1, DQ1, and PQ parameters:
> P is
On Tue, Dec 14, 2010 at 07:30:33PM -0800, Kannan J wrote:
> I have a private key that I need to load onto the smart card.
> The PIV User Guide says PQ = P-1 mod Q
Instead of re-interpreting it is best to provide a direct reference,
or at least an unedited quote of the specificied requirements wi
On Tue, Dec 14, 2010 at 05:05:06PM -0800, John R Pierce wrote:
> but didn't openssl get its
> start with that same openbsd crypto code?
No. From the information-free OpenBSD mailing list message:
It is alleged that some ex-developers (and the company they worked
for) accepted US governm
On Tue, Dec 14, 2010 at 04:14:01PM -0800, Mike Mohr wrote:
> How do you mean, an additional 0 byte is prepended? I generated
> several DH parameters and exported them to C code ( -C ), some of
> which has the MSB set. It looks like BN_bin2bn is used directly on
> the raw bytes of the prime witho
On Tue, Dec 14, 2010 at 06:20:54PM +1100, Corin Lawson wrote:
> Hi All,
>
> Is it possible to establish an SSL connection with no compression? How?
OpenSSL 1.0.0 provides a new option that can be set via
SSL_CTX_set_options() or SSL_set_options().
SSL_OP_NO_COMPRESSION
> While I'm at it, i
On Thu, Dec 09, 2010 at 01:07:14PM +0200, Yannay Alon-BAY004 wrote:
> Hi
>
> Is there a file/location that lists all openssl #ifdef preprocessor
> identifiers (e.g. OPENSSL_NO_SSL2, OPENSSL_NO_IDEA, OPENSSL_NO_MD5) with
> possibly an explanation of each?
Options that enable/disable features at
On Mon, Dec 06, 2010 at 11:36:01AM -0600, Mike Brennan wrote:
> It seems that Openssl doesn't always obey the server's priority
s/doesn't always obey/never by default obeys/
> ordered list of ciphers (set with SSL_set_cipher_list()), even when
> that list is syntactically correct
On Fri, Dec 03, 2010 at 01:43:17PM -0500, Victor Duchovni wrote:
> I don't understand the code in BN_nist_mod_192(), which calls
> nist_cp_bn(), it has rather obscure pointer manipulation:
>
> /*
> * we need 'if (carry==0 || result>=modulus) resul
On Fri, Dec 03, 2010 at 12:06:22PM -0800, Marcus Carey wrote:
> openssl ecdhtest
What is "openssl ecdhtest"?
> Must use the -no_ecdhe flag.
> openssl.exe s_server -no_ecdhe
With what cert/key? Any other options? What client invocation? ...
>> openssl.exe!nist_cp_bn(unsigned int * buf=0x00acea8
On Fri, Dec 03, 2010 at 09:10:41AM -0800, Marcus Carey wrote:
> I am still have issues with the default ECDH parameters in 1.0.0c.
kEECDH handshakes appear to work.
> The key generation with NIST Prime-Curve P-192 crashes.
How do you reproduce this?
> static void nist_cp_bn(BN_ULONG *buf, BN
On Fri, Dec 03, 2010 at 09:50:49AM -0500, Erik Tkal wrote:
> That's a pretty bold statement and doesn't always apply in a product
> environment.
I have a production environment. The non-security issues in the unpatched
1.0.0b release create substantial interoperability issues with servers
and cli
On Thu, Dec 02, 2010 at 03:03:02PM -0500, Erik Tkal wrote:
> Can someone point to details on CVE-2010-4180 and CVE-2010-4252?
> CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any
> references to the other two.
1.0.0c contains important non-security bug fixes for 1.0.0b, so yo
On Mon, Nov 29, 2010 at 02:34:29AM -0800, A. N. Alias wrote:
> As an example, IE may connect and send a ClientHello.? The server responds
> with
> a ServerHello on the same socket.? IE then replies with
> ClientExchange/ChangeCipherSpec/Finished, but not necessarily on the same
> socket.?
Thi
On Fri, Nov 26, 2010 at 11:20:36AM +0100, Mounir IDRASSI wrote:
> Contribution are usually done by sending a patch to r...@openssl.org. The
> subject of the email must start with "[PATCH]".
> The patch should be against the latest stable sources or CVS head of the
> branch/branches you are targe
I am finding some TLS enabled SMTP servers that don't appear to like
the TLSv1 sesion ticket extension.
With session tickets enabled:
$ openssl s_client -starttls smtp -msg -tlsextdebug -connect 192.0.2.1:25
CONNECTED(0003)
>>> TLS 1.0 Handshake [length 00cb], ClientHello
On Thu, Nov 25, 2010 at 01:37:10PM +0100, Dr. Stephen Henson wrote:
> Thanks, I'd missed that one. I've simulated the issue here and committed a
> slightly different patch which works for me:
>
> http://cvs.openssl.org/chngview?cn=20089
>
> Let me know of any problem.
I wroted and tested a patc
On Thu, Nov 25, 2010 at 12:02:26AM +0100, Mounir IDRASSI wrote:
> This is a known issue for which I have sent a patch (under ticket #2240) on
> April 25th 2010. OpenSSL wrongly returns an error if the ServerHello is
> missing the Supported Point Format extension whereas it should interpret it
>
I see intermitten failures to complete an SMTP STARTTLS handshake
with some servers. This happens when on entry into
ssl_check_serverhello_tlsext() the server proposes a kEECDH
cipher, say:
(gdb) p *(s->s3->tmp.new_cipher)
$7 = {valid = 1, name = 0x2a95a0ceea "ECDHE-RSA-DES-CBC3-SHA", id = 50
On Mon, Nov 22, 2010 at 12:30:10PM +0200, r rubin wrote:
> Thank you Victor for the detailed answer. I still don't understand: Does the
> vulnerability affect TLS *cliens*?
>
> > In the vulnerability detail, it is mentioned that:
> > - Any OpenSSL based TLS *server* is vulnerable".
> > Does this
On Sun, Nov 21, 2010 at 04:40:09PM +0200, r rubin wrote:
> Hello,
>
> In the vulnerability detail, it is mentioned that:
> ?Any OpenSSL based TLS *server* is vulnerable".
> Does this mean that OpenSSL-based TLS *client* applications aren't
> vulnerable at all?
>
> Sorry if this is an obvious qu
On Thu, Nov 18, 2010 at 11:12:11AM -0600, William A. Rowe Jr. wrote:
> On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
> >
> > A 1.0.0c release is planned in the next few days. We're just seeing if any
> > other issues arise before the release: a couple have been fixed already.
>
> Have any ob
On Tue, Nov 16, 2010 at 11:36:50PM +0100, Mounir IDRASSI wrote:
> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
>
> I don't see anything OS specific in the changes introduced in t1_lib.c or
> s3_srvr.c. Could
On Tue, Nov 16, 2010 at 03:48:13PM -0500, Victor Duchovni wrote:
>
> Anyone know why I am seeing the below errors:
>
> ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem
> -no_dhe -num 10 -f -time
> Available compression methods:
> NONE
>
Anyone know why I am seeing the below errors:
../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem
-no_dhe -num 10 -f -time
Available compression methods:
NONE
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
ERROR in SERVER
182902820544:e
On Wed, Nov 10, 2010 at 11:02:05PM +, Dimitrios Siganos wrote:
> > You can turn the can't find local issuer error for B, into an
> > OK in the verification callback by specifically whitelisting
> > the the fingerprint of B, or finding B in a suitable store.
>
> So the solution is:
> 1) Mainta
On Wed, Nov 10, 2010 at 10:10:48PM +, Dimitrios Siganos wrote:
> Hi,
>
> Is there a way to instruct openssl to treat an intermediate CA as a
> trusted CA, which need not have its issuer checked i.e. it will be the
> last certificate of the certificate chain.
>
> It seems that openssl insists
On Tue, Nov 09, 2010 at 09:34:42PM +0100, Stef Hoeben wrote:
> Hi,
>
> using the openssl tool, we generated an Elliptic Curve key pair
> and put it into a pkcs8 file:
>
>0 48: SEQUENCE {
>32: INTEGER 0
>6 48: SEQUENCE {
>86: OBJECT IDENTIFIER ecPublicKey (1 2
On Tue, Nov 09, 2010 at 01:31:40PM -0500, josh kirbey wrote:
> Thanks Viktor for your quick response. Even I am contesting the unnecessary
> usage of 3072 bit sized key.
>
> Surprisingly, in the given scenario, if I write this line of code before
> modifying the certificate it works like a charm.
On Tue, Nov 09, 2010 at 11:42:14AM -0500, josh kirbey wrote:
> Hi All,
>
> We are required to upgrade the sizes of private/public key pairs to 3072
> bits from 1024 bits.
Welcome to bureaucratic insanity. There is no rational basis for
this requirement. Even 2048 bits is excessively conservative
On Tue, Nov 09, 2010 at 01:45:15PM +, Bruce Stephens wrote:
> Michael Str??der writes:
>
> > Bruce Stephens wrote:
>
> [...]
>
> >> Ah, my fault. Obvious in retrospect: Debian's openssl finds the root
> >> cert because it's in the ca-certificates package!
> >
> > Did you use -CAfile as in
On Mon, Nov 01, 2010 at 01:06:50PM -0500, Eichenberger, John wrote:
> I have been looking at OpenSSL version 1.0.0a source code in order to
> determine how to use it in an application where EAP TLS is used. It
> seems like this application would be working correctly if only the
> "privatekey" fie
On Thu, Oct 14, 2010 at 06:48:58AM -0400, L. Michael Asher wrote:
> Sorry, I meant to say that appears to be an error generated by the parent
> library whenever the SMTP server says it doesn't accept TLS (or won't on that
> specific port at least). It may be that the OpenSSL libs are not even b
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
> Does BIO support 64 bit IO (large files)? If so would the rest of
> OpenSSL (such as the ssl itself) support those BIOs?
> I configured the build with 64bit support and didn't see any noticeable
> changes.
> Specifically, I'd like to
On Mon, Sep 20, 2010 at 02:42:08PM +0400, Sergey Sedov wrote:
> Hi,
>
> My ISP provides to me .p12 file containing certs for using TLS for wifi
> connection.
> I can install it under Windows and use it.
> But when I try to install it under Linux I have some troubles.
> NetworkManager wants 3 cert
On Fri, Sep 17, 2010 at 10:40:45AM -0400, Tom Cocagne wrote:
> I've been searching for a way to set up an encrypted SSL connection
> that doesn't require the use of certificates. Ideally, I'd like to use
> SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly
> available, I'd like to
On Tue, Sep 14, 2010 at 11:27:09AM -0400, Allan E. Johannesen wrote:
> I noticed that our CA store (/usr/local/ssl/cacert.pem) was pretty old, with
> some expired certificates in it, etc.
>
> I exported the certificate list out of a Windows firefox and put that in place
> and I thought things wer
On Thu, Sep 02, 2010 at 11:02:21PM +0200, Dr. Stephen Henson wrote:
> On Thu, Sep 02, 2010, Victor Duchovni wrote:
>
> >
> > It is my impression that enabling tls extensions breaks binary
> > compatibility, so I cannot replace a "no-tlsext" shared library wi
The 0.9.8[no] SSLv3 client code sends the SCSV cipher even when built
with "no-tlsext" and is then unable to process the server response if
the server returns tls extensions.
It is my impression that enabling tls extensions breaks binary
compatibility, so I cannot replace a "no-tlsext" shared lib
In changes:
http://cvs.openssl.org/chngview?cn=19759
http://cvs.openssl.org/chngview?cn=19760
http://cvs.openssl.org/chngview?cn=19761
http://cvs.openssl.org/chngview?cn=19762
a bug is fixed in AES_wrap_key(), but the same bug remains unchanged
in AES_unwrap_key.
What is the imp
On Mon, Jul 12, 2010 at 04:16:13PM +0200, Jakob Bohm wrote:
> On 10-07-2010 20:13, Jeffrey Walton wrote:
>>> The general approach is to encrypt data using a symmetric cipher (e.g.,
>>> AES-256) with a randomly-generated key, and then encrypt that symmetric
>>> key
>>> with the RSA (public) key.
>
On Fri, Jul 09, 2010 at 12:26:46PM -0500, Michael S. Zick wrote:
> On Fri July 9 2010, Suryya Kumar Jana wrote:
> > Hello,
> Would any one please let me know whether the following ciphers are supported
> > in 0.9.8m?
> >
> > 1. EXP1024-DHE-DSS-DES-CBC-SHA
> > 2. EXP1024-RC4-SHA
> > 3. DHE-DSS-RC
On Mon, Jun 07, 2010 at 04:07:06PM -0400, Jason Fister wrote:
> Hello folks,
>
> I have a service to which people can send data. My service then stores the
> data and returns the SHA checksum for the data back to the client. I also
> store the checksum I computed and the offset at which it was co
On Mon, Jun 07, 2010 at 03:03:28PM +0100, David Woodhouse wrote:
> On Thu, 2010-06-03 at 21:35 -0400, Victor Duchovni wrote:
> > The problem is that only the application knows which names are those of
> > the peer it tried to reach.
>
> True, but the app could easily provid
On Fri, Jun 04, 2010 at 03:50:21PM -0400, jeff wrote:
> yes it's 0.9.8
> I'll do a test with 1.0 before Monday and i'll let everyone know
The fact that 0.9.8 does NOT support checking name constraints was
mentioned multiple times in this thread. It is not polite to waste
list members' time in thi
The declaration of "EXP-ADH-DES-CBC-SHA" in s3_lib.c (OpenSSL 0.9.6m,
0.9.7m, 0.9.7n, 1.0.0) seems to suggest that this cipher has a 128-bit key
/* Cipher 19 */
{
1,
SSL3_TXT_ADH_DES_40_CBC_SHA,
SSL3_CK_ADH_DES_40_CBC_SHA,
SSL_kEDH,
SSL_aNULL,
On Fri, Jun 04, 2010 at 01:04:42PM -0400, jeff wrote:
> I tried the following and it created more interesting results.
> It now fails on the good certificate -- the one that matches the
> nameConstraint.
> The error it returns is:
> error 34 at 1 depth lookup:unhandled critical extension
>
On Fri, Jun 04, 2010 at 01:19:52AM +0100, David Woodhouse wrote:
> On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote:
> > Generally, OpenSSL does not verify peer names, only the certificate
> > trust chain, and peername checks are left up to applications.
>
> Which
On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:
> Hodie III Non. Iun. MMX, Victor Duchovni scripsit:
> > On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> >
> > > > I would expect such constraints to only apply when
> > > > certifi
On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> > I would expect such constraints to only apply when
> > certificates are being *verified*. There seems to be
> > little point in preventing a CA from attempting to sign
> > violating certificates.
>
> Yes I later tried to "verify" and
On Thu, Jun 03, 2010 at 09:36:56AM -0400, jeff wrote:
> I have an example, detailed below, that specifies permitted and excluded
> subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate
> requests adhering to and violating the name constraints both, even
> though the nameConstrai
On Wed, May 26, 2010 at 07:20:12PM -0500, Dallas Clement wrote:
> One small piece of additional info: I'm trying to avoid the use of
> any certificates. Is that even possible with OpenSSL?
Yes. If both server and client support aNULL ciphers, and list these
above any other ciphers, or the serve
On Sat, May 01, 2010 at 06:11:05AM -0500, Michael S. Zick wrote:
> Those very large numbers are called _pseudo_ primes for a reason.
>
> Because there is no known __practical__ method for proving they
> are prime. If that could be proven, then "pseudo" would not be
> a qualifier in their descrip
On Fri, Apr 30, 2010 at 06:32:30PM +0200, Michael T?xen wrote:
> On Apr 30, 2010, at 9:29 AM, denot...@libero.it wrote:
>
> > Hi all.
> > I need to generate a BIGNUM C that is relatively prime with a BIGNUM N(
> > GCD
> > (N,C)=1 )
> > is there a pre-built function in openssl library ??
>
>
On Sun, Apr 25, 2010 at 06:58:06PM -0700, Thomas J. Hruska wrote:
> Running 'openssl s_client' on 0.9.8n without any additional arguments
> crashes openssl.exe.
On a Linux system it reports a connection refused (to localhost:4433)
...
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
setsockopt(3,
On Sun, Apr 18, 2010 at 07:09:09PM +0100, Luigi Auriemma wrote:
> I have noticed that a client ssl connection initialized with the
> classical SSLv23_method no longer works in OpenSSL 1.0.0.
Postfix TLS client SSL context is always created via:
SSL_CTX *client_ctx = SSL_CTX_new(SSLv23_client
On Fri, Apr 16, 2010 at 10:11:20AM +, Kaila, Ashish wrote:
> Hi,
>
> I just built Openssl 1.0.0 on a Win32 platform, after building when
> I try and run the binary openssl.exe I get a warning message "Cant
> open Config file: /usr/local/ssl/openssl.cnf" , I don't have a sample
> configuration
On Wed, Apr 07, 2010 at 06:58:05PM +0100, David Woodhouse wrote:
> As you can see, the results all got much faster once I got back in time
> to about mid-2007. Using 'git-bisect' I was able to find the offending
> commit which had caused the performance degradation:
> http://git.infradead.org/user
On Tue, Apr 06, 2010 at 09:17:01PM +0200, Dr. Stephen Henson wrote:
> > Has the guidance to developers who use OpenSSL for TLS/SSL rather than
> > as general-purpose cryptography toolkit changed wrt. library initialization?
>
> [...]
>
> I suppose it makes sense to add the SHA2 algorithms to SSL_
http://cvs.openssl.org/chngview?cn=19536
-SSL_library_init() only registers ciphers. Another important initialization
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
-be performed separately.
+SSL_library_init() mainly adds ciphers and digests used directly by S
1 - 100 of 729 matches
Mail list logo
