ll to RSA_public_encrypt fails if i use any
> of the other PADDING optionsi am assuming this is
> because my msg(to be encrypted) is as big as the key.
>
> What are the dangers/consequences of using
> RSA_NO_PADDING ?
>
>
> --- "Wade L. Scholine" <[EMAIL PRO
Title: RE: ciphertext should match length of key?
sharun santhosh asks:
> In openssl-0.9.6g/demos/maurice/example2.c
>
> why is a check performed after calling
> RSA_public_encrypt
>
>
> if (len != EVP_PKEY_size(pubKey))
> {
> fprintf(stderr,"Error: ciphertext should matc
Title: RE:
sharun santhosh asks:
> I want to use RSA_public_encrypt() to encrypt my
> certificate which means I need to populate an RSA
> structure.
> is there a function that populates the structure given
> a pem file with the key.
PEM_read_RSAPublicKey()
Title: RE: Strange rsa_lib application
Nils Larsch wrote:
>
{ snip }
>
> I guess you know that a 120 bit modulus is not really secure :-)
>
I knew that was coming.
120 bits is good enough for this application.
> The typical error message in case of PKCS#1 error (in your case) wo
Title: RE:
Compared to symmetric ciphers, asymmetric ciphers tend to be very slow. Typically asymmetric ciphers are used to encrypt a few tens of bytes of data, to protect a key for a symmetric cipher session, or to prove that user of the asymmetric cipher knows some secret.
RSA is a block c
Title: Strange rsa_lib application
I have an application where I want to encrypt a small (15 octets) plaintext to a ciphertext of the same size. I was trying to do this with a 120-bit modulus and calling RSA_private_encrypt() with RSA_NO_PADDING, but some values of the plaintext cause RSA_R_DA
My guess is that you have a bad client cert.
-Original Message-
From: Matt Wright [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 10, 2000 1:43 PM
To: [EMAIL PROTECTED]
Subject: Simple Working Client/Server?
As a complete novice to SSL, I was hoping someone could send me a
minimal wor
When I made myself a client cert to mess around with client auth, I was able
to get the issuer cert into NS4.7 by importing a pkcs12 that had my client
cert chained with the root cert.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 24, 2000
You need to be a little more specific. Is there some specific cipher you
require, or are you just trying to comply with export control regulations?
Probably the easiest approach, if the latter is true, is to do something
like this:
SSL_CTX *sslctx;
.
.
.
/* figure out your SSL_METHOD a
It's beginning to look like your problems have to do with basic C
programming competancy. You need to get up to speed on how to make your
compiler work before you can ask for help here.
-Original Message-
From: Albert Serra [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 20, 2000 1:28
Well, on the UNIX system I use, I can open 2 xterms. In one of them I run
the serv program. This makes the shell prompt go away as serv waits for a
client connection. In the other xterm I run the cli program. It connects to
the server and both sides print out some messages. On my system the result
cli.cpp and serv.cpp are minimal programs that establish an SSL session.
What this means is that they are the simplest possible programs that can do
that. (Actually that's a lie. The server could be slightly simpler.)
They don't do client authentication, just server authentication.
What sorts
openssl asn1parse -in req.pem
Make sure that the file starts with the CSR and not the key.
> -Original Message-
> From: mark schoneman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 16, 2000 3:38 PM
> To: [EMAIL PROTECTED]
> Subject: RE: embarrassing question
>
>
>
> I think this wil
Sorry, you restarted the debate.
What do you hope to accomplish by reading the password from a file?
Either host access control is good enough, or it's not.
If host access control (e.g. file permissions) is good enough, you can leave
the key unencrypted.
If host access control is not good enou
openssl req
Look at CA.sh, in the -newreq) branch of the case.
> -Original Message-
> From: Marcio Cesar Pompermayer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 02, 2000 7:54 AM
> To: [EMAIL PROTECTED]
> Subject: User´s Keypair
>
>
> Hi, I'm statrting with OpenSSL and SSL in genera
You haven't trusted the server cert. Use the -CAfile option on s_client. The
argument for the -CAfile option is the path to a file containing the
PEM-format *issuer* cert for the *signer* of the server cert.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent:
This is a FAQ. See http://www.openssl.org.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 1:06 PM
> To: [EMAIL PROTECTED]
> Subject: update: SSL_accept error error:0B07C065 - help !!!
>
>
>
>
> Hi Guys,
>
> I was able to do s
Is anybody else getting lots and lots of copies of mail fom this guy?
> -Original Message-
> From: Raaj Krissna [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 22, 2000 7:56 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Shall you help me!
>
>
> I installed openssl-0.9.5a on Li
> -Original Message-
> From: sanjay reddy gogula [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 22, 2000 7:56 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: error set to X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
>
> Hi All,
>
> I am facing strange problems in authenticati
> -Original Message-
> From: Ossama Othman [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 17, 2000 1:00 PM
> To: [EMAIL PROTECTED]
> Subject: SSL_CTX_load_verify_locations() necessary?
>
>
> Hi,
>
> Is a call to SSL_CTX_load_verify_locations() necessary if I explicitly
> use SSL_CTX_
openssl-0.9.5a/CHANGES for detailed notes
openssl-0.9.5a/NEWS for terse descriptions
> -Original Message-
> From: Alexander 'Alfe' Fetke [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 11, 2000 10:20 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Version history
>
>
> -Original Message-
> From: Daniel van der Zee [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 03, 2000 3:15 PM
> To: [EMAIL PROTECTED]
> Subject: OpenSSL/IIS/no-rsa?
>
>
> Hi,
>
> I am trying to build some openssl based client code that connects to a
> standard MS-IIS web server (en
> -Original Message-
> From: Brian Wotring [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 27, 2000 2:03 PM
> To: [EMAIL PROTECTED]
> Subject: X509 kept in memory
>
>
>
> I have a client app that I wish to load a cert from disk on
> startup, then
> keep it in memory and use that s
The server code in that demo is a little misleading. It always says that
there is no client cert, because the server never asks for one. This is
because of sloppy programming on the part of the last guy who touched it.
> -Original Message-
> From: Mark [mailto:[EMAIL PROTECTED]]
> Sent: T
This needs to be a FAQ I think.
Probably what you want to do is have the private key be decrypted. You can
do this with the "openssl rsa" command (if you're using an RSA private key,
which you probably are).
Make sure you understand the security implications of this move.
> -Original Messag
I am getting ready to update from 0.9.2b to 0.9.5 on my toy CA system. I
configured 0.9.5 with --prefix=/usr/local, and my 0.9.2b install is in
/usr/local/ssl, like this:
/usr/local/ssl:
total 14
drwxr-xr-x9 root sys 1024 Apr 27 1999 .
drwxrwxrwx 28 hadi software
The "Client does not have certificate" message is from serv and is expected
if you're using cli as the client. It's not part of your error.
What exactly are you using as arguments for SSL_set_cipher_list()? The old
SSLeay_add_ssl_algorithms() was supposed to do that... It looks as though
you hav
I am going to write a FAQ on this.
To see source for a minimal SSL client and server, see the demos/ssl
directory.
To see source for a program that does lots more, including client cert
authentication, look at the s_client and s_server programs in the apps
directory.
You will want to build th
verify_locations() or its equivalent is to tell the local end
where to find the CA certs it will use to verify the cert from the peer.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, March 19, 2000 11:21 AM
> To: Wade L. Scholine
> C
If you go to http://oem.netscape.com/eng/ssl3 you will find the answers to
your questions.
> -Original Message-
> From: Kalpesh U. Patel [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 17, 2000 5:03 PM
> To: [EMAIL PROTECTED]
> Subject: Certificate encryption question
>
>
>
>
> hi,
>
The demos are intended to be *minimal* SSL programs. If it had client
verification it wouldn't be minimal anymore, now, would it? If you want to
see how client authentication works, examine apps/s_server.c and look at
what happens when you specify -verify. Keep an eye open for
SSL_CTX_set_verify()
Are you doing a SSL_CTX_set_client_CA_list() in the server?
> -Original Message-
> From: Mario Bai [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 22, 2000 4:52 PM
> To: [EMAIL PROTECTED]
> Subject: Certificate dilemma
>
>
> Wondering if anyone ran into this or has a quick response
There was a bit of a food fight about this subject here last year.
What you need to have for unattended startup is an unencrypted private key.
There are obvious security implications.
Skye Poier is supposed to have written:
>
> What function do you call to avoid the 'Enter PEM pass
> phrase:'
> -Original Message-
> From: Dr Stephen Henson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 04, 2000 9:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Can't load client's private key ?
>
>
> > Dennis Xu wrote:
> >
{ snip }
>
> You are probably missing an SSLeay_add_all_algorithm
> -Original Message-
> From: Herve Regad-Pellagru
> [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, September 19, 1999 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: server/client authentication with stunnel
>
>
> Hi all !
>
> After trying many hours to get client/server authentication via
> c
Do you have a copy of CAcert.pem someplace on the client, and have you told
the client-side stunnel where it is?
> -Original Message-
> From: Herve Regad-Pellagru
> [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, September 19, 1999 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: server/client authe
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 09, 1999 3:58 PM
> To: [EMAIL PROTECTED]
> Cc: Wade L. Scholine
> Subject: Re: Using multiple CA certs for client verification
>
>
> Wade L. Scholine
I thought I had seen somplace in OpenSSL some routines for comparing certs
to see whether or not they are the same. Do such routines exist or was I
hallucinating? I can't find them now.
__
OpenSSL Project
Too many people are heedlessly sending messages to multiple OpenSSL lists.
These lists are busy enough as it is, I am getting tired of slogging through
the same things on the -users, -dev, and -bugs lists every day. Please give
a little thought to where your message would be most appropriate, and
> -Original Message-
> From: Leland V. Lammert [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 26, 1999 11:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re:
>
>
> At 12:56 AM 8/27/99 , you wrote:
> >anybody
>
> somebody
everybody?
___
> -Original Message-
> From: Bodo Moeller [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 18, 1999 1:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: read-ahead & select()
>
>
> On Wed, Aug 18, 1999 at 12:42:53PM -0400, Wade L. Scholine wrote:
>
> &
I know of a couple of places (Thawte, VeriSign) where I can get sample SSL
server certs for test purposes. I'd like to find as many of these as I can
to confirm that my server works the way I think it will. Does anyone
have/know of a list or web page that lists lots of SSL server CAs that offer
sa
We are using SSL-C to conform to US patent laws. It is based on
SSLeay-0.9.0. I was able to develop my app with OpenSSL 0.9.2b and rebuild
with SSL-C 1.0.0 just by changing the -I and -L macros in my makefile.
> -Original Message-
> From: Ray Hodel [mailto:[EMAIL PROTECTED]]
> Sent: Frida
What's the format of an rfc822Name? Is it name@fqdn, or something else?
The X.509 doc doesn't seem to say.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 10, 1999 11:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: How to add a new x509 extens
What is the unstructuredName item in the req_attributes section? I made a
CSR with one, and signed it. It seems not to be in the final cert.
__
OpenSSL Project http://www.openssl.org
User Support M
What does OpenSSL need in the way of action on my part to make good random
numbers? Anything?
I ask because I noted that /usr/local/ssl/lib/openssl.cnf has a line in it
that says "#RANDFILE = $ENV::HOME/.rnd" which is to say it's commented out.
What would a good RANDFILE look like?
TIA * 10E6.
_
Has anyone looked at the API for RSA's "BSAFE SSL-C" library? I heard that
was basically a "productized" SSLeay. Does anybody know differently?
__
OpenSSL Project http://www.openssl.org
User Support
> -Original Message-
> From: Holger Reif [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 03, 1999 7:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Handshake protocol query
>
>
> Wade L. Scholine schrieb:
> >
> > I'm looking at the
> -Original Message-
> From: Francois Orsini [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 30, 1999 7:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: DES-128 bits ?
>
>
> Hi Paul,
>
> I had the same understanding as you and unfortunately the
> author of the
^
> article ex
Programs that write certs and private keys out to disk generally put
some kind of password protection on them. This makes sense in connection
with client certs where the user can be prompted for a cert store password.
What about cert files on servers? Is it common for them to not use password
prot
> -Original Message-
> From: Pascal Gienger [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, March 27, 1999 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: "library has no ciphers"...
>
>
> Surely, I am a fool, but I can't find the error why
> SSL_CTX_new does not
> work for me.
>
> I tried a v
Erwann ABALEA writes:
>
> On Thu, 4 Mar 1999, Wade L. Scholine wrote:
>
> > I am trying to use s_server -Verify to learn some stuff about client
> > authentication. I'm using Netscape 4.5 as a client, and I
> have a couple of
> > free certs from Entrust
This is sort of about 2/3 off-topic, but I am going to ask about it anyway.
I am trying to use s_server -Verify to learn some stuff about client
authentication. I'm using Netscape 4.5 as a client, and I have a couple of
free certs from Entrust and Verisign. When I try to connect to s_server I
get
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Is anyone on this list knowledgeable about Entrust products? I am
trying to figure out where they fit in the scheme of things.
I have been looking at their web site and the products that they
advertise there. In particular, I am wondering about Entru
54 matches
Mail list logo
