ads to SMIME_crlf_copy(..) that
will try to copy the source directly to the dest (PKCS7_BINARY) which just reads 1k and
writes 1k ... the output is buffered through BIO_f_buffer() which uses a 4k buffer ...
Maybe the buffering is buggy? So that the data gets corrupted every 4k?
Any idea or hints are welcome ...
André Weber
uestion remains: How to handle this issue?
Thanks In Advance
--
Christian Weber
On 28.01.2022 at 13:58, Russ Housley wrote:
RFC 3161 says:
2.3. Identification of the TSA
The TSA MUST sign each time-stamp message with a key reserved
specifically for that purpose. A TSA MAY have disti
Thanks in advance
--
Christian Weber
(X509AT_ATTRIBUTE)
What's the proper substitute in 1.1.1c?
Thanks in advance
-- Christian Weber
On 27.06.2017 at 14:18, Salz, Rich via openssl-users wrote:
1.0.2 does not have full RSA-PSS support; you can’t use it.
Thanks Rich, in my case it works, because we partially do the
verification (and algo selection) work externally.
We just need to access the public key which is rsa in bot
ue to time limitation we avoid updating to 1.1.0 as we assume that
there will be several adaptations necessary ...
-- Christian Weber
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
hanks
--
Christian Weber
se
measures or even successfully
using verification with indirect crls?
BTW: The current version, 1.0.1g, seems to make no difference in
behavior since the relevant
portions of the code seem to be untouched.
Thanks in advance
--
Christian Weber
Sorry, my fault. The file to be signed couldn't be hashed correctly due
to an error while applying a patch
to the original sources.
Please ignore the issue.
--
Christian Weber
On 09.03.2016 at 15:13, we...@infotech.de wrote:
Dear openssl users,
we're using openssl since quite a l
ning this issue within the users mailing
list nor we traced down
the issue itself.
Heard about this issue before? Any idea?
Thanks in advance
--
Christian Weber
On 09.01.2015 at 01:11, Matt Caswell wrote: On 09/01/15 00:05,
Christian Weber wrote:
Thanks Matt, I just assumed the BIGNUMs were the coordinates without any
projection - obviously that assumption was wrong - misled by the function's name.
What interests me is to how you accessed the BIGNUMs
rrow.
Kind regards
-- Chris
On 08.01.2015 at 22:43, Matt Caswell wrote:
>
>
> On 08/01/15 17:16, Christian Weber wrote:
>> Dear OpenSSL-Users,
>>
>> recently i found a pitfall using EC_KEY_get0_public_key(key->pkey.ec).
>> The function just returns a copy to a pointer
Dear OpenSSL-Users,
recently I found a pitfall using EC_KEY_get0_public_key(key->pkey.ec).
The function just returns a copy to a pointer to key->pub_key which is a
EC_POINT pointer.
The key itself is taken from a certificate using EVP_PKEY *key =
X509_get_pubkey(cert);
Fine, i assumed, these
gly the dlls do contain the code for multiple platforms like fat
libraries under osx.
Thank you
--
Christian Weber
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
erated for VC-WIN32.
The compiled libraries remain being build against the 32-bit versions.
So what am i missing? Is there any real support for Win64?
Thanks in advance
--
Christian Weber
Security Software
Head of Development
mailto:we...@infotech.de
--
Infotech Gesellschaft für
Informa
cating the lookup to init_ssl_connection in apps/s_server.c?
Any opinions about possible security weakening against implementing
the lookup within the callback?
TIA
-- Christian Weber
__
OpenSSL Project
_INFO, professionOIDs, ASN1_OBJECT),
Steve.
Yes, you're absolutely right. Applying your definition, the proposed path
becomes obsolete.
Thank you.
--
Christian Weber
(), just as in the old manner, but then the contents happens to
be processed twice (hash calculation and signature processing) when the
data is written, because the output routine heavily depends on the new
auxiliary asn1 callback.
Any hint? What am i missing?
TIA
--
Christian Weber
revised.
If the former, i would appreciate to see them in the mainstream.
Christian Weber wrote on 10.03.2011 at 18:40:
...
--- C:/wrk/openssl-1.0.0d/crypto/asn1/tasn_dec.cTue Jun 15
18:25:06 2010
+++ S:/Build/SAK-2.1/openssl-1.0.0d/crypto/asn1/tasn_dec.cThu Mar
10 01:26:40 2011
@@ -188,6
if (opt) return -1;
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
goto err;
We wonder if this is critical in any aspect? With the patch the lib st
On 02/15/2011 05:01 PM, Dr. Stephen Henson wrote:
It can be done in the openssl.cnf file but not in general for all
openssl utility subcommands.
Steve.
Thanks, that worked. In my engines section I can write:
MY_PARAMETER = value
MY_PARAMETER2 = EMPTY
One additional (meta-)question:
Who should
Hello,
I have written a dynamic engine that implements digest algorithms. The
engine got an entry in the openssl.conf file to make it replace the
default digest implementation:
./openssl dgst -sha1 my_file.dat
I also added support for some command-line parameters in the engines
code. Now I w
server certificate, but I
don't have the web server private key, nor do I have a usable CSR.
Original Message
Subject: how can I sign a public key?
Date: Thu, 18 Jun 2009 22:46:17 +0200
From: Christoph Weber-Fahr
Hello,
Apparently I can't find a way to create an
dded boxes that only export a
csr and accept a certificate. But they are broken - they do not
include the domain in the CN, so any access with fqdn creates
an error.
Any idea how to tackle this?
Regards, and TIA for any suggestion,
Christoph
Dear OpenSSL users,
lately I ran into a problem when trying to parse attribute certificates (ACs).
ACs contain a sequence of attributes which look like x509v5 attributes.
I've decided to use parts of the AC implementation from Daniel Díaz-Sánchez
(downloadable at http://www.it.uc3m.es/dds/swRelease/
Hi,
up to now the error message is still the same - that's the last lines of
repeater before the repeat thread crashes
Server: bytesReceived: 1024 / bytesSent: 1024 / sumS: 1022335
Server: bytesReceived: 1024 / bytesSent: 1024 / sumS: 1023359
Server: bytesReceived: 1024 / bytesSent: 1024 / sumS
ill make the other endpoint give up with a
> "decryption_failed" or "bad_record_mac" alert. (I still can't figure
> out why you'd be seeing an unexpected_message alert.)
>
> -Kyle H
>
> On Fri, Oct 31, 2008 at 4:04 AM, Weber Antonio
> <[EMAIL P
Hi,
> Yes, the code is prone to deadlock. The code implements the "I will not
> start doing X until I finish doing Y" logic. This is known to cause
> deadlocks in proxies, as one end or the other of the connection proxied
> inevitably has an "I will not start doing Y until I finish doing X" logic
Hello list,
I write an application which acts like a proxy/repeater between two ssl -
endpoints. For my app I use OpenSSL 0.9.8g.
The two endpoints connect to the app and identify themselves using an id (both
use the matrixssl implementation for ssl handling).
Two matching id's start the repeatin
Dear participators,
trying to add some x509v3 extension awareness to openssl
we've become a bit short for solutions.
x509 extensions are as versatile as asn1 permits. As extension
to certificates there are an object id and a critical flag
followed by whatsoever.
If it comes to unknown oids at l
Hi again,
sorry, we just found the error in using the Macros.
When an asn structure is being parsed, the pointer to the funding
ASN_OCTET_STRING becomes modified and thus points to no freeable
memory.
Christian Weber wrote on 10.07.2008 at 13:41:
...
To implement a validity checking which is
valid.
I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.
Is there any function to do a comparison of two ASN_TIME values
correctly though different formats and timezones may be in use?
Any hints?
TIA
--
Christian Weber
ps at check_issued, but the search was in vain.
Any hints?
TIA
--
Christian Weber
mailto:[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listop
he issuers
cert is valid.
I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.
Is there any function to do a comparison of two ASN_TIME values
correctly though different f
d in opensslconf.h which in turn is included in pq_compat.h
so the PQ_64BIT remains undefined.
Is this a typo in pq_compat.h?
How is BN_LLONG to be read? If defined
- BNs shall be used instead of native 64-bit integers - or -
- use native 64-bit integers (that are hopefully supported)?
TIA
-
Hi All,
I developed an SSL-enabled web server. I'm firing up SSL on incoming
connections with SSL_accept().
Now, if someone connects to my webserver not using SSL, but sending the
"GET ..." without the SSL handshake, I get an SSL Error
(error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http r
Sorry again I missed to write that openssl asn1parse does work on the file.
The file has been generated externally (i.e. by German telesec), so
we need to know what's wrong with the data to openssl.
Marco Roeland wrote:
> On Friday September 2nd 2005 Christian Weber wrote:
>
>
TIA
--
Christian Weber
mailto:[EMAIL PROTECTED] Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de/
r by rearranging the code in
> that module, but it's a hit and miss approach. Upgrading to a newer
> compiler should fix the problem (since this builds fine under VC6 and up).
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf O
chnical Support command on the Visual C++
> Help menu, or open the Technical Support help file for more information
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.
Is there any cure known?
TIA
--
Christian Weber
ma
.
-- snapp --
Thanks in advance
--
Christian Weber
mailto:[EMAIL PROTECTED] Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de/
SOLVED, thank you Michael D'Errico
Cutaway
Michael D'Errico wrote:
>> g++ -o hasher hasher.o form1.o moc_form1.o -L/usr/qt/3/lib
>> -L/usr/X11R6/lib -lqt -lXext -lX11 -lm
>
>
> You need to add -lcrypto and maybe -lssl.
>
> Mike
> _
I am not sure why I am getting the following errors when I try to call
functions that are included by OpenSSL. I basically copied the code out
of the O'Reilly OpenSSL book, so the code should be okay. I have
included the OpenSSL EVP headers (and even tried to include all the
digest headers) but I st
approach is the signature itself. How about integrating
the metadata within the signature's ASN structure? Do you have any
recommendation for location and proper OIDs? Any hint to RFCs
concerning this topic?
TIA
--
Christian Weber
mailto:[EMAIL PROTECTED] Tel: 02361/91300
For information on Inf
lib into the borland projects.
Since the latest version 0.9.7e of 10/25 we get
an error message from the linker:
"Unresolved external EVP_sha1"
EVP_md5() and EVP_dss() both do work (with the same lib).
Is this a known problem? Any Solution?
Thanks in advance
--
Christian Weber
mai
==
thanks in advance again
--
Christian Weber
mailto:[EMAIL PROTECTED] Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de/
Sorry, I had to code it this way to get it into the list.
Thanks in advance
--
s
as mentioned above?
Thanks for hints.
--
Christian Weber
mailto:[EMAIL PROTECTED] Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de
agation of
the memory data through the filter BIO be triggered?
Thanks in advance
--
Christian Weber
mailto:[EMAIL PROTECTED] Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de
After building openssl for HPUX11 using aCC, I get the
following error when running the test suite:
bash-2.04$ ./bntest > /dev/null
test BN_add
test BN_sub
test BN_lshift1
Left shift one test failed!
The last few lines (with stdout included) are:
test BN_lshift1
D300D319B78ABD19B78ABDB200B
On Fri, Oct 06, 2000 at 03:46:01PM -0400, Aram Khalili wrote:
> So I've read RFC2459 to some enlightenment, as I now use
>
> crlDistributionPoints=DNS:crl.name.com, cRLIssuer:issuer, DNS:cert.name.com
>
> or
>
> crlDistributionPoints=DNS:crl.name.com, fullName:issuer, DNS:cert.name.com
>
>
Hello OpenSSL-Developers !
While playing with "ca" in openssl-SNAP-2209 I recognize that the value
of days is not printed correctly during certification, e.g.:
Using the following command to sign a request
openssl ca -in req.pem -out cert.pem -outdir certs \
-startdate 000212121212
On Thu, Oct 21, 1999 at 11:13:07AM +0200, Florian Baier wrote:
> Hi Steve,
>
> The two files causing trouble are attached.
>
> Greets, Florian
>
> At 13:10 20.10.99 +0100, you wrote:
> >Florian Baier wrote:
> >>
> >> Hello,
> >>
> >> i tried to find a q
On Tue, May 11, 1999 at 06:13:16PM -0800, Michael wrote:
> Can someone point me to a more comprehensive description of the
> openssl command line documentation. The stuff on the web site is not
> very illuminating.
I don't think that there is such a description. But you can do
something like "
On Wed, May 12, 1999 at 04:46:37PM +0200, Massimiliano Pala wrote:
> >
> > Then you just have to set the wanted ca-section by
> >
> > openssl ca -name Server_CA ...
> >
> > So you can use one config-file for several ca's and their different extensions.
> >
>
> But using the -name, you do load
On Tue, May 11, 1999 at 07:02:51PM +0100, Dr Stephen Henson wrote:
> Massimiliano Pala wrote:
> >
> >
> > 1. ca -extensions
> > =
> >
> > I've been trying to issue different kind of certificates such as servers,
> > clients, CAs, but the only way to set correctly the extensions
On Fri, May 07, 1999 at 02:04:25PM +, Michael Ströder wrote:
> Hmm, but most times the client does not have OpenSSL to calculate that.
> Most times you have Netscape Communicator or something like this on the
> requester's side. I think PKIX proposes to send a master secret to the
> request
On Fri, May 07, 1999 at 12:28:33AM +0200, Massimiliano Pala wrote:
> > 1) Fingerprint for requests
> >
> > It would be nice to see an option "fingerprint" for the "req" application,
> > like in the "x509" application.
> >
> > For example:
> >
> > openssl req -fingerprint -in req.pem
> >
> >
Hello everybody !
I have some (late) suggestions for the next OpenSSL-Release:
1) Fingerprint for requests
It would be nice to see an option "fingerprint" for the "req" application,
like in the "x509" application.
For example:
openssl req -fingerprint -in req.pem
This should calculate
[EMAIL PROTECTED] wrote:
>
> Lars Weber wrote:
>
> > i have attached an earlier posting to ssl-users. This program works fine
> > with SSLeay-0.8.1, maybe you have to make some modifications to compile
> > it with OpenSSL.
> >
> > Ciao,
On Mon, Mar 29, 1999 at 11:17:35AM +0200, Lars Weber wrote:
> On Fri, Mar 26, 1999 at 08:59:48PM +0100, [EMAIL PROTECTED] wrote:
>
> > I have the need to revoke a certificate, anyway I cannot find the revoke
> > facility to manage the job ( including altering the index.txt t
On Fri, Mar 26, 1999 at 08:59:48PM +0100, [EMAIL PROTECTED] wrote:
> I have the need to revoke a certificate, anyway I cannot find the revoke
> facility to manage the job ( including altering the index.txt that I think
> is used to manage the CRL (??)).
>
> Where do I find it?? ( command line to
Axel Findling wrote:
>
> Hello,
>
> Netscape use the Content-Type application/x-pkcs7-crl for import a CRL in
> the Browser (Netscape 4).
>
> How can I generate a Content-Type-application/x-pkcs7-crl-conform CRL with
> OpenSSL 0.9.1c?
>
> I've tried it with
> openssl crl2pkcs7 -outform DER -i
65 matches