Re: Cert hot-reloading

2020-08-31 Thread Karl Denninger
ture) I've had no trouble with this for a good long time; if there are existing connections they continue to run on the previous www_context until they close.  New connections come off the new one.  You just have to run a mutex to make sure that you don't try to create a new connecti

Re: Cert hot-reloading

2020-08-30 Thread Karl Denninger
minate, and new ones are fine as well. This appears to be ok with the current code; I've yet to have it blow up in my face although at present the certs in question are reasonably long-lived.  Whether it's robust enough to handle very short-term certificates I do not know. -- Karl

Re: Goodbye

2020-07-03 Thread Karl Denninger
t's not how it works. You post and reference a corporate email address, which he did, /you just took the action under the banner of the company./ Akamai is entirely _*and justifiably*_ exposed to being "canceled" on that basis. -- Karl Denninger k...@denninger.net <mailto:k...

Re: Questions about signing an intermediate CA

2020-02-12 Thread Karl Denninger
On 2/12/2020 12:59, Michael Leone wrote: > > > On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger <mailto:k...@denninger.net>> wrote: > > On 2/12/2020 11:32, Michael Leone wrote: >> So we are mostly a MS Windows shop. But I use a Linux openssl as >> my

Re: Questions about signing an intermediate CA

2020-02-12 Thread Karl Denninger
ty, and you can sub-delegate intermediates as well. Just note that when an end entity certificate is validated the entire chain back to the root of trust (which is self-signed) has to be able to be verified. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/ smime.p7s Description: S/MIME Cryptographic Signature

Re: Can a linux service work as both TLS client and server?

2019-11-15 Thread Karl Denninger
n what you're doing now. I'm trying to understand the workflow you are attempting to implement, and why, because I suspect you may be going about this the hard way. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: To get end point's IP address

2019-05-21 Thread Karl Denninger
same capability against the server so it can verify that the server it thinks it is talking to is actually the one it's communicating with. -- Karl Denninger /The Market-Ticker/ S/MIME Email accepted and preferred

Re: Crashes when generating certificate

2019-05-14 Thread Karl Denninger
On 5/14/2019 09:48, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of >> Karl Denninger >> Sent: Monday, May 13, 2019 16:32 >> On 5/13/2019 16:44, Christopher R wrote: >>> All I want is whatever remnants of t

Re: Crashes when generating certificate

2019-05-13 Thread Karl Denninger
en create a new one under the same common name.  Since the index file is a flat file you can edit it, but you also have to make sure the other places it references are also updated or the software can get confused.  The better choice when an error is made is to revoke the bad cert, which p

RE: OpenSSL 1.1.1b tests fail on Solaris

2019-05-10 Thread Karl Vogel
h Looks like a unified context diff. done -- Karl Vogel / I don't speak for the USAF or my company "Auntie Em: hate you, hate Kansas, taking the dog." -Dorothy --bumper sticker --- sparcv9a-mont.pl.orig 2017-05-25 08:54:34.0

Re: Internal IP Exposed

2019-03-24 Thread Karl Denninger
have a reverse IP mapped for itself but that's web server and OS dependent.  It may also be that the hostname is not defined in the server's configuration file.  Without knowing what the web server in question is all I can do there is guess as to exactly what is missing, but in any event the issue is in the web server application configuration and not OpenSSL. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [openssl-users] Close TCP socket after SSL_clear()?

2019-01-11 Thread Karl Denninger
].fd, SHUT_RDWR);     close(slave_socket[x].fd);     . Clean up the rest of the things you need to do when the connection ends Since the next connection may come from a different peer I do not use SSL_clear but rather SSL_free. The call to shutdown() tells

[openssl-users] Possible bug in 1.1.1-pre8 with NSTs and PSK in initial ClientHello handshake

2018-08-13 Thread Henderson, Karl via openssl-users
According to RFC8446, Section C.4 “Servers SHOULD issue new tickets with every connection”. Yet, in file ssl/statem/extensions_srvr.c, method tls_parse_ctos_psk, s->ext.ticket_expected = 0, preventing the NST from being sent. This appears to be a bug – or am I missing something? Thanks, K

[openssl-users] unknown cipher?

2018-07-31 Thread Henderson, Karl
- TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD However, when I try to do a speed test on this algorithm openssl speed -evp TLS_AES_256_GCM_SHA384 speed: TLS_AES_256_GCM_SHA384 is an unknown cipher or digest What am I missing? Thanks, Karl -- openssl-users mailing list To

Re: [openssl-users] RFC5077 KWK

2018-04-05 Thread Henderson, Karl via openssl-users
Thanks On 4/5/18, 2:35 PM, "openssl-users on behalf of Viktor Dukhovni" wrote: > On Apr 5, 2018, at 2:29 PM, Henderson, Karl via openssl-users wrote: > >> TLS 1.3 unifies session tickets with (external) PSKs, perhaps you should recast your app

Re: [openssl-users] RFC5077 KWK

2018-04-05 Thread Henderson, Karl via openssl-users
i" wrote: > On Apr 5, 2018, at 2:02 PM, Henderson, Karl via openssl-users wrote: > > Is it possible to use 5077 with a key wrapping key in a Needham-Schroeder scenario: > > • A is a Key Server > • C is say a web server > • A has a relation

[openssl-users] RFC5077 KWK

2018-04-05 Thread Henderson, Karl via openssl-users
mean without modification to the server C. Thanks, Karl

Re: [openssl-users] SSL_CTX_set_tlsext_ticket_key_cb - creating a valid ctx and hmac ctx in callback.

2018-04-04 Thread Henderson, Karl via openssl-users
Thanks for the response - yes, I do understand I'm re-purposing this mechanism in a creative way. At this time, it's just for experimental purposes. On 4/3/18, 5:34 PM, "Viktor Dukhovni" wrote: > On Apr 3, 2018, at 11:00 AM, Henderson, Karl vi

[openssl-users] SSL_CTX_set_tlsext_ticket_key_cb - creating a valid ctx and hmac ctx in callback.

2018-04-03 Thread Henderson, Karl via openssl-users
. And then I’d like to use this and create a valid context and hmac so that I can have a 0-RTT startup. Are there any good examples on how this might be done? Note, I’m running 1.1.0 with opaqueness, so I’ll need to use CTX accessor functions. Thanks, Karl

Re: [openssl-users] RFC5077 ticket construction help

2018-03-28 Thread Henderson, Karl via openssl-users
In this use case, I may want to have yet another client D that wants to talk to B using the same session ticket. This way, B doesn't need to keep a cert per client. This may pose some security risks but at this point, I'm just trying to make it work. On 3/28/18, 1:50 PM, "Viktor Dukhovni" wro

Re: [openssl-users] RFC5077 ticket construction help

2018-03-28 Thread Henderson, Karl via openssl-users
p Since there exists a reference implementation, and the source code is available, why not start there? The symmetric key protocol is the basis of Kerberos. - M On Wed, Mar 28, 2018 at 9:26 AM, Henderson, Karl via openssl-users wrote: Need some help with RFC5077 ticket const

[openssl-users] RFC5077 ticket construction help

2018-03-28 Thread Henderson, Karl via openssl-users
? The problem I think I’m having the most difficulty with is understanding what I need to put into the encrypted_state portion of the session ticket. Thanks, Karl

Re: [openssl-users] Programmatically check private key and public key cert?

2018-01-11 Thread Karl Denninger
was also wondering if I should just try to perform an > encrypt-decrypt sequence using the pair I have, and use the success of > that as confirmation that my ssl connection will work later, as far as > the certs are concerned. Would that be the right way to go about it? > IMHO see above

Re: [openssl-users] Confirmation of what I believe to be true from docs and observation

2018-01-10 Thread Karl Denninger
On 1/10/2018 14:07, Benjamin Kaduk wrote: > On 01/10/2018 08:41 AM, Karl Denninger wrote: >> We start with a context that I load a dhparam file to (so I can take a >> DH connection) along with an edh curve, then set an acceptable cipher >> list for it to use. >> >

[openssl-users] Confirmation of what I believe to be true from docs and observation

2018-01-10 Thread Karl Denninger
my understanding correct? -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

2018-01-02 Thread Karl Denninger
; so the caller *should* free the underlying object when finished with it. > > I've now confirmed with a quick test program and valgrind. > > Oops, > -Dave Thanks. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted ema

[openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

2018-01-02 Thread Karl Denninger
to keep that X509 structure around that got allocated by the d2i_X509 call or do I free it after I've pushed it into the store? The docs are silent on this as far as I can tell but some example code I've seen floating around doesn't free it. -- Karl Denninger k...@denninger.net &l

Re: [openssl-users] Question as to best options....

2017-12-28 Thread Karl Denninger
ction I think you want is PEM_read_PrivateKey. > I'll look in there; my assumption was that I could trivially convert a PEM file into an internal DER representation by stripping the flag lines from the front and rear and then decoding the base64 piece. Thanks; I'll figger it out :-)

Re: [openssl-users] Question as to best options....

2017-12-28 Thread Karl Denninger
On 12/28/2017 16:57, Karl Denninger wrote: > On 12/28/2017 16:15, Karl Denninger wrote: >> On 12/26/2017 14:07, Kurt Roeckx wrote: >>> On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote: >>>> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote: >&g

Re: [openssl-users] Question as to best options....

2017-12-28 Thread Karl Denninger
On 12/28/2017 16:15, Karl Denninger wrote: > On 12/26/2017 14:07, Kurt Roeckx wrote: >> On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote: >>> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote: >>>> So if you put locks around the SSL_CTX object whe

Re: [openssl-users] Question as to best options....

2017-12-28 Thread Karl Denninger
On 12/26/2017 14:07, Kurt Roeckx wrote: > On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote: >> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote: >>> So if you put locks around the SSL_CTX object when it’s used, then you >>> can use the set private

Re: [openssl-users] Question as to best options....

2017-12-26 Thread Karl Denninger
On 12/26/2017 14:07, Kurt Roeckx wrote: > On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote: >> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote: >>> So if you put locks around the SSL_CTX object when it’s used, then you >>> can use the set private

Re: [openssl-users] Question as to best options....

2017-12-26 Thread Karl Denninger
eKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, long len); And likewise, I can just bytewise load a DER file (e.g. read() it into a memory buffer) and then pass that as it's simply a binary copy of the Base64 contained within the markers (plus the EC parameters if it's an ECDSA key)?

[openssl-users] Question as to best options....

2017-12-26 Thread Karl Denninger
penSSL calls (from a "C" program, not from the command line; we'll assume I have the key and cert files already.) TIA -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

2017-10-08 Thread karl
In short ssl is not the same as a raw socket fd because of the intervening protocol. That's all   Original Message   From: michel.sa...@free.fr Sent: October 8, 2017 4:34 PM To: openssl-users@openssl.org Reply-to: openssl-users@openssl.org Subject: Re: [openssl-users] Graceful shutdown of T

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Karl Denninger
ok. This also complies with the ballot that Rich mentioned since you have more entropy than required. At least I think that meets the requirements -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [openssl-users] OpenSSL behavior for NULL characters

2017-02-13 Thread Karl Denninger
ed. Do be aware of the semantics and exceptions (which you must handle -- or else) described in the documentation however -- especially for non-blocking sockets. Due to the potential for renegotiations and similar failing to pay attention to those can result in some pretty interesting "surpr

Re: [openssl-users] BIO_read hangs, how can I know if the server wants to send data?

2016-04-26 Thread Karl Denninger
unding factors, since the protocol itself implements window control (size of outstanding transmissions that are allowed), sACK can come into play, latency of the circuit and routing points in the middle get involved, etc. For wide-area connections (think Internet) slow-start congestion control (wh

Re: [openssl-users] regarding SSL security

2016-02-12 Thread Karl Denninger
- as is the case with a public CA. (In other words someone has to tell the CA it was stolen so the CA can issue the revocation, and the application must check that revocation resource.) -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encry

Re: [openssl-users] SSL version status

2016-01-28 Thread Karl Denninger
f you choose to load said keys) along with the ECDH cipher set. For a server you also have to consider whether you're going to multiplex or multithread as OpenSSL requires some additional attention at the programming level (for locking) in a threaded application. -- Karl Denninger k...@denn

Re: [openssl-users] (Probably) Silly Application Programming Question

2016-01-13 Thread Karl Denninger
Thus, if you manage to steal a set of login credentials unless you *also* steal the certificate and key associated with it what you managed to get your hands on is worthless. I've got #2 working and am working on #1; it doesn't look all that awful to implement. On 1/13/2016 06:50, Mic

Re: [openssl-users] (Probably) Silly Application Programming Question

2016-01-10 Thread Karl Denninger
On 1/10/2016 21:43, Viktor Dukhovni wrote: > On Sun, Jan 10, 2016 at 08:20:41PM -0600, Karl Denninger wrote: > >> I found the problem... for an unexplained reason either the certificate >> or key were corrupt; I have added checking to make sure they're >> coher

Re: [openssl-users] (Probably) Silly Application Programming Question

2016-01-10 Thread Karl Denninger
.cs.odu.edu/~cs772/ssl/c-examples/NSopenssl/common.c > <http://www.cs.odu.edu/%7Ecs772/ssl/c-examples/NSopenssl/common.c> > > look for "post_connection_check". > > This is just something I remember from reading. I have no experience > with it. > > On Sun, Jan 10, 2016 at

Re: [openssl-users] (Probably) Silly Application Programming Question

2016-01-10 Thread Karl Denninger

Re: [openssl-users] (Probably) Silly Application Programming Question

2016-01-10 Thread Karl Denninger
07, Judson Wilson wrote: > On the client side, double check that you are creating the SSL object > from the context AFTER you set the client cert for the context, and > not the other way around. > > On Sun, Jan 10, 2016 at 2:18 PM, Karl Denninger <mailto:k...@denninger.net>>

[openssl-users] (Probably) Silly Application Programming Question

2016-01-10 Thread Karl Denninger
routine is never called (!) and when I attempt to get the peer certificate with SSL_get_peer_certificate() so I can walk through it and check the returned attributes (I wish to use the subjectAltName field among others) I get back a NULL. This has to be something stupid on my part, becaus

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-23 Thread Karl Vogel
people making decisions about changes in the OpenSSL library J> and project. "Arrogance" would be slamming the changes in without discussion or notification and saying "like it or lump it". Haven't seen that. -- Karl Vogel I don&#

Re: [openssl-users] Old "RSA_NET" key format

2015-07-09 Thread Karl Vogel
ions and business logic are not aware of. * It presents potential security risks, as unmaintained code can be reached (especially in Web applications, where tweaking parameters may trigger something you never intended). OpenSSL is a critical part of security in too many places for

[openssl-users] Minor portability fix for Solaris-11.1

2015-07-01 Thread Karl Vogel
nks to /usr/bin/i86/ksh93, which doesn't handle local variables properly. Using "typeset" fixes it; the patch is below. -- Karl Vogel I don't speak for the USAF or my company vogelke at p

Re: Multiple CRL Distribution Points ?

2002-11-28 Thread Karl-Michael Werzowa
use two CRL DP is that I want to provide the > CRL in both DER and BASE64 formats. -- **** Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6 +43 (664)302 4511, fax

Problem: SSL-Certs for MS-Servers, if intermediate CA?

2002-11-28 Thread Karl-Michael Werzowa
Hi, Experts, Is there a solution for the issue of misunderstanding concerning the authorityKeyIdentifier? (i.e. misunderstanding between MS and the rest of the world, including openSSL) Best regards, Michael -- Karl

Re: Combine certificates into chain

2002-11-24 Thread Karl-Michael Werzowa
_ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- *

Re: I give up

2002-11-19 Thread Karl-Michael Werzowa

Re: [ANNOUNCE] OpenSSL 0.9.7 beta 4 released

2002-11-19 Thread Karl-Michael Werzowa
till people using the old Apple Unix solution? interesting! Best regards, Michael -- Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6 +43 (664)302 4511, fax +43 (1)328 1992 14 [EMAIL PRO

Re: OT: how to make OpenSSL certs for M$ IAS EAP-TLS?

2002-11-19 Thread Karl-Michael Werzowa
ael P.S.: There is some rudimentary information concerning this in the man of pkcs12. -- Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6

Re: OT: how to make OpenSSL certs for M$ IAS EAP-TLS?

2002-11-18 Thread Karl-Michael Werzowa
e using OpenSSL... > > And no - FreeRADIUS would currently not be an option anywhere else in the > company except where I am :-) > > Thanks! -- **** Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6 +43

Re: How can I add 8-bit charset/unicode strings to certs?

2002-11-12 Thread Karl-Michael Werzowa
ode? If so, what is the correct way to do this? > > Thanks in advance for any help - my poor ASCII brain is feeling > overwhelmed :-) -- Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6 +43 (664)302 4511, fax +43 (1)328 1992 14 [EMAIL PROTECTED], [EMAIL PROTECTED] *

Re: PKCS#10?

2002-11-07 Thread Karl-Michael Werzowa
Oblio" at <[EMAIL PROTECTED]>: >> >>> Does anyone know what to do with a PKCS#10 cert request? >>> >>> Oblio

Re: PKCS#10?

2002-11-07 Thread Karl-Michael Werzowa

Re: Can we use "/" and "=" in CN and DN ?

2002-11-06 Thread Karl-Michael Werzowa
ficates. > It must be like this: > > Description="C=/N=/D=[/R=] > > Example > Description=C=Werzowa/N=Karl-Michael/D=01-01-1980 > > When we use only single character "/" or "=" it's OK > > Exampledescription=C=Werzowa OK >

Re: Can we use "/" and "=" in CN and DN ?

2002-11-06 Thread Karl-Michael Werzowa
Where can we find something about this? Thank you. CALinux Staff. -- **** Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6 +43 (664)302 4511,  fax +43 (1)328 1992 14 [EMAIL PROTECTED], [EMAIL PROTECTED]

Re: Can we use "/" and "=" in CN and DN ?

2002-11-06 Thread Karl-Michael Werzowa
"C=""/N=""D=" but OpenSSL doesn't accept this character; in fact when we put =/ it believes that it is a second field with a different value. Is there some special escape character? Where can we find something about this? Thank you. CALinux Staff. -- **

Re: Cert using opnssl:Kdb format to PEM Format

2002-11-04 Thread Karl-Michael Werzowa

Re: Converting PEM file to PKCS12 or PFX for the MacOS (Not MacOSx)...

2002-10-28 Thread Karl-Michael Werzowa
ne being the CEO! thanks! wally winzer jr. -- **** Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6 +43 (664)302 4511,  fax +43 (1)328 1992 14 [EMAIL PROTECTED], [EMAIL PROTECTED]

Re: Converting PEM file to PKCS12 or PFX for the MacOS (Not MacOSx)...

2002-10-28 Thread Karl-Michael Werzowa
thanks! wally winzer jr. -- **** Karl-Michael Werzowa A-1190 Wien, Paradisgasse 28/4/6 +43 (664)302 4511,  fax +43 (1)328 1992 14 [EMAIL PROTECTED], [EMAIL PROTECTED]

Re: free Certificate Authority

2002-10-27 Thread Karl-Michael Werzowa
ace of this kind of > service. All they have is try or buy for ~$400 for a year. > -- Karl-Michael Werzowa A-1190 Wien,

Re: oids, attributes (doc pointers)

2002-10-26 Thread Karl-Michael Werzowa

Re: adding own extensions to openssl.cnf

2002-10-21 Thread Karl-Michael Werzowa
available for standard-extensions. Best regards, Michael On 2002-10-18 at 20:27, "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: > On Fri, Oct 18, 2002, Karl-Michael Werzowa wrote: > >> Hello, helpful experts, >> >> How do I add a custom extension to

adding own extensions to openssl.cnf

2002-10-18 Thread Karl-Michael Werzowa
Hello, helpful experts, How do I add a custom extension to openssl? Just adding the extension to openssl.cnf (into the right section) does not work: mycustomextension=DER:01:01:FF (Would be nice to input the asn.1 + OID in some oid-file ;-) Thanks in advance, Michael -- ***

Re: Specifying CRL URL for CA

2002-08-27 Thread Karl-Michael Werzowa
Hello, Fred. Easiest would be to insert the extension crlDistributionPoints=URI:http://your.server.com/your.crl in the section [usr_cert] of your working openssl.cnf. If you need ldap-URIs, create a subsection for the URIs. Best regards, Michael On 2002-08-23 at 20:31, "Reimer, Fred" wrote

RE: How do I input ldap urls of the crlDistributionPoints URI value in openssl.cnf ?

2002-08-16 Thread Karl-Michael Werzowa
Hello, You have to use "/" instead of the "," inside the LDAP-URI, because the "," delimits the URIs. The "?" does not do any harm, you can use it without change. (Besides, some time ago I read in a comment that openssl would not support ldap-URIs because of the commas inside the ldap-URI. Wh

Re: Root.cacert

2002-07-19 Thread Karl-Michael Werzowa

crlDistributionPoint -- "unknown extension name"

2002-07-19 Thread Karl-Michael Werzowa
Hello, We have been using openssl for more than a year for an internal PKI solution. Now we wanted to add the crlDistributionPoint - ext. to the certificates. When adding a line with "crlDistributionPoint= URI:..." to the openssl.cnf into the c3_ca stanza (... for ca-certs of sub-CAs), there is an e

openssl to find out expiration date in pfx-files???

2002-01-07 Thread Hochmuth, Karl-Heinz
??? Many thanx and best regards, Karl-Heinz

Re: starting apache with ssl

2000-05-05 Thread Karl Denninger
ccomplishes. Once the private key is compromised you may as well self-generate your own key. -- -- Karl Denninger ([EMAIL PROTECTED]) Internet Consultant & Kids Rights Activist http://www.denninger.netCost-effective solutions on the Internet http://children

Re: HTTP POST with SSL

2000-03-15 Thread Karl Denninger
ata > to web server. What's complicated about it? It works exactly like a POST does to a non-secure web server from a programming point of view :-) (When I got APACHE+MODSSL set up I changed some of my webforms stuff to secure by just modifying the prefix from "http" to "https"

Re: rsa invalid?

2000-03-12 Thread Karl Denninger
Well, the "rsa" command is there in MY copy of openssl :-) -- -- Karl Denninger ([EMAIL PROTECTED]) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Sun, Mar 12, 2000 at 10:45:21AM -0700, To