If I don't have key agreement and key exchange, can my symmetric cipher work? My understanding is that the symmetric key used for both encryption and decryption is the agreed key between the client and server after key agreement has been done. For key agreement to work I thought you need a private key
For some reason I cannot let the client know the server has shut down. I read the documents about SSL_shutdown() and it said if the return value is 1 then it's successful. I checked this on the server side using get_shutdown() and it returned "1", which I believe to be the correct value. When I use g
Yeah, you would think that, but it doesn't for some strange reason. Girish Venkatachalam <[EMAIL PROTECTED]> wrote: Looks like I have not understood your problem. Why do you have to do an SSL_read() to figure out if it has closed? SSL_write() will fail if the other side closes... --- michael D
Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed, but when I do this I cannot write to the server again for some reason. How can I rectify this? Thanks in advance. int do_client_loop(SSL *ssl) { int err, nwritten;
I am trying to send the client a shutdown message. I use set shutdown on the server side and then I do SSL_shutdown. The return value from SSL_shutdown is 1, so I thought if I do the get_shutdown() function on the client side that I should be able to get a return value that signals I have shutdow
If the server returns an error my client does not shut down the connection. I think I have to use SSL_read and then if the return value is less than or equal to 0 then I just break. The problem is that when I use SSL_read then my SSL_write does not seem to work... why is that? Or is there
one is the ephemeral keying one and that's about all I know... any help would be great, thanks. Girish Venkatachalam <[EMAIL PROTECTED]> wrote: Kyle is the best person to explain these things to you. However I will make an attempt. Please find answers inline. --- michael Dorrian <[EMAIL PROTECT
I make a client and server certificate and then sign it with the root cert. Are these generated certificates the public keys? I can attach small data to an RSA key, but usually RSA is not used for actually encrypting the data. Is that right? A specified cipher suite (e.g. sha1 for hashing etc.) is u
-- if it's UNKNOWN_CA, then you can present a dialog to the user. This happens before any actual application data is transmitted on the wire. -Kyle H On 3/30/06, michael Dorrian <[EMAIL PROTECTED]> wrote: >> This is the scenario. I have a root CA which I use to sign both the client >
I am not talking about the PEM pass phrase here. I want a last line of authentication from the client. I want the server to have a list of common names of clients it trusts. With these client names a client password will also be stored on the server side. At runtime the server asks for this passwor
The way OpenSSL is set up, you load the CAs you trust and if they don't match an unknown CA error happens... is it possible to not have this as an error but a warning, and then the user can decide whether to break the connection or not?
Sorry, typo: client CA = client cert. michael Dorrian <[EMAIL PROTECTED]> wrote: This is the scenario. I have a root CA which I use to sign both the client certificate and server certificate. When you are checking the client certificate all you are checking is if the IP address matches the IP addre
This is the scenario. I have a root CA which I use to sign both the client certificate and server certificate. When you are checking the client certificate all you are checking is if the IP address matches the IP address in the certificate, but the certificate and IP address could be anyone's? There
Thanks a lot for the response. It helped a lot. Bernhard Froehlich <[EMAIL PROTECTED]> wrote: michael Dorrian wrote: > Is this correct or is there a simpler way? I have to revoke all my > client, server and root files and then basically create everything over > again? It depends on
Is this correct or is there a simpler way? I have to revoke all my client, server and root files and then basically create everything over again? I am sure I can just use the same commands I used to make the root cert and then sign the client and server files, and by doing this just overwrite all th
Sorry, there was a typo in the last post. # openssl ca -revoke file.pem # openssl ca -gencrl -out revokefile.crl # openssl crl -in revokefile.crl -noout -CAfile file.pem michael Dorrian <[EMAIL PROTECTED]> wrote: try this: # openssl ca -revoke file.pem # openssl ca -gencrl -out revokefile.crl #
Try this: # openssl ca -revoke file.pem # openssl ca -gencrl -out revokefile.crl # openssl crl -in exampleca.crl -noout -CAfile file.pem [EMAIL PROTECTED] wrote: Hello, I built a web server with apache 2.xx. Access is secured with the SSLVerifyClient directive. When I revoke a certificate and then generat
e (untrusted) which I want to make trusted if possible. Regards, Andrew On 3/20/06, michael Dorrian <[EMAIL PROTECTED]> wrote: What exactly do you mean? Have you made a self-signed certificate yourself which is untrusted, or what type of certificate have you now that is "untrusted"?
What exactly do you mean? Have you made a self-signed certificate yourself which is untrusted, or what type of certificate have you now that is "untrusted"? Andrew Madu <[EMAIL PROTECTED]> wrote: Hi, I have created a selcert certificate, under java 1.5, which I need to convert to a trusted one.
gned by my root CA it gave a certificate chain error. A valid subCA signed by a valid root CA cannot be trusted as far as I can see. Or maybe I misunderstood? "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: On Fri, Mar 17, 2006, Olaf Gellert wrote: > Dr. Stephen Henson wrote: >
The root CA can sign another CA. So you can have as many CAs as you like. But when the root signs another CA, why can't that CA act as a trusted CA? For example, I made my root CA, then I created another server CA which I had signed by the root CA. I tried to load the server CA cert as my trusted CA c
I think David may have a point here. On the client side you have a list of CAs you trust, so therefore other CAs will not be accepted. It is a big problem that you can revoke other certs with the same CN though. David Schwartz <[EMAIL PROTECTED]> wrote: > ...except that it's not. >> A later certifi
Here is another thread that converts the time to a string. It may be helpful in the future: http://www.securitybuzz.org/buzz/emails/id/276651/ vipin rathor <[EMAIL PROTECTED]> wrote: hi DS and all, I was just searching the mail archive and fortunately I got the conversation between "Tan Eng T
Stephan, this function "X509_get_notBefore(cert);" returns an ASN1_TIME pointer, so you cannot print out the results using %d, which is for integers; or maybe it prints out something, but not correct. Now just call it like this: ASN1_TIME *cert_time; char *pstring; cert_time = X509_get_notBefore(cert);
ed, Mar 15, 2006, michael Dorrian wrote: > First of all thank you for your reply. I read one of your previous replies > to the following post and this seems to be what I need. > http://www.mail-archive.com/openssl-users@openssl.org/msg20673.html X509_AUX > is a "trusted certificate" for
ed. "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: On Tue, Mar 14, 2006, michael Dorrian wrote: > Thanks for your reply. It makes sense that it does not trust any authority > by default. I will try to research these functions a little more, but it may > be difficult to fi
is the source -- I'd suggest picking apart the SSL_CTX_load_verify_locations() and figuring out how it creates and sets the store. -Kyle H On 3/14/06, michael Dorrian <[EMAIL PROTECTED]> wrote: > I know SSL_CTX_load_verify_locations() loads the CAs you trust from a PEM > file that you store
Yes is the answer to that. If you download the code for this book from this site http://www.opensslbook.com/code.html, it will unzip to a folder called "NSw0-1.3". Go into this folder, and in this folder there is one subfolder called "ssl". Run the makefile in that folder. It creates two CAs, one ro
I know SSL_CTX_load_verify_locations() loads the CAs you trust from a PEM file that you store locally on your client machine, but I cannot use this function as I don't want to read a PEM file on the client side. I want to know if you can check to see if the server certificate presented was signed by
Help is at hand. This is a really good explanation of how to set up certificates on Apache. I don't think it tells you how to revoke out-of-date certificates, but I can help you with that if you want. Hope this helps. http://www.flatmtn.com/computer/Linux-SSLCertificatesApache.html Etienne Chove <[EM
Here is a function to do what you want that I just wrote today. At least I hope it's what you want. Good luck! void ShowCerts(SSL* ssl) { X509 *cert; char buf[100]; /* get the server's certificate */ cert = SSL_get_peer_certificate(ssl); if ( cert != NULL ) { /* issuer */ X509_NAM
Sounds brilliant. I may have need for that shortly. Where can I get it? Frank Laub <[EMAIL PROTECTED]> wrote: I've just recently put together a C# class library that wraps the crypto DLL via PInvoke. I was wondering if anyone here would be interested in such a thing or if perhaps I should just cre
I would just like to have the same security as somebody connecting to an https server (the certificate does not need to be a trusted one). I cannot use any client keys or certs. I know that I have to present my server certificate to the client and then the client decides whether or not to connect to the
I want to create a sample program which connects to the server and reads in various information to verify that this server is trustworthy, and then, when I verify it's the correct one, connect and transfer data. I have only seen client and server examples which use a client and server pair made by a C