Re: server key exchange signature behavior

Thank you JJK and everyone!! Jan, that was it! Never thought to check the key size. Just too close to it I guess. I could handle the 2,048 bit keys but set a fixed maximum register size of 4,096 bits. Well, it needs 6,144 bits to do the 3,072 bit math. My bad as they say. I do have a ToDo in the c

Re: server key exchange signature behavior

Jan, Use Wireshark all of the time. In fact I've used it since before it was Wireshark. But now... I can't remember what it was called before. Great tool. You, though, may have hit on something in pointing out the 3072 bit key. I will check on that. It was a design decision in developing this con

Re: server key exchange signature behavior

On 25/06/20 20:02, Bruce Cloutier wrote: I agree that I am not being explicit regarding my terminology. I don't mean to confuse. I just cannot get anywhere on this in a vacuum. So, I need to reach out. Specifically, the Signature covering the EC Diffe-Hellman Server Params in the server_key_exch

Re: server key exchange signature behavior

I agree that I am not being explicit regarding my terminology. I don't mean to confuse. I just cannot get anywhere on this in a vacuum. So, I need to reach out. Specifically, the Signature covering the EC Diffe-Hellman Server Params in the server_key_exchange message that I eventually receive in m

RE: server key exchange signature behavior

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Bruce Cloutier > Sent: Thursday, June 25, 2020 12:10 > > By "If OpenSSL fails to validate this particular digital signature that > would be the case." I meant to question whether or not OpenSSL is in > fact doing the va

Re: server key exchange signature behavior

less than the best that the latestbig-brand browsers support" with no consideration for servers that try to provide compatibility for older clients in addition to the latest hype. As for the signature on the key exchange in SSL3/TLS1.0/TLS1.1/TLS 1.2 and the final signature in TLS1.3, those ar

Re: server key exchange signature behavior

Sorry, By "If OpenSSL fails to validate this particular digital signature that would be the case." I meant to question whether or not OpenSSL is in fact doing the validation? In the case that the signature is being ignored then clients wouldn't complain. They wouldn't notice. Bruce On 6/25/20 1:

Re: server key exchange signature behavior

Yeah. I doubt it is an OpenSSL issue directly as Apache might be feeding the wrong key. Just need confirmation that there isn't a default key configuration setting for OpenSSL that might be taking precedence for who knows why. I can connect successfully with the browser so I cannot rule out that m

RE: server key exchange signature behavior

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Bruce Cloutier > Sent: Thursday, June 25, 2020 10:11 > > Has anyone thought about this question? From your description, it sounds like an Apache issue, not an OpenSSL one. I don't know enough about Apache configuratio

Re: server key exchange signature behavior

Has anyone thought about this question? The site is https://jnior.com if anyone wants to hit it. For me the digital signature in the server_key_exchange does not verify. Is there a site diagnostic that might report on this? I suspect that we have not fully configured the change in certificates. Has

Re: server key exchange signature behavior

Hi, see comments/questions inline On 23/06/20 14:03, Bruce Cloutier wrote: Hello, We administer a server (Windows) with a Bitnami stack for a Wordpress implementation and that uses Apache Httpd and OpenSSL. Separately I am developing the TLS ECC aspect of a controller device implementation and

server key exchange signature behavior

Hello, We administer a server (Windows) with a Bitnami stack for a Wordpress implementation and that uses Apache Httpd and OpenSSL. Separately I am developing the TLS ECC aspect of a controller device implementation and note a problematic behavior with the server_key_exchange for ECDHE_RSA. The de

Re: Help on Diffie Hellman key exchange

Thanks Rich, On Wed, Nov 13, 2019 at 12:34 PM Salz, Rich wrote: > *>*For using 1.1.0, we only need to call RAND_bytes() ? > > > > Yes. But do check the return value of RAND_bytes. >

Re: Help on Diffie Hellman key exchange

On Wed, Nov 13, 2019 at 12:23:37PM -0500, Jason Qian via openssl-users wrote: > Here is the code for creating the key (openssl-0.9.8h) Is this is a new question? It seems to no longer be related to DH key agreement. > int AESCipher::createKey(unsigned char *buf, int keySize) { > char seed[256];

Re: Help on Diffie Hellman key exchange

>For using 1.1.0, we only need to call RAND_bytes() ? Yes. But do check the return value of RAND_bytes.

Re: Help on Diffie Hellman key exchange

Thanks Rich and Tomas, Here is the code for creating the key (openssl-0.9.8h) int AESCipher::createKey(unsigned char *buf, int keySize) { char seed[256]; ::sprintf(seed, "%ldXXX_XXX_H__x__xxx_x_xxx__INCLUDED_", MiscUtils::generateId()); RAND_seed(seed, ::strlen(seed)); RAND_bytes

Re: Help on Diffie Hellman key exchange

> On Nov 12, 2019, at 3:14 AM, Tomas Mraz wrote: > > Could it be a padding issue? I.E. use DH_compute_key_padded() instead. Do we have an open issue to document DH_compute_key_padded(3)? It should be documented right next to DH_compute_key(3), with some words to suggest that the caller needs to

Re: Help on Diffie Hellman key exchange

>RAND_seed(seed, ::strlen(seed)); >RAND_bytes(buf, keySize / 8); I don’t know where you are getting the seed, but it is typically binary data, not a C string. If you are using 1.1.0 or later, you do not need to seed things.

Re: Help on Diffie Hellman key exchange

hanks Tomas, > > > > I will try that. > > > > On Tue, Nov 12, 2019 at 3:14 AM Tomas Mraz > > wrote: > > > On Mon, 2019-11-04 at 17:34 -0500, Jason Qian via openssl-users > > > wrote: > > > > Hi > > > > > > > >

Re: Help on Diffie Hellman key exchange

019-11-04 at 17:34 -0500, Jason Qian via openssl-users wrote: >> > Hi >> > >> >We have an application that does the Diffie Hellman key exchange >> > (OpenSSL/1.1.0f). >> >It works fine, but under heavy loaded conditions, sometimes an >> > inv

Re: Help on Diffie Hellman key exchange

Thanks Tomas, I will try that. On Tue, Nov 12, 2019 at 3:14 AM Tomas Mraz wrote: > On Mon, 2019-11-04 at 17:34 -0500, Jason Qian via openssl-users wrote: > > Hi > > > >We have an application that does the Diffie Hellman key exchange > > (OpenSSL/1.1.0f). >

Re: Help on Diffie Hellman key exchange

On Mon, 2019-11-04 at 17:34 -0500, Jason Qian via openssl-users wrote: > Hi > >We have an application that does the Diffie Hellman key exchange > (OpenSSL/1.1.0f). >It works fine, but under heavy loaded conditions, sometimes an > invalide secret been generated and o

Help on Diffie Hellman key exchange

Hi We have an application that does the Diffie Hellman key exchange (OpenSSL/1.1.0f). It works fine, but under heavy loaded conditions, sometimes an invalide secret been generated and other side couldn't decrypt the data (the secret seems offset by one). The client side is c++ an

Re: [openssl-users] Server-side visibility of signature algorithm and key exchange properties?

> these are not implied by the ciphersuite, to determine the signature >>> algorithm (and curve for ECDSA), the hash algorithm and key exchange >>> public key (with bit count for DH or curve name for ECDSA)? >> >> I don't believe we currently expose the signature algo

Re: [openssl-users] Server-side visibility of signature algorithm and key exchange properties?

> > algorithm (and curve for ECDSA), the hash algorithm and key exchange > > public key (with bit count for DH or curve name for ECDSA)? > > I don't believe we currently expose the signature algorithm selected on > the server side. It's held in s->s3->tmp

Re: [openssl-users] Server-side visibility of signature algorithm and key exchange properties?

On 09/11/2018 08:38, Viktor Dukhovni wrote: > On the client side of a TLS connection, I'm easily able to find all > the primary parameters of interest: > > * The cipher used. > * The server signature algorithm (digest, and public key) > * The server key exc

[openssl-users] Server-side visibility of signature algorithm and key exchange properties?

On the client side of a TLS connection, I'm easily able to find all the primary parameters of interest: * The cipher used. * The server signature algorithm (digest, and public key) * The server key exchange algorithm (public key) enabling logging such as: TLS conne

Re: [openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

implement fixed DH > support. Are you sure the requirement is stated correctly? EDH is incompatible with fixed DH, with EDH you use RSA or ECDSA to authenticate the key exchange. As for using DH keys, they should just work, but you need to load the certificate before setting the private key, be

Re: [openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

I understand your point and also agree with you. I am not in a position to explain the requirement. This is important and we need to provide the support. The system supports only DH and EDH. So could you please help me and give me pointers on how to implement fixed DH support. -- Sent fro

Re: [openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

> On Jan 12, 2018, at 1:57 AM, Bharathi Prasad > wrote: > > Let me rephrase my question. > > How to support fixed Diffie Hellman key agreement in my application. > > OpenSSL 1.0.2 supports fixed DH. > We are currently referring to TLS 1.2 standard and hence need to extend > support for fixed

Re: [openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

Thank you for the reply. Let me rephrase my question. How to support fixed Diffie Hellman key agreement in my application. OpenSSL 1.0.2 supports fixed DH. We are currently referring to TLS 1.2 standard and hence need to extend support for fixed DH and ephemeral DH. I was able to enable EDH but

Re: [openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

On 11/01/2018 10:35, Bharathi Prasad wrote: Hello, I want to use static Diffie Hellman key exchange with RSA authentication (DH_RSA) in my application. I am currently using OpenSSL version 1.0.2n. I understand that from version 1.0.2 openSSL supports fixed DH. Here is what I have tried so far

Re: [openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

> On Jan 11, 2018, at 4:35 AM, Bharathi Prasad > wrote: > > I want to use static Diffie Hellman key exchange with RSA authentication > (DH_RSA) in my application. > > I am currently using OpenSSL version 1.0.2n. I understand that from version > 1.0.2 openSSL support

[openssl-users] How to enable Fixed Diffie Hellman key exchange mechanism

Hello, I want to use static Diffie Hellman key exchange with RSA authentication (DH_RSA) in my application. I am currently using OpenSSL version 1.0.2n. I understand that from version 1.0.2 openSSL supports fixed DH. Here is what I have tried so far. Trial 1: I created DH server and client

Re: [openssl-users] Adding new key exchange to OpenSSL

Thankyou, the SSL_*_set_psk_*_callback functions look like they're exactly what I need. I just need to work out which callbacks to use. On 19/01/17 15:06, Salz, Rich wrote: > Look at the PSK ciphers; the callbacks should be able to call your > generator... > > -- > Senior Architect, Akamai Tec

Re: [openssl-users] Adding new key exchange to OpenSSL

Look at the PSK ciphers; the callbacks should be able to call your generator... -- Senior Architect, Akamai Technologies Member, OpenSSL Dev Team IM: richs...@jabber.at Twitter: RichSalz -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Adding new key exchange to OpenSSL

o insert my key generator into the system using the cypher description to modify the key exchange, rather than EDH for example. Any pointers in the right direction would be greatly appreciated. -- Richard Collins Senior Research Associate in Networks University of Bristol MVB G0.01 Bristol Emai

Re: [openssl-users] server key exchange use case in ECDSA-ECDHE-AES-SHA

Thanks Salz for the reply. I do understand the server key exchange is used to involve even the server in the key exchange process to send the ECDHE public key with the EC domain parameters so that the client creates the ECDHE public key and the pre master secret. But even if there is no server key

Re: [openssl-users] server key exchange use case in ECDSA-ECDHE-AES-SHA

You have asked two very basic questions about cryptography. I suggest you start doing a literature search; for example, Wikipedia. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/l

[openssl-users] server key exchange use case in ECDSA-ECDHE-AES-SHA

Hello, I have used ECDSA-ECDHE-AES-SHA as the cipher suite in my client- server communication. To use ECDHE key exchange algorithm I used ECDHE parameters and what I see is an additional server key exchange in my SSL handshake process. What does that imply? Does that increase the security

Re: [openssl-users] Getting the current key exchange algorithm mode from an SSL_CIPHER

> On Jan 20, 2016, at 1:13 PM, Eric Erhardt wrote: > > What is the most appropriate way to programmatically get the following > information about an SSL_CIPHER? > > Currently, we need to read: > > · Which cipher algorithm is being used > · Whic

Re: [openssl-users] Getting the current key exchange algorithm mode from an SSL_CIPHER

On Wed, Jan 20, 2016, Eric Erhardt wrote: > What is the most appropriate way to programmatically get the following > information about an SSL_CIPHER? > > Currently, we need to read: > > > * Which cipher algorithm is being used > > * Which key excha

Re: [openssl-users] Getting the current key exchange algorithm mode from an SSL_CIPHER

The most portable, and longest-lasting, way is probably to get the name and then use that as a key to look up things in your own table of characteristics. A PR that adds API's (and doc) for extracting various things, and returning them as nid's or oid's or something, would be helpful. __

[openssl-users] Getting the current key exchange algorithm mode from an SSL_CIPHER

What is the most appropriate way to programmatically get the following information about an SSL_CIPHER? Currently, we need to read: * Which cipher algorithm is being used * Which key exchange algorithm is being used * Which MAC hash algorithm is being used The way

Re: Fwd: Client Key Exchange Message

"how I can change it " No comment Le 03/09/2014 18:13, md intekhab shaukat a écrit : Reminder. -- Forwarded message -- From: *md intekhab shaukat* <mailto:shaukat.mdintek...@gmail.com>> Date: Thu, Aug 28, 2014 at 3:56 PM Subject: Client Key Exchange

RE: Client Key Exchange Message

aukat Sent: Wednesday, 03 September, 2014 12:14 To: openssl-users@openssl.org Subject: Fwd: Client Key Exchange Message Reminder. -- Forwarded message -- From: md intekhab shaukat mailto:shaukat.mdintek...@gmail.com>> Date: Thu, Aug 28, 2014 at 3:56 PM Subject: Client Key Exc

Fwd: Client Key Exchange Message

Reminder. -- Forwarded message -- From: md intekhab shaukat Date: Thu, Aug 28, 2014 at 3:56 PM Subject: Client Key Exchange Message To: openssl-users@openssl.org Hi, I am a Master student and as case study regarding OpenSSL, I have to find out what all information are being

RE: Client Key Exchange Message

There is no tutorial or walk-through of the OpenSSL code. You should start my reading the TLS RFC and make sure you really understand it; then you can figure out what the code is sending. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me

Client Key Exchange Message

Hi, I am a Master student and as case study regarding OpenSSL, I have to find out what all information are being sent in CLIENT-KEY-EXCHANGE and how I can change it. I have downloaded the code. But, I am not able to figure it out. Could you please help me that in which function has it been

Re: Extracting of key exchange (DH / DHE) parameters of a connection

On Mon, Apr 07, 2014, Hanno Bck wrote: > Hi, > > I wanted to ask if anyone is aware of a simple way to extract the > parameters of a key exchange. > > On an SSL connection protected with either Diffie Hellman or Elliptic > Curve Diffie Hellman usually the server should s

Extracting of key exchange (DH / DHE) parameters of a connection

Hi, I wanted to ask if anyone is aware of a simple way to extract the parameters of a key exchange. On an SSL connection protected with either Diffie Hellman or Elliptic Curve Diffie Hellman usually the server should send the parameters of the key exchange to the client. What I'd like to

RE: key exchange error for lighttpd webserver ob beaglebone black running arago file system

>From: owner-openssl-users On Behalf Of Kiran G >Sent: Wednesday, October 30, 2013 00:13 >This is the openssl client output from my desktop: >$ openssl s_client -connect 192.168.3.152:443  -debug >CONNECTED(0003) >write [v3format ClientHello with record and max ver 0300 and no extensions] W

Re: key exchange error for lighttpd webserver ob beaglebone black running arago file system

56v1 which is okay; did you set ssl.ec-curve to something else? *From:*owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Kiran G *Sent:* Tuesday, October 29, 2013 06:32 *To:* openssl-users@openssl.org *Subject:* key exchange error for lighttpd webserver ob beagl

RE: key exchange error for lighttpd webserver ob beaglebone black running arago file system

lto:owner-openssl-us...@openssl.org] On Behalf Of Kiran G Sent: Tuesday, October 29, 2013 06:32 To: openssl-users@openssl.org Subject: key exchange error for lighttpd webserver ob beaglebone black running arago file system Hi, I am trying enable ssl in lighttpd web server. My OS is "Arago linux"

key exchange error for lighttpd webserver ob beaglebone black running arago file system

r (Camellia-256-CBC instead of AES-256-CBC) shouldn't matter in that stage of the connection, but I guess the ECDHE-RSA key exchange could be the problem. You could try to disable elliptic curves with|ssl.cipher-list|. Also I don't think this is a bug in lighttpd; it probably is somewher

TLS client aborts ECDH key exchange due to EC_R_UNKNOWN_GROUP when OpenSSL is built with no-ec2m option

nt list of elliptic curves - it begins with sect571r1 (0x000e). Then, in the Server Key Exchange message the server indicates that it picked the first named curve offered by the client (0x000e). However, because sect571r1 is a "characteristic-2 field" curve - and therefore is co

query reg disabling hanshake and key exchange mechanism openssl

Hi, I am a network security researcher. We have designed and developed a multifactor authentication and secure key exchange protocol that can counter man in the middle attack. I want to integrate my protocol with SSL on apache. I have written my own protocol for authentication and key exchange

SSL Key Exchange

Hi, I am writing client and server program using ssl3/TLS1. i had created both server and client certificate and signed by CA and exchaning the data. further I need to implement the below steps on the program, 1. Key Exchange(DHE-RSA-AES256-SHA) 2. Encryption using AES. I need to use the Diffie

Re: ECDH-RSA key exchange support (rfc 4492)

On 08/16/2011 02:58 PM, Dr. Stephen Henson wrote: > Can you give me a more complete report? I detailed my situation in a previous recent thread ( Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian) ). Briefly: - I want to use ECDSA+SHA512 for OpenVPN authenticatio

Re: ECDH-RSA key exchange support (rfc 4492)

On Tue, Aug 16, 2011, Gaglia wrote: > On 08/14/2011 03:53 PM, Dr. Stephen Henson wrote: > > Should be fixed by this: > > > > http://cvs.openssl.org/chngview?cn=21247 > > Hi and thanks, it would solve all my problems too! Unfortunately, it > doesn't seem to work for me :( Can you give me a more

Re: ECDH-RSA key exchange support (rfc 4492)

On 08/14/2011 03:53 PM, Dr. Stephen Henson wrote: > Should be fixed by this: > > http://cvs.openssl.org/chngview?cn=21247 Hi and thanks, it would solve all my problems too! Unfortunately, it doesn't seem to work for me :( __ Open

Re: ECDH-RSA key exchange support (rfc 4492)

On Fri, Aug 12, 2011, Dave Thompson wrote: > > 1.0.0 allows any cert sig alg whose name includes "WithRSA". > > Adjacent in the code, 1.0.0 like 0.9.8 allows kECDH*e* only for cert > signed ECDSA+SHA1, though 1.0.0 otherwise handles ECDSA+SHA2family. > That probably needs a similar upgrade. >

Re: ECDH-RSA key exchange support (rfc 4492)

On 08/13/2011 04:28 AM, Dave Thompson wrote: > Adjacent in the code, 1.0.0 like 0.9.8 allows kECDH*e* only for cert > signed ECDSA+SHA1 Now, this is interesting. I have tried an OpenVPN setup using elliptic curves certificates generated with OpenSSL 1.0.0, and in fact I've found that I couldn't u

RE: ECDH-RSA key exchange support (rfc 4492)

> From: owner-openssl-us...@openssl.org On Behalf Of John Foley > Sent: Thursday, 11 August, 2011 15:10 > Is there a known bug with ECDH_RSA key exchange cipher suites in > 0.9.8r? For instance, using cipher suite ECDH-RSA-AES128-SHA > in 0.9.8r > does not work. But it d

ECDH-RSA key exchange support (rfc 4492)

Is there a known bug with ECDH_RSA key exchange cipher suites in 0.9.8r? For instance, using cipher suite ECDH-RSA-AES128-SHA in 0.9.8r does not work. But it does work in 1.0.0d. This is tested using the following command: ssltest -tls1 -cert servercert.pem -key serverkey.pem -cipher ECDH-RSA

Re: DH key exchange issue

Yes I used the same generator,'5'. So that means I need to use the same prime too for both the parties On 4/22/11, Dave Thompson wrote: >> From: owner-openssl-us...@openssl.org On Behalf Of Prashant Batra >> Sent: Thursday, 21 April, 2011 09:16 > >> Hi, I tried the dhtest sample p

RE: DH key exchange issue

> From: owner-openssl-us...@openssl.org On Behalf Of Prashant Batra > Sent: Thursday, 21 April, 2011 09:16 > Hi, I tried the dhtest sample provided in the test folder of openssl-0.9.8g. > What it does is- > Creates 2 DH objects using a single prime and generator valu

DH key exchange issue

Hi, I tried the dhtest sample provided in the test folder of openssl-0.9.8g. What it does is- Creates 2 DH objects using a single prime and generator value. It then calculates the public, private keys pairs using the 2 DH's. Then computes the secret for each DH using the public key of the other DH.

RSA key exchange

Hello list, I've questions about how (temporary) RSA keys will be used in a SSL/TLS handshake. I understand that DH key exchange is the preferred and standard way to exchange the shared secret. Nevertheless 1) When will RSA key exchange be used? Is this a configuration of the server? 2) Ar

Parse the ECC server key exchange?

I am trying to understand the server key exchange message. It would be nice if I could compare and understand an actual packet while looking at RFC 4492. I am using openssl s_server and s_client for my experimenting. There is a lot of stuff in that message. struct

Re: Diffie-Hellman key exchange : Preventing MITM attack

* Victor Duchovni wrote on Fri, Aug 28, 2009 at 13:39 -0400: > The OP is not using fixed DH keys. He is proposing to use ADH key > exchange. This gives confidentiality, but NOT authentication. Yes, and confidentiality without authentication usually doesn't help much. In case o

Re: Diffie-Hellman key exchange : Preventing MITM attack

Note that there is one case which falls more into the 'shared secret' category than the 'trusted introducer' category, and that is the case where you have two entities which share self-signed certificates. Even though what they share aren't secrets, they still have to do it through a mechanism that

RE: Diffie-Hellman key exchange : Preventing MITM attack

> No. Without a previously arranged shared secret and no trusted introducer, > authentication is *impossible*. Authentication is an act of recognizing > a party that posesses something you can verify. You CAN NOT generate > authentication secrets on the fly. > Viktor. Or, to put it in simp

Re: Diffie-Hellman key exchange : Preventing MITM attack

Victor Duchovni wrote: > Bootstrapping authentication requires an out-of-band secure channel for > key exchange (or initial delivery of keys of trusted introducers). > Agreed. __ OpenSS

Re: Diffie-Hellman key exchange : Preventing MITM attack

s implicit. Either OOB or > via a trusted directory service, or a cert binding the identity > of a principal to a pubkey suffice. The OP is not using fixed DH keys. He is proposing to use ADH key exchange. This gives confidentiality, but NOT authentication. The OP would be better off with

Re: Diffie-Hellman key exchange : Preventing MITM attack

Victor Duchovni wrote: > No. Without a previously arranged shared secret and no trusted introducer, DH doesn't require anything but mutual knowledge of public keys, since the shared secret is implicit. Either OOB or via a trusted directory service, or a cert binding the identity of a principal t

Re: OpenSSL with Anonymous DH key exchange - sample program available ?

L_CTX_set_cipher_list(ctx,"ADH-AES256-SHA"); >> >> This should be enough for a very basic anonymous DH client/server program >> >> Regards >> >> Ramg >> >> >> >> On Fri, Aug 28, 2009 at 7:42 AM, Josue Andrade Gomes < >>

Re: Diffie-Hellman key exchange : Preventing MITM attack

On Fri, Aug 28, 2009 at 09:39:18AM -0400, Ram G wrote: > Hello Users, > > I would like to run a design by you. The requirement (and the constraint) is > that I have to design a secure communication channel without using > certificates. I'm trying out DH key exchange. > &g

Re: Diffie-Hellman key exchange : Preventing MITM attack

Ram G wrote: > I would like to run a design by you. The requirement (and the constraint) is > that I have to design a secure communication channel without using > certificates. I'm trying out DH key exchange. An unfortunate, if common, misnomer. DH key agreement is a better

Diffie-Hellman key exchange : Preventing MITM attack

Hello Users, I would like to run a design by you. The requirement (and the constraint) is that I have to design a secure communication channel without using certificates. I'm trying out DH key exchange. My proposed design is a two step process for communication: 1) Use Anonymous D

Re: OpenSSL with Anonymous DH key exchange - sample program available ?

s > > Ramg > > > > On Fri, Aug 28, 2009 at 7:42 AM, Josue Andrade Gomes < > josue.gomes.honey...@gmail.com> wrote: > >> I'm also interested in such sample program. Anyone? >> >> >> >> On Thu, Aug 27, 2009 at 4:39 PM, Ram G wrote: >>

Re: OpenSSL with Anonymous DH key exchange - sample program available ?

getting clearer as I dig deeper. The book "Network Security >> with OpenSSL" by John Viega et al has some explanation of how the DH key >> exchange takes place. >> >> With that knowledge, I went through the source code and found that >> DH_Compute_Key() is being

Re: OpenSSL with Anonymous DH key exchange - sample program available ?

On Thu, Aug 27, 2009, Ram G wrote: > Hello, > > Going through various posts, I have come across references to Bodo Moeller's > example code showing SSL communication without certificates and using > anonymous DH key exchange. If anybody has that sample, can you please > f

Re: OpenSSL with Anonymous DH key exchange - sample program available ?

I'm also interested in such sample program. Anyone? On Thu, Aug 27, 2009 at 4:39 PM, Ram G wrote: > Things are getting clearer as I dig deeper. The book "Network Security with > OpenSSL" by John Viega et al has some explanation of how the DH key exchange > takes place.

Re: OpenSSL with Anonymous DH key exchange - sample program available ?

Things are getting clearer as I dig deeper. The book "Network Security with OpenSSL" by John Viega et al has some explanation of how the DH key exchange takes place. With that knowledge, I went through the source code and found that DH_Compute_Key() is being called in s3_clnt.c and s3_

OpenSSL with Anonymous DH key exchange - sample program available ?

Hello, Going through various posts, I have come across references to Bodo Moeller's example code showing SSL communication without certificates and using anonymous DH key exchange. If anybody has that sample, can you please forward it ? I have written a client and server taking help fro

Re: a question about Diffie-Hellman key exchange mode

nssl-us...@openssl.org] *On Behalf Of *William Cai > *Sent:* Monday, July 06, 2009 3:25 AM > *To:* openssl-users@openssl.org > *Subject:* Re: a question about Diffie-Hellman key exchange mode > > Thanks Michael! Could you please share me some information about

RE: a question about Diffie-Hellman key exchange mode

[mailto:owner-openssl-us...@openssl.org] On Behalf Of William Cai Sent: Monday, July 06, 2009 3:25 AM To: openssl-users@openssl.org Subject: Re: a question about Diffie-Hellman key exchange mode Thanks Michael! Could you please share me some information about when/how to agree upon p & g? Th

Re: a question about Diffie-Hellman key exchange mode

Thanks Michael! Could you please share me some information about when/how to agree upon p & g? Thanks, William From: Michael Sierchio To: openssl-users@openssl.org Sent: Sunday, July 5, 2009 11:58:42 PM Subject: Re: a question about Diffie-Hellman

Re: a question about Diffie-Hellman key exchange mode

William Cai wrote: > According to my understanding, Diffie-Hellman algorithm is based on > something like this, > 1. public prime number, p > 2. public base, g > 3. Side A's private key, a > 4. Side A's public key, A = g ^ a mod p > 5. Side B's private key, b > 6. Side B's public key, B = g ^ b mo

a question about Diffie-Hellman key exchange mode

Hi list, I get a question regarding Diffie-Hellman key exchange of SSL. Not sure if this is the right place for such question. But this could be an easy one for those who are familiar with SSL protocol. :-) Below is cited from William Stallings' paper. - cited

Creating certs with dh key exchange?

have created certificates for them to work and it works, but the problem is with the DHE certificates. As far as I have been able to learn is that the DHE-RSA cipher suites use DH for key exchange and RSA for authentication, and the DHE-DSS cipher suites use DH for key exchange and DSA for

RE: perform a key exchange (key negotiation) using asymmetric keys(no certifications!)

Manuel Sahm wrote: > could anybody explain me how to modify this programm, > to use only keys instead of certificates ? > Thanks to all. I'm sorry to say, I don't see any easy way to do this with OpenSSL. You have two choices: 1) Roll your own on top of SSL, using algorithms similar to those i

perform a key exchange (key negotiation) using asymmetric keys (no certifications!)

Hello, could anybody explain me how to modify this programm, to use only keys instead of certificates ? Thanks to all. - /* serv.cpp - Minimal s

Qestions on Doing DH Key Exchange with BSAFE

Hi there, I am trying to do a DH key exchange between BSAFE and OpenSSL. The server side uses BSAFE to generate DH parameters and server's public/private key, and my client uses received DH parameters to generate its keys. Now my problem is that I cant parse out the DH parameters proper

Delay in sending out 'Client Key Exchange'

Hi, My application tries to make multiple SSL connections to a server in a persistent TCP Connection. The client will establish for once a TCP connection and later on attempt n number of SSL connections in the same TCP connection. In a particular case where the client times out ['select' is use

Re: TLS server key exchange message

Hello, > $ openssl s_server -key key.pem -cert crt.pem -debug -state -cipher > ACCEPT <-- waiting for client connection Should be: $ openssl s_server -key key.pem -cert crt.pem -debug -state -cipher EXP-DES-CBC-SHA Best regards, -- Marek Marcola <[EMAIL PROTECTED]> ___

Re: TLS server key exchange message

Hello, > RFC 4346 says the server key exchange message is only sent when > DHE_DSS, DHE_RSA, or DH_anon is used as the cipher suite. It further > says the server key exchange message can contain RSA or DH public > components. I am confused. If DHE_DSS, DHE_RSA, or DH_anon is used,

TLS server key exchange message

RFC 4346 says the server key exchange message is only sent when DHE_DSS, DHE_RSA, or DH_anon is used as the cipher suite. It further says the server key exchange message can contain RSA or DH public components. I am confused. If DHE_DSS, DHE_RSA, or DH_anon is used, then DH is used for key

RE: RSA Key exchange and FIPS compliance

This helps a lot. Thanks for the clarification. -Geoff -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Marquess Sent: Thursday, April 19, 2007 4:48 PM To: openssl-users@openssl.org Subject: Re: RSA Key exchange and FIPS compliance Gatfield

  1   2   >