Hello list,
I've questions about how (temporary) RSA keys will be used in an SSL/TLS
handshake. I understand that DH key exchange is the preferred and standard way
to exchange the shared secret. Nevertheless
1) When will RSA key exchange be used? Is this a configuration of the server?
2) Are the
Hello Jakob,
On 12.10.2011 22:21, Jakob Bohm wrote:
>> I know that to sign, I have to take a hash of some document or message but,
>> theoretically, I could encrypt any document? The padding scheme would shrink
>> the message and then could reveal the same message after deciphering?
> The padding
Thanks,
On 14.10.2011 13:16, Jakob Bohm wrote:
>>
> Unfortunately not, I am a security engineer, not a fully trained
> cryptographer/cryptanalyst.
>
> As an engineer I am aware that attacking an algorithm such as RSA is easier the
> more the attacker knows or can control about the input, an
Hello,
is there somewhere a release schedule for version 1.0.1 published?
Thanks
Dirk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.or
Hello,
I have a problem with the saving SSL_SESSION objects. As there seems to be no
SSL_SESSION_dup function I have created one:
SSL_SESSION* SSL_SESSION_dup (SSL_SESSION *sslSession)
{
SSL_SESSION *newSession = (SSL_SESSION *) ASN1_dup ((int(*)(void
*in,unsigned char **pp)) i2d_SSL_SE
Can anybody help me?
Thanks
> -Original Message-
> From: "Dirk Menstermann"
> Sent: 09.12.09 18:22:46
> To: openssl-users@openssl.org
> Subject: Question to SSL_SESSION
> Hello,
>
> I have a problem with the saving SSL_SESSIO
Hi,
when I generate DH parameters with:
int bits = 1024;
DH *params = DH_generate_parameters (bits, DH_GENERATOR_5, NULL, NULL);
Can I then later read the value of the bits parameter from the DH struct?
Thanks
Dirk
Thank you Dave!
Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Dirk Menstermann
>> Sent: Wednesday, 10 March, 2010 10:57
>
>> when I generate DH parameters with:
>>
>> int bits = 1024;
>> DH *params = DH_generate_parameter
Hi,
on https://developer.mozilla.org/en/Security_in_Firefox_2 I found that FF 2 does
support only curves with 256, 384, and 521. Maybe this is the same for FF 3 and
your 160 bit curve is not supported.
Bye
Dirk
Alex Birkett wrote:
> Hi,
>
> Firefox 3.6.2 supports the TLS_ECDHE_ECDSA_WITH_AES_2
Hello Steve,
On 26.04.2012 15:50, Dr. Stephen Henson wrote:
>
> What DH parameters are you using? You can get better performance by tweaking
> the parameters.
>
Can you explain how to tweak the parameters and if this reduces security.
Thanks
Dirk
Hello,
are the assumptions below correct?
For 0.9.8 I have to use fips123
For 1.0.1 I have to use fips2
For 1.0.0 there isn't a fips implementation.
Thanks
Dirk
Hello,
Would anybody be so kind to explain to me how I can read the digest algorithm
(sha1, sha256, other) from an X509 struct that was used by a CA when issuing the
certificate (I am using version 0.9.8).
Thanks
Dirk
Thanks,
unfortunately I forgot to include the information that I need to know it from a
C program, not from the shell. Do you also know the solution here?
Thanks
Thank you Steve!
Bye
Jens
On 18.06.2012 19:42, Dr. Stephen Henson wrote:
> On Mon, Jun 18, 2012, Dirk Menstermann wrote:
>
>> Thanks,
>>
>> unfortunately I forgot to include the information that I need to know it
>> from a C program, not from the shell
'
Stop.
Can anybody help me? With which versions is it supposed to work (win 7 64 bit)
Thanks a lot
Dirk
On 15.05.2012 22:18, Steve Marquess wrote:
> On 05/15/2012 12:03 PM, Dirk Menstermann wrote:
>> Hello,
>>
>> are the assumptions below correct?
>>
>>
Anybody able to help me?
Thanks a lot
Dirk
On 27.06.2012 14:42, Dirk Menstermann wrote:
> Hello,
>
> I tried to build the FIPS version (openssl-fips-2.0.1) on win7 and VS2005
> (command line prompt) using the build target debug-VC-WIN64A and option
> no-asm.
>
>
Anybody able to help me (problem posted below some days ago)?
Thanks a lot
Dirk
On 27.06.2012 14:42, Dirk Menstermann wrote:
> Hello,
>
> I tried to build the FIPS version (openssl-fips-2.0.1) on win7 and VS2005
> (command line prompt) using the build target debug-VC-WIN64A and opti
Subject: FIPS in 1.0.1 windows 7 64 bit compile / link problems
>>
>> Anybody able to help me (problem posted below some days ago)?
>>
>> Thanks a lot
>> Dirk
>>
>> On 27.06.2012 14:42, Dirk Menstermann wrote:
>> > Hello,
>> >
>> >
Hello Steve,
On 02.07.2012 19:37, Dr. Stephen Henson wrote:
>
> As I indicated HEAD won't work as it isn't currently FIPS capable.
OK - I will concentrate on 1.0.1c!
> The (largely
> internal use) functions like FIPS_corupt_aes are not exported from the Windows
> DLL at present: do you have a sp
Hello Steve,
do you see another way to force the error state?
Thanks
Dirk
On 03.07.2012 10:49, Dirk Menstermann wrote:
> Hello Steve,
>
> On 02.07.2012 19:37, Dr. Stephen Henson wrote:
>
>>
>> As I indicated HEAD won't work as it isn't currently FIPS capable.
>
Hello list,
is there a way to use ENGINEs in a non-blocking way - meaning for a network
operation (remote HSM) the thread can do something else instead of waiting for
the IO operation to complete?
Thanks
Jens
Anybody?
Thanks
On 02.10.2012 15:58, Dirk Menstermann wrote:
> Hello list,
>
> is there a way to use ENGINEs in a non-blocking way - meaning for a network
> operation (remote HSM) the thread can do something else instead of waiting for
> the IO operation to complete?
>
Thank you Stephen.
On 04.10.2012 17:34, Dr. Stephen Henson wrote:
> On Tue, Oct 02, 2012, Dirk Menstermann wrote:
>
>> Hello list,
>>
>> is there a way to use ENGINEs in a non-blocking way - meaning for a network
>> operation (remote HSM) the thread can do som
Hi,
I'm playing around with "EVP_aes_128_gcm". This works, but it seems that EVP_*
does not include padding. Is this expected/needed or did I miss a step?
Thanks
Dirk
Thank you Matt!
On 08.02.2013 16:33, Matt Caswell wrote:
> It is a feature of GCM that the ciphertext (excluding the authentication tag)
> is identical length to the plaintext. Therefore no padding is required.
>
> Matt
>
> On 8 February 2013 14:27, Dirk Mensterm
Hi,
I just recognized that openssl 1.0.1 prevents setting of alloc, re-alloc and
free functions if compiled with FIPS support. Can anybody give the background,
why this was changed (compared to 0.9.8)?
Thanks a lot
Dirk
Hi,
I’m using OpenSSL 1.1.1 to issue a certificate and include the AKI by defining
authorityKeyIdentifier = keyid,issuer:always
The issued certificate contains the AKI afterwards with 3 values:
KeyID: issuer's key id
Serial: issuer's serial
Issuer: the issuer’s issuer, not the issuer’s subje
Hello,
I did a few experiments with early data but was not successful in solving my
exotic use case: "Using early data dependent on the SNI"
I control the server (linux, supports http2) based on OpenSSL 111q and use a
recent firefox as client:
1) Setting SSL_CTX_set_max_early_data in the SSL_CTX*
:12, Benjamin Kaduk wrote:
On Sat, Nov 05, 2022 at 11:50:18AM +0100, Dirk Menstermann wrote:
Hello,
I did a few experiments with early data but was not successful in solving my
exotic use case: "Using early data dependent on the SNI"
I control the server (linux, supports http2) based
Hi,
seconds after I send the previous mail, I found the bug in my code. It is
working with Benjamin's suggestion.
Thanks
Jens
On 12/11/2022 11:18, Dirk Menstermann wrote:
Hi Benjamin,
thanks for your response. I updated to 111s and replaced the SNI callback with
the ClientHello callba
Hello,
I try to understand which function will be called in FIPS mode to generate an
RSA key. While looking through the code I found two candidates:
RSA_X931_generate_key_ex (in rsa_x931g.c)
rsa_buildin_keygen (in rsa_gen.c)
They seem to use different algorithms, but both contain FIPS-checks lik
Hello,
which API function can I use to obtain the bit strength of the key exchange
(size of the DH or ECDH parameters)?
There is the function SSL_get_cipher_bits, but this is only for the symmetric
cipher, not including the key exchange.
Thanks
Dirk
Very helpful. Thank you Steve.
Dirk
On 25.03.2015 16:35, Dr. Stephen Henson wrote:
> On Wed, Mar 25, 2015, Dirk Menstermann wrote:
>
>> Hello,
>>
>> which API function can I use to obtain the bit strength of the key exchange
>> (size of the DH or ECDH parameters
Hi Steve,
as far as I can see this works only if the application embedding openssl is the
ssl client; but how can this be achieved from the server's point of view?
Thanks
Dirk
On 25.03.2015 16:35, Dr. Stephen Henson wrote:
> On Wed, Mar 25, 2015, Dirk Menstermann wrote:
>
Hi,
I'm using openssl 1.0.2 (as web server application) and utilize the ALPN
callback to react to protocols offered by the client. In this callback I need a
way to get the list of ciphers that the client sends within the client_hello.
Background is that http2 should only be negotiated if client s
Anybody able to help?
Thanks
Dirk
On 10.11.2015 17:09, Dirk Menstermann wrote:
> Hi,
>
> I'm using openssl 1.0.2 (as web server application) and utilize the ALPN
> callback to react to protocols offered by the client. In this callback I need a
> way to get the list of
Hi,
I've trouble with the newest OpenSSL as I'm operating a webserver application
that answers with HTTP1.x and HTTP2.
I registered the ALPN callback and in this the cipher list was adjusted
"SSL_set_cipher_list (ssl, "ECDHE-RSA-AES128-GCM-SHA256")" if H2 was negotiated.
With versions < OpenSSL
Hi,
can anybody share example code to add more than 1 CRL distribution point to a
certificate?
The below works only for one URI:
X509_EXTENSION *ext = X509V3_EXT_conf_nid (NULL, &v3ctx,
NID_crl_distribution_points, (char*) "URI:http://exmaple.com/crl");
X509_add_ext (certificate, ext, -1);
Tha
Thanks Dave,
It seems that I do something wrong when filling the STACK_OF(DIST_POINT):
X509_NAME_ENTRY *nameEntry = X509_NAME_ENTRY_new();
X509_NAME_ENTRY_set_data (nameEntry, V_ASN1_IA5STRING /*MBSTRING_ASC*/, (const
unsigned char*) "http://example.com/", 19);
S
GEN_URI, and
> whose value (as an IA5String) is the url you want, and then point
> distpoint->name.fullname at the GENERAL_NAMES.
>
> And, as before, you can do this multiple times and add additional DIST_POINTs.
>
> Good luck,
> -Dave
>
>
>> On Nov 23, 2