Documentation pointers

2013-10-04 Thread Mike.
I have just started to learn OpenSSL, and I am having troubles finding documentation that is helpful. www.openssl.org seems to have lots of reference documentation, but not too much in usage documentation, e.g., what are the typical contents expected in the SAN for a CA cert vs. those of a server

RE: Documentation pointers

2013-10-05 Thread Mike.
On 10/4/2013 at 9:52 PM Dave Thompson wrote: |> From: owner-openssl-us...@openssl.org On Behalf Of Mike. |> Sent: Friday, October 04, 2013 16:28 | |> I have just started to learn OpenSSL, and I am having troubles |> finding documentation that is helpful. |> |> www.openssl.org

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Mike
yright owners you can rescind license permissions as you wish. Contact this person: https://www.irs.gov/uac/Commissioner-John-Koskinen and give them 30 days to purge any and all use of OpenSSL from the irs.gov network. A specific license withdrawal. You should at least be able to start a useful con

Re: Build fails on Solaris 5.6

2000-12-22 Thread Mike
It is trying to run the command "crypto" which it cannot find in your current path. Mike Fred Leeflang wrote: > > I try to compile openssl-0.9.6 on Solaris 5.6 and I get an error > message when I run ./config: > > [fleeflng@mink1 openssl-0.9.6]$ ./config > Oper

Re: Build fails on Solaris 5.6

2000-12-22 Thread Mike
I should have been less obtuse. I would guess your bash shell path doesn't include the current directory while the sh one does. A simple test would be to edit the crypto command to be ./crypto or make sure your path includes the current directory. Mike Fred Leeflang wrote: > >

ssleay.cnf

1999-04-02 Thread mike
find any reference to any config files other than the usual Apache httpd.conf stuff. The directory /usr/local/ssl/lib doesn't even exist on this box. Obviously, I'm missing a step here somewhere... what is it? Thanks, Mike

RE: ssleay.cnf

1999-04-03 Thread mike
No, that isn't it. :( locate ssleay only finds the binary /usr/sbin/ssleay and the .gif files... I've tried removing the RPM and re-installing it from the CD and it is still the same. >Nuno Miguel Neves[SMTP:[EMAIL PROTECTED]] >It may be that they've put the configuration file in /etc. >See if

Re: [Fwd: Compiling Squid with ssl enable]

2010-09-29 Thread Mike Frysinger
On Wed, Sep 29, 2010 at 16:04, wrote: > Why has no nobody attended to me, i need solution urgently. then hire a consultant -mike __ OpenSSL Project http://www.openssl.org User Support Mail

sometimes coredumps via apache-openssl-malloc

2010-10-07 Thread Mike Pechkin
, 0, ff2084f8, 1) libc.so.1`_lwp_start(0, 0, 0, 0, 0, 0) Any ideas how to repeat or fix ? Mike

Wrong cipher selected in handshake?

2010-12-06 Thread Mike Brennan
HA priority: 19: EXP-EDH-DSS-DES-CBC-SHA priority: 20: EXP-DES-CBC-SHA priority: 21: EXP-RC2-CBC-MD5 priority: 22: EXP-RC2-CBC-MD5 priority: 23: EXP-RC4-MD5 priority: 24: EXP-RC4-MD5 Any idea why my custom lis

Re: Wrong cipher selected in handshake?

2010-12-06 Thread Mike Brennan
That is nice to know. Thank you! That fixed my problem. > > On Mon, Dec 06, 2010 at 11:36:01AM -0600, Mike Brennan wrote: > > > It seems that Openssl doesn't always obey the server's priority > > s/doesn't always obey/never by default obeys/ >

Using DH parameters from OpenSSL

2010-12-14 Thread Mike Mohr
me? Thanks for any clarification, Mike

Re: Using DH parameters from OpenSSL

2010-12-14 Thread Mike Mohr
How do you mean, an additional 0 byte is prepended? I generated several DH parameters and exported them to C code ( -C ), some of which has the MSB set. It looks like BN_bin2bn is used directly on the raw bytes of the prime without any padding. Mike On Tue, Dec 14, 2010 at 12:54 PM, Erik Tkal

Re: do i need a dedicated ip address for https?

2010-12-21 Thread Mike Mohr
of the hostname during SSL negotiation, but I have no references. Plus any such change would require years or decades to propagate throughout all clients on the Internet. Mike On Tue, Dec 21, 2010 at 10:53 PM, S Mathias wrote: > http://help.godaddy.com/article/1054 > > "# Set up S

components of RSA keys?

2010-12-23 Thread Mike Mohr
ction these values play: exponent1: ?? exponent2: ?? coefficient: ?? Can someone explain? Thanks, Mike

Re: components of RSA keys?

2010-12-23 Thread Mike Mohr
Thanks much for the clarification. I'm interested in re-implementing RSA for my own education; can someone point me to the location in the openssl sources where the RSA keys are actually generated (so I can see how the BIGNUMs are manipulated)? Thanks, Mike On Thu, Dec 23, 2010 at 1:

Re: must 'x' in g^x be a prime number

2011-03-22 Thread Mike Mohr
Although the generator g can be any number, it is typically 2 or 5. In fact, this is all that OpenSSL supports (values 2 or 5 for g). The typical situation is this: (1) Alice and Bob generate random secret values a and b. If a or b happen to be prime, that is fine - but they need not be. (2) Ali

Re: How to verify that DH private and public key have been generated ?

2011-03-23 Thread Mike Mohr
Try checking the bit count of the structure members. The private and public keys should be similar in size to p. On Mar 23, 2011 10:27 AM, "ikuzar" wrote: > Hello, > I 'd like to know how to verify that DH private and public key have been > generated ? > In my DH struct, p and g had been generated

Re: How to verify that DH private and public key have been generated ?

2011-03-23 Thread Mike Mohr
h->priv_key is not NULL\n"); > Before computing key, I have got priv_key is NULL. After computing, priv_key > is not NULL > > I 'm wondering what happens... could you tell me more about bit counting ? I > do not understand "The private and public keys should be similar i

Re: (DH) how to send dh->pub_key to peer

2011-03-24 Thread Mike Mohr
ikuzar, You cannot send the public key to a peer as-is. The DH structure contains bignums which must be serialized prior to transmission. Do you understand that DH is subject to a MITM attack unless the messages are signed or encrypted somehow? If you insist on using the low-level objects, I'd

Re: DH session Key length

2011-04-18 Thread Mike Mohr
k its assertions are invalid or outdated. The paranoid tinfoil hat crowd can probably take twice the maximum bit count from section 8 (620x2=1240) and be happy. Mike On Mon, Apr 18, 2011 at 8:01 AM, ikuzar wrote: > Hello, > I 'd like to know the length of DH session key generated by

Re: DH session Key length

2011-04-20 Thread Mike Mohr
imes >> are warranted.  Most systems use small generators (e.g., 2). >> >> - M >> >> On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr wrote: >> > You might take a look at RFC 3526: >> > >> > http://tools.ietf.org/html/rfc3526 >> > >>

Re: some questions about openssl

2011-04-20 Thread Mike Mohr
em, which is incompatible with GPL3. Mike On Wed, Apr 20, 2011 at 12:39 AM, loody wrote: > hi all: > My questions about openssl are below: > 1. I want to take advantage of RSA and SHA in openssl for secure booting. > Can they run as standalone program, that means they can run without

Re: DH session Key length

2011-04-20 Thread Mike Mohr
ntil you have a firm grasp on the basic concepts. Any code you write now is nearly guaranteed to be incorrect. You should take a few months to read the book I linked you to earlier and really understand the basic concepts. You will get much better support from this mailing list once you do.

openssl dgst using ecdsa-with-SHA384

2011-04-20 Thread Shelley, Mike
Hi all, I'm having a problem using ecdsa with SHA 384 when creating a message digest. I will admit I'm not too familiar with openssl and digests, but I have code that works using -ecdsa-with-SHA1. I need to change that to use ecdsa-with-SHA384. I looked at the release notes to see that this

Setting x509 Certificate algorithm

2011-04-27 Thread Mike Markley
the impossible here? Thanks, Mike m...@buddytv.com

RE: openssl dgst using ecdsa-with-SHA384

2011-04-27 Thread Shelley, Mike
Thanks for the response, using -sha384 appears to be working and verifies correctly. Mike -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Sunday, April 24, 2011 4:17 AM To: openssl-users@openssl.org

Re: Setting x509 Certificate algorithm

2011-04-27 Thread Mike Markley
That did it! Thank you, I'm neck deep into code that I don't fully understand, I greatly appreciate the help. Mike On Wed, Apr 27, 2011 at 3:54 PM, re est wrote: > Hi, > Have you tried changing this >         if (!X509_sign(x,pk,EVP_sha1())) > to >         if (!

Problem with unknown CA

2011-04-29 Thread Mike Markley
ed certificate or is it a problem with the certificate from the server? The server is supposed to be returning a self signed certificate as well. Am I missing a call somewhere to allow the server to use self signed certificates? Thanks, Mike

Re: Problem with unknown CA

2011-04-30 Thread Mike Markley
Thanks, We're still learning a lot about how this all works. Tracked this down to a different issue in our code base. 2011/4/30 Ziyu Liu : > > At 2011-04-30 04:33:43,"Mike Markley" wrote: > >>I'm trying to establish an SSL connection with a server and my

Asynchronous read/write streams in Objective-C

2011-04-30 Thread Mike Markley
I/O? thanks, Mike m...@buddytv.com

Problem with x509 certificate created using OpenSSL on iOS

2011-05-01 Thread Mike Markley
c code? Thanks Mike m...@buddytv.com

no shared cipher:s3_srvr.c

2011-05-10 Thread Mike Markley
remote client so I don't have any way of debugging from that side of the equation. Thanks, Mike m...@buddytv.com

Re: no shared cipher:s3_srvr.c

2011-05-10 Thread Mike Markley
So the problem could be that my cert chain is not correct and I'm chasing down the wrong path by looking at the ciphers? On Tue, May 10, 2011 at 3:08 PM, Dr. Stephen Henson wrote: > On Tue, May 10, 2011, Mike Markley wrote: > >> I'm working on an OpenSSL based server

Re: no shared cipher:s3_srvr.c

2011-05-10 Thread Mike Markley
ff out. On Tue, May 10, 2011 at 3:46 PM, Dr. Stephen Henson wrote: > On Tue, May 10, 2011, Mike Markley wrote: > >> So the problem could be that my cert chain is not correct and I'm >> chasing down the wrong path by looking at the ciphers? >> > > Not the chain,

No shared cipher error using ECDSA

2011-05-13 Thread Mike Bell
Hi, I’m trying to create a VPN using OpenVPN over OpenSSL encrypted with AES and using an elliptical curve DSA. However I keep getting a “no shared cipher” error. The full error log is :- MULTI: multi_create_instance called Re-using SSL/TLS context Control Channel MTU parms [ L:1557 D:138 EF:

No shared cipher error using ECDSA

2011-05-13 Thread Mike Bell
Hi, I’m trying to create a VPN using OpenVPN over OpenSSL encrypted with AES and using an elliptical curve DSA. However I keep getting a “no shared cipher” error. The full error log is :- MULTI: multi_create_instance called Re-using SSL/TLS context Control Channel MTU parms [ L:1557 D:138 EF

Re: No shared cipher error using ECDSA

2011-05-13 Thread Mike Bell
urity people are insisting on AES and either EC DSA, DSA or RSA as the signature algorithm, but with a preference for ECDSA.   Thanks   From: Victor Duchovni To: "openssl-users@openssl.org" Sent: Friday, 13 May 2011, 17:56 Subject: Re: No shared cipher error using ECDSA On Fri, May

Re: No shared cipher error using ECDSA

2011-05-16 Thread Mike Bell
cify    tls-cipher ECDHE-ECDSA-AES256-SHA in CLIENT.OVPN and SERVER.OVPN config files, but got the same error.   Thanks for your help, you've given new ideas to research.       On Fri, May 13, 2011 at 06:36:34PM +0100, Mike Bell wrote: > I had originally put > cipher AES-128-CBC >

Re: cross compiling for ARM running Android

2011-06-16 Thread Mike Mohr
Please have a look at the NDK documentation. You need to extract the toolchain using a provided script which targets the appropriate API level. The codesourcery toolchain does not target the correct libc. On Jun 16, 2011 9:43 AM, "Nahid Alam" wrote: > Hi, > > I am using OpenSSL 0.9.8k to write a

Can't load openssl-1.0.0d when building php-5.3.6 on CentOS x64

2011-06-19 Thread Mike Peters
I get the following error: /usr/bin/ld: /usr/local/ssl/lib/libcrypto.a(x86_64cpuid.o): relocation R_X86_64_PC32 against `OPENSSL_cpuid_setup' can not be used when making a shared object; recompile with -fPIC I built openssl by: ./config no-shared -fPIC

RE: Can't load openssl-1.0.0d when building php-5.3.6 on CentOS x64

2011-06-19 Thread Mike Peters
Fixed it by building a shared library and making sure the proper links were in /usr/local/ssl/lib. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mike Peters Sent: Sunday, June 19, 2011 11:10 AM To: openssl-users@openssl.org Subject: Can't

Why do these 12 lines of Win32 code work on XP but hang forever in Vista and Windows 7?

2011-08-18 Thread Mike Nosler
This Delphi code starts a minimal SSL server: WSAStartup(MakeWord(1,1), WData); SSL_library_init; SSL_load_error_strings; ctx := SSL_CTX_new(SSLv23_server_method); SSL_CTX_use_certificate_chain_file(ctx, 'cert.pem'); SSL_CTX_use_PrivateKey_file(ctx, 'key.pem', 1); SSL_CTX_check_private_key(ctx); b

Re: OpenSSL 1.0.1 released

2012-03-14 Thread Mike Frysinger
TLS v1.2 and TLS v1.1. > o Preliminary FIPS capability for unvalidated 2.0 FIPS module. > o SRP support. i don't see mention of ABI compat changes, and it seems to not be compatible. did someone forget to update the version string in crypto/opensslv.h ? it still says

trying to replicate ECC signing with openssl

2009-07-10 Thread Mike Frysinger
ooks to be much longer than the private key i have above ? -mike

trying to replicate ECC signing with openssl

2009-07-10 Thread Mike Frysinger
encoded key looks to be much longer than the private key i have above ? -mike

Re: Parameters for EC key generation

2009-07-20 Thread Mike Frysinger
> 7. k3: 7 > 8. k2: 6 > 9. k1: 3 (k1, k2, and k3 specify the field pentanomial x^m + x^k3 + x^k2 + > x^k1 + 1) http://marc.info/?t=12472506313&r=1&w=2 -mike

Re: Parameters for EC key generation

2009-07-21 Thread Mike Frysinger
likely to > produce the same signature. the ecsign utility requires you provide the random seed. it doesnt seem like openssl does, so the source will need hacking for that i guess. -mike

Re: openssl decrypting unknown whether DES or AES encrypted

2009-08-04 Thread Mike Trent
Mike Trent wrote: > > Moving from DES to AES encryption and all new encryption will be AES. > However some existing strings were encrypted in DES. Is there a way to > determine if a string is encrypted in DES or AES? Will the decrypt AES > fail on a DES encrypted string always

FIPS_mode_set(1) - FIPS_mode_set(0) - FIPS_mode_set(1)

2009-08-24 Thread Mike Trent
It seems that after setting FIPS mode off one cannot set it back on again in the same executable. I have a test program which does: FIPS_mode_set(1) - works ok indicated by a return true. FIPS_mode_set(0) - to turn off and works ok, at least the FIPS_mode() call returns 0, so it seems to be off

Re: FIPS_mode_set(1) - FIPS_mode_set(0) - FIPS_mode_set(1)

2009-08-24 Thread Mike Trent
Mike Trent wrote: > > It seems that after setting FIPS mode off one cannot set it back on again > in the same executable. > > I have a test program which does: > > FIPS_mode_set(1) - works ok indicated by a return true. > FIPS_mode_set(0) - to turn off and works ok

Re: FIPS_mode_set(1) - FIPS_mode_set(0) - FIPS_mode_set(1)

2009-09-23 Thread Mike Trent
This is a problem for us with FIPS module 1.2.0. wolfoftheair wrote: > > Is this still present in FIPS module 1.2.0? > > -Kyle H > > On Mon, Aug 24, 2009 at 11:55 AM, Mike Trent > wrote: >> >> >> >> Mike Trent wrote: >>> >>> It s

Re: Static libraries with fPIC on 32bit system

2009-11-03 Thread Mike Frysinger
bit system with fPIC > is a bad idea? pic adds a lot of overhead with x86 due to register pressure -mike

Re: Static libraries with fPIC on 32bit system

2009-11-03 Thread Mike Frysinger
your .so will have textrels and thus prevent sharing of the text region, openssl will run faster. -mike

Re: problem about static link libssl.a libcrypto.a to my application(linux platform)

2009-11-04 Thread Mike Frysinger
defined reference to `SSL_library_init' your link order is wrong. the libraries have to come after all your source files. you also shouldnt use full paths. use the normal -lssl style -- the -static flag will select the right library. -mike

Re: Another "memory growing" on AIX

2010-02-25 Thread Mike Brennan
lloc wrapper functions, valgrind and purify. I'll try. Currently all the functionality is in a library that wraps openssl, but I should be able to make single test program. I'll be out of the office until Monday, and will try to get to it

Re: Another "memory growing" on AIX (fwd)

2010-03-01 Thread Mike Brennan
using a > > combination of the malloc wrapper functions, valgrind and purify. > > I'll try. Currently all the functionality is in a library that > wraps openssl, but I should be able to make single test program. > I'll be out of the office until Monday, and will try

Re: Another "memory growing" on AIX (fwd)

2010-03-03 Thread Mike Brennan
enssl has been so widely used for so long that it is bound to be pretty solid by now. -Mike

FIPS 140_2 mode for mod_proxy in apache

2010-03-03 Thread Mike Trent
Is a patch for FIPS 140-2 support available for apache mod_proxy when running SSL? FIPS 140-2 is supported in apache SSL when in server mode with this patch: https://issues.apache.org/bugzilla/show_bug.cgi?id=46270 However when running

Re: compilation problem for xscale.

2010-05-26 Thread Mike Frysinger
GPL symbols) err, openssl doesnt provide any linux kernel modules (that i'm aware of). what module exactly are you trying to load ? and where did you get it from ? -mike

RE: won't compile on hp ux 11.23 itanium

2008-05-06 Thread Huey, Mike
to the 0.9.8g env. -Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of gryzman.mac Sent: Friday, May 02, 2008 1:32 PM To: openssl-users@openssl.org Subject: Re: won't compile on hp ux 11.23 itanium as suggested, I used gcc instead, and got this: gm

RE: [FWD] request UP UX openssl A.00.09.07l

2008-07-04 Thread Huey, Mike
. See: http://oss-institute.org/fips-faq.html#a6 for a list of algorithms supported in FIPS mode. Regards, -Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke Sent: Monday, June 30, 2008 12:04 AM To: openssl-users@openssl.org Cc: Soverini

SSL without alias specified

2008-08-29 Thread Mike Pagano
When I created my private key I never specified an alias. I used: openssl genrsa -des3 -out domain.com.key 1024 Then my CSR was created with: openssl req -new -config openssl.cnf -key domain.com.key -out domain.com.csr I sent to Verisign and received my certificate. The problem is that Verisig

RE: Error when creating certificate in HPUX

2008-09-04 Thread Huey, Mike
=OPENSSL11I -Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tan, Liao Sent: Wednesday, September 03, 2008 5:52 AM To: openssl-users@openssl.org Subject: Error when creating certificate in HPUX Folks, Im trying to find solution for this issue. When running

Change the DES Code for myself

2008-11-24 Thread Mike Fudd
a fprintf(stderr) or a fopen/fwrite command.) I think this source is not use if I execute "make" and "make install". I think the asm/perl code is used in the subdirectory. Does someone know how I could disable the asm code, in a way that the the enc_des.c file would be

Creating a PKCS7 file

2008-12-15 Thread Mike J
I have a binary file that needs to be digitally signed in a PKCS7 format. I've looked at some of the openssl documentation and I see commands that can be used to look at PKCS7 formated files but not ways of creating them. Does openssl have a program that will do this for me? I want to hand openss

Re: Creating a PKCS7 file

2008-12-15 Thread Mike J
uited to handle binary files like this? Or am I doing something wrong here? Thanks. On Mon, Dec 15, 2008 at 9:47 AM, Dr. Stephen Henson wrote: > On Mon, Dec 15, 2008, Victor Duchovni wrote: > > > On Mon, Dec 15, 2008 at 09:02:34AM -0600, Mike J wrote: > > > > > I hav

Re: Creating a PKCS7 file

2008-12-16 Thread Mike J
15, 2008 at 12:07 PM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote: > On Mon, Dec 15, 2008 at 12:40:39PM -0500, Victor Duchovni wrote: > > > On Mon, Dec 15, 2008 at 11:37:04AM -0600, Mike J wrote: > > > > > It looks like the smime utility is what I

SSLVerifyClient in apache + openssl

2009-04-15 Thread Mike Pechkin
hi, Is it a bug ? This is scenario for CentOS 5.3 (apache 2.2.3 + openssl-0.9.8e) 1. Simple httpd.conf (nothing special) + ssl part, selfsigned certs + CA: SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect file:/dev/urandom 512 SSLSessionCache shmcb:/var/cache/mod_ssl/ssl_scache

McAfee Claims TLS Vulnerability

2012-04-29 Thread Mike Hoy
dy at the highest version. Any suggestions appreciated. Thanks, -- Mike Hoy

Re: McAfee Claims TLS Vulnerability

2012-05-01 Thread Mike Hoy
> > Use a SSL/TLS scanner to verify SSL is not available; and TLS ciphers > are available. How would I verify that SSL is not available and TLS ciphers are available? > Since you are using a FIPS build, MD5 and lesser > friends should not be available. You can use "#openssl ciphers" shows tha

Re: FIPS Mode

2012-07-09 Thread Mike Hoy
I've googled around for that and for a layman like myself I didn't find anything that 'held my hand' through the process. If you know how to do this could you elaborate on how to disable Diffie-Hellman key exchanges? Thanks, Mike Hoy On Sun, Jul 8, 2012 at 3:33 PM, wr

Re: Recommended/allowed private key lengths Reg.

2013-02-22 Thread Mike Mohr
installations where key material must have high assurance. Last I heard, the largest key which has been publicly factored was 768 bits. Unless practical quantum computers become available, a 2048-bit key should be more than sufficient for most use cases. Mike On Thu, Feb 21, 2013 at 11:38 PM, Ashok C

Why openssl disabling SO_KEEPALIVE for wrapped sockets?

2013-04-11 Thread Mike Kazantsev
ALIVE on has any known security implications? Is it done because some code in openssl can't work reliably with that option enabled (as so it's better to leave it disabled)? Am I wrong about that particular code path and should look for something else disabling keepalives - openssl doesn

Re: PKCS#1 key vs PKCS#8...

2013-06-22 Thread mike pilato
Remove On Jun 5, 2013 9:08 AM, "Dr. Stephen Henson" wrote: > On Tue, Jun 04, 2013, sanjaya joshi wrote: > > > Hello, > > I am using strongswan(v_4.5.3) for ipsec, that uses my X509 certificate > > and RSA private key. > > If i use RSA private key(un-encrypted) that is PKCS#8 encoded, then > >

Re: Cross compiling 1.2.2 for the Analog Devices Blackfin -- FIPS_text_start()/FIPS_text_end() returns 0 on the target

2014-01-17 Thread Mike Crowe
Hi folks, I'm almost out of my depth, and really need help on the next step. I've that the in-system fingerprint comparison fails with a "FINGERPRINT_premain: FIPS_signature mismatch" error incore DEBUG=1 output gives: = TARGET: elf32-bfinfdpic

Re: Cross compiling 1.2.2 for the Analog Devices Blackfin -- FIPS_text_start()/FIPS_text_end() returns 0 on the target

2014-01-17 Thread Mike Crowe
Hi Stacy, sorry, should have included that: On Fri, Jan 17, 2014 at 12:17 PM, Stacy Devino wrote: > Are you compiling for the uclinux distro or something similar? ucLinux -- 2.6.34 > Are you using the 16 or 32-bit arch? The blackfin is a 32-bit little-endian machine > Are you utilizing the

Re: Cross compiling 1.2.2 for the Analog Devices Blackfin -- FIPS_text_start()/FIPS_text_end() returns 0 on the target

2014-01-17 Thread Mike Crowe
Hi folks, I've patched fips_canister.c to properly retrieve the blackfin instruction pointer. When I run openssl on the target now, I now get reasonable numbers (though they still don't match incore). === root:/> OPENSSL_FIPS=1 openssl ciphers

Re: OpenSSL version 1.0.1g fails to link on Win32

2014-04-10 Thread Mike Bonnain
they will tell us will probably be that the earth is no longer the center of the universe. -mike On Thu, Apr 10, 2014 at 1:52 AM, Thomas J. Hruska < shineli...@shininglightpro.com> wrote: > On 4/9/2014 8:03 PM, Jeremy Farrell wrote: > >> Googling "check_winnt" sugges

Re: OpenSSL 1.0.1h for android ?? Please help.

2014-06-23 Thread Mike Mohr
Openssl does not directly support Android AFAIR. You can try some manual changes to e.g. CC or write your own make file. On Jun 23, 2014 11:18 AM, "Abhishek Gupta" wrote: > Hello Users, > > I am at task to compile OpenSSL 1.0.1h for android platform and link it > with an application. > > Can some

Re: OPenssl 20140909 issues

2014-09-09 Thread Mike Bland
Is the top-level "rehash" target not getting executed? It should be a dependency of "test" (via the "tests" target). Mike On Tue, Sep 9, 2014 at 1:41 AM, The Doctor wrote: > Just found this in the latest openssl 1.0.2 snapshot > > > Script started on Mo

Re: Still one outstanding issue sine 20140909 releases

2014-09-11 Thread Mike Bland
tered during my build system work. Mike On Thu, Sep 11, 2014 at 2:20 PM, The Doctor wrote: > > Script started on Thu Sep 11 11:27:05 2014 > doctor.nl2k.ab.ca//usr/source/openssl-1.0.2-stable-SNAP-20140911$ make test > testing... > (cd ..; make DIRS=crypto all) > making all

[openssl-users] 1.0.1 upgrade issue

2015-02-13 Thread Mike Collins
ust keeps displaying successive progress indicators. I can do Ctrl-C and it will exit. I don't think so but are there any dependency changes from 1.0.0 to 1.0.1? I noticed 1.0.2 has been released so tried that as well but have the same result as 1.0.1 Mike

Re: [openssl-users] 1.0.1 upgrade issue

2015-02-18 Thread Mike Collins
Thanks for the suggestions Jay but am still not having much luck. Does 1.0.1 have any minimum requirements for the libc version or kernel version? I am currently building against libc version 2.5 with the kernel at 2.6.30. Mike -- Forwarded message -- From: Jay Foster To

Re: [openssl-users] 1.0.1 upgrade issue

2015-02-18 Thread Mike Collins
Thanks Jay. My build script is doing the same. Not sure where to go next except to update libc to a newer version. Due to the toolchain (not created by me) it may be a major undertaking. Mike From: Jay Foster To: openssl-users@openssl.org Cc: Date: Wed, 18 Feb 2015 10:30:40 -0800 Subject: Re

Re: [openssl-users] 1.0.1 upgrade issue

2015-03-09 Thread Mike Collins
2.13 due to constraints with the Busybox version I am using. Thanks for the help and suggestions. Mike On 2/18/2015 8:03 AM, Mike Collins wrote: My build script is doing the same. Not sure where to go next except to update libc to a newer version. Due to the toolchain (not created by me) it

Re: [openssl-users] Stand alone AES-CTR module

2015-05-10 Thread Mike Mohr
The task of implementing AES should not be undertaken by a novice programmer. Please save the world another heartbleed and pick something more in line with your skill level. On May 10, 2015 11:48 AM, "konstantinos Alexiou" wrote: > Dear Sirs, > > > I am new to C programming and i am trying to cr

Re: [openssl-users] Stand alone AES-CTR module

2015-05-11 Thread Mike Mohr
urtured and not shunned. > > OK, I'll get off my soapbox now. Have a great week everyone. > > On May 10, 2015, at 5:58 PM, Mike Mohr wrote: > > The task of implementing AES should not be undertaken by a novice > programmer. Please save the world another heartbleed a

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
Securing a system against this kind of attack can be done in several ways, depending on the level of assurance you desire. You might start out with Tripwire: https://en.wikipedia.org/wiki/Open_Source_Tripwire http://www.tripwire.org/ You could also implement mandatory access control and ACLs usi

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
Actually that isn't quite right. A properly configured and tuned RBAC policy, when combined with PaX , can very effectively limit all userspace activity (including root access!). It

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
On Tue, Jul 21, 2015 at 9:46 PM, Salz, Rich wrote: > > > Actually that isn't quite right. A properly configured and > tuned RBAC policy, when combined with PaX, can very effectively limit all > userspace activity (including root access!). > > How do you know that the module is installed and actu

Re: [openssl-users] using a random number file for generation of keys/certificates

2015-09-03 Thread Mike Mohr
Once you've written the random data to secondary storage you've permanently compromised the integrity of any cryptographic secrets generated from it. Depending on your threat model, underlying storage media, filesystem, and other factors the data files may be recoverable indefinitely (especially if

Re: [openssl-users] glibc detected *** xxx: double free or corruption (!prev): 0x097b8750

2016-02-25 Thread Mike Mohr
You'll need to rebuild your application and openssl with debugging symbols and no optimization, then run it inside gdb to produce a more useful stack trace. Since you don't include any context or source code snippets it isn't really possible to help. Can you produce a reduced test case with source

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Mike Mohr
During the final linking stage, when the shared object is built, the compiler is free to insert functions from compiled object files anywhere it sees fit in the final shared object's code segment. The object file is fundamentally transformed by this process; information which was present in the or

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Mike Mohr
During the linking process, parts of fipscanister.o are removed (discarded) by the linker. Also, jumps and call instructions have their operands changed (addresses are filled in or relocation information is added) and the machine code is fundamentally altered. Imagine the linking process as someth

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Mike Mohr
There isn't necessarily any embedded signature in a shared object. In many cases, there won't be one. If your shared object was built with a new enough version of GCC, hasn't been fully stripped, and its note section has not been removed during the build process, you can get a SHA-1 checksum from

[openssl-users] TLS 1.2 Client hello missing SessionTicket

2016-04-13 Thread Mike Gagnon
variable in openssl that I might want to put a data breakpoint on so I can see the call stack that led to the problem. A wireshark trace shows that the SessionTicket length is zero when the problem occurs. Thanks for any suggestions, Mike

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-07 Thread Mike Mohr
Have you considered using GMP as a big integer backed for openssl? It has support for several arm variants using handwritten assembly code and the developers go to great lengths to find optimize runtime on all supported platforms. On Feb 7, 2017 2:26 PM, "Vijay Chander" wrote: Andy, 1:2.5 is

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-07 Thread Mike Mohr
> x86 etc. Most of it written by Andy Polyakov. > > His response about what can and cannot be done on various ARM CPU > models is most probably a result of this work. > > Also, OpenSSL has a more permissive license than the GMP, so using > GMP in OpenSSL would cause problems

Re: [openssl-users] BN_MUL_MONT for ARM64 v8

2017-02-08 Thread Mike Mohr
t written by Andy Polyakov. > > His response about what can and cannot be done on various ARM CPU > models is most probably a result of this work. > > Also, OpenSSL has a more permissive license than the GMP, so using > GMP in OpenSSL would cause problems for many OpenSSL using > a
