Calling FIPS_mod_set() before/after SSL_library_init()

2008-09-12 Thread robert
but before connecting to the remote host? FIPS_mode_set function must be called before SSL_library_init()? Thanks, -- robert <[EMAIL PROTECTED]>

Re: Apache's SSL server side keeps crashing

2000-01-24 Thread robert
I'm not an openssl expert, but as far as I remember I have Apache 1.3.9 with mod-ssl patch 1.3.7 using openssl 0.9.4 running using a Thawte certificate under Redhat Linux 6.0 with no problems. I'm sure there are people that can help you if you provide more information on your configuration. Rob

Re: apache's ssl side fails to be stable

2000-01-27 Thread robert
On Linux look at /etc/logrotate.conf and /etc/logrotate.d/ for any apache, httpd or httpsd activity. Robert Sandilands On Wed, 26 Jan 2000, Aaron Gelner wrote: > Date: Wed, 26 Jan 2000 16:36:41 -0600 > From: Aaron Gelner <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTE

Re: demos/ssl/serv.cpp

2000-03-16 Thread robert
fied version of serv.cpp for Borland C++ Builder 4.0. Any ideas would really be appreciated. Robert Sandilands > From: Lutz Jaenicke <[EMAIL PROTECTED]> > Subject: Re: demos/ssl/serv.cpp > > On Thu, Mar 16, 2000 at 11:19:16AM +0200, [EMAIL PROTECTED] wrote: > > On Wed, 15

RE: demos/ssl/serv.cpp

2000-03-16 Thread robert
the e-mail? Maybe I want to be able to verify the clients cert against a hardcoded cert/CA in the program? I have looked at those functions and tried them, but then I get messages saying that the client did not provide a key to verify. Robert Sandilands > The demos are intended to be *minim

RE: demos/ssl/serv.cpp

2000-03-19 Thread robert
hs. A question. Are we looking at solving the same question? I want the client to provide me with a key.. I do not necessarily want to compare the key with a key stored in a directory or verify it against a CA stored somewhere. Robert Sandilands > > > -Original Message- >

win32 issue's with multiple openssl server

2001-04-11 Thread robert
clearinghouse.   Thanks   Robert

win32 cnf file question

2001-04-11 Thread robert
Hi to the openssl win32 subgroup. Is there documentation that explains the cnf file layout? From the break down of the test.bat's i can see that there can be amalgamations. Are there sites like a 'gamelan' that deal with coding ms vc++, cgi, sql server? Is there anyone interested in

Re: win c_print.c hosed on lastest snapshot 04/13/01 * long long problem

2001-04-15 Thread robert
D]> Sent: Friday, April 13, 2001 3:07 PM Subject: Re: win c_print.c hosed on lastest snapshot 04/13/01 * long long problem > From: [EMAIL PROTECTED] (robert) > > robert> Just a thought. Why do u release version's of openssl that u > robert> suspect will not compile for win32 n

win32 example error

2001-04-19 Thread robert
eft)   thanks robert lambert

Re: Windows & Open SSL

2001-04-30 Thread robert
- Original Message - From: "Andrew W. Gray" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, March 02, 2001 12:26 PM Subject: Re: Windows & Open SSL > >) The visual c++ way using the IDE. I have used this approach > >nd was able to build/test/debug the tools. Unfortunately, I

Re: Problem compiling s_client and s_server

2001-04-30 Thread robert
- Original Message - From: "agray" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, April 16, 2001 4:01 PM Subject: Re: Problem compiling s_client and s_server > Best bet: You are linking against the incorrect c-runtime - use /MD > (multithreaded dll) > Me

win32 verifry_callback error

2001-05-02 Thread robert
lback); The Error: SSLClient.cpp G:\Program Files\PhoneCard\SSLClient.cpp(599) : error C2664: 'SSL_CTX_set_verify' : cannot convert parameter 3 from 'int (int,struct x509_store_ctx_st *)' to 'int (__cdecl *)(int,struct x509_

Re: SSL reconnect problem

2001-07-15 Thread robert
- Original Message - From: Lutz Jaenicke <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, July 05, 2001 4:29 AM Subject: Re: SSL reconnect problem > On Thu, Jul 05, 2001 at 10:38:09AM +0800, Ng Ying Chyn wrote: > > The SSL client is able to connect for the first time, but whe

Re: CPS object in certificates - unsupported?

2001-07-25 Thread robert
Hi George The file u sent, contained pem format file. I write ssl client & server software. Are u sure that u wanted to send me what could be the master secret??? Thanks Robert - Original Message - From: George Staikos <[EMAIL PROTECTED]> To: <[EMAIL PRO

Re: CPS object in certificates - unsupported?

2001-07-25 Thread robert
Hi George Sorry about the last email. I was corresponding with a George x who spells his last name 1 letter different than yours. He was also sending proprietary stuff. I thought u were him Robert - Original Message - From: George Staikos <[EMAIL PROTECTED]> To: <[EMAIL

NT with msvc 5/6 non MFC Wrapper Class

2002-01-03 Thread robert
Hi All About 15 months ago i asked if there were any developers interested in creating a C++ wrapper class library using openssl for NT non MFC and coexisting with IIS, STL and Sql Server. If Interested please drop me a line robert

Re:win32

2002-01-07 Thread robert
pper around openssl functions.  During the handshaking phase should my application point to the same RANDOM.* seed file to create the random number used as input to the key generation process.   robert

re: CRYPTO_malloc_init()

2002-01-10 Thread robert
Hi Will CRYPTO_malloc_init() set the memory allocation methods if i use C++ new() & delete()? robert

Q about SSL_CTX_set_default_passwd_cb

2002-01-10 Thread robert
Can anyone explain how to use SSL_CTX_set_default_passwd_cb(). The callback takes 4 params.  How and what initialized those params?   robert

Re: Problems compiling openssl 9.6c on win2000 with vc6.0

2002-01-10 Thread robert
Hi Did u set ur environment vcbat32.bat or what ever it is on 2000 robert - Original Message - From: "Peter Cesarz" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, January 07, 2002 10:47 AM Subject: Re: Problems compiling openssl 9.6c on win2000 with

Re: nonblocking sockets and FTP

2002-01-10 Thread robert
Hi Have u tried BIO_set_nbio(). If so what was your setup & experience. Maybe this is only for client side? Robert - Original Message - From: "Tomas Svensson" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, January 07, 2002 11:58 AM Subject: n

RE: RAND functions

2002-01-10 Thread robert
Hi   Has anyone tried the RAND functions with an C++ application.  Like RAND_screen() etc... If so what was your setup & experience.   robert

RE: client-server Handshake

2002-01-10 Thread robert
nd port.  Can the server verify that its my domain from the socket                         connection? maybe doing a reverse lookup?   Robert

RE:Self-signed certs

2002-01-10 Thread robert
Hi In the SSLLeavy cookbook it states when making a ss cert do not use the domain name of server in the common name for the DN. Is this still true? robert

FIPS module determination

2010-12-22 Thread Zamora, Robert
Is there a way to determine if OpenSSL binaries were compiled with the FIPS "certified" module v1.2.x ? Compiling OpenSSL FIPS test module gives me the same results using fips_test_suite. Thanks, Robert Zamora

Capturing Enter PEM pass phrase prompt

2012-01-26 Thread Robert O'Hearne
pture the "Enter PEM pass phrase:" prompt from a Java program as described above. But my question for this list is, please explain how the "Enter PEM pass phrase:" prompt is written, including where

Re: getting unrecognized command line option "-m486"

2009-06-13 Thread Robert Butler
Vivek, I believe the correct argument would be -march= or -mtune= Thanks, - Robert On Sat, 2009-06-13 at 16:52 +0530, Vivek Katakam wrote: > Hi All, > while compiling openssl-0.9.7 on SUSE11-32, I am getting the following error: > > gcc -I. -I.. -I../include -DOPENSSL_THREADS

Re: getting unrecognized command line option "-m486"

2009-06-13 Thread Robert Butler
You mean, "Pilot error"? :P Robert On Sat, 2009-06-13 at 13:44 -0500, Michael S. Zick wrote: > On Sat June 13 2009, Vivek Katakam wrote: > > Hi Robert/Mike, > > I gave the option -march=i386, it worked well. > > > > It is sometimes called: "Coc

Email Address change

2009-06-15 Thread Robert Butler
Hi all, I'm making the switch from @tampabay.rr.com to @gmail.com, and I'm wondering how one would change over their OpenSSL email notifications from one email address to another.. P.S. This should probably be in another group, but.. Thanks, Robert

ssl handshake failure: s23_l.c:188

2009-06-24 Thread Robert Jacobson
I'm having a problem with Firefox connecting to a web site at work. I found that openssl also has problems with it. I can connect with other browsers like IE, Chrome, and Safari. There is a Firefox bug report, but no one is working on it. See: https://bugzilla.mozilla.org/show_bug.cgi?id=44

SSL crypto library

2010-02-18 Thread Robert Doncaster
Hello, Is there a programmatic way to give a list of available cypher names (eg AES-128-ECB...)? i.e a list of the names that could be supplied to EVP_get_cipherbyname(). Thanks, Bob Doncaster --

openssl-0.9.8l,crypto library using the EVP api & ivec.

2010-02-23 Thread Robert Doncaster
Hello, Looking at test/evp_test.c and the test data test/evptests.txt for encryption/decryption, I don't understand how the initialisation vector ('iv' variable) is used. The test data in evptests.txt is expressed as Hex strings which are then translated to bit patterns before use: cipher:

Integrating OpenSSL as a DLL in Windows

2010-06-22 Thread Strauch, Robert
something like an API documentation which describes how to call OpenSSL functions from this DLL. Could someone assist me in this? Sincerely, Robert __ OpenSSL Project http://www.openssl.org Us

Re: Integrating OpenSSL as a DLL in Windows

2010-06-23 Thread Strauch, Robert
have a look at this wrapper. However - for training purposes - I would like to integrate the libeay32.dll into my C# application by myself. I will post my sample code so maybe someone will notice what's wrong :-) Cheers, Robert

Re: Integrating OpenSSL as a DLL in Windows

2010-06-23 Thread Strauch, Robert
own > application (C#). That is: decrypting with a private key and > building hashsums. As far as I understood I need the > libeay32.dll to achieve this. However I cannot find something > like an API documentation which describes how to c

FIPS_mod_set() before/after SSL_library_init() ?

2008-09-12 Thread Robert Sicoie
but before connecting to the remote host? FIPS_mode_set function must be called before SSL_library_init()? Thanks, -- Robert Sicoie <[EMAIL PROTECTED]>

Centos 4.4 x86_64 make test Fails

2009-03-20 Thread Robert Barty
Hi All, I'm trying to compile on a Centos 4.4 x86_64 system. ./config -t gives: Configuring for linux-x86_64 /usr/bin/perl ./Configure linux-x86_64 make test gives: bntest.c:1: sorry, unimplemented: 64-bit mode not compiled in make[1]: *** [bntest.o] Error 1 Is there any way to g

Re: I want you to do my homework for me.

2009-05-02 Thread Robert Butler
ver bridge you crawled out from under, and go back to scaring little kids and being afraid of goats. Yeah, I'm going to likely get flamed and removed from the newsgroup, but oh well. It was worth it. Robert On Sat, 2009-05-02 at 07:19 -0700, Miguel Ghobangieno wrote: > I'd like to

Re: I want you to do my homework for me.

2009-05-03 Thread Robert Butler
Haha. Phuq that, and phuq you. *middle finger* Go to hell, you smelly, stinky troll. Robert On Sun, 2009-05-03 at 00:14 -0700, Miguel Ghobangieno wrote: > Libssl should be rewritten in java on ruby upon rails (the bottom rail, which > is now on top). This is not a suggestion. It is a

Re: I want you to do my homework for me.

2009-05-03 Thread Robert Butler
No. I was trying to be polite, asshole. Fuck you and your shitty fucking attitude. Are we satisfied now? Do you want a fucking cookie? Go back to scaring little kids from underneath your damned bridge. Got it? Robert On Sun, 2009-05-03 at 23:24 -0700, Miguel Ghobangieno wrote: > Using "

Re: I want you to do my homework for me.

2009-05-04 Thread Robert Butler
er, however had exhibited restraint due to the fact that this -is- a public mailing list. Though, what I'd posted was more from frustration than anything else. Once again, I apologize for -my- behavior. - Robert On Mon, 2009-05-04 at 10:16 +0100, a.l.m.bu...@lboro.ac.uk wrote: > Hi, >

Results of AES_set_encrypt_key differing depending on compilation target

2012-06-25 Thread Robert Foss
elper to easily verify differences. If anyone has any ideas I would be very grateful // Robert debug.sh: #!/bin/bash make clean && \ gcc -std=c99 -lssl -m32 bug.c -o test && ./test > m32.log && \ make clean && \ gcc -std=c99 -lssl -m64 bug.c -o test &&

Re: error while generating Certificate Signing Request

2012-10-23 Thread robert harris
Hello, Not sure this will help, but at first glance it seems that you have made a mistake in setup; c:/tmp_open_ssl;/ssl/openssl.cnf => Try this instead c:/tmp_open_ssl/ssl/openssl.cnf and ofc, check that that's where your config file is. Regards 2012/10/23 Sanford Staab > It looks like

Understanding -x509 option

2012-12-19 Thread Robert Moskowitz
I am rather good on theory of x509 certs, but quite short on practice of making them. The few times I did, I used templates, but this time around I am trying better to understand what is being created. Oh, I am creating a mailserver (postfix) cert. I am looking at a couple templates. The one

Re: Understanding -x509 option

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 03:44 AM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 19 December, 2012 22:24 ... I am trying better to understand ... creating a mailserver (postfix) cert. I am looking at a couple templates. The one at postfix.org

Re: Understanding -x509 option

2012-12-20 Thread Robert Moskowitz
Left out response to -nodes option... On 12/20/2012 03:44 AM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 19 December, 2012 22:24 ... I am trying better to understand ... creating a mailserver (postfix) cert. I am looking at a

Re: Understanding -x509 option

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 06:52 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Thursday, 20 December, 2012 08:24 Left out response to -nodes option... On 12/20/2012 03:44 AM, Dave Thompson wrote: openssl req -new -nodes -keyout foo-key.pem -out foo

Displaying cert content

2012-12-20 Thread Robert Moskowitz
OK. I am swamped. What is the command to display the cert content? I see openssl asn1parse -in file.cert but although I can read ASN1 cruft, I would like a nicer output. thanks

Re: Displaying cert content

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 08:49 PM, Patrick Patterson wrote: Hi Robert: On 2012-12-20, at 8:05 PM, Robert Moskowitz wrote: OK. I am swamped. What is the command to display the cert content? openssl x509 -in cert.pem -text -noout. Great just what I was looking for

problem with self-signed crt in Apache

2012-12-31 Thread Robert Moskowitz
Hello, I am running on Centos 6.3 where it looks like Openssl is 1.0.0-25 I am creating my cert with: openssl req -new -outform PEM -out certs/test.htt-consult.com.crt -newkey rsa:2048 -nodes -keyout private/test.htt-consult.com.key -keyform PEM -days 3650 -x509 This prompts me for the cont

Solved - Re: problem with self-signed crt in Apache

2013-01-01 Thread Robert Moskowitz
' in how the DN is displayed. Firefox shows DN content how I would expect it. On 12/31/2012 05:01 PM, Robert Moskowitz wrote: Hello, I am running on Centos 6.3 where it looks like Openssl is 1.0.0-25 I am creating my cert with: openssl req -new -outform PEM -out certs/test.htt-consult.com.crt -ne

BasicConstraints - Re: problem with self-signed crt in Apache

2013-01-02 Thread Robert Moskowitz
: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Monday, 31 December, 2012 17:02 I am running on Centos 6.3 where it looks like Openssl is 1.0.0-25 I am creating my cert with: openssl req -new -outform PEM -out certs/test.htt-consult.com.crt -newkey rsa:2048 -nodes -keyout

Re: BasicConstraints - Re: problem with self-signed crt in Apache

2013-01-03 Thread Robert Moskowitz
On 01/02/2013 11:45 PM, Dave Thompson wrote: From: Robert Moskowitz [mailto:r...@htt-consult.com] Sent: Wednesday, 02 January, 2013 12:12 As I indicated, part of my problem is the default ssl.conf for apache points to localhost.crt (built at firstboot) and I changed my hostname which does not

Got "FIPS routines:FIPS_drbg_init:selftest failure", how do I work around it?

2013-03-27 Thread Bao, Robert
acWithSHA384". In run time however, the FIPS_mode_set(1) function returned "error:2D073087:FIPS routines:FIPS_drbg_init:selftest failure". What did I do wrong? How to solve/work-around this problem? My OpenSSL version is 1.0.1c, and OpenSSL/FIPS version is 2.0.2. Thank

RE: Got "FIPS routines:FIPS_drbg_init:selftest failure", how do I work around it?

2013-03-28 Thread Bao, Robert
That worked! Thanks a lot for your quick help. Robert -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, March 28, 2013 10:11 AM To: openssl-users@openssl.org Subject: Re: Got "

Displaying cert with ecdsa

2013-08-14 Thread Robert Moskowitz
I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with: openssl x509 -in x509-ca.pem -text -nameopt multiline -noout I get errors: Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Unable to load Public Key 1406612

Re: Displaying cert with ecdsa

2013-08-16 Thread Robert Moskowitz
On 08/14/2013 05:37 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 14 August, 2013 15:49 I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with: openssl x509 -in x509-ca.pem -text -nameopt

Client certificate authentication

2021-03-11 Thread Robert Ionescu
___ Robert Ionescu *The information contained in this message is confidential and may be legally privileged. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, dissemination, or

Re: Client certificate authentication

2021-03-12 Thread Robert Ionescu
sed on this reported issue https://github.com/haproxy/haproxy/issues/693 ___ Robert Ionescu *The information contained in this message is confidential and may be legally privileged. The message is intended solely for the

Re: Client certificate authentication

2021-03-15 Thread Robert Ionescu
? ___ Robert Ionescu *The information contained in this message is confidential and may be legally privileged. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, dissemination, or reproduction is strictly

Re: Client certificate authentication

2021-03-15 Thread Robert Ionescu
? ___ Robert Ionescu *The information contained in this message is confidential and may be legally privileged. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, dissemination, or reproduction is strictly prohibited

Creating an X25519 client certificate

2021-03-17 Thread Robert Moskowitz
I have created my X25519 pub/priv keypair with: openssl genpkey -algorithm X25519\     -out $dir/private/$clientemail-X.key.$format And displays properly with: openssl pkey -in $dir/private/$clientemail-X.key.$format -text -noout So now to make the csr with: openssl req -config $dir/openssl-

Re: Creating an X25519 client certificate

2021-03-17 Thread Robert Moskowitz
On 3/17/21 7:22 PM, Viktor Dukhovni wrote: On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote: I have created my X25519 pub/priv keypair with: openssl genpkey -algorithm X25519\     -out $dir/private/$clientemail-X.key.$format Are you sure you didn't want ed25519 in

Re: Creating an X25519 client certificate

2021-03-17 Thread Robert Moskowitz
On 3/17/21 8:17 PM, Viktor Dukhovni wrote: On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote: I have created my X25519 pub/priv keypair with: openssl genpkey -algorithm X25519\     -out $dir/private/$clientemail-X.key.$format Are you sure you didn't want ed25519 in

Re: Creating an X25519 client certificate

2021-03-18 Thread Robert Moskowitz
On 3/17/21 9:48 PM, tincanteksup wrote: On 18/03/2021 01:22, Robert Moskowitz wrote: On 3/17/21 8:17 PM, Viktor Dukhovni wrote: Well, CSRs are self-signed, and X25519 does not support signing, so you CANNOT have an X25519 CSR. Slap myself on the forehead Of course I know that

Compiling v0.9.8y on windows x64 with capi

2013-11-21 Thread Robert Paix1
2.dll ssleay32.dll So, where's my fault in the configuration ? Thanks, Robert

fips_hmac.c(91): OpenSSL internal error, assertion failed: j <= sizeof ctx->key Abort

2014-07-23 Thread Robert Heller
ey Abort I am using openssl-0.9.8e-27.el5_10.3 and openssl-devel-0.9.8e-27.el5_10.3 on a 64-bit CentOS 5.10 system. -- Robert Heller -- 978-544-6933 Deepwoods Software-- Custom Software Services http://www.deepsoft.com/ -- Linux Administration Services hel...@deepsoft.com

Re: fips_hmac.c(91): OpenSSL internal error, assertion failed: j <= sizeof ctx->key Abort

2014-07-23 Thread Robert Heller
At Wed, 23 Jul 2014 17:15:55 + openssl-users@openssl.org wrote: > > On Wed, Jul 23, 2014 at 11:10:28AM -0400, Robert Heller wrote: > > > What am I doing wrong? > > > > [...] > > EVP_DigestInit_ex(&mdctx,(const EVP_MD *)EVP_sha256,NULL); > >

[openssl-users] Custom OID strange characters

2015-08-11 Thread Robert Sandilands
I am trying to build a certificate request with a custom OID and it is encoding strange characters in the certificate. For example I specify the following line in the .cnf file: bla_policy = ASN1:PRINTABLESTRING:blabla Then I get the following when I dump the csr: 1.2.3.4.5.6.7:

Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Robert Sandilands
So this leads to the next question: How do I teach OpenSSL the format of the value for a custom extension without writing code? I have been poring over man pages and I don’t find anything obvious. Robert > On Aug 11, 2015, at 2:24 PM, Wim Lewis wrote: > > On Aug 11, 2015, at 9:24 A

Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Robert Sandilands
behavior ;-) It seems like I don’t really have a choice. If it does not make sense, it is okay, it is not intended to make sense. It just implies that I don’t like either of my alternatives. Robert > On Aug 11, 2015, at 5:49 PM, Wim Lewis wrote: > > > On Aug 11, 2015, at 2:0

[openssl-users] Crypto Module Config

2016-08-21 Thread Schmicker, Robert
Hello, I am working on building a new crypto module that works with openssl. I have looked through the source code and found the /crypto/ folder which would be where this module would reside. However, if I duplicate a folder such as md5 within the /crypto/ folder and rename it to say “helloworl

[openssl-users] Properly Reseeding RAND_bytes()

2016-10-02 Thread Schmicker, Robert
Hello, I’m a little unsure on the recommended way to properly reseed the RAND_bytes() function. My output provides random numbers, but only the first 16 bytes. The output of byte 16 and on is just some period of the first 16 bytes and therefore has several duplicated numbers. My inputs are fou

[openssl-users] RAND_bytes() Properly Reseeding

2016-10-02 Thread Robert Schmicker
Hello, I’m a little unsure on the recommended way to properly reseed the RAND_bytes() function. My output provides random numbers, but only the first 16 bytes. The output of byte 16 and on is just some period of the first 16 bytes and therefore has several duplicated numbers. My inputs are fo

[openssl-users] Linker error when adding new cipher to crypto folder

2016-12-29 Thread Schmicker, Robert
Hello, I am attempting to add a new cipher into the crypto library. I have done the following so far… 1. Added my code to the openssl/crypto folder 2. Created a build.info for make to compile my code (created this based off of openssl/crypto/dh’s build.info

[openssl-users] build.info documentation

2017-01-10 Thread Schmicker, Robert
Hello, Can anyone here point me in the direction to some documentation on build.info files? For the most part I’m creating mine using examples from other crypto ciphers but could use some more in depth explanation of what is going on when it is being parsed. More specifical

[openssl-users] Inserting cipher into speed.c

2017-02-04 Thread Schmicker, Robert
Hello, Thanks to everyone's help here I was able to insert a new cipher into OpenSSL. However, for performance reasons I'd like to begin testing the speed of my cipher and compare to other already implemented ciphers. I went ahead and started editing the ./apps/speed.c file to insert the new

[openssl-users] Integrate EVP Cipher into OpenSSL Speed Test

2017-02-20 Thread Schmicker, Robert
Hello, I successfully managed to integrate an encryption cipher into the EVP and has been tested to work and now I'd like to get some speed tests of the cipher using openssl's integrated speed test via the command line with the "-evp" flag. What I've done so far to try and integrate it into

[openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req Where, for example: your_host_tld=z9m9z.test.htt-consult.com Thing is that this then

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
/docs/manmaster/man5/ Not easy enough for me. But I will have to read it some more. For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz 'Fuller' is putting it mildly. :) PS -- find me in Chicago and I can answer questions, Robert :) Plan on it! Bob -- openssl-use

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Jan, On 03/09/2017 08:06 PM, Jan Danielsson wrote: On 03/10/17 00:49, Robert Moskowitz wrote: [---] Is there some 'simple' way to provide these answers? Like with env variables? I tend do create response files (one response per line) and then simply pipe to openssl: $ cat

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Viktor, On 03/09/2017 08:17 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote: I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
On 03/09/2017 08:53 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote: $ umask 077 # avoid world-readable private keys Perhaps (no perhaps about it) this is old information, but I picked up that I needed: chmod 640 for the private keys for Apache. (and

Re: [openssl-users] scripting creating a cert

2017-03-10 Thread Robert Moskowitz
Very nice. But this looks like it as part of the whole easyRSA effort, not something I can easily feed into the openssl command to create the cert. It would take a fair bit of digging to dig out what I need for now. Definitely something I will look into soon, as providing a simple PKI for a

Re: [openssl-users] scripting creating a cert

2017-03-13 Thread Robert Moskowitz
Viktor, On 03/09/2017 05:53 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote: $ umask 077 # avoid world-readable private keys Perhaps (no perhaps about it) this is old information, but I picked up that I needed: chmod 640 for the private keys for Apache

[openssl-users] EDDSA certificates

2017-03-16 Thread Robert Moskowitz
Does any version of OpenSSL provide support for EDDSA, particularly creating and displaying the content of them? Right now my interest is seeing what is involved in creating them with EC25519 and evaluating their size and how they parse. Or meet me at the IETF and talk to me about them. than

Re: [openssl-users] EDDSA certificates

2017-03-16 Thread Robert Moskowitz
On 03/16/2017 04:04 PM, Salz, Rich via openssl-users wrote: Does any version of OpenSSL provide support for EDDSA, particularly creating and displaying the content of them? Not yet. EDDSA for 25519 and 448 would be great to have in the next release, tho. Let's talk about it at IETF. --

[openssl-users] Adding EVP cipher into SSL library

2017-04-02 Thread Schmicker, Robert
Hello, Can anyone give some insight on how to implement a new EVP symmetric cipher into the SSL library? I have the cipher integrated into the EVP and tested as working. I know it's old but I followed AES's integration from this commit: https://github.com/openssl/openssl/commit/deb2c1a1c58fb738b3

[openssl-users] Integrating New Cipher Suite

2017-04-08 Thread Schmicker, Robert
Hello, I'm attempting to integrate a customized cipher suite for TLS 1.2, however no matter what I try I always seem to end up with this error (client side): SSL routines:ssl_cipher_list_to_bytes:no ciphers available:ssl/statem/statem_clnt.c:3567 Can anyone give some further explanation on this?

Re: [openssl-users] Integrating New Cipher Suite

2017-04-11 Thread Schmicker, Robert
' to > openssl-users-requ...@openssl.org > > You can reach the person managing the list at > openssl-users-ow...@openssl.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > >

Re: [openssl-users] Integrating New Cipher Suite

2017-04-13 Thread Schmicker, Robert
Suite Message-ID: <20170411185409.ga23...@openssl.org> Content-Type: text/plain; charset=us-ascii On Tue, Apr 11, 2017, Schmicker, Robert wrote: Added a define in include/openssl/ssl.h: # define S

Re: [openssl-users] openssl-users Digest, Vol 29, Issue 20

2017-04-19 Thread Schmicker, Robert
After some debugging (exactly as mentioned above) it appears that the cipher suite does not show up in the ClientHello using the s_client/s_server. I modified the cipher for testing to use 512 bits instead of 64 so that it is ranked highest. Error server side: SSL routines:tls_post_process_cli

[openssl-users] Documentation for Integrating New Cipher Creation Request

2017-04-30 Thread Schmicker, Robert
Hello, Over the past several months through trial and error I have at last been able to integrate a new symmetric cipher into OpenSSL. After following this email chain for these past months I’ve noticed that once in a blue moon other users would ask how to integrate a new cipher into both libcr

[openssl-users] forking server question

2017-05-05 Thread Robert Cousins
Please excuse what is a simple question: what is the proper way to clean up in the parent and child when writing a forking server using OpenSSL? (I expected this would be a FAQ, but I couldn't find it.) I have code which works, but I have the nagging feeling that I'm leaking on the parent side. He

Re: [openssl-users] EDDSA certificates

2017-07-27 Thread Robert Moskowitz
Rich, Meant to ask you about this at IETF. Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to produce these??? And, relatedly, what do you think about CBOR encoding rather than ASN.1? Kill ASN.1 in constrained devices and save on transmission costs? Thanks Bob On 03/16

Re: [openssl-users] EDDSA certificates

2017-08-08 Thread Robert Moskowitz
19 thanks. On 07/27/2017 10:45 AM, Benjamin Kaduk wrote: On 07/27/2017 09:18 AM, Robert Moskowitz wrote: Rich, Meant to ask you about this at IETF. Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to produce these??? There is code to validate them,

Re: [openssl-users] EDDSA certificates

2017-08-08 Thread Robert Moskowitz
Ah, thanks for the explanation Rich. On 08/08/2017 11:19 AM, Salz, Rich via openssl-users wrote: We don't add features to released versions, just bug-fixes. Ladar has posted a patch for 1.0.2 for those do-it-yourselfers who are so inclined. The 'master' branch, which will become 1.1.1 at som

[openssl-users] Howto to create a PKI with Openssl command line

2017-08-09 Thread Robert Moskowitz
I want to build a PKI structure of a root CA, intermediate CA(s), and user and server certs. So I went looking for some guidance and found: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html Anything else out there? The certs will all be ECDSA, P256 SHA256. L
