Another amen.
I am a professional programmer. I am grateful for OpenSSL. At the same
time, each time I have to use it directly (as opposed to using a few of the
good C++ wrappers) I know I will be going down to hell and fight for my
life, and when I come back, my hair will be grayer :-)
Lack
On Tue, 13 Nov 2012 14:11:17 -0700
t...@terralogic.net wrote:
This is just a NORMAL way for a programmer to work IMHO. I HATE
coming into undocumented code years after it's been written and IMHO
it's a big booby trap because it's very easy to miss something and that
creates hard to find bugs.
We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1)
and I'd like to test out this set of assumptions (or maybe they are
'assertions')
- In the context of OpenSSL, FIPS compliance is all about algorithm
choice. In FIPS mode (FIPS_mode_set() returns success),
On Tue, Nov 13, 2012 at 4:26 PM, mclellan, dave dave.mclel...@emc.com wrote:
We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1)
and I’d like to test out this set of assumptions (or maybe they are
‘assertions’)
- In the context of OpenSSL, FIPS compliance is
The term 'FIPS compliant' does not refer to the software capability, but to the
implementation used to perform the cryptographic operations. If only one end
of your connection is in FIPS mode then the full end to end path is not
necessarily FIPS compliant. In fact, without some out-of-band
Thank you for this answer, and by the way to all others who have answered, and
thanks in advance to all who might still. I'm now getting a better picture
from the variety of answers.
Apologies again for the repeated post (due to a problem with my subscription to
openssl-users)
On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote:
Hi,
At one place, we are using the following logic for generating self-signed
certificate:
#define SEED_SIZE 128
k = RAND_status();
while(k == 0)
{
// custom logic for getting random numbers from system variables
...
It’s interesting that this article shows that LACK OF GOOD DOCUMENTATION and
POOR API DESIGN are at the heart of this problem.
I have noticed over the years that much of our society has changed its very
idea of what a good application is.
It used to be that if something could not be easily
In the case of openssl, a big gain would be to simply document the command
line interface better and create a doc centric forum for people to add their
lessons learned filed around the particular feature area of openssl.
WORKING EXAMPLES would be REAL cool. Does anyone on this alias want to
Hello --
I have been working on the creation of a MITM plugin of sorts using OpenSSL
v1.0.1.c. My code basically is handed stream payloads (e.g. in this case
full SSL/TLS packets or groups of packets). I must then MITM them and
extract application data as required. I cannot use sockets directly
That article is unbelievably scary, and your analysis is spot on.
I admit it: I sometimes assume that if the C compiler “likes” (matches to a
declaration) what I have coded then it must be correct – given the absence of
documentation. Did you see the example in the article of the API where a
From: Jeffrey Walton [mailto:noloa...@gmail.com]
On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com
wrote:
...
#define SEED_SIZE 128
...
//RAND_seed(buf, SEED_SIZE);
RAND_add(buf, SEED_SIZE, (20/100) * SEED_SIZE);
k = RAND_status();
}
I'm not sure 20%
WORKING EXAMPLES would be REAL cool.
You kind of have it with the source code to openssl.exe.
Crypto++ had the same way back when (it's a C++ crypto library, and it's
not nearly as popular as OpenSSL). Users did not check cryptest.exe
for API usage (cryptest.exe is the equivalent of openssl.exe).
On Thu, Nov 15, 2012 at 09:52:49AM -0500, Sanford Staab(Gmail) wrote:
In the case of openssl, a big gain would be to simply document the command
line interface better and create a doc centric forum for people to add their
lessons learned filed around the particular feature area of openssl.
Sanford Staab(Gmail) sanfo...@gmail.com wrote:
I think it is high time for a v2 of openssl, a rewrite almost from scratch, removing
support for older protocols and ciphers and simplifying it down with full TDD from
start to finish to really correct this problem.
So why don't you simply
On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote:
CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows OS
apr_generate_random_bytes(buf, SEED_SIZE); // On Linux OS
Speaking of poor