Re: I can't believe how much this sucks

Another amen. I am a professional programmer. I am grateful for OpenSSL. At the same time, each time I have to use it directly (as opposed to use a few of the good C++ wrappers) I know I will be going down to hell and fight for my life, and when I will come back, my hairs will be grayer :-) Lack

Re: I can't believe how much this sucks

On Tue, 13 Nov 2012 14:11:17 -0700 t...@terralogic.net wrote: This is just a NORMAL way for a programmer to work IMHO. I HATE comming into undocumented code years after its been written and IMHO its a big booby trap because its very easy to miss something and that creates hard to find bugs.

OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions

We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1) and I'd like to test out this set of assumptions (or maybe they are 'assertions') - In the context of OpenSSL, FIPS compliance is all about algorithm choice. In FIPS mode (FIPS_mode_set() returns success),

Re: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions

On Tue, Nov 13, 2012 at 4:26 PM, mclellan, dave dave.mclel...@emc.com wrote: We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1) and I’d like to test out this set of assumptions (or maybe they are ‘assertions’) - In the context of OpenSSL, FIPS compliance is

RE: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions

The term 'FIPS compliant' does not refer to the software capability, but to the implementation used to perform the cryptographic operations. If only one end of your connection is in FIPS mode then the full end to end path is not necessarily FIPS compliant. In fact, without some out-of-band

RE: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions

Thank you for this answer, and by the way to all others who have answered, and thanks in advance to all who might still.I'm now getting a better picture from the variety of answers. Apologies again for the repeated post (due to a problem with my subscription to openssl-users)

Re: Need input for Certificate generation

On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote: Hi, At one place, we are using following logic for generating self-signed certificate: #define SEED_SIZE 128 k = RAND_status(); while(k == 0) { // custom logic for getting random numbers from system variables ...

Re: I can't believe how much this sucks

It’s interesting that this article shows that LACK OF GOOD DOCUMENTATION and POOR API DESIGN are at the heart of this problem. I have noticed over the years that much of our society has changed its very idea of what a good application is. It used to be that if something could not be easily

Re: I can't believe how much this sucks

In the case of openssl, a big gain would be to simply document the command line interface better and create a doc centric forum for people to add their lessons learned filed around the particular feature area of openssl. WORKING EXAMPLES would be REAL cool. Does anyone on this alias want to

MITM with OpenSSL v1.0.1c and BIOs

Hello -- I have been working on the creation of a MITM plugin of sorts using OpenSSL v1.0.1.c. My code basically is handed stream payloads (e.g. in this case full SSL/TLS packets or groups of packets). I must then MITM them and extract application data as required. I cannot use sockets directly

RE: I can't believe how much this sucks

That article is unbelievably scary, and your analysis is spot on. I admit it: I sometimes assume that if the C compiler “likes” (matches to a declaration) what I have coded then it must be correct – given the absence of documentation. Did you see the example in the article of the API where a

RE: Need input for Certificate generation

From: Jeffrey Walton [mailto:noloa...@gmail.com] On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote: ... #define SEED_SIZE 128 ... //RAND_seed(buf, SEED_SIZE); RAND_add(buf, SEED_SIZE, (20/100) * SEED_SIZE); k = RAND_status(); } I'm not sure 20%

Re: I can't believe how much this sucks

WORKING EXAMPLES would be REAL cool. You kind of have it with the source code to openssl.exe. Crypto++ had the same way back when (its a C++ crypto library, and its not nearly as popular as OpenSSL). Users did not check cryptest.exe for API usage (cryptest.exe is the equivalent of openssl.exe).

Re: I can't believe how much this sucks

On Thu, Nov 15, 2012 at 09:52:49AM -0500, Sanford Staab(Gmail) wrote: In the case of openssl, a big gain would be to simply document the command line interface better and create a doc centric forum for people to add their lessons learned filed around the particular feature area of openssl.

Re: I can't believe how much this sucks

Sanford Staab(Gmail) sanfo...@gmail.com wrote: I think it is high time for a v2 of openssl, a rewrite almost from scratch, removing support for older protocols and ciphers and simplifying it down with full TDD from start to finish to really correct this problem. So why don't you simply

Re: Need input for Certificate generation

On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote: CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows OS apr_generate_random_bytes(buf, SEED_SIZE); // On Linux OS Speaking of poor