Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Alan Buxey
Have you submitted a bug report for Apache (not honouring server config cipher order) if one doesn't exist? As for resistant to quantum computers, given the current aim is for systems that can calculate things that would currently take the age of the universe to calculate, resistance is futile ;)

Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Alan Buxey
hi, > 2) How can i get the list of ciphers supported by openssl 01.01.0f ? openssl ciphers -v ??? > These question looks to be very basic but i could not find any concrete > information regarding the same googling. Google provides the answers if your question is well formed. or you could

Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Alan Buxey
https://github.com/google/easypki , http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a simple similar system when using OpenVPN years ago. it was (IMHO) very good but the powers that be decided that OpenVPN wasn't the way to go and so money was spent on a (inflexible and

Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Alan Buxey
confirmed, i've seen dozens on one cert - far more preferable to do that and have such numbers than a single wildcard cert (which has issues on all sorts of platforms for various purposes). alan On 26 April 2017 at 18:24, Blumenthal, Uri - 0553 - MITLL wrote: > > It’s been

Re: The no-stdio and NO_FP_API options

2014-09-03 Thread Alan Buxey
+1 for keeping the features (I use AmiSSL ;) ) alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Heart bleed with 0.9.8 and 1.0.1

2014-04-14 Thread Alan Buxey
hi, Will client respond for heart beat request even if server doesn't support heart beat . ? no. both systems need to have some heartbeat code present. Which version of ssl this heart beat is introduced ? same as all the original advisories have said 1.0.1 - fixed in 1.0.1g but patches to

Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

2014-04-11 Thread Alan Buxey
It seems that there is another difference between the two openssl versions than only the heartbleed bugfix. err, yes. The g release is a new minor release. I'd ALWAYS advise reading the changelog before deploying. .. You'd then have seen the new features (this is why vendors such as redhat

Re: OpenSSL Security Advisory

2014-04-09 Thread Alan Buxey
https://www.openssl.org/news/changelog.html 1.0.1 introduced the heartbeat support. 1.0.0 and earlier are fortunate in that they didn't have it. But then they didn't have things to stop you from being BEASTed so some you win, some you lose. ;) alan

Re: CVE 2014-0160 -- disabling the heartbeat

2014-04-08 Thread Alan Buxey
...or take the upstream fix...apply to your older version and keep the heartbeat functionality. Which is what I believe the very latest redhat/centos patches do Alan

Re: CVE 2014-0160 -- disabling the heartbeat

2014-04-08 Thread Alan Buxey
But it's the apps that need these features. The app should either have the option to disable features if not needed. .. or be coded to not accept such extensions if it doesn't utilise them (which I believe is the correct way) alan

Re: ssh-add refuses to use the key on my USB thumb drive

2013-12-11 Thread Alan Buxey
Use Google? ;) mount_msdosfs -u x -m 700 /dev/usbdevice /mnt/ where -u is the uid of your required user. alan

Re: How can I enable aes-ni in openssl on Linux

2013-12-06 Thread Alan Buxey
Hi Likely to be already using it and you can verify this by running some benchmarks - this is on a massive host and not virtualised platform? I guess a related question is how to ensure that those functions are used by openssl whenever possible. ... eg required openssl config in software that

Re: I can't believe how much this sucks

2012-11-13 Thread alan buxey
Hi, I am not criticising the documentation for openssl, and will not; but I would encourage those who are responsible for maintaining and improving openssl to not neglect the documentation.  It would be a mistake to leave it is an Open Source project - thus there is also an onus on

Re: I can't believe how much this sucks

2012-11-13 Thread alan buxey
Hi, Nonsense.  No-one knows better how the code ought to be working than the folk who developed it.  I begin with the assumption that all my coders are i'd cite the cathedral and the bazaar ...or the 'many eyes make all bugs shallow' views - if you are given the API and the documents,

Re: Wild card SSL; use on multiple Apache servers

2012-10-24 Thread Alan Buxey
The wildcard is for a particular domain (* is valid for any host within it). If your other server is in a different domain, then it won't work. alan

Re: OpenSSL -- Squid !

2012-02-20 Thread Alan Buxey
hi, this isn't OpenSSL or its config - this is an application question. you need to check your squid.conf configuration file - if you were already doing CA verification with old cert, the old config will be there - otherwise you will need to check with the squid documentation on how to do it.

Re: virus or hoax in test/asn1test.exe ?

2012-02-14 Thread Alan Buxey
Hi, I just compiled openssl-1.0.0g on a Win7 box using MingW. All went well, except I got a virus alert from Avira for 'TR/Graftor.10418.101' found in the file .../openssl-1.0.0g/test/asn1test.exe. That virus was added to the Avira VDF file on 2012-01-18. Avira denies access to it, so that

Re: Removing a cipher

2012-01-13 Thread Alan Buxey
Hi, In an application that you use or one that you've written? Ie where is this low cipher being seen? alan

Re: TLS Overhead

2011-11-14 Thread Alan Buxey
hi, you are using cryptodev with that Atom rather than just using software-only OpenSSL? alan __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: Tracking amount of Time spent on a computation

2011-08-25 Thread Alan Buxey
Hi, Hey List, I am using Openssl for experimenting with the cryptographic accelerator on Sun machine. I am using this command openssl speed -engine pkcs11 -evp aes-128-cbc to have the results and this gives me number of bytes that are communicated between the processor and

Re: howto be my own CA for my new certificates

2011-08-04 Thread Alan Buxey
Hi, Thank you! But now I'm spending my time with another issue with this: I cannot create certificate longer than 1 month: This is my CA certificate validity: ... Not Before: Aug 3 10:07:14 2011 GMT Not After : Aug 2 10:07:14 2012 GMT ... This

Re: slow https connections

2011-04-27 Thread Alan Buxey
Hi, Thanks for the input guys, however the 15 second pause exists even if i explicitly disable reverse lookups in apache 'Hostnamelookups Off' in httpd.conf and my server is operating on an internal network in a company so although i cant say for sure i doubt there is much IPV6 stuff

Re: slow https connections

2011-04-26 Thread Alan Buxey
Hi, On 04/26/11 3:06 AM, Matthew Fletcher wrote: I've come to this list in search of help with slow https connections (via the subversion, apache and finally mod_ssl lists). There is a 15 second ish delay whenever a client connects using https, 15 seconds sounds to *me* like a DNS

Re: First time attempting PostgreSQL SSL

2011-01-29 Thread Alan Buxey
Hi, I’m new as can be with creating SSL certificates on my own.  I downloaded the openssl binary and installed it.  The instructions and tutorials on the website don’t help me much in terms of steps A,B,C; this could also be due to a lack of familiarity with technical terms used

Re: Geode on-chip AES 128-bit crypto accelerations but OpenSSL doesn't use it

2009-09-29 Thread Alan Buxey
Hi, Hi, Since we are on the subject of hardware enhanced cryptography, does the HiFn chips used in the Soekris devices, have support in openssl?. yes - for some time now. i happen to have a vpn1401 next to me which I used in a FreeBSD box alan

Re: Geode on-chip AES 128-bit crypto accelerations but OpenSSL doesn't use it

2009-09-27 Thread Alan Buxey
Hi, Hello everybody, The AMD Geode LX800 CPU has an on-chip AES 128-bit crypto accelerations block and a true random number generator, but OpenSSL is not using it. Please see the below link for test reports and openssl outputs http://debian.pastebin.com/faeff2a3 Is there anybody that

Re: UltraSPARC T2 - OpenSSL - PKCS11 ???

2009-08-13 Thread Alan Buxey
hi, your pkcs11 on the Sparc system is fast(!) its just the verification that seems a little b0rked/slow :-| alan