.@openssl.org on behalf of m...@openssl.org> wrote:
>
>
>On 11/02/16 01:03, Alex Chen wrote:
>> I tried to build openssl 1.0.2f on MacOS with the following
>> configuration options "Configure no-bf" but it failed because there is
>> no header file blowfish.h
I tried to build openssl 1.0.2f on MacOS with the following configuration
options "Configure no-bf" but it failed because there is no header file
blowfish.h in include/openssl directory.
This does not happen in 1.0.2d where include/openssl/blowfish.h is a
symbolic link to
. that are defined in
ob_jmac.h.
What I would like to know is how the names are related to NIST's
recommendation list?
Is there a convention?
Thanks
On 11/11/2015 1:08 PM, Jakob Bohm wrote:
On 11/11/2015 21:02, Alex Chen wrote:
I see there is a list of recommended list by NIST in
http://csrc.nist.gov/groups
I see there is a list of recommended list by NIST in
http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf, but
it is very old (1999)
Is there an up-to-date list of elliptic curves approved or recommended
for government use in OpenSSL?
Is NID_X9_62_prime256v1 the strongest?
Thanks
I assume SSL_OP_NO_TLSv1 affects TLS v1.0 only but not TLS v1.x in general?
Alex
I want to disable SSLv2 support in OpenSSL and use the flag -DOPENSSL_NO_SSL2
when configuring OpenSSL. It builds fine and passes all tests during 'make
test' phase.
However there are quite a few SSLv2 tests and they all seem to have passed, or
at least do not indicate 'not supported' errors.
I downloaded OpenSSL 1.0.1e and tried to build it for both 32-bit and 64-bit
with release and debug configurations but it failed on 64-bit debug
configuration.
There are only darwin-i386-cc, debug-darwin-i386-cc and
darwin64-x86_64-cc in 'Configure' of 1.0.1e:
# MacOS X (a.k.a. Rhapsody or
/11/2012 2:30 AM, Florian Weimer wrote:
On 12/11/2012 02:44 AM, Alex Chen wrote:
I want to set up SSL so it does not use SSL v2 or older, just like that
Apache has in its httpd-ssl.conf
SSLProtocol all -SSLv2
What is the equivalent API to do this?
After reviewing existing documentation and code
I want to set up SSL so it does not use SSL v2 or older, just like that
Apache has in its httpd-ssl.conf
SSLProtocol all -SSLv2
What is the equivalent API to do this?
Thanks.
__
OpenSSL Project
Thanks to Mr. Hohnstaedt and Dr. Henson for answering my questions. It
was very useful.
Alex
On 12/6/2012 4:38 AM, Dr. Stephen Henson wrote:
On Thu, Dec 06, 2012, Christian Hohnstaedt wrote:
On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote:
I am trying to change the password
I am trying to change the password of a private key with 'openssl rsa'
command. The original key file, server.key.enc has the following format:
-BEGIN ENCRYPTED PRIVATE KEY-
-END ENCRYPTED PRIVATE KEY-
When I used the command openssl rsa -in server.key.enc -passin
Of Alex Chen
Sent: Friday, 12 October, 2012 21:31
The 'openssl cipher -v' command shows the following cipher suites:
snip
If both the client and server use the sample version of openssl
library and they only call OpenSSL_add_all_algorithms()
to initialize the cipher list.
I assume
The 'openssl cipher -v' command shows the following cipher suites:
$ openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256)
that is different from what is already done by OpenSSL?
Alex
On Sep 25, 2012, at 3:49 AM, Klaus Darilion wrote:
On 24.09.2012 23:56, Alex Chen wrote:
Sorry I did not use new mail command to start a new topic. Let me start
over again.
I remember seeing somewhere that OpenSSL supports Intel AES
I remember seeing somewhere that OpenSSL supports Intel AES instruction set.
If so, which release is that and what flag is needed to enable it.
Does the 'no-asm' flag in 'Configure' disable the use of these instructions?
Alex
Sorry I did not use new mail command to start a new topic. Let me start over
again.
I remember seeing somewhere that OpenSSL supports Intel AES instruction set.
If so, which release is that and what flag is needed to enable it.
Does the 'no-asm' flag in 'Configure' disable the use of these
When FIPS mode is turned on, I assume OpenSSL will only use FIPS 140-2
approved encryption algorithms for network traffic encryptions as well,
correct?
Alex
Thanks, Steve.
Alex
On 7/6/12 4:36 PM, Steve Marquess marqu...@opensslfoundation.com wrote:
On 07/05/2012 12:43 PM, Alex Chen wrote:
Thanks for the information, Steve. I do have some questions about the
FIPS
module.
1. What does 'support' mean? Does it involve source code change
the same flags and
defines specified in the Makefile, will the resulting library still be
considered valid, assuming it passes all the tests that come with the source
code?
Alex
On 7/4/12 6:05 AM, Steve Marquess marqu...@opensslfoundation.com wrote:
On 07/03/2012 07:35 PM, Alex Chen wrote:
I
I assume this module will work with both OpenSSL 1.0.0 and 1.0.1?
On 6/25/12 7:03 AM, Steve Marquess marqu...@opensslfoundation.com
wrote:
The OpenSSL FIPS Object Module 1.2 has been extended to include support
for the iOS and Mac OS X operating systems, as the newly released
revision 1.2.4.
mechanism. These two do not provide the protection
you are looking for. They enable message protection by providing the crypto
keys needed by S/MIME, TLS, DTLS, and IPSec to protect the message.
Erwin
On Wed, May 2, 2012 at 4:46 PM, Alex Chen alex_c...@filemaker.com wrote:
I want
I want to send encrypted information from a client to the server via non-SSL
connections without using hardcode encryption key, i.e. a typical scenario.
Both client and server have their private key and certificate. (RSA key, PEM
format)
I am thinking of two options to exchange the encryption
There is a 'rand' command in the openssl command line tool to generate 'pseudo'
random number generator. But I cannot find the API from either the 'ssl' or
'crypto' man pages.
Can someone point me to the API page if it is available?
Is this RNG implementation different in the regular
Steve,
Unfortunately it has been four weeks and the status is still stuck in
'coordination'.
Well, we all know the government pace is a 'little slower' than the rest of the
industry.
There is a 'finalization' status after 'coordination', what is involved in that
status?
When an application
Thanks for the response, Steve.
Alex
On Apr 4, 2012, at 4:58 PM, Steve Marquess wrote:
On 04/04/2012 07:17 PM, Alex Chen wrote:
Steve,
Unfortunately it has been four weeks and the status is still stuck in
'coordination'. Well, we all know the government pace is a 'little
slower' than
When the padding is disabled by setting the padding size to 0 in
EVP_CIPHER_CTX_set_padding(), is the output data block size the same as the
input block size?
Will this reduce the encryption strength?
Alex
My mistake in the subject line in previous mail. What I have actually
downloaded is FIPS 2.0.
The questions below are still valid.
Alex
On Mar 16, 2012, at 6:48 PM, Alex Chen alex_c...@filemaker.com wrote:
I have downloaded the OpenSSL 1.0.1 and FIPS object module v2.0. Both will
build
I have downloaded the OpenSSL 1.0.1 and FIPS object module v1.2. Both will
build a libcrypto.a library. I have some questions and hope someone can
clarify them for me.
This FIPS thing is totally new so please forgive me if the questions are off
the target.
1. Is the crypto code in FIPS a
When can we expect the final release of OpenSSL 1.0.1?
Does FIPS 2.0 only work with OpenSSL 1.0.1 but not 1.0.0?
There is a document,
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf, of
pending FIPS certificate and OpenSSL object module is there.
Is that for FIPS 2.0? When
I downloaded OpenSSL 0.9.8t and tried to build it under Mac OS X 10.6.8. I want
to build a dynamic library with both 32-bit and 64-bit (Universal binary). I
tried various flags with the Configure script but failed.
Here are the parameters I feed to 'Configure':
./Configure threads shared no-hw
Thanks for the information Jakob. I cannot find such module from OpenSSL
source download page.
Alex
On Feb 17, 2012, at 2:19 AM, Jakob Bohm wrote:
On 2/16/2012 10:28 PM, Alex Chen wrote:
From what I saw in OpenSSL site and the user guide, the
FIPS object module is only compatible
From what I saw in OpenSSL site and the user guide, the FIPS object module is
only compatible with OpenSSL 0.9.8, not 1.0. Is that still valid? Does that
mean I cannot use that module to work with OpenSSL 1.0?
The FIPS 140 certification number 1051 is for source code module and from what
I
I am reading the OpenSSL FIPS user guide and the first thing I notice is
that it says it only supports openssl 0.9.8j and up but not openssl 1.0.0.
We are currently using openssl 1.0.0. Does that mean we cannot use the
FIPS module? Do we have to move back to 0.9.8 branch?
Alex
?
Alex
On Aug 10, 2010, at 10:44 AM, Erwann ABALEA wrote:
Hodie IV Id. Aug. MMX, Alex Chen scripsit:
I am only an end user and not familiar with SSL internals. If I
understand the replies correctly, OpenSSL 1.0.x currently supports
SHA-2 in certificates but not in the cipher suites used
for sha256, sha384, etc., too, correct?
Alex
On 9/1/2010 4:28 PM, Alex Chen wrote:
So if I want to use SHA-2 in my certificates, how do I choose one from the
available SHA-2 family?
The only thing I see in the config file we use is
default_md = md5
and the generated pem file has
, August 11, 2010 9:11 PM
To: openssl-users@openssl.org
Cc: Alex Chen
Subject: Re: Cipher selection
No, OpenSSL chooses the cipher from the argument to
SSL[_CTX]_set_cipher_list(3ssl) called on the SSL or the SSL_CTX structure.
On 8/11/10 4:57 PM, Alex Chen wrote:
Does openssl choose the cipher
Does openssl choose the cipher from the pem file? If so, which section of the
following pem file sets the cipher for communication?
Certificate:
Data:
Signature Algorithm: md5WithRSAEncryption
Issuer: .
Validity
Not Before: ...
Not After :
Bohm wrote:
On 08-08-2010 01:13, Dr. Stephen Henson wrote:
On Fri, Aug 06, 2010, Alex Chen wrote:
Is SHA-2 supported in OpenSSL 1.0 or the latest version?
From my search in Google, I found the following entry in openssl-dev
mailing list:
List: openssl-dev
Subject:Re: SHA-2 support
Is SHA-2 supported in OpenSSL 1.0 or the latest version?
From my search in Google, I found the following entry in openssl-dev mailing
list:
List: openssl-dev
Subject:Re: SHA-2 support in openssl?
From: smitha daggubati smithad123 () gmail ! com
Date: 2009-11-18 9:56:55
was generated with MD5 hash instead
of SHA hash, correct? How do we set the hash function to SHA instead
of MD5?
Alex
On May 7, 2009, at 12:46 PM, Victor Duchovni wrote:
On Thu, May 07, 2009 at 10:54:50AM -0700, Alex Chen wrote:
How does openssl decide which SHA function to use if we
verification, but
not in any other crypto suite used
for traffic?
And do we 'enable' the all algorithm? Any man page for more
information?
Thanks.
Alex
On May 8, 2009, at 11:40 AM, Victor Duchovni wrote:
On Fri, May 08, 2009 at 10:11:22AM -0700, Alex Chen wrote:
Thanks
How does openssl decide which SHA function to use if we simply use an
ssl connection, i.e. what controls the use of different SHA functions?
Is there a way users can select it?
Alex
We are using OpenSSL 0.9.7e and would like to know if it supports SSL 3.0?
Alex
The header file crypto/pqueue/pq_compat.h does not have the following
directive
#ifndef HEADER_PQ_COMPAT_H
#define HEADER_PQ_COMPAT_H
#endif
The effect is that we get warnings about PQ_64BIT being redefined
because ssl.h includes ssl3.h, which includes pq_compat.h, and
dtls1.h,
That is great news, Dr. Henson.
In our test with openssl 0.9.7e, the behavior of certificate expiration
date calculation does not seem to be consistent across different OS.
For instance, when we use openssl to generate pem files on Windows and
MacOS X with system time set beyond 2012, we get
In OpenSSL 0.9.8i, if I try to get the openssl build information, I get
C:\OpenSSL\0.9.8i\ms\releaseopenssl
OpenSSL version
OpenSSL 0.9.8i 15 Sep 2008
OpenSSL version -h
usage:version -[avbofp]
error in version
OpenSSL version -d
OPENSSLDIR: /usr/local/ssl
Apparently the '-d' flag is missing in
Seriously, if we use openssl version 0.9.7 to generate a certificate
on MacOS and set the end day to from now, i.e. set 'default_days'
to but do not have 'default_enddate' in the config,
we get
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not
When we use openssl to generate the certificate, we add a certain time,
i.e. thirty years, to the time when the certificate is created.
It is 2008 now and this makes the expiration date 2038. Unfortunately
this triggers the infamous year 2038 problem
I am updating OpenSSL from 0.9.7e to 0.9.8i. There are some new files
and some files are moved. Most noticeably, there is a new 'engines'
directory that seems to host
some files that were previously under crypto/engine, or their equivalent.
I first followed the instruction in INSTALL.WIN32
I downloaded OpenSSL 0.9.8i on my Vista machine and tried to build it
without any changes but failed.
I have Cygwin and gcc installed on my machine. I ran 'config' on the
top level and then ran 'make' to build.
The build process stopped with the following error:
gcc -I.. -I../..
I am trying to setup SSL connections between
Java and C for HTTPS, i.e. between tomcat and
gSOAP, which uses openssl to handle the SSL part.
The java side uses keytool to generate the keystore and export its
certificate.
In openssl side, it can generate its certificate and keys.
Java's keytool
51 matches