Re: ssl handshake with multiple tcp connect?

2011-08-26 Thread David Schwartz
On 8/25/2011 6:04 AM, Arjan Filius wrote: Hello, today I ran into a situation, where I notice firefox/chrome and gnutls-cli use 3 tcp sessions to get a single ssl session, where openssl s_client takes only one. One tcp session is what I expect, and I hope someone may have an explanation.

Re: Simple question: Maximum length of PEM file?

2011-07-27 Thread David Schwartz
On 7/26/2011 10:16 PM, Katif wrote: Can you tell me what are the application dependency factor here so we'll be able to chase a limit? It is used as an RSA key exchange certification/private key pairing. Thanks... Maximum RSA key size supported. Extensions supported. DS

Re: Simple question: Maximum length of PEM file?

2011-07-26 Thread David Schwartz
On 7/26/2011 4:38 AM, Katif wrote: I need to know in advance the maximum length of the following three PEM formatted files (excluding the -BEGIN/END lines): It's application-dependent. There is no answer in general. DS

Re: Query Regarding usage of SSL_Connect()

2011-07-17 Thread David Schwartz
On 7/14/2011 6:17 AM, Amit Kumar wrote: Hi team, I am using SSL_Connect() in one of my projects and this SSL_connect is returning a value of -1. With SSL_get_error() I can see it is SSL_ERROR_WANT_READ? Now I am not understanding why this can come and if this is there then

Re: SSL_read returns SSL_ERROR_WANT_READ

2011-07-11 Thread David Schwartz
On 7/11/2011 3:18 PM, Carla Strembicke wrote: The server receives the encrypted data and sends to the lower level and where it is pumped into the SSL structure ( which is using these memory buffers) using the BIO_write call ( I actually see that bytes are written into it) and the buffer looks

Re: Replacement of functions that operate with sockets

2011-06-22 Thread David Schwartz
On 6/21/2011 2:40 AM, ml.vladimbe...@gmail.com wrote: The fourth function is SSL_EncryptUserData, which encrypt our own application data before we can send their to secure channel: int SSL_EncryptApplicationData(char *buf_in, int buf_in_len, char buf_out, int buf_out_len, int

Re: Replacement of functions that operate with sockets

2011-06-22 Thread David Schwartz
On 6/21/2011 2:53 AM, ml.vladimbe...@gmail.com wrote: Jim, for me the main goal to replace functions that operate with sockets is performance. I want to use OpenSSL with Windows IO Completion ports. The method that you suggest is very interesting but the main is not achieved - OpenSSL is still

Re: Replacement of functions that operate with sockets

2011-06-22 Thread David Schwartz
On 6/22/2011 3:20 AM, ml.vladimbe...@gmail.com wrote: Where can I find this example with BIO pairs? I can't understand only with openssl's documentation how to work with BIO pairs. I will be grateful for the help. Look in ssl/ssltest.c, in the doit_biopair function. DS

Re: Replacement of functions that operate with sockets

2011-06-20 Thread David Schwartz
On 6/15/2011 11:57 AM, ml.vladimbe...@gmail.com wrote: Hello. By default OpenSSL itself works with sockets. I would want to implement operation with sockets without admitting it to OpenSSL. I.e. for example, when OpenSSL wants to write down something in a socket, it should cause my function and

Re: Why my SSL_Connect() hangs at times?

2011-06-13 Thread David Schwartz
On 6/11/2011 8:52 AM, kali muthu wrote: I have Linux Server which has been connected with a Windows XP client using SSL Sockets. I am able to read and write through those sockets. Good. Recently my calls to SSL_Connect() waits for long time. And yes I am using in Blocking mode. My search on

Re: SSL Communication using BIO

2011-05-23 Thread David Schwartz
On 5/23/2011 1:59 AM, Harshvir Sidhu wrote: David, So are you suggesting that i change the approach in my Code. Hard for me to give you a useful answer without seeing your code. If your code tries to treat OpenSSL as a filter, expecting input and output to correlate, then yes. If your

Re: SSL Communication using BIO

2011-05-22 Thread David Schwartz
On 5/22/2011 5:10 PM, Harshvir Sidhu wrote: Previously I have used SSL_XXX functions for performing SSL operations. Now i have am working on an application which is written in Managed C++ using callback functions(BeginReceive and EndReceive), and SSL_Read function is not working for that.

Re: How do calculate the

2011-05-20 Thread David Schwartz
On 5/18/2011 3:27 AM, G S wrote: I'm probably being obtuse here, but I don't see how encrypting your request with a public key would help you with your original problem. What stops a rogue app from doing the same encryption? They can't see what the parameters are. So what are

Re: Multiple connection from 1 client

2011-05-10 Thread David Schwartz
On 5/9/2011 1:45 PM, Eric S. Eberhard wrote: int setblock(fd, mode) int fd; int mode; /* True - blocking, False - non blocking */ { int flags; int prevmode; flags = fcntl(fd, F_GETFL, 0); prevmode = !(flags & O_NDELAY); if (mode) flags &= ~O_NDELAY; /* turn blocking on */ else flags

Re: Clients glomming onto a listener

2011-05-10 Thread David Schwartz
On 5/10/2011 2:10 AM, John Hollingum wrote: I have a service written in Perl, running on Linux that presents a very simple SSL listener. When this service is hit, it identifies the connecting node from its certificate/peer address and just sends some xml to them containing data from some files

Re: Multiple connection from 1 client

2011-05-09 Thread David Schwartz
On 5/9/2011 6:27 AM, Harshvir Sidhu wrote: Also i suspect, that if i change the socket to non blocking, then my current read write code will not work. i mean the one in which i use FD_SET and select to perform operations. Thanks. It's very easy to get things wrong and it won't work

Re: OpenSSL and multithreaded programs

2011-05-05 Thread David Schwartz
On 5/5/2011 10:01 AM, Chris Dodd wrote: Is the OpenSSL library supposed to be at all reentrant? I've had odd problems (intermittent errors) when trying to use OpenSSL in a multithreaded program (multiple threads each dealing with independent SSL connections), and have apparently solved them by

Re: RSA_private_decrypt across processes

2011-05-04 Thread David Schwartz
On 5/4/2011 9:14 AM, Ashwin Chandra wrote: Okay I read the complete bug report and it looks like there is a fix in the latest openssl. However I checked it out and it limits the maximum time RAND_poll will take to a second. 1000ms. Is there any other way to speed this up? Populate the OpenSSL

Re: How to create threaded pool with OpenSSL

2011-05-03 Thread David Schwartz
On 5/3/2011 11:31 AM, derleader mail wrote: Hi, I found OpenSSL server code which uses threads in order to process clients. Is it possible to create connection pool with OpenSSL. There is no information about this on openssl.org How I can add threaded pool to this code?

Re: Cannot encrypt text - need help

2011-05-01 Thread David Schwartz
On 5/1/2011 1:34 AM, derleader mail wrote: I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part We mean application protocol. while (1) { sock = accept(listensock, NULL, NULL); printf(client connected to child thread %i with

Re: Cannot encrypt text - need help

2011-05-01 Thread David Schwartz
On 5/1/2011 3:31 AM, derleader mail wrote: So I need a high performance solution that can handle many connections with little server load. 1. SSL is a good solution but is not high performance - it's more suitable for encryption of a web page. When establishing connection more than 100

Re: Cannot encrypt text - need help

2011-04-30 Thread David Schwartz
On 4/30/2011 10:48 AM, derleader mail wrote: Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen(). Is there other solution? Are you

Re: Combining MD5 and SHA-1 to reduce collision probability

2011-04-20 Thread David Schwartz
On 4/20/2011 1:18 AM, Luc Perthuis wrote: Hi all, I'm specially interested on finding a way to uniquely identify rather small data chunks (less than or equal to 128*1024 bytes in size) without using a byte per byte compare. Is there any theoretical proof for a good selection of 2 HASH

Re: RSA key

2011-04-13 Thread David Schwartz
On 4/13/2011 2:35 AM, pattabi raman wrote: 1. If I can't use sprintf then how can I copy the encrypted message to a character buffer. Because so far I am sending the request to middleware in Char Buffer using TCP /IP socket. How can I able to achieve now. If you don't know how to copy bytes

Re: RSA key

2011-04-12 Thread David Schwartz
On 4/11/2011 6:36 PM, Adrian D. Sacrez wrote: I'm fairly new to OpenSSL. How do I convert the rsa generated by rsa_keygen_ex() into a public and private key? Is there a way to do that? I assume you mean RSA_generate_key_ex. It already is. The purpose of this function is to generate a new

Re: does OpenSSL call locking-callback/thread-id-callback from any internal threads?

2011-04-10 Thread David Schwartz
On 4/10/2011 3:03 PM, Anton Vodonosov wrote: The question: if I provide locking_callback, will it be called only from the threads where I invoke OpenSSL functions, or OpenSSL may call it from some private/internal threads not created by me? Since there's no callback to create a thread,

Re: BIO_do_accept() + fork() is leaking 64B?

2011-03-25 Thread David Schwartz
On 3/25/2011 3:50 AM, Michał Stawiński wrote: //freeing popped client BIO in parent would disconnect client in child, //so I can not free it, which will cause 64B memory leak //parent: BIO_free ( b=client_bio ) : 1 //??? I don't know of any elegant solution. But there's a way that works.

Re: BIO_do_accept() + fork() is leaking 64B?

2011-03-25 Thread David Schwartz
On 3/25/2011 2:33 PM, Michal Stawinski wrote: 2011/3/25 David Schwartzdav...@webmaster.com: I don't know of any elegant solution. But there's a way that works. Open a file descriptor or socket you don't care about (for example, open /dev/null). Then 'dup2' that file descriptor over

Re: Examples to encrypt/decrypt

2011-03-25 Thread David Schwartz
On 3/25/2011 4:17 PM, Jeremy Farrell wrote: From: Jeffrey Walton Sent: Friday, March 25, 2011 8:45 PM On Fri, Mar 25, 2011 at 3:56 PM, Anthony Gabrielsonagabriels...@comcast.net wrote: This will do what you want:

Re: How to handle Expired or not yet valid X.509 certificates - or simply is the system date wrong?

2011-03-22 Thread David Schwartz
On 3/22/2011 9:07 AM, Steffen DETTMER wrote: When some entity verifies a certificate, finds a valid signature etc but the current date is not between Valid From to Valid To, meaning the certificate seems not yet valid or expired, what is recommended to do? It depends what you're doing. I

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread David Schwartz
On 3/17/2011 5:00 AM, ikuzar wrote: The problem : when I print data, I have got : HELLO��y0�y 0�y��y i`�0�y ������L���L��-M etc... instead of HELLO. in MYrecv, when I make L = 5, it works what should I do to read just the right size so that when I print I get HELLO, GOODBYE, etc

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread David Schwartz
On 3/17/2011 6:40 AM, ikuzar wrote: Why do we expect \r\n ? why not \0 ? That's why you need to implement a protocol. DS

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread David Schwartz
On 3/17/2011 7:43 AM, ikuzar wrote: I am confused. When I used a simple c++ program which uses SSL functions for the first time, I need not implement a protocol. when I tell SSL_write( ) to send 5 bytes and tell SSL_read( ) to read 10 bytes, the last reads 5 bytes ! ( doesn't it ? am I wrong ?

Re: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

2011-03-07 Thread David Schwartz
On 3/7/2011 2:45 PM, Yan, Bob wrote: My question is that if my Reader thread gets a SSL_ERROR_WANT_WRITE error from SSL_read function call, can my Writer thread do the SSL_write operation right after the Reader’s SSL_read operation? Yes. Or, if my Writer thread gets a SSL_ERROR_WANT_READ

Re: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

2011-03-07 Thread David Schwartz
On 3/7/2011 4:19 PM, Yan, Bob wrote: Thank you very much, David, In general, if the application use select/poll system function to check the readable of underline BIO and invoke the SSL_read/SSL_write only if there are data available on the socket, can the deadlock still happened? Not

Re: BN_mod_mul_montgomery() causing cpu spike

2011-03-05 Thread David Schwartz
On 3/2/2011 10:23 AM, prakgen wrote: I've enabled fips in sshd (OpenSSH 5.5p1) Why? and linked it against openssl-fips-1.2. Everytime time sshd is spawned, the cpu utilization shoots up and remains high (40% to 90%) for around 5 seconds. Doctor, it hurts when I do that. Then don't do

Re: BN_mod_mul_montgomery() causing cpu spike

2011-03-05 Thread David Schwartz
On 3/5/2011 6:23 AM, prakgen wrote: and linked it against openssl-fips-1.2. Everytime time sshd is spawned, the cpu utilization shoots up and remains high (40% to 90%) for around 5 seconds. Doctor, it hurts when I do that. Then don't do that. Well Doctor, I need to do that. Then it's

Re: SSL_connect( ) want read

2011-03-04 Thread David Schwartz
On 3/3/2011 6:50 AM, ikuzar wrote: Hello, I have got a SSL_ERROR_WANT_READ after a call to SSL_connect. I 'd like to know what should I do exactly ? Thanks Retry the connect operation later, ideally after confirming that the underlying socket is readable. DS

Re: SSL_write( ) fails

2011-03-02 Thread David Schwartz
On 3/2/2011 9:55 AM, ikuzar wrote: 3) I come back to the SSL_write( ). He wants to read( ). The doc says : Caveat: Any TLS/SSL I/O function can lead to either of *SSL_ERROR_WANT_READ* and *SSL_ERROR_WANT_WRITE*. In particular, |SSL_read()| or |SSL_peek()| may want to write data and

Re: Registration

2011-02-25 Thread David Schwartz
On 2/25/2011 11:59 AM, Michael S. Zick wrote: On Fri February 25 2011, Ricardo Custodio wrote: Veja www.icp.edu.br Interesting, I get a server certificate fails authentication from the above address. You haven't chosen to trust the CA that issued it. Keep in mind that when the person

Re: Registration

2011-02-25 Thread David Schwartz
On 2/25/2011 5:03 PM, John R Pierce wrote: the root certificate in question is not in either Google Chrome's list of CAs, or in Mozilla Firefox's list. AC-SSL da ICPEDU is the Root CA, issuing a certificate to www.icp.edu.br The Root Certificate appears to be one locally generated...

Re: Expiration date of a STARTTLS certificate

2011-02-21 Thread David Schwartz
On 2/20/2011 6:42 PM, Bharani Dharan wrote: Hi, I want to find following details but getting error. Errors are highlighted in RED. Kindly advise. # echo | openssl s_client -connect server:25 -starttls smtp certificate gethostbyname failure connect:errno=0 Presumably the name of the

Re: problem in ssl connection with server

2011-02-03 Thread David Schwartz
On 2/2/2011 9:13 PM, praveen kumar wrote: i got this error,they configured port 8000 for ssl but still i cant get problem where it is? Can any one help me where is the exact problem? Their server doesn't correctly support SSL negotiation. You can make it work by disabling TLS1

Re: [FWD] problem in privete key

2011-01-31 Thread David Schwartz
On 1/31/2011 12:25 AM, Lutz Jaenicke wrote: Dear friend This is praveenkumar working as a app developer from Linkwell telesystems,hyderabad,India. i have a problem in ssl while hitting the server with the certificate provided by server.i am using openssl tool in linux. When

Re: RSA_generate_key function

2011-01-31 Thread David Schwartz
On 1/31/2011 5:37 PM, Ashwin Chandra wrote: I would like to call this function to generate the same public/private key everytime. I thought all I had to do was create the same seed using RAND_seed each time, however I still keep getting different key pairs. Is there any way to have

Re: Intermediate CA

2011-01-13 Thread David Schwartz
On 1/12/2011 3:19 PM, Jijo wrote: Hi All, I hope this a basic question for you guys.. I'm trying to setup TLS connection between Client and Server. In the server i did following things, 1. Created a selfsigned rootCA 2. Created IntermediateCA and signed with rootCA. 3. Create a Server

Re: [openssl-users] Re: How to disable index and serial?

2011-01-12 Thread David Schwartz
On 1/12/2011 6:48 AM, Mark H. Wood wrote: Oh, now I'm curious. How do they test the randomness of a single sample? 1 is every bit as random (or nonrandom) as 0xdcb4a459f014617692d112f0942c89cb. They don't validate the number itself, they validate that the method by which the number was

Re: How to disable index and serial?

2011-01-11 Thread David Schwartz
On 1/11/2011 7:02 AM, Fredrik Strömberg wrote: (For the curious: I don´t need serial because I only identify with CN, and I don´t need a database because I will never revoke any certificates.) The problem is, everybody else identifies by serial. So unless you don't plan to interoperate with

Re: openssl socket

2010-12-29 Thread David Schwartz
On 12/29/2010 1:11 AM, Esimorp E wrote: Hi all, I tried changing the one-to-one socket type in OpenSSL to one-to-many by changing SOCK_STREAM to SOCK_SEQPACKET and it compiled fine but while trying to run other program on it I had the following error: bss_dgram.c(236): OpenSSL internal error,

Re: SSL cert chain validation timestamp issues

2010-12-21 Thread David Schwartz
On 12/20/2010 10:49 AM, travis+ml-open...@subspacefield.org wrote: So a friend ran into this lately; libnss, at least on Linux, checks that the signing cert (chain) is valid at the time of signature - as opposed to present time. (It may check present time as well - not sure on that) This is

Re: How to find the other end can support SSL or not

2010-12-17 Thread David Schwartz
On 12/17/2010 1:41 AM, Kingston Smiler wrote: Is there any way to identify whether the other end supports TLS or not. There is no way we could know the answer to this question. We have no idea what your other end is, who designed it, or how. My requirement is like this. If the other end

Re: SSL shutdown

2010-12-02 Thread David Schwartz
On 12/2/2010 2:36 AM, Aarno Syvänen wrote: Hi List, I have problem with SSL_shutdown. Advice seems to be to call it again, if the return value is 0. However, this means that shutdown can hang forever. Can I just call SSL_shutdown and go on ? You can go do other things and try to shut the

Re: Handshake split across multiple TCP connections

2010-11-29 Thread David Schwartz
On 11/29/2010 2:34 AM, A. N. Alias wrote: I've been using IE, Chrome and Firefox as clients for a test SSL/TLS server. This works fine with Firefox, which uses a single TCP connection for the TLS handshake and subsequent communication. However, IE and Chrome seem often to send different parts

Re: problem with pem file, no start line. centos.

2010-11-18 Thread David Schwartz
On 11/18/2010 12:50 AM, Steve yongjin Shin wrote: -BEGIN RSA PRIVATE KEY- ...omitted.. -END RSA PRIVATE KEY- -BEGIN CERTIFICATE- ...omitted... -END CERTIFICATE-

Re: Question regarding OpenSSL Security Advisory

2010-11-18 Thread David Schwartz
On 11/18/2010 7:26 AM, Pandit Panburana wrote: I am not clear about the condition that vulnerability when using internal session caching mechanism. Is it the same thing as TLS session caching or this is some thing different? The internal session caching mechanism caches TLS session

Re: Question regarding OpenSSL Security Advisory

2010-11-17 Thread David Schwartz
On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote: Hi, I had some questions about the latest security advisory. I understand that this applies to multi-threaded application while using ssl sessions. Correct. If the application is written thread safe using CRYPTO_set_locking_callback

Re: Force ASN.1 encoding routines to keep existing encoding

2010-11-08 Thread David Schwartz
On 11/6/2010 7:44 AM, Martin Boßlet wrote: I just tested, whether the BER-encoding is preserved if I do not alter any of the contents. Unfortunately, it seems as if the encoding is not preserved. I did the following: d2i_PKCS7_bio(file,p7); and then directly i2d_PKCS7_bio(file2, p7); again.

Re: SSL_connect and SSL_accept deadlock!

2010-11-07 Thread David Schwartz
This may be a stretch, but did you confirm the socket is within the range of sockets your platform allows you to 'select' on? For example, Linux by default doesn't permit you to 'select' on socket numbers 1,025 and up, though you can have more than 1,024 file descriptors in use without a

Re: SSL_connect and SSL_accept deadlock!

2010-11-03 Thread David Schwartz
On 11/2/2010 6:25 PM, Md Lazreg wrote: r=select(m_sock_fd + 1, fds, 0, 0, ptv); if (r = 0 (Errno == EAGAIN || Errno == EINTR))/*if we timed out with EAGAIN try again*/ { r = 1; } This code is broken. If 'select' returns zero, checking errno is

Re: FIPS mode - fails to read the RSA key

2010-10-06 Thread David Schwartz
On 10/6/2010 5:01 AM, john.mattapi...@wipro.com wrote: Thanks Steve, I used the following commands to create the certificate using the openssl built with FIPS support openssl genrsa -des3 -out wv-key.pem 1024 openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365 Do I miss any

Re: Set Time out for SSL read

2010-10-02 Thread David Schwartz
On 9/30/2010 11:39 PM, Raj wrote: Can you please let me know how can I set time out as a whole. I think you are mentioning about SSL_CTX_Set_timeout function. If it is so then I have set the time out using this function, and sadly I didn't get the expected result. There are a lot of ways. The

Re: Set Time out for SSL read

2010-09-30 Thread David Schwartz
On 9/29/2010 11:41 PM, Raj wrote: Hi All Is there any method to set time our for SSL _read function. As from the Open SSL document SSL_read will not return if there is no data to read from the socket You really shouldn't need this. If you know for sure that it's the other side's turn to

Re: where is the memory being held

2010-09-28 Thread David Schwartz
On 9/27/2010 4:13 PM, Scott Neugroschl wrote: As David said, yes. On the other hand, you could re-implement malloc() and free() for your platform. There's really no way to make that help very much. It might help a little, but the fundamental problem is this: If you want to implement each

Re: Does OpenSSL have any plans of supporting SSL_read / SSL_write on the same SSL_S from multiple threads?

2010-09-27 Thread David Schwartz
On 9/25/2010 9:31 AM, Jayaraghavendran k wrote: (a) Does OpenSSL plan to support this feature in any of it's future releases? (Or does any of the releases already support it? I went through the Change Logs, but couldn't find anything), If no, why not? I can't answer whether there are any

Re: where is the memory being held

2010-09-27 Thread David Schwartz
On 9/26/2010 11:14 PM, zhu qun-ying wrote: Does it mean that it is hard to change the behavior? Yes, because it's not implemented in any one particular place. It's a fundamental design assumption throughout OpenSSL that it's aimed at general-purpose computers with virtual memory subsystems.

Re: where is the memory being held

2010-09-24 Thread David Schwartz
On 9/24/2010 11:05 AM, zhu qun-ying wrote: I think I should clarify something here. The app is running in a small device that does not have virtual memory (no swap space) and the memory is limited (256/512 M). In peak connections, it may use up to 90% of the system memory, and when

Re: Creating Extended Validation SSL Certificates

2010-09-23 Thread David Schwartz
On 9/23/2010 7:16 AM, Gumbie wrote: Can someone explain what is needed to create and EV (Extended Validation) Certificate? I have been trying to research this and have found limited information on this. Only one document that was of any help

Re: where is the memory being held

2010-09-23 Thread David Schwartz
On 9/23/2010 11:42 AM, zhu qun-ying wrote: Hi, I have an SSL application, that is supposed to run for a long time. After some time of running, I found the usage of the memory is growing. I stop all SSL connections and checked all SSL * has been freed but it could not release the memory back

Re: SHA-1 Hash Problem with i2d_Pubkey()

2010-09-13 Thread David Schwartz
On 9/12/2010 11:38 PM, Raj Singh wrote: issuer_pubkey_len = i2d_PUBKEY(pubKey, NULL); issuer_pubkey = malloc(issuer_pubkey_len); i2d_PUBKEY(pubKey, issuer_pubkey); memory_dump(issuer_pubkey, issuer_pubkey, issuer_pubkey_len); The problem, is issuer_pubkey buffer is different each time, I run

RE: Connection Resetting

2010-09-01 Thread David Schwartz
Sam Jantz wrote: It's multi threaded with non-blocking I/O.  I'm not sure exactly what you mean by socket discovery, but I think you are asking how my program determines when something is ready?  If that's the case then my program uses a select statement to watch the file descriptor to see

RE: Connection Resetting

2010-08-31 Thread David Schwartz
I'm writing a SSL proxy (which is working great except for this issue) and every time I got to attach a file in an email the connection resets, and it gets caught in an infinite retransmit loop. There are two totally different ways you can make an SSL proxy, and to figure out your issue, we

RE: Man in the middle proxy - Not working

2010-08-18 Thread David Schwartz
Raj wrote: I have tried one more method to read the data from the socket, which was partially successful it is defined as follows do { dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); // Gets the data from the server side

RE: SSL/TLS with server names picked from DNS

2010-08-12 Thread David Schwartz
Sandeep Kiran P wrote: We dont have any control on how the server generates its certificates. As said earlier, we only control the client portion of SSL/TLS. Sites where our client application runs, is handed over the location where trusted CA certs are stored and thats all we have.  

RE: Man in the middle proxy - Not working

2010-08-04 Thread David Schwartz
Raj wrote: Thanks for all the response 1. I was able to do the handshaking successfully with the browser. On receiving the request from the browser I will send HTTP OK response back to the browser, I was able to do the handshaking and read the actual GET request. 2.

RE: Man in the middle proxy - Not working

2010-07-27 Thread David Schwartz
Alexey Drozdov wrote: Hi! When your setup proxy setting for browsers, they using HTTP CONNECT method for establish pure tcp-connection via proxy (not for local resources). It's seems like: Client send HTTP-request to proxy CONNECT remotehost:port HTTP/1.1 Host:

RE: Man in the middle proxy - Not working

2010-07-27 Thread David Schwartz
Rene Hollan: Oh! I totally misunderstood this. I thought OP wanted to MITM SSL sessions (which is possible, if (a) the traffic is decrypted, (b) certs are reissued and resigned, and (c) the client TRUSTS the modified cert chain (typically its root cert)). This is just HTTPS Proxy. In

RE: Why does my browser give a warning about a mismatched hostname

2010-07-24 Thread David Schwartz
I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to device. I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname. I'm accessing this device via IP

RE: handling SSL_ERROR_ZERO_RETURN from SSL_read

2010-07-13 Thread David Schwartz
Amit Ben Shahar wrote: Hi, The documentation specifies that SSL_ERROR_ZERO_RETURN is returned if the transport layer is closed normally. My question is, how should i handle this return code? specifically should i call SSL_free normally to free resources, or are resources already freed?

RE: question about max length string to encrypt with rsa 2048

2010-07-11 Thread David Schwartz
Chuck Pareto wrote: My group is using RSA with a key thats 2048 in size. We want to encrypt strings that are longer then this key size gives. If we switch to a key that is 4096 what is the max string length we can encrypt? is it double? No, no! You are doing this all wrong! RSA is an

RE: Smime decrypting passin argument with windows shell

2010-06-12 Thread David Schwartz
fatalfr fatalfr wrote: Thank you for your reply. Actually I use -passin (email editing problem ?) Complete command line working fine in cmd is the following one :   openSSL smime -decrypt -in OUT\TEST_OK.TXT -out OUT\OK.TXT -inkey SBE\sbe-test.key.pem -passin pass:tn!;bg+xy:tABrP1YZK  

RE: blowfish failing after around 1k input data...

2010-06-11 Thread David Schwartz
Charlie wrote: His algorithm has one part that doesn't seem right to me, but changing it made things even worse. It seems weird that the Final function is inside the main for loop. It seems like final should mean... final. (ie: after the looping is done). It's quite common that fixing one

RE: Segfault when encrypting

2010-06-10 Thread David Schwartz
Hannes Schuller wrote: I'm very puzzled here. Why do you sign the reply and then sign a hash of the signature? You say Message encryption successful, but that's a signature you're doing, not an encryption. I was under the impression that RSA_private_encrypt and RSA_public_encrypt do

RE: Segfault when encrypting

2010-06-09 Thread David Schwartz
Hannes Schuller wrote: hash = (unsigned char *)malloc(RSA_size(rsa) * sizeof(unsigned char)); ciphertext = (char *)malloc(RSA_size(rsa) * sizeof(char)); signature = (char *)malloc(RSA_size(rsa) * sizeof(char)); if (ciphertext != NULL && signature != NULL && hash != NULL) {

RE: max length to encrypt

2010-06-02 Thread David Schwartz
Chuck Pareto wrote: I'm not sure what you mean by shouldn't be using public-key encryption, why? Because you don't understand its properties, so there's no way you can know whether or not it meets your security requirements. It seems like .Net sets up a nice class that is easily

RE: OpenSSL Error Handling

2010-05-29 Thread David Schwartz
Pankaj Aggarwal wrote: I am able to think about the following approaches :   1. Keep a record a threads which are spawned.   2. Expose a function from our library for cleanup when the thread exits  Is there any other way to avoid the memory leak caused by error queues ? There are several:

RE: compilation problem for xscale.

2010-05-26 Thread David Schwartz
Rusty Carruth wrote: I would have thought that OPENssl, for which I have the source, would have met the requirements to use the _GPL symbols in the kernel. The requirement is that the module claim that it is available under the GPL by containing a specific license declaration. You can fix this

RE: max length to encrypt

2010-05-26 Thread David Schwartz
Chuck Pareto wrote: if my public key is 256 bytes long, what is the max length of the string I can use to encrypt? Is it 256? If the output is exactly 256 bytes, there are (in theory) 2^(256*8) possible outputs. That means there can be at most 2^(256*8) possible inputs. There are more than

RE: AES-256 CBC encrypt/decrypt usage problem

2010-05-25 Thread David Schwartz
Kunal Sharma wrote: What I see happening is this: ENCRYPT - size of /etc/rgconf on disk is 157043 bytes ENCRYPT - size of /etc/rgconf_encrypted on disk is 157044 bytes. BROWSER saves the file to disk - size is 136 bytes (How ???) You called 'strlen' on something that was not a string, so it

RE: AES-256 CBC encrypt/decrypt usage problem

2010-05-20 Thread David Schwartz
Kunal Sharma wrote: void encode2(char *inbuf,char *outbuf) { unsigned char key32[] = "As different as chalk and cheese"; unsigned char iv[] = "As dark as pitch"; AES_KEY aeskey; memset(outbuf, 0, sizeof(outbuf)); AES_set_encrypt_key(key32, 32*8,

RE: openssl enc block size

2010-05-08 Thread David Schwartz
Johannes Baeuer wrote: Why would a 16 byte block need to be padded by one byte to 17 bytes? Is it really not immediately obvious? No encrypted output for one or more bytes of input can be less than 16 bytes. Thus the smallest possible output sequence is 16-bytes. The number of possible

RE: Is it not possible to decrypt partial AES messages?

2010-05-05 Thread David Schwartz
Christina Penn wrote: Hello David,   Can you show me exactly how to break up my example code to make my example work? It's really simple. When you want to decrypt a message, call EVP_DecryptInit_ex. For each chunk of data you want to decrypt that is part of the message, call

RE: Is it not possible to decrypt partial AES messages?

2010-05-04 Thread David Schwartz
Christina Penn wrote: Here is some example code of me trying to decrypt a partial AES message. It doesn't work.. is there a way I can do something like this? It only works if I call DecryptMessage() with the entire encrypted string. Why? Your DecryptMessage function is specifically designed

RE: Verisign client requirements

2010-04-20 Thread David Schwartz
Piper Guy1 wrote: This is precisely what a browser does. Again, using the https://www.amazon.com example, OpenSSL takes care of getting the certificate from the server, making sure the certificate is valid, checking that the server owns the certificate, and making sure the

RE: Multi Threaded questions

2010-04-18 Thread David Schwartz
Sad Clouds wrote: 1) According to the FAQ, an SSL connection may not concurrently be used by multiple threads. Does this mean that an SSL connection can be used by different threads provided access is limited to one at a time? I assume that having a mutex for each SSL object would

RE: Verisign client requirements

2010-04-05 Thread David Schwartz
Piper.guy1 wrote: Hi, Please understand I'm a newbie to security if my question sounds rather elementary. The embedded product I'm working on requires a secure connection to our server that uses a Verisign certificate to authenticate. I've been porting the OpenSSL examples from the

RE: Pre Master Secret Regarding

2010-04-03 Thread David Schwartz
Aravinda babu wrote: During SSL/TLS handshake,a pre master secret is sent from client to the server by encrypting pre master secret with server's public key. From that both client and server derive master secret and finally one symmetric key. My doubt is, why both cannot use pre master

RE: Random Numbers

2010-03-31 Thread David Schwartz
P Kamath wrote: I said it is an RNG, not cryptographic RNG. By adding current time source, however crude, and doing a sha1/md5, why should it not be cryptoPRNG? What properties should I look for? You should look for a cryptographically-secure random number generator. Seriously, you

RE: Shorten the timeout for openssl s_client?

2010-03-12 Thread David Schwartz
Todd Thatcher wrote: Using the command "openssl s_client -connect gmail.google.com:443" openssl gets the certificate information and stays connected until I enter QUIT, or the timeout is hit -- about 2 minutes later. I want to script certificate expiration date checks for our servers. Is

RE: Sign an SSL certificate with mutile trusted roots?

2010-02-25 Thread David Schwartz
Rene Hollan wrote: I guess I'm just dense and stupid. Won't that fail since the CA IC cert won't be signed by the CA cert identified as it's issuer? Yeah, I think you're right. I made the same mistake I was trying to convince the OP not to make -- thinking that CAs sign certificates. The

RE: Sign an SSL certificate with mutile trusted roots?

2010-02-24 Thread David Schwartz
Shaun Crampton wrote: Is there any way to accomplish this while using only one domain? Can you be very precise about what you mean by only one domain? For example, you can do it by pointing www.example.com and www-x.example.com at the same IP and having the server issue a different certificate
