Re: [openssl-users] Selection of DHE ciphers based on modulus size of DH

s listed in the RFC. > > > On 08/06/2018 12:15, Sanjaya Joshi wrote: > >> Hello, >> Thank you Matt and Jordan. So, it seems that it's possible to modify my >> client to accept/reject the DH group key length. But i have one more issue >> to be clarified. >>

Re: [openssl-users] Selection of DHE ciphers based on modulus size of DH

Hello, Thank you Matt and Jordan. So, it seems that it's possible to modify my client to accept/reject the DH group key length. But i have one more issue to be clarified. Is it possible that if a client does not accept the DH group key length used by the server, then, a different possible cipher

Re: [openssl-users] Selection of DHE ciphers based on modulus size of DH

ore allowed, for which i didn't find a good reasoning. Regards, Sanjaya On Thu, Jun 7, 2018 at 8:52 AM, Jordan Brown wrote: > On 6/6/2018 12:11 PM, Sanjaya Joshi wrote: > > I understood that when DHE ciphers are tried to be used between two > entities, it's only the server that pl

[openssl-users] Selection of DHE ciphers based on modulus size of DH

Hello, I understood that when DHE ciphers are tried to be used between two entities, it's only the server that plays a role about selection of the DH parameters. This is not negotiable with the client. For e.g., the server can freely use a very low not-recommended DH group with 512 bit key length

Re: [openssl-users] Binding the socket to a source IP address before connect

Hi, Thanks Michael. I'll check if your proposal fits my requirement. Regards, Sanjaya On Wed, Jan 10, 2018 at 7:55 PM, Michael Richardson <m...@sandelman.ca> wrote: > > Sanjaya Joshi <joshi.sanj...@gmail.com> wrote: > > Is there a BIO family of API that

[openssl-users] Binding the socket to a source IP address before connect

Hello, Is there a BIO family of API that OpenSSL provides to bind to a specific source IP address before creating a socket connection (using for e.g. BIO_new_connect()) ? My application does not need to rely on the kernel-provided source IP address and hence the need for this. Regards, Sanjaya --

Re: [openssl-users] Compatibility between different openssl versions

Hi, Thank you Salz Rich. It's clear now. Regards, Sanjaya On Mon, Nov 27, 2017 at 6:42 PM, Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > >- Whether openssl 1.0.x and 1.1.x can interwork ? > > > > Yup. As long as they share a TLS version, no problem. > > -- >

Re: [openssl-users] Compatibility between different openssl versions

Thank you for the confirmation Matt. Regards, Sanjaya On Mon, Nov 27, 2017 at 3:50 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 27/11/17 08:47, Sanjaya Joshi wrote: > > Hello, > > Whether openssl 1.0.x and 1.1.x can interwork ? > > That is, whether T

[openssl-users] Compatibility between different openssl versions

Hello, Whether openssl 1.0.x and 1.1.x can interwork ? That is, whether TLS client on top of openssl 1.1.x and TLS server on top of openssl 1.0.x (or vice versa) can interwork efficiently ? Regards, Sanjaya -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Segmentation fault ssl23_connect()

Thanks. I'll try that. Regards, Sanjaya On 18 Apr 2017 15:27, "Matt Caswell" <m...@openssl.org> wrote: > > > On 16/04/17 20:17, Sanjaya Joshi wrote: > > Hello, > > > > I use openldap_2.3.39 to initiate secure LDAP connection (starttls) to > &g

[openssl-users] Segmentation fault ssl23_connect()

Hello, I use openldap_2.3.39 to initiate secure LDAP connection (starttls) to external LDAP server. The used openssl version is 1.0.2k. While establishing the secure connection from client, i observe the following segmentation fault occasionally (Not always reproducible). Any pointers please ?

Re: [openssl-users] Reg, TLS over SCTP (SOCK_SEQPACKET)

Hi, Thanks for the pointers. We will consider that option. Regards, Sanjaya On Wed, Mar 1, 2017 at 6:59 PM, Michael Tuexen < michael.tue...@lurchi.franken.de> wrote: > > On 1 Mar 2017, at 06:34, Sanjaya Joshi <joshi.sanj...@gmail.com> wrote: > > > &g

Re: [openssl-users] Reg, TLS over SCTP (SOCK_SEQPACKET)

Hi, Thank you Salz Rich for the confirmation. So, whether application can perform manual TLS handshakes when SOCK_SEQPACKET is used ? Regards, Sanjaya On Tue, Feb 28, 2017 at 7:03 PM, Salz, Rich wrote: > > But these calls don't work when SOCK_SEQPACKET (one-to-many

[openssl-users] Reg, TLS over SCTP (SOCK_SEQPACKET)

Hello, I understand that when implementing TLS over SCTP, if socket is opened with SOCK_STREAM (one-to-one connection), then normal openssl calls (SSL_accept, SSL_connect) can be used for TLS handshakes in a client/server program. But these calls don't work when SOCK_SEQPACKET (one-to-many

[openssl-users] Clarification regarding CVE-2016-2178 for openssl 1.0.2 i and 1.0.2 j

Hello, 1) In openssl1.0.2i, the release note says, there is a fix for CVE-2016-2178: " *) Constant time flag not preserved in DSA signing Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA

[openssl-users] Reg. SHA512WithRSAEncryption support in TLSv1.0

my client does not support SHA512 ? I use TLSv1.0. Could someone please let me know, if SHA512 is not supported by TLSv1.0 ? Thanks in advance. Regards, Sanjaya Joshi ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listin

Re: Reg. type of certificate - CA / EE based on X509_check_ca().

. Regards, Sanjaya On Tue, Jul 8, 2014 at 2:16 AM, Kyle Hamilton aerow...@gmail.com wrote: On 7/7/2014 2:40 AM, Sanjaya Joshi wrote: Hello, My application uses openssl 1.0.0, and it uses X509_check_ca() to find out if an X509 certificate is a CA certificate, or an End-entity (EE

Reg. type of certificate - CA / EE based on X509_check_ca().

Hello, My application uses openssl 1.0.0, and it uses X509_check_ca() to find out if an X509 certificate is a CA certificate, or an End-entity (EE) certificate. The below are the possible return codes. /* return codes of X509_check_ca(): * 0 not a CA * 1 is a CA

Re: PKCS#1 key vs PKCS#8...

() to get PKCS#1 encoded key in openssl 1.0.0 ? Note: In openssl 0.9.8, PEM_write_PrivateKey() provides a PKCS#1 encoded key. Regards, Sanjaya On Wed, Jun 5, 2013 at 6:33 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Tue, Jun 04, 2013, sanjaya joshi wrote: Hello, I am using strongswan

Re: Change in behavior of api PEM_write_PrivateKey() between 0.9.8 and 1.0.0

Thanks Dave for the clarifications. Regards, Sanjaya On Thu, Jun 6, 2013 at 2:11 AM, Dave Thompson dthomp...@prinpay.com wrote: From: owner-openssl-us...@openssl.org On Behalf Of sanjaya joshi Sent: Wednesday, 05 June, 2013 01:27 I have few queries wrt the RSA private key generation

PKCS#1 key vs PKCS#8...

Hello, I am using strongswan(v_4.5.3) for ipsec, that uses my X509 certificate and RSA private key. If i use RSA private key(un-encrypted) that is PKCS#8 encoded, then strongswan is not able to load the key. But it works, if i use a traditional PKCS#1 encoded RSA key. Could anyone explain,

Convertion of pkcs8 to pkcs1 key...

Hello, Could anyone let me know which is the suitable openssl command to convert PKCS#8 key to traditional PKCS#1 key in openssl_1.0.0? I used the below command, and it works in openssl_1.0.0:- openssl rsa -in pkcs8.pem -out pkcs1.pem But if i use the below command, it doesn't work in

Change in behavior of api PEM_write_PrivateKey() between 0.9.8 and 1.0.0

Hello, I have few queries wrt the RSA private key generation and writing using openssl. Could anybody please clearify. (1). Has the behavior of api PEM_write_PrivateKey() has been changed between openssl 0.9.8 and 1.0.0 ? (2). The above api uses PKCS#8 encoding (while writing) by default in

CMP key update - Which key to be used?

Hello, I need to update my end entity certificate using CMP key update request. There are 2 possibilities for the private key to be used - 'existing' or 'new'. RFC 4210 says: When a key pair is due to expire, the relevant end entity MAY request a key update; that is, it MAY request that the

Re: X509 V1 intermediate CA vs end-entity

: On Tue, Sep 25, 2012, sanjaya joshi wrote: We can conclude an X509 V1 certificate to be a root ca using (EXFLAG_V1|EXFLAG_SS). Similarly, is there a way to know whether an X509 V1 certificate is an intermediate CA or end-entity certificate ? You can't: there is nothing in a V1