On Thu, Jul 24, 2003 at 03:43:43PM -0700, David Schwartz wrote:
Please check this url:
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
Server authentication, step 4
The only difference is that netscape just check domain name.
Does the domain name in the server's
Once upon a time, I heard Dr. Stephen Henson say:
Its PKCS#7 signedData. You can use the smime utility with -inform DER
or programatically d2i_PKCS7().
Thanks, it works well this way...
But what is meant by the MD5 sum for this key? I wasn't abel to
reproduce it neither with openssl nor with
Hello Alain,
where did you see the certificate status option? from my IE6 browser,
it indicates only indicates that the certificate isn't verified by a
trusted CA... not to mention I see the SSL symbol (locked padlock
icon) which indicates that 128-bit encryption is enabled...
any more
-Original Message-
From: Bob DeBolt [mailto:[EMAIL PROTECTED]
Sent: 14 July 2003 18:35
To: [EMAIL PROTECTED]
Subject: RE: Signing a CSR from JetDirect
It seems to me that it is in the best interest of the major
CAs to not offer wildcard certificates; that way, they can
On 2003-07-24 at 18:43, David Schwartz wrote:
Please check this url:
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
Server authentication, step 4
The only difference is that netscape just check domain name.
Does the domain name in the server's certificate match
Hi!
I probably have a very basic question, but I need to describe my problem
in detail to make sure everybody understands what I'm seeking for,
because I may not possibly use the correct terminology. I want to have
this kind of organizational structure (OU = Organizational Unit):
Root-CA
|
On Fri, Jul 25, 2003 at 09:18:52AM -0400, Jue (Jacky) Shu wrote:
On 2003-07-24 at 18:43, David Schwartz wrote:
Please check this url:
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
Server authentication, step 4
The only difference is that netscape just check
This is what I'm trying to prevent. after shake-hand and authentication
by SSL, it is still not safe enough. because other poople and I share
some common secrets (key and certificate), but if secrets are comprised,
(I know that people don't like this idea of losing key, but it happened
David Schwartz wrote:
This is not a MITM. A Man-in-the-middle attack assumes a party on the
wire, witnessing all communication and able to insert arbitrary text.
Exactly. That's a MITM.
If I connect to 'www.amazon.com' through a MITM, that MITM can do one of
two things. He can
Title: ???
Morning, can someone tell me what this error code means when I do the following, also were can I find a list of all the error codes.
[EMAIL PROTECTED] admin]$ openssl s_client -connect 192.168.188.243:443
connect: Connection refused
connect:errno=29
Thanks in Advance
mike
[EMAIL PROTECTED] admin]$ openssl s_client -connect 192.168.188.243:443
connect: Connection refused
connect:errno=29
It means that there is nothing listening in port 443 on the remote host,
so the kernel over there rejected your attempt to connect.
For more details, try man 2 errno
/r$
The case of connecting to a different party (hijacking) has nothing
whatsoever to do with MITM.
A MITM is a different party! No offense, but do you have any idea
what
you're talking about?
Back to school, David. MITM is used by cryptographers to refer to
an interposer who
Brian Hatch wrote:
Ahha! I know what we'll do, we'll require certificate authentication!
Ok, assuming I have a list of the major CAs and the the certificate
verified correctly
You're missing the point. A hijack or redirect is not a MITM
attack. These words have specific meaning, which you are
Ahha! I know what we'll do, we'll require certificate authentication!
Ok, assuming I have a list of the major CAs and the the certificate
verified correctly
You're missing the point. A hijack or redirect is not a MITM
attack. These words have specific meaning, which you are abusing.
Hi, I have an SSL client/server application,
on randomly basis, I got this error in my ssl server. When it does the
SSL_accept, it sometimes got following problem.
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not
01
Then the handshake is failed. I am using SSLv3, and
Brian Hatch wrote:
Ahha! I know what we'll do, we'll require certificate authentication!
Ok, assuming I have a list of the major CAs and the the certificate
verified correctly
You're missing the point. A hijack or redirect is not a MITM
attack. These words have specific meaning,
Hi,
On July 25, 2003 01:45 pm, David Schwartz wrote:
Hijacks and redirects are all within the scope of what a MITM can do.
No, they only within the scope of what an attacker can do. The attacker
becomes a MITM if they can do it without you knowing anything's wrong.
Note doing it without
Thanks for the suggestion! I tried it and it didn't work.
I think Umesh's eMail below (note he works for HP) hit the nail on the head. I tried his suggestion (below), and then did:
openssl x509 -req -in hplj4600dn1.csr -CA ultimeth.pem -days 3650 -set_serial 01 -out hplj4600dn1.crt
but the
David Schwartz wrote:
Hijacks and redirects are all within the scope of what a MITM can do.
That's a Humpty-Dumpty argument, not the definition used by cryptographers.
You're simply confused, or are immune to education.
You want a simple definition of a MITM? Here it is -- you think you have:
No, they only within the scope of what an attacker can do. The attacker
becomes a MITM if they can do it without you knowing anything's wrong.
And SSL/TLS does not itself let you know anything is wrong.
SSL/TLS provides the *ability* for you to know something is wrong
*if* the developers
Sorry David, but your definition of MITM is wrong. Or, more accurately,
it is not aligned with how cryptographers and security analysts
generally conceive it.
In an MITM attack, the adversary sits between A and B and is able to
intercept and/or modify the communications between the two of
In an MITM attack, the adversary sits between A and B and is able to
intercept and/or modify the communications between the two of them
without their knowledge. Server certificates and the DN's CN must be
the FQDN (sic:) help prevent MITM.
Yes, they help. They do a damned good job of
Hi,
On July 25, 2003 03:13 pm, Brian Hatch wrote:
SSL/TLS provides the *ability* for you to know something is wrong
*if* the developers correctly used the tools available to them.
Without enforcing certificate authentication and/or CN matching,
the user will not know anything is wrong. This
On Fri, Jul 25, 2003, Wu Junwei wrote:
Hi,all
I have a question on certificate verifying.
In X509_verify_cert(), after checking the prupose (my understanding is to
check the extension of the V3 certificate),
it checks the so-called trust :
if (ctx-trust 0) ok = check_trust(ctx);
And this is precisely the crux of why I think this thread is a waste of
bandwidth.
Agreed.
I'll end, promising to shut up after this, with the following summary
1) SSL/TLS has the capabilities to be immune to MITM attacks.
2) These capabilities may be used in any number
I got it to work; the command below just needs:
-extfile ../openssl.cnf -extensions usr_cert
I had ASSUMED that since openssl req and openssl ca can find the openssl.cnf file, that openssl x509 could also.
-- Dean
Dean Gibson (System Administrator) wrote on 2003-07-25 11:49:
Thanks for the
David Schwartz wrote:
Hijacks and redirects are all within the scope of what a
MITM can do.
That's a Humpty-Dumpty argument, not the definition used by
cryptographers.
You're simply confused, or are immune to education.
No, I am not at all confused. You are confused and
Hi,
On July 25, 2003 01:45 pm, David Schwartz wrote:
Hijacks and redirects are all within the scope of what a
MITM can do.
No, they only within the scope of what an attacker can do. The attacker
becomes a MITM if they can do it without you knowing anything's wrong.
The MITM
David Schwartz wrote:
No, I am not at all confused. You are confused and immune to education and
based on the number of emails I've gotten about this thread from
professional security people, I'm pretty sure I'm right
David, I am a security professional, and I have the greatest respect
Sorry David, but your definition of MITM is wrong. Or, more accurately,
it is not aligned with how cryptographers and security analysts
generally conceive it.
I don't see how. I just went to 35 sites that defined MITM and all of them
defined them the way I did.
In an MITM attack,
SSL/TLS plus good authentication methods is immune to MITM attacks.[1]
[1] Depending on everyone you trust being trustworthy. What if I'm
a verisign employee and can manage to generate a verisign-signed
cert for www.microsoft.com? I can MITM, and no alerts will occur
No, I am not at all confused. You are confused and immune to
education and
based on the number of emails I've gotten about this thread from
professional security people, I'm pretty sure I'm right
David, I am a security professional, and I have the greatest respect for
Rich Salz, and I
32 matches
Mail list logo
