message peek callback with SSL_set_msg_callback() function.
Look at examples in apps/ directory.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support
() function.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager
that transport certificates, for example you may
do
something like that:
$ wget http://www.some.server/cacert.der
(in C program of course).
This is one of many ways of getting CA certificate.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
application.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
something reasonable after decryption.
You must ensure that encrypting public key and decrypting private key
are from the same pair.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
?
Try to initialize OpenSSL library with:
SSL_library_init();
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
$ openssl s_client -cipher aNULL
connection will be established properly.
Of course commands:
$ openssl s_server -nocert -cipher ALL
$ openssl s_client -cipher ALL
works too.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
:
Code Signing
then Firefox will treat this certificate as invalid.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
, keyEncipherment,
keyAgreement
Next generate new certificate and test.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
support are
failing
because zlib.h can't be found.
How do I tell ./config where zlib.h is located ?
With Configure you may add something like:
--with-zlib-lib=/path
--with-zlib-include=/path
Best regards,
--
Marek Marcola [EMAIL PROTECTED
without doing that.
You may just use:
$ ./Configure zlib --with-zlib-lib=/path --with-zlib-include=/path mingw
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
strlen() here. Use base64 decoded length.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
Anyone can send a reference to the rsa-oaep-mgf1p algorithm?
Look at PKCS#1 document from RSA.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
();
/* Set up the SSL context */
ctx = SSL_CTX_new(SSLv23_client_method());
printf("%s",ctx);
Add SSL_library_init() call and if you want to print context pointer
use:
printf("%p\n",ctx);
Best regards,
--
Marek Marcola [EMAIL PROTECTED
is not released after this error occur, some filedescriptors
not closed or even threads not cleared.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
(and intermediate certs if exists).
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
be equal.
If these keys differ then there may be a situation where signed data is
bigger
than public key modulus.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
/certificate with openssl options -key and -cert.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
will not
be able to saturate network because of CPU bottleneck.
Also I need details about the transmitted handshake data amount..
Just use:
$ openssl s_client -connect ip:port -msg
to look how big handshake messages you have.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
regards,
--
Marek Marcola [EMAIL PROTECTED]
you should get padded ASN1 structure.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
rsa_test13.c
Description: Binary data
no clue at this point.
You may have duplicated IP address in your network.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello
The code compiles and links. Using it, however, produces different
results than using
echo some string | openssl dgst -md5
Echo command adds new line characters.
Try something like echo -n on linux or \c on hpux
to disable this.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
Hello,
If your application is multithreaded you should free
the error queue. For current thread just add line:
ERR_remove_state(0);
More information:
http://www.openssl.org/docs/crypto/ERR_remove_state.html#
Best regards,
--
Marek Marcola [EMAIL PROTECTED
SSL_CTX_set_cipher_list() if you are writing
your own application using OpenSSL.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
0x033A
SSL3 and TLS1 are very similar protocols so I think this is ok.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
Change line:
returnvalue=RSA_private_decrypt(8,pubenc,recovered,mykey,RSA_PKCS1_OAEP_PADDING);
to something like that:
returnvalue=RSA_private_decrypt(RSA_size(mykey),pubenc,recovered,mykey,RSA_PKCS1_OAEP_PADDING);
Best regards,
--
Marek Marcola [EMAIL PROTECTED
/random, /opt/openssl/prngd/prngd
but has no /dev/random, /dev/urandom installed by default
-hpux11iv2(11.23) - /dev/urandom, /dev/random, /opt/openssl/prngd/prngd
has /dev/random, /dev/urandom installed as kernel module by default
Best regards,
--
Marek Marcola [EMAIL PROTECTED
, shared keys and this type of data
is encrypted with RSA ... usually :-)
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
: write,
SSL_alert_type_string_long(val),
SSL_alert_desc_string_long(val));
}
}
and then set callback with:
SSL_CTX_set_info_callback(ctx, tls_connection_info_cb);
This example connection callback is not mine but is very useful.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
).
Especially, carefully check word size (32/64 bit)
and byte order (BIG/LITTLE endian) of target system.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
) - application protocol
0301 - TLS1 version
0020 - record length (32 bytes)
So, this looks like TLS1.
Best regards.
--
Marek Marcola [EMAIL PROTECTED]
Hello,
Hi, I have tried to run some test:
Try something like that:
# file ts-20060225-0_9_8a-patch.gz
# head ts-20060225-0_9_8a-patch.gz (may see some garbage)
# od -c ts-20060225-0_9_8a-patch.gz
to see what this file looks like.
Best regards,
--
Marek Marcola [EMAIL
()/RSA_public_decrypt() functions which will
be 2 page long. And may be called from Python.
If someone really wants this functionality of course :-)
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
,
--
Marek Marcola [EMAIL PROTECTED]
/openssl/test/ca.bak/newcerts/01.pem
Removing aNULL on any side will break TLS handshake.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
)) {
ERR_print_errors_fp(stderr);
goto err;
}
..
..
On client side:
- add code to initialize SSL_CTX structure:
if(!SSL_CTX_set_cipher_list(ctx,"ADH")) {
ERR_print_errors_fp(stderr);
goto err;
}
Best regards,
--
Marek Marcola [EMAIL PROTECTED
.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
will find there answers to your questions.
Worth to buy.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
depends the blocksize on password,
No, not depends,
or strlen is not a good way to know the blocksize?
Is not good way for this.
Of course all this is true if you use AES_ecb_encrypt().
It is only my guess.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
Hello,
That's my problem, the connection from a client to s_server is not working -
that's where I am stuck...
Run s_server with -debug -msg -state options to get more information.
Try to add -bugs to workaround some SSL compatibility problems.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
are cryptographically secure.
If return code is 0 this means that internal structures
are not seeded and self seeding was not possible.
(For example there was no source of entropy)
Best regards,
--
Marek Marcola [EMAIL PROTECTED
socket,
byte 4 and 5 have length of record data. Then if you know (encrypted)
data length you must read rest of data until you have all octets
or socket error. Reading may be in chunks (it depends how peer
is writing to socket).
Best regards,
--
Marek Marcola [EMAIL PROTECTED
(for example man s_client).
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
this with OpenSSL API
you may use RSA_verify() function (with RSA key from certificate).
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
command using SMIME
you may find some good examples at:
http://www.openssl.org/docs/apps/smime.html#
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
unfortunately is not smime.
I can't understand which command way they have used to obtain the output
You should give more information, certificate is not enough.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
,
--
Marek Marcola [EMAIL PROTECTED]
of
multiple clients from connecting from multiple ip's.)
If you have established SSL object:
SSL_get_fd();
getpeername();
gethostbyaddr();
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
is not compiled in.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
) and corresponding certificate file (eg cert.pem)
you may display these numbers from files and check if they are
equal:
$ openssl rsa -in key.pem -text -noout
$ openssl x509 -in cert.pem -text -noout
Best regards,
--
Marek Marcola [EMAIL PROTECTED
, SSL_VERIFY_NONE, NULL);
You should check your code or simply use ssldump to check
if your ssl server sends CertificateRequest packet.
If yes, this may help.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
){
error();
}
is not good.
Just my guess :-)
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
We're not sure why right now but we think a piece of network equipment
(e.g. a firewall) is detecting an FTP session but gets confused when
the encrypted data starts and kills the connection.
Cisco routers with IDS enabled do things like that.
Best regards,
--
Marek Marcola [EMAIL
Key Derivation Functions (PKCS#5) and then only parameters of these
functions must be known on both sides.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
Which algorithm is used to test a generated possible prime random
number? (openssl rsa) (Atkin-Morain ; Miller-Rabin ...etc)
Miller-Rabin.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Host: abc enter
these have no sense in HTTP protocol but if your client
understands QUIT you will be disconnected after second
enter if not, after third one you will get errors from http server.
Just for test.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
-in mycert.crt > mymod.txt works but is no
good from a shell command in a program.
With openssl x509 you can't write modulus to file because it is
always printed to stdout.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
| openssl s_client -connect ssl_host:443
Maybe there should be added something like renegotiation_rate ?
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
renegotiate_rate_limit) has to use his private RSA key
(if we use RSA) which is very time consuming.
All this happens within one tcp connection.
Application layer do not see this.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
.(in this test case, don't use client and
server certification file)
Try eNULL.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
, maybe there should be mechanism
to check minimum values of this parameters when renegotiation
may occur.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
== EVP_PKEY_DSA) {
// DSA
} else {
// NOT RSA AND NOT DSA :-)
}
EVP_PKEY_free(pkey);
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
encryption, but data integrity mechanism (MAC)
is not dependent on encryption and may be used without it.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
without changing the rest of
the BIO operations. sounds nice if this is possible.
It is possible, good example you can find in Victor Duchovni post:
http://www.nabble.com/Re%3A-Use-ssl-only-certification--p4364592.html
(no encryption, data integrity with SHA)
Best regards,
--
Marek Marcola [EMAIL
:8e:cf:27:43:df:56:db:13:
45:95:71:cc:5d:6e:98:ee:4a:9a:f8:90:de:05:86:
29:3e:47
coefficient:
64:4a:c0:45:83:3a:14:15:ef:7c:23:34:85:9c:55:
8b:b6:4c:96:92:4c:4c:d5:76:c0:b7:68:88:26:8d:
32:18
Of course this script must be modified for real use :-)
Best regards,
--
Marek Marcola
in Makefile line:
*DSO_DLFCN*) sfx=so;;
to:
*DSO_DLFCN*) sfx=sl;;
and rerun make install (temporary workaround).
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
structure and use for verify.
But I'm sure that there should be some more simple way :-)
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
040 2409 242e a379 5d61 b487 a430 fe8d 64f9
060 c0ea e72c e7d3 48fd 6875 9879 d341 298a
100 9724
102
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
(workaround).
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
might be the best route but maybe there is a
better way.
You must generate new private key (longer) for CA
and self certify. Next you should publish your new
CA certificate.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
://csrc.nist.gov/cryptval/140-1/140sp/140sp642.pdf
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
, there is no such thing
like exit(0).
but then the SSL connection which is an exact copy of the parent gets
also deinitialized.
Maybe there is some logic error ?
To read from ssl file descriptors you need more than only
system file descriptor.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
Hello,
I'm looking for a way to extract a RSA public key from an x509 certificate.
Ps: I'm programming with C.
X509_get_pubkey()
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
IS found in server database but is not associated
with SSL object you will get this error.
Maybe this comment is not very clear, but seems that
your client reuses session.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
should provide more information.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
padding type, for example
suggested for new application PKCS1 OAEP which is not recognized
(for now) with CertificateVerify.
Maybe you can trace this with ssldump and send decrypted
CertificateVerify packet ?
Best regards,
--
Marek Marcola [EMAIL PROTECTED
the traffic becomes encrypted?
Yes.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
padding with
RSA_padding_check_PKCS1_type_1() will fail and RSA_public_decrypt()
will fail.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
Is there any effort underway to implement Datagram TLS (DTLS) in
OpenSSL?
It is implemented.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
).
And sorry for my mistake in previous post:
In TLS1 length of ClientVerify data is also 16+20 bytes.
Length of Finished packet data is 12 bytes.
Too many numbers :-)
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
bad configured client) - but this may only
complicate things.
There are some SSL record layer callbacks in OpenSSL which
may be used but this is bad solution :-)
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Best regards,
So where's the documentation?
Look at apps/s_server.c and apps/s_client.c for an example.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
key_exchange. Are you setting
private RSA keys, certificate, and CA certificate also in SSL context ?
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
and check what happens.
If connection will not be successfully established then there
are some problems in your OpenSSL build.
If this test will be successful, try to connect with your SSL client
to openssl s_server.
If there will be some problems, send debug messages.
Best regards,
--
Marek Marcola
and this seems to work on 0.9.8a and 0.9.8b.
Try to run this on your system and check for errors.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
/libc.so.6 (0x0067c000)
/lib/ld-linux.so.2 (0x0065e000)
.
.
In your case, if you want to use static OpenSSL libraries
just remove -lssl -lcrypto.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
Best regards,
--
Marek Marcola [EMAIL PROTECTED
,
--
Marek Marcola [EMAIL PROTECTED]
foo.key, and want to
use bf-cfb to encrypt the input file using the key file. What kind of
command should I use?
openssl bf-cfb -in foo.in -out foo.out
-kfile_with_passphrase_in_first_line.txt
Best regards,
--
Marek Marcola [EMAIL PROTECTED
that take place within the same TCP connection.
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
Is it possible to decrypt a recorded SSL session, if the attacker gains
access to the RSA private keys at a later point in time?
If key_exchange was done with RSA and server RSA private key
was compromised ... without problem.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
;
SSL_free(_my_struct->ssl);
/*freeing up the rest of my_data struct*/
..
Check http://www.openssl.org/support/faq.html#PROG13
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
,things are getting better,but after an unpredictable
interval there
will still be some leaks.
Just add before pthread_exit() ERR_remove_state(0).
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello
What version of OpenSSL you use ?
I do not remember exactly but in one version
there was memory leak after general release.
(I do not remember version).
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Hello,
ENGINE_cleanup();
CONF_modules_unload();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);
This should be removed from your code.
Best regards,
--
Marek
as argument
to SSL_CTX_set_verify().
You may read more at:
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
:E3295A7F558C3D78D3 ...
135:d=1 hl=2 l= 3 prim: INTEGER :010001
and you should make digest of this file:
$ cat pub_key.der | openssl dgst -sha1
f8aa13223180643bf899eaa6faac94c2aa7bdd73
Best regards,
--
Marek Marcola [EMAIL PROTECTED
,
--
Marek Marcola [EMAIL PROTECTED]
pthread_exit()
ERR_remove_state(0) in children thread should be enough.
ERR_free_strings() removes error text description and when you
will want (in the future) to print errors you will have only
numbers.
Best regards,
--
Marek Marcola [EMAIL PROTECTED
601 - 700 of 773 matches