.
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of mclellan, dave
Sent: Tuesday, November 13, 2012 4:26 PM
To: openssl-users@openssl.org
Subject: OpenSSL/FIPS Object Module
Eh, I had it right all along, but when I dumped it via x509 later it showed a
strange OID; seems the directory I was in had an old 0.0.8e OpenSSL.exe...
*face palm*
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner
to be set into the X509 somehow?
In the sig_alg member? How is this done (the ASN1 macro stuff makes it hard
to decode)? I see a X509_get_signature_type(), but no corresponding _set_
method.
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original
What if the server has an ECDH certificate? Would that then be the appropriate
set of suites?
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf
I think Steve posted a while back that those ciphers require special handling
and do not work with the enc command yet.
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf
the assumption be that you are
now on the leading edge of the compatibility issue and are using a 1.0.1
binary?
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org
the previous behaviour that
allowed this as well, though we can't tell if it's the s_client app or the
OpenSSL cert store functionality that changed this.
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us
.
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 12:36 PM
To: openssl-users@openssl.org
Subject: openssl on a home LAN
I am
sure you are setting those options on
the SSL_CTX before you create an SSL session from that context.
Erik
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jahn
.
Erik Tkal
Juniper OAC/UAC/Pulse Development
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List
to figure out is how to tell OpenSSL that the client agrees to
use this version, whereas now it generates a fatal alert. I cannot use an
SSLv2 handshake, as this is inside EAP-TLS.
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message
I don't believe OpenSSL has any mechanism to directly calculate P and Q; this
requires an iterative process. Once you have those, however, calculating the
rest is simple calculations using the BN library.
Erik Tkal
Juniper OAC/UAC/Pulse Development
On Fri, Aug 03, 2012, Steve wrote:
OK, you've got the parameters explicitly encoded instead of using a named
curve. When you generate the key try calling:
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
Steve.
--
Dr Stephen N. Henson. OpenSSL
;
EC_GROUP_free(ecgroup);
Is there something I am doing incorrectly to generate the EC key?
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Erik Tkal
EwJVU4IDANMnMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATA7BgNV
HR8ENDAyMDCgLqAshipodHRwOi8vbG9jYWxob3N0L3BraXRvb2wvZXJvb3QxL2Vy
b290MS5jcmwwCgYIKoZIzj0EAwIDSAAwRQIhANIwDV9cYUXvI6WuBDrKUNCgVMrO
kxy3igQZs5/ttBvwAiAze1W9uN/K5ULbSeMjivldawnSsRPIYEYLmVeATe8ZQg==
-END CERTIFICATE-
Erik Tkal
Juniper OAC/UAC/Pulse
CONNECTION CLOSED
Erik Tkal
Juniper OAC/UAC/Pulse Development
In your client app are you setting the options on the SSL_CTX *before* you call
SSL_new()?
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Sebastian Raymond
Sent
If you build the OpenSSL crypto as a static library you should be able to
utilize it without including everything else in your app, depending on your
compiler/linker options.
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From
and 1.0.0 are binary compatible (only the
sub-releases that are lettered).
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of exvance
Sent: Monday, June
In fact a quick compare of x509.h shows that the X509_sign_ctx entry point is
new in OpenSSL 1.0.1.
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org
What's the output of 'which openssl' and 'openssl version'?
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of exvance
Sent: Saturday, June 09
are generated using Ephemeral
Diffie-Hellman, signed using RSA (since DH is subject to MitM attacks).
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf
Hi Bin,
The OpenSSL names for P-256 and P-384 are prime256v1 and secp384r1.
Erik
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Bin Lu
Sent: Monday, March 05, 2012
server is sending the list incorrectly. I once used a product that
just sent the certs in the order contained in the configured .PFX file, so the
easiest workaround was to repackage the .PFX.
Erik
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner
the handshake to generate
the master key to be used elsewhere (e.g. for proprietary encryption), then you
can get it from the SSL_SESSION object (not sure if there's a get method).
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org
Hmmm, but he said he was writing both the client and server components and
assuming both are using OpenSSL (I know, when you *assume*...) the mechanism
would be the same...
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org
.
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of y...@inbox.lv
Sent: Monday, July 18, 2011 2:10 PM
To: openssl-users@openssl.org
Subject: Re: revoking crt
is that really
...
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of andre505
Sent: Monday, May 16, 2011 9:29 PM
To: openssl-users@openssl.org
Subject: OpenSSL - Great Project
Hello
I think
OpenSSL supports TLS; you need to parse the EAP packets in your own
application and feed the TLS bits into OpenSSL.
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Neo
.
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of John R Pierce
Sent: Wednesday, May 11, 2011 12:47 PM
To: openssl-users@openssl.org
Subject: Re
I think that means you have not enabled the cipher or hash that is required at
that point. Did you forget to call something like OpenSSL_add_all_algorithms()
in your app?
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner
the second of the following would
work:
openssl md5 user.pem (wrong format input)
openssl md5 user.cer
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Matt C
Sent
110419141516Z = 2011 04(April) 19th 14:15:16Z(UTC)
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Matt C
Sent: Tuesday, April 19, 2011 5:19 PM
To: openssl-users
WinZip handles it just fine...
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Paul Suhler
Sent: Tuesday, April 12, 2011 11:53 AM
To: openssl-users@openssl.org
Subject
instead of RAND_bytes to avoid the conversion...
Regards,
Erik
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Viktor Krikun
Sent
You can use the -config option to specify a desired config file.
...
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of felix farcas
Sent: Friday
DER encoding of numeric data should always be network byte order MSB...LSB.
Note that if the high order bit is set then an additional 0 byte is prepended.
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us
That's a pretty bold statement and doesn't always apply in a product
environment.
I have not deployed 1.0.0b (because of the pending issues); I'm still at 1.0.0a
and have to decide whether to patch the vulnerabilities, or risk updating
OpenSSL completely and retesting all of its consumers.
Go to http://www.openssl.org/support/community.html
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Richard Buskirk
Sent: Friday, December
Can someone point to details on CVE-2010-4180 and CVE-2010-4252? CVE-2010-3864
was the reason 1.0.0b was released, but I cannot find any references to the
other two.
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner
Some zip programs do not restore the links properly. Regardless, when you
first build, those header files should be recreated from their actual locations
(e.g. openssl-1.0.0b/ssl/ssl.h).
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message
Are you linking with ws2_32.lib?
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of g A b R i E L
Sent: Friday, November 12, 2010 10:56 AM
To: openssl-users@openssl.org
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Michael Ströder
Sent: Wednesday, November 03, 2010 12:23 PM
To: openssl-users@openssl.org
Subject: openssl verify fails
HI
Maybe that's a bug in OpenSSL 0.9.8o? The docs for verify say "It is an error
if the whole chain cannot be built up."
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us
How about using the d2i_ functions?
Erik Tkal
Juniper OAC/UAC/Pulse Development
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Leandro Santiago
Sent: Friday, October 29, 2010 7:26 AM
Hi Vivek,
There is no x509 format in that context; an x509 certificate encoding can be
represented in DER (binary) or PEM (text) mode.
Try:
openssl x509 -in TestCryptPublic.cert -inform DER -text
Erik Tkal
Juniper OAC/UAC/Pulse Development
From: owner
method for more performance.
Thanks
On Thu, 02 Sep 2010 03:30:20 +0530 wrote
OpenSSL 1.0.0a has aes_ctr.c in the crypto/aes directory.
Erik Tkal
Subject: AES in counter mode
no support in openssl
hi all,
I was working on the Openssl1.0.0 version for AES cryptographic support in
counter mode
Hi John,
Your CAfile must contain the chain that issued your cert (i.e. the
intermediate(s) and the root). The error is indicating that it is unable to
locate the issuer of the intermediate.
Erik Tkal
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl
-AES days).
Erik Tkal
Hi,
Is it possible to have AES 512 bit encryption in the latest release of openssl?
Regards,
Uday,
OpenSSL 1.0.0a has aes_ctr.c in the crypto/aes directory.
Erik Tkal
Subject: AES in counter mode no support in openssl
hi all,
I was working on the Openssl1.0.0 version for AES cryptographic support in
counter mode, i.e., AES-CTR mode. I did not find any support added to the
openssl1.0.0
the cipher suite list, and the server picks one
of these.
Also note that you cannot modify the cipher suite list in the Client Hello in
flight, as that would be detected in the handshake processing.
Erik Tkal
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner
fails. Should the code really be more tolerant and handle a client
that does not send the certificate message at all?
Erik Tkal
Funk Software, inc
replies to etkal(at)funk(dot)com