[mailto:openssl-users-boun...@openssl.org] On Behalf Of
Steve Marquess
Sent: January-20-15 8:17 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS
(1.0.1)
On 01/19/2015 12:42 PM, Nou Dadoun wrote:
The scenario that we're contemplating
[mailto:openssl-users-boun...@openssl.org] On Behalf Of
Steve Marquess
Sent: January-16-15 2:26 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS
(1.0.1)
On 01/16/2015 04:23 PM, Nou Dadoun wrote:
We are currently using FIPS and non-FIPS
?
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Matt Caswell
Sent: October-20-14 4:08 PM
To: openssl-users@openssl.org
Subject: Re: TLSv1.1 and TLSv1.2
On 20/10/14 23:59, Nou Dadoun wrote:
This should be a short question
This is the first time I've seen this point of view expressed but it does make
evident sense - after all, the whole idea of falling back is to find a mutually
acceptable version. However it conflicts with some of the previous advice I've
seen on the list which recommended that
-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Nou Dadoun
Sent: Monday, October 20, 2014 7:08 PM
To: openssl-users@openssl.org
Subject: RE: SSL_MODE_SEND_FALLBACK_SCSV option
This is the first time I've seen this point of view expressed
: SSL_MODE_SEND_FALLBACK_SCSV option
On 20/10/14 21:10, Nou Dadoun wrote:
Well I think I'm completely confused about this option now; always when you
fall back seems to suggest that falling back is an application level
operation (as opposed to openssl-implemented behaviour), is it? i.e. is the
onus on the client
This should be a short question (for a change), am I correct in assuming that
the earliest version of openssl which provided support for TLSv1.1 and TLSv1.2
is openssl 1.0.1?
i.e. there's no support for those in 0.9.8 (soon to be deprecated) or 1.0.0?
One of our products uses 0.9.8 for the
Since this is the users list (as opposed to the dev list) I’m a little confused
about point 2 there; my understanding from the sketchy descriptions I’ve read
is that the fallback to a lower version is automatically done by openssl on
connect failure as opposed to something similar to the code
A few short (simple) questions about the use of TLS_FALLBACK_SCSV since we’re
currently upgrading to the latest openssl releases.
We don’t establish sessions with any other products than our own clients and
servers.
We’ve already disabled the use of SSLv3 in both our client and server releases
But my understanding is that it requires the same content to be submitted
repeatedly within a single session with manipulations to the padding to
incrementally decrypt the content; we use ssl to protect our session
establishment - think of a SIP call, SIP INVITE (offer) in one direction and
mode is desired; it
wouldn't take much modification to delay loading the fips function pointers
until the POST is complete as long as the client code doesn't choke on a not
ready yet return code.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: Steve Marquess
Openssl FIPS certifications
although it appears that our current certification remains valid.
Sorry if this has been discussed previously but is this the case? A pointer to
a previous discussion if one exists would be sufficient, thanks ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-compilation), anyone know what that might be? Or even better, a list of
config options that I can use to tailor my build?
This seems like basic information that should be in a man page or readme file
somewhere, is it?
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From
having a
project to do this would be ideal since it would make the build and deploy
process much simpler. Anything like a VS project to build crypto only out
there anywhere?
Thanks .. N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
comments? ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager
dynamically)
Thanks to Dave for the response ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dave Thompson
Sent: September 21, 2012 7:37 PM
To: openssl-users@openssl.org
Quick question: is there a simple openssl api call which will tell me if an
x509 certificate is self-signed? ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
the windows stuff.
Anybody know offhand? Thanks .. N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
experiences vis a vis Metro/openssl
etc .. N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of mar...@v.loewis.de
Sent: August 3, 2012 3:36 PM
To: openssl-users@openssl.org
in the technical questions at this point,
not the political ones.)
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
Thanks very much for your clearly laid out and informative note; most of this
matches my intuitive understanding of the differences but having it elucidated
backed with experience is invaluable, thanks again ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message
is on the horizon but not
imminent) - is there any documentation anywhere on how this might be
accomplished?
Thanks again ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf
).
Does anyone have experience with this? Any pointers or links to documentation
for how this might be done?
Thanks in advance N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
tunnel established? i.e. how do
you securely agree on a symmetric key for further secure communications?
(Which is how I assume things proceed.)
Any pointers?
N.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner
both oks are ==1) - why two
calls?
Why is it failing with the fips library and passing with the non-fips library -
does it have anything to do with the 1024 bit key? (i.e. 2048 and 4096-key
certs both work, and the ca cert has a 2048-bit key)
Thanks ... N
---
Nou Dadoun
ndad...@teradici.com
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: md5WithRSAEncryption
Is it failing because of the (unapproved) md5 signature algorithm? ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: Nou Dadoun
Sent: June 18, 2012 11:06 AM
To: 'openssl-users@openssl.org'
Subject: RE: FIPS doesn't verify certificate with 1024-bit keys
Here's the certificate which is failing:
Certificate:
Data
It passes OK with the usual verify utility but that's not surprising since it
passes verification if I'm not using FIPS, I don't imagine there's any way to
force the verify utility to use the FIPS routines; in any case, I'm happy to
send them to you offline ... N
---
Nou Dadoun
ndad
throw out a general query, is there any simple mechanism for
simply extracting the string (or strings) which define the x509 Subject
Alternative Names for simple string matching?
Thanks ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
or something
like that.)
Thanks ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
a user argument which works
great.)
Any suggestions on how to get around this problem?
(Did I mention that I'm doing this in boost? That shouldn't have any bearing
on the solution though.)
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
You're right about it being non-obvious but I got it working, thanks! ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: May 10, 2012 3:47 PM
be usable for the certificate the client presents
in the case of mutual authentication?
(Pointers to documentation if any would be sufficient!)
Thanks N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
that above N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dinh, Thao V CIV NSWCDD, K72
Sent: April 11, 2012 4:19 AM
To: openssl-users@openssl.org
Subject: RE: expired
it's still a little mysterious why the two would interfere with each other! It
would seem to be right down in the crypto algorithm code because that seems to
be all that they have in common. That's why a total scrub cleanup function
would be useful ... N
---
Nou Dadoun
ndad...@teradici.com
604
or so has some sample code you can probably modify.
Standard warnings apply N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Srihari, Gautam
Sent: April 10, 2012 3:04 AM
the difference? (I suspect the second is
signature checking and the first is everything else but I'm curious).
Thanks in advance ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
- the ms docs
are woefully inadequate) but if anyone has pointers on information on how to
use the capi engine, I'd greatly appreciate it, thanks! ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us
of the windows cert store to look in for
the certificate that I want to use being selecting the actual certificate, and
it's not clear how I would do that, thanks again for your help ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us
.
CRYPT_OAEP --- RSA_PKCS1_OAEP_PADDING
?? the default - RSA_PKCS1_PADDING
I've tried CRYPT_DECRYPT_RSA_NO_PADDING_CHECK (and get an NTE_BAD_FLAGS error)
thanks ms, I've tried reversing the encrypted buffer, all to no avail.
Am I missing something here? Thanks in advance N
---
Nou Dadoun
Sorry I knew I'd forget something, I've put the my_rsa_key declaration and
initialization in the right place marked / here / ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org
that
certificate for the ssl handshake to the peer.
I've read the O'Reilly section on Engines but it's pretty rudimentary and
doesn't touch the capi engine, do you have a pointer to any user documentation
that might have some examples on using the capi engine?
Thanks again ... N
---
Nou Dadoun
but thought I'd start with a high-level description
of the problem to avoid clouding the issue too much.
thanks in advance ... Nou
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
43 matches