And there's no reason for it to do so, because it isn't needed. If you generate
one TLS packet every nanosecond, it will take nearly six centuries to overflow,
by which time the version of TLS you're using will have been deprecated and all
security guarantees are moot anyway.
In general, most
On 10/03/2017 04:34, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Jakob Bohm
Sent: Thursday, March 09, 2017 19:05
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow
First, note my original
I have been trying to keep my posting to a minimum but I am not getting
across what I am looking to fix. And I have been getting reports that my
source code is not viewable. In my Apache logs I see that some people have
been using the wrong link, they are trying to use
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
> Is there some 'simple' way to provide these answers? Like with env
> variables?
I tend to create response files (one response per line) and then
simply pipe to openssl:
$ cat foo.params | openssl ...
Just make sure openssl doesn't
Jan,
On 03/09/2017 08:06 PM, Jan Danielsson wrote:
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
Is there some 'simple' way to provide these answers? Like with env
variables?
I tend to create response files (one response per line) and then
simply pipe to openssl:
$ cat foo.params
Yes there are easier ways to do this. Set up a conf file and use it (via the
-conf flag). You can use env vars, set default values, and so on. Look at the
config manpages, https://www.openssl.org/docs/manmaster/man5/
For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz
PS --
I am creating self-signed certs with:
openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey
rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days
3650 -x509 -extensions v3_req
Where, for example:
your_host_tld=z9m9z.test.htt-consult.com
Thing is that this then
First, to get intelligible text errors, replace your initial call with
ERR_load_crypto_strings(). The ERR_load_ERR_strings call doesn't even
seem to be documented, likely because it only loads the strings
associated with the ERR API, and you likely need PEM and BIO error
strings. When I did
Hi, Rich.
Fancy meeting you here.
On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote:
Yes there are easier ways to do this. Set up a conf file and use it (via the
-conf flag). You can use env vars, set default values, and so on. Look at the
config manpages,
> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote:
>
> I am creating self-signed certs with:
>
> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048
> -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509
> -extensions
Viktor,
On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote:
I am creating self-signed certs with:
openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048
-nodes -keyout private/$your_host_tld.key
But if the starting value is random, the number of increments
before overflow or wrap will be random too (and could
hypothetically, but rarely, be as little as 1).
Anyway, I thought TLS records were limited to slightly more than
16K each, so the in-record block counter would not count very far.
On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
$ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up that I
needed:
chmod 640 for the private keys
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jakob Bohm
> Sent: Thursday, March 09, 2017 19:05
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow
First, note my original calculation was wrong - I was
> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
>
>> $ umask 077 # avoid world-readable private keys
>
> Perhaps (no perhaps about it) this is old information, but I picked up that I
> needed:
>
> chmod 640 for the private keys for Apache. (and postfix and
Already fixed.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
No, it does not do this automatically.
If the nonce_explicit overflows or overlaps, then does the openssl code
handle it (at least by initiating renegotiation)?
Script started on Thu Mar 9 05:45:36 2017
root@doctor:/usr/source/openssl-1.0.2-stable-SNAP-20170309 # make
making all in crypto...
making all in crypto/objects...
making all in crypto/md4...
making all in crypto/md5...
making all in crypto/sha...
making all in crypto/mdc2...
making all