Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow

2017-03-09 Thread Michael Wojcik
And there's no reason for it to do so, because it isn't needed. If you generate one TLS packet every nanosecond, it will take nearly six centuries to overflow, by which time the version of TLS you're using will have been deprecated and all security guarantees are moot anyway. In general, most

Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow

2017-03-09 Thread Jakob Bohm
On 10/03/2017 04:34, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: Thursday, March 09, 2017 19:05 To: openssl-users@openssl.org Subject: Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow First, note my original

Re: [openssl-users] error making Private RSA

2017-03-09 Thread william estrada
I have been trying to keep my posting to a minimum, but I am not getting across what I am looking to fix. And I have been getting reports that my source code is not viewable. In my Apache logs I see that some people have been using the wrong link; they are trying to use

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Jan Danielsson
On 03/10/17 00:49, Robert Moskowitz wrote: [---] > Is there some 'simple' way to provide these answers? Like with env > variables? I tend to create response files (one response per line) and then simply pipe to openssl: $ cat foo.params | openssl ... Just make sure openssl doesn't

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Jan, On 03/09/2017 08:06 PM, Jan Danielsson wrote: On 03/10/17 00:49, Robert Moskowitz wrote: [---] Is there some 'simple' way to provide these answers? Like with env variables? I tend to create response files (one response per line) and then simply pipe to openssl: $ cat foo.params

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Salz, Rich via openssl-users
Yes there are easier ways to do this. Set up a conf file and use it (via the -conf flag). You can use env vars, set default values, and so on. Look at the config manpages, https://www.openssl.org/docs/manmaster/man5/ For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz PS --

[openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req Where, for example: your_host_tld=z9m9z.test.htt-consult.com Thing is that this then

Re: [openssl-users] [EXTERNAL] Re: error making Private RSA

2017-03-09 Thread Sands, Daniel
First, to get intelligible text errors, replace your initial call with ERR_load_crypto_strings(). The ERR_load_ERR_strings call doesn't even seem to be documented, likely because it only loads the strings associated with the ERR API, and you likely need PEM and BIO error strings. When I did

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Hi, Rich. Fancy meeting you here. On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote: Yes there are easier ways to do this. Set up a conf file and use it (via the -conf flag). You can use env vars, set default values, and so on. Look at the config manpages,

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Viktor Dukhovni
> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote: > > I am creating self-signed certs with: > > openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 > -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 > -extensions

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
Viktor, On 03/09/2017 08:17 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote: I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key

Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow

2017-03-09 Thread Jakob Bohm
But if the starting value is random, the number of increments before overflow or wrap will be random too (and could hypothetically, but rarely, be as little as 1). Anyway, I thought TLS records were limited to slightly more than 16K each, so the in-record block counter would not count very far.

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Robert Moskowitz
On 03/09/2017 08:53 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote: $ umask 077 # avoid world-readable private keys Perhaps (no perhaps about it) this is old information, but I picked up that I needed: chmod 640 for the private keys

Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow

2017-03-09 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jakob Bohm > Sent: Thursday, March 09, 2017 19:05 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow First, note my original calculation was wrong - I was

Re: [openssl-users] scripting creating a cert

2017-03-09 Thread Viktor Dukhovni
> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote: > >> $ umask 077 # avoid world-readable private keys > > Perhaps (no perhaps about it) this is old information, but I picked up that I > needed: > > chmod 640 for the private keys for Apache. (and postfix and

Re: [openssl-users] [openssl-dev] Openssl 1.0.2 stable SNAP 20170309 issue

2017-03-09 Thread Salz, Rich via openssl-users
Already fixed. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow

2017-03-09 Thread Salz, Rich via openssl-users
No, it does not do this automatically. If the nounce_explicit overflows or overlaps, then does the openssl code handle it (at least by initiating renegotiation)?

[openssl-users] Openssl 1.0.2 stable SNAP 20170309 issue

2017-03-09 Thread The Doctor
Script started on Thu Mar 9 05:45:36 2017 root@doctor:/usr/source/openssl-1.0.2-stable-SNAP-20170309 # make making all in crypto... making all in crypto/objects... making all in crypto/md4... making all in crypto/md5... making all in crypto/sha... making all in crypto/mdc2... making all