Your description seems to be about the Certificate Verify message? I was talking about the Finished message.
Thanks,
Xiaoyu

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gayathri S
> Sent: Thursday, December 06, 2007 5:46 PM
> To: openssl-users@openssl.org
> Subject: Re: Generation of the Finished message
>
> Yes, if the negotiated algorithm is RSA, then the hash is a combination of
> MD5 and SHA-1 (16+20 = 36) which is further encrypted using the public key
> of the server/client depending on who is sending the finished message,
> using the RSA algorithm, and the padding ensures that the message is an
> integral multiple of the block size.
>
> For DH the finished message will contain only the MD5 hash, I guess this
> information is available in the rfc.
>
> Thanks
> --Gayathri
>
> On Thu, 6 Dec 2007, Xiaoyu Ruan wrote:
>
> > Hello All,
> >
> > According to RFC 2246 or 4346, the Finished message should be
> >
> > struct {
> >     opaque verify_data[12];
> > } Finished;
> >
> > verify_data
> >     PRF(master_secret, finished_label, MD5(handshake_messages) + SHA-1(handshake_messages)) [0..11];
> >
> > In addition to this there are Handshake type (1 byte) and message length (3
> > bytes). Then the Finished message should be 16 bytes. However, OpenSSL s_server and
> > s_client are sending out 40-byte or 48-byte Finished messages. This implies that the
> > 16-byte data has been encrypted or has undergone some other processing. Can anyone
> > please let me know what is done here and what the corresponding RFC reference is?
> >
> > Thanks,
> >
> > Xiaoyu
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
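
An added example, not part of the original thread and not OpenSSL's code: the RFC 2246 `verify_data` computation quoted in the question, plus the TLS 1.0 record-layer length arithmetic for a CBC cipher suite. It assumes HMAC-SHA1 as the record MAC and minimal padding; the master secret and handshake transcript are constructed sample values. The Finished message is the first one sent under the newly negotiated cipher spec, so its 16 bytes gain a MAC and padding before encryption.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash data expansion from RFC 2246, section 5."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed)."""
    half = (len(secret) + 1) // 2                        # halves overlap if length is odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def finished_message(master_secret, handshake_messages, label):
    """Handshake header (type 20, 3-byte length) followed by verify_data[12]."""
    seed = (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())
    verify_data = tls10_prf(master_secret, label, seed, 12)
    return bytes([20]) + len(verify_data).to_bytes(3, "big") + verify_data

def cbc_fragment_len(plaintext_len, mac_len, block_len):
    """TLS 1.0 block-cipher record: content + MAC + padding + padding_length byte,
    assuming the minimum padding that reaches a block boundary."""
    unpadded = plaintext_len + mac_len + 1
    return -(-unpadded // block_len) * block_len         # round up to a block multiple

# Constructed sample values, not taken from a real session.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"constructed handshake transcript"

if __name__ == "__main__":
    fin = finished_message(MASTER_SECRET, TRANSCRIPT, b"client finished")
    print(len(fin), fin.hex())
    print("8-byte block, HMAC-SHA1:", cbc_fragment_len(len(fin), 20, 8))
    print("16-byte block, HMAC-SHA1:", cbc_fragment_len(len(fin), 20, 16))
```

With a 20-byte MAC, the 16-byte plaintext becomes a 40-byte fragment under an 8-byte block cipher and a 48-byte fragment under a 16-byte block cipher, the two sizes reported in the question.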