A PKI in a web page
From my blog, at https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10 I'm making available my small set of web pages and Perl script that implement a self-service PKI built around OpenSSL. The Perl script and config are under 250 lines and the couple of web pages involved are under 200 lines; there's also a couple of screen shots to guide someone through installing a cert on Microsoft Windows. It's all in the public domain. Enjoy. -- STSM, DataPower CTO WebSphere Appliance Architect http://www.ibm.com/software/integration/datapower/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: https in java
Isn't SSL/TLS part of javax.security? At any rate, this is not a good place for Java questions... The IBM keyman program (google search...) seems to have better support for some standard formats than the standard keytool does. /r$ -- STSM, Senior Security Architect SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Interoperable w/ CryptoAPI
Does anybody know how hard it is to make OpenSSL play nice with Window's CryptoAPI? We exchange signed and/or encrypt content with MS-based applications all the time. As long as you stick to standard formats (SSL, PKCS#7, XML Encryption, etc) it's not a big deal. I vaguely recall that we had to track down RFC's etc to find out particualr PKCS7-S/Mime versions. /r$ -- STSM, Senior Security Architect SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Query regarding AES support in Open SSL
I am using keytool command to generate the certificates, currently i am using RSA algorithm. We are planning to change this to AES You can't do that. (Well, actually, you can, but it means that anyone who can verify the certificate can also generate their own counterfeit that is impossible to detect. You probably need to read some intro material on crypto. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: license question
The other alternative is that you're not very good at reading it. :) /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: license question
There are many funny licensing clauses that appear nonsensical to the layman but are perfectly logical. The SSLeay and OpenSSL license is an extremely sloppy and poorly defined document because the people who wrote it were under the misguided assumption that good legal documentation is simple. I don't know about OpenSSL, but for SSLeay you're wrong. A great deal of lawyer time and effort was spent in writing it. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: RHEL 3 OpenSSL package concern
My inclination is to believe a vendor when they say things like it's XXX version n, with all known vulnerability fixes thru version n+m Vendors often do this kind of thing, for the same reason you don't want to upgrade RHEL installations. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: can repository reliably convert between PEM and DER?
Can a certificate repository freely convert between PEM and DER formats? Yes, they are simple transcriptions, so something else is going on. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Cross Signing
You'd also need to identify that second CA. Verifying that internal (second) signature would be tricky since you'd have to remove the extension (tweak the DER length fields, etc) before hashing. And then there's all the complexity of checking for revocation from the second CA. (Which, frankly, probably wouldn't happen given how little revocation checking is done on the real CA. :) For example, wouldn't you have to keep the serial numbers in sync? And validity periods? A simpler approach seems to be for concerned applications to require the client to provide certificates from both CA's. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: extending a PKCS12 certificate
PKCS12 is a data format. It's usually password-protected, and is designed to bundle together a private key with one or more certificates. Openssl includes tools (programs and API's) to parse and generate PKCS12. Once you've extracted the cert, you can parse it, and add an extension. To sign the new certificate, you need the CA's private key; if you don't have that, forget it. If you do have that, then you might want to look at apps/ca.c or apps/x509.c to see the API's used to manipulate extensions and sign certificates. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: extending a PKCS12 certificate
ensures me that the data is safely stored, as the certificate, and therefore also my additional data, can only be opened when the password is known. If this is all you want to do, a cryptographic beginner such as yourself will probably find it easier to use something like the GNU Privacy Guard. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Query On SSL Processing
The SSL records include a message digest (MAC) of the application data within the record. If you remove the application data, the SSL record is no longer valid. If you think about it, this is obvious. SSL guarantees the integrity of the application data. If someone modifies or removes the application data, then the SSL layer should, of course, notice this. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Too long organizationName (O=...)
[EMAIL PROTECTED],CN=Test CN,OU=Test Unit, O=Very very very long+O=Organization name,C=LT Are you sure that the schema allows for multiple values for the O RDN? I know multiple OU RDN's are allowed; you might look at the config docs to see how that's set up. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Query On SSL Processing
Ok, what I meant is I will be removing the SSL record along with the app data!! So this should be fine right? Then SSL will notice that records have been removed. Since records can contain application data, and SSL guarantees the integrity of the application bytestream, *ANY* attempt by an intermediary to prevent the recipient from getting all the original bytes that are sent will be noticed. Any SSL implementation that does not do this is fundamentally flawed. You'll have to hack the source. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE : Re: How to share SSL session when using CreateProcess/execv
There is no pre-existing way to write out all the SSL state so that another process can reconstruct it. I would do it this way; when a connection comes in, spawn stunnel to handle the SSL with a pipe() back to the dispatcher. Use raw read on the pipe; when it's time to spawn a client, hand the pipe descriptors off to the client. This replaces the SSL problem with process-management, which if you don't find it simpler, is certainly better understood by more people. I don't remember the details of how to do this on windows, but the concept is the same. -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Query On SSL Processing
SSL is designed for private reliable bytestream between two parties. Without looking at the spec, I can't say for certain, but I would be *very* surprised if you can slice out any part of the SSL traffic and not have generate an error. Read the SSL/TLS spec. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Does Openssl cache App data -- 2nd Try..
So in a crux, what can I do to ensure that openssl does not read app data pkts at all.. Nothing. You have no guarantee how many bytes the kernel's read() will hand back up to you. You will have to severely hack on your kernel and networking implementation to make this happen. You might find it easier to have the kernel do 'all' SSL, and then do callbacks/upcalls to user space for the non-kernel stuff. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL and multiple threads
select() has a limit on how big the descriptors can be, otherwise it crashes. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL and multiple threads
You may look at poll() and epoll() as alternative event wake mechanisms for IO with large numbers of fds in the working set. Yes. Either rebuild your entire system and fix this value: /usr/include/bits/typesizes.h:#define __FD_SETSIZE1024 or use poll. You'll probably find poll() easier. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: FIPS Security Policy question
Thus, if you are selling to an entity that requires FIPS, all OpenSSL (and other encryption) libraries must be put into FIPS mode, or FIPS is not satisfied and thus the application is not FIPS compliant. As of Wednesday, June 21, the FIPS certification for OpenSSL has been withdrawn; see http://csrc.nist.gov/cryptval/140-1/1401val2006.htm#642 The Open Source Software Institute has an update dated June 16 (http://www.oss-institute.org/index.php?option=contenttask=blogcategoryid=62Itemid=99) that says the FIPS 1.0 is being withdrawn by request (of NIST), and that FIPS 1.1 is available. Unfortunately, this is incorrect as both ftp://ftp.openssl.org/source/ and http://www.openssl.org/source/ list the 1.0 version and not the 1.1 version. I don't know that the plans are for the OpenSSL team, but as things stand right now there is *no* FIPS version available. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: confusion about digital signatures
bob got one private key and a public key, both keys can encrypt any data but only the private key (that is kept secret ) can decrypt the data , right ? No. What can be encrypted with one key can only be decrypted with the other. This is a one-to-one concept; the public and private key come in pairs, and only work in matching sets. If I have your public key, I can encrypt something so that only you (or the holder of your private key) can read it. If you encrypt something with your private key, anyone who has the public key can decrypt it. If you hash a message (stream of bytes), and encrypt the hash, then you can call that a signature. Anyone who has the message, your public key, and the signature can verify that the message they have is an exact copy of the message you signed. /r$ -- SOA Appliances Application Integration Middleware [EMAIL PROTECTED] wrote on 06/23/2006 07:16:58 AM: now for Bob to create a digital signature , needs to compute a digest message using a hashing function, then encrypt the digest message, and that gives me the digital signature. now Pat receives a document from Bob with his digital signature, Pat's computes the message digest of the document and DECRYPT the signature with Bob's public key !!! I've understood that's only Bob's private key can decrypt any data , so what's wrong ? please enlighten me Thanks you hicham __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: On select and blocking
Same thing, no guarantee about what an actual future operation will do. By would not block, they mean a hypothetical operation taking place at the time the indication is given to you. No. That's stupid. It's useless. By 'would not block' they mean 'if nobody else messes with the descriptor, the operation would not block.' Your meaning means that select is absolutely *useless* to a programmer unless the socket is set to non-blocking mode; there is no mention in the select manpage that the socket must be in non-blocking mode. Further, since a non-blocking selectd can return EWOULDBLOCK for any operation, select on non-blocking becomes nothing more than an optimization hint to avoid a read system call. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
On select and blocking
David, Please post a link to a manpage or other documentation that justifies your description of select. Your stat analogy is incomplete; stat returns the true file size, in the absence of other external factors, such as another process (or thread) doing something. Select makes the same guarantee, under the same circumstances. Note that select predates threads. Your idea that the semantics of TCP might change, invalidating current implementations, is also not valid -- no fair to conjecture about implementations not written for protocols not specified. Nevertheless, from the beginning, there are various buggy implementations -- primarily because of non-BSD implementations (can you spell STREAMS? :), so therefore it's always safest to use non-blocking and check for EWOULDBLOCK. Note that setting non-blocking itself is a portability hassle. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CSR Without Prompting
I'm attaching a shar file file of the scripts I've used a couple of times. It would help to acdtually do the attachment... /r$ -- SOA Appliances Application Integration Middleware scripts.shar Description: Binary data
Re: CSR Without Prompting
- Am I correct that the only way to do this is to put the various values into openssl.cfg? Or is there a way to pass them on the command line? You can use the ENV:: construct to read them from the environment. - If I have to use the config file, is there any way to specify two config files (the default and the one with the CSR data)? You can have one config with basically *just* the CSR, and then use the main openssl config file for the ca command (to sign things). - If not, is there some documentation on the minimum information needed in the config file to create a CSR, so that I can create a basic one rather than replicating every field in the default file? I'm attaching a shar file file of the scripts I've used a couple of times. They create a PKI hierarchy and generate certs for signature and SSL. I also generated the keypairs, since this stuff was only used on for conference demo's, and it was easier and quicker this way. The scripts, written in classic unix shell, show several of the above techniques. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: change/convert 512 bit long modulus to 2048 on private key?
Can this be done with out having to make a new private key? Or am I just barking up the wrong tree? Absolutely not. It's like saying, can I make a two-digit number into a three-digit number. (You could add leading zero's, but that misses the whole point.) /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL with FORK
in this server i fork to use a independent exec. directly after the exec in the child i call exit(0), but then the SSL connection which is an exact copy of the parent gets also deinitialized. in this case even my server crashes because the TCP port is not available then. Call _exit, not exit. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Root CA key bit length too small - How do I change this?
You must generate new private key (longer) for CA and self certify. Next you should publish your new CA certificate. As a transition aide, you might want to have your old root also sign the new CA key. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OCSP
Look at the end of section 4.1.1 for the details of target cert identifier /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OCSP
1. Why OCSP_cert_to_id requires two certificates? Basically it should require only the certificate to be checked to construct an OCSP request, right? Perhaps you should read the OCSP RFC. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: need an example
but seems like that i am to stupid to write my own server... can someone give me an example? Have you looked at apps/s_server.c ? -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: New to openssl
Did you look in the apps sub-directory? In particular, the code for s_client. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Phantom Domain Name Mismatch?
Wow a 512 bit key! Really unwise. Ture. You did not mention the X509v3 Subject Alternative Name: DNS:helpdesk.cis.uab.edu When this is present the CN is ignored. Really? That seems like a bug. There's a reason why it's called subjectAlternativeName, and not subjectPreferredName. Nevertheless, as you say, putting both names is a reasonable work-around. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Phantom Domain Name Mismatch?
Here we go: RFC 2818 section 3.1: You rock. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: question about ssl certs
What will prevent somebody from stealing my cert and going around pretending to be me? Okay, if you're Susan, this this blob: xx Without your *private* key, they cannot do that. Therefore, they cannot pretend to be you. If they did, it be like accepting a passport or driver's license without seeing if it's your picture. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: question about ssl certs
What will prevent somebody from stealing my cert and going around pretending to be me? Okay, if you're Susan, this this blob: xx Sign. The challenge is sign this blob Without your *private* key, they cannot do that. Therefore, they cannot pretend to be you. If they did, it be like accepting a passport or driver's license without seeing if it's your picture. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Licenses...
I didn't want to get involved in a licensing discussion here, but there are some factual errors about early history that should be corrected. The original 'advertising clause' was from the UCal Regents, not FreeBSD organization et al. They were worried about their name being used inappropriately. The CSRG didn't care who used their stuff, or under what terms. Once it was understood that the advertising clause wasn't necessary, the CSRG et al were quite happy to remove it. They had already been paid to develop the software, they were not worried about *increasing* their publicity, they were worried about someone else *using the UCal Berkeley name* for inappropriate purposes. I know; I was there. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Not FIPS if app uses other crypto?
First of all I assume that we are talking about FIPS 140-2 [or 3 but that's not mandatory anywhere yet]. Mandatory? 140-3 isn't even issued yet. :) /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Not FIPS if app uses other crypto?
It seems to me that the question is this: can an application use two FIPS-certified toolkits at the same time? For example, a FIPS certified device for doing private key operations, and FIPS software for doing symmetric key operations. The answer is yes. (There will be issues and difficulties, of course: sharing key material, for example, may be impossible.) Most applications using FIPS toolkits use hardware devices or binary-only libraries, where the API is not changeable. As an open source distribution, the caveat to stay within the boundaries by not using other than the FIPS API's is worth particular mention. /r$ -- SOA Appliances Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: invalid x500UniqueIdentifier bitstring in openssl
I'm fairly sure the BITSTRING datatype for signatures was chosen by the PKCS working group, which at the time was a mostly self-selected group of experts organized by RSA. It certainly wasn't chosen by IETF. The X509v3 extension format was chosen by the X.509 group of ITU/ISO. Hindsight's 20/20. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Root ca chain in one file
One of our customers is using a certificate from globalsign. They use three root certificate's in the chain. A definition of root certificate is that nobody in the chain comes after it. So you don't mean three root certificates, but perhaps three intermediates or two intermediates and a root. Is there a way to create a pem formatted file with all three certificate's from the chain? You can just paste all three PEM files together, but that probably will not get the effect that you want. The normal PEM_read, etc., functions stop when they find the first object of the right type. If you want to read in a multiple certs from a single file, you probably want to use a data format such as PKCS7 or PKCS12 that supports it natively. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: SPAM-URL Re: Another RAND question...
The part about the PRNG is in question? How did people pre-OpenSSL FIPs get validated when they used OpenSSL? Did they have to modify the OpenSSL code and add their own PRNG that would pass? Are there any FIPS certified apps that use openssl? If there are any, the short answer is that yes, they replaced the non-compliant code with code and got that certified. Depending on how the organization, if they already had a FIPS library, they probably ripped out most of openssl and treated the TLS library as an application that used their own crypto. I'm just speculating, mind you. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: build non-bsafe version of Openssl
You are mistaken. OpenSSL does not use BSafe. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: First posting NEWBEE
If you want to know how if MySQL can use OpenSSL, it probably makes more sense to ask MySQL folks. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openssl req -x509 does not create serial-number 0
let's see... you're talking about the authorityKeyIdentifier? I thought that that went up 2 steps up the tree and then gave a serial number of cert issued by that CA. No, it identifies the key that is signing the actual cert (or CRL). A CA's subject key identifier (SKI) gets populated as the AKI into everything it signs. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Getting IP-Adress
sockaddr* peername = NULL; int namelen; getpeername(buffer, peername, namelen); Just like namelen, you have to allocate space: sockaddr peername namelen = sizeof peername;; getpeername(buffer, perrname, namelen); -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Win32 Building requires write access???
Because the software has to build on so many platforms, config, Configure, do_nasm, do_masm, and so on have to copy files into the build directory as appropriate, and modify the makefile as appropriate. No, that's just the way it's done. There is actually no requirement that a build/port system modify files in-place. Most autoconf uses, for example, don't. And nothing prevents you from checking in generated files. It's just the way openssl works right now. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Cipher suites
The high medium and low are arbitrary terms, and date back to then the US had stricter export controls on cryptography. Ignore them. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Cipher suites
The openssl ciphers command shows the text format of the cipher suites supported Allow you users to choose from (a subset of) that list, and set the env var or config param appropriately. Like PATH, it's a colon-separated list in order of priority. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Cipher suites
The docs are outdated. AES is strong. -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Apache HTTP v2.0.52 and SSL
It is more likely that you are wrong, and that Apache is not wrong, even in windows. Can you do telnet {yourhost} 443 and see if you get a connection? Review your Apache configuration files -- did you set up a duplicate server on port 443? /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: RSA private key protection
if i protect the RSA private key with a password: is this function part of the RSA algorithm? No. The RSA algorithm only case about (i.e., uses) the key itself. how validate the private key if the password is correct? Most key-wrapping mechanisms have some (minimal) error checking such as a checksum or special padding, same as any other decryption. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to encrypt a large file by a public key?
How can I encrypt a large file (like 100mb) with a public key so that no one other than who has the private key be able to decrypt it? Encrypt it using a strong symmetric key (such as AES) and use RSA to encrypt *that* key. This is the way everyone does it. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: question about data transfer
Now i've desided to write a new application instead of using an existing protocol.But I'm a fresh men here, so not very clear with what should i do first,would you please give me some advices about this ? If you don't know what you are doing, re-use an existing protocol. If you insist on writing your own, make sure you understand RFC 3117. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Measuring the performance of OpenSSL
Can anybody throw some light in this issue? In particular, how can one draw a meaningful SSL performance comparison accross implementations? Figure out what your typical load is like and benchmark that. For example, 10,000 different clients connecting twice a day, and doing a couple-dozen GETs of an average size of 30k. There's just too much variance otherwise, and no real way to normalize it. /r$ -- SOA Appliance Group IBM Application Integration Middleware __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]