Re: OpenSSL 0.9.8m-beta1 release

2010-01-21 Thread Thor Lancelot Simon
On Thu, Jan 21, 2010 at 12:59:36AM +0100, OpenSSL wrote:
 
The OpenSSL project team is pleased to announce the release of
version 0.9.8m-beta1 of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bug fix beta release which implements
draft-ietf-tls-renegotiation-03.txt to address CVE-2009-3555. For a
complete list of changes, please see
http://www.openssl.org/source/exp/CHANGES.

|  *) Implement draft-ietf-tls-renegotiation-03. Re-enable
| renegotiation but require the extension as needed. Unfortunately,
| SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
| bad idea. It has been replaced by
| SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
| SSL_CTX_set_options(). This is really not recommended unless you
| know what you are doing.
| [Eric Rescorla e...@networkresonance.com, Ben Laurie, Steve Henson]

The change described above is a major API/ABI change.  Now applications
must handle three different cases:

1) No built-in support for preventing unsafe renegotiation; do
   it yourself with callbacks.

2) Built-in support controlled by
   SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, no
   #define at all for SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

3) Built-in support controlled by
   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, no
   #define for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

I guess once again everyone gets to bump their major version numbers for
the OpenSSL shared libraries for a point release (this'll be the second
bump in three months for anyone who picked up 0.9.8l) and gets to write
application code full of nasty #if hacks which check the OpenSSL version
string.

Yuck!

Thor
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Looking for DES encryption/decryption source example

2009-05-03 Thread Thor Catarius

Hi everyone,
I am looking for a sample source file which encrypts/decrypts a String with DES
(or better triple DES). I could not find anything useful on Google, the only
information I have at the moment are the man pages (crypto(3) and des(3)). I
don't want to encrypt/decrypt using the openssl command line, it needs to be
incorporated in a c/cc file.

Any hint or help is much appreciated.

Best regards
Thor



Re: Passing parameters to openssl for CSR

2009-01-28 Thread Thor

Thor,

Have you checked out the man pages for the req program? It seems you'd
want the -subj flag.


http://www.openssl.org/docs/apps/req.html


Here's a sample generation

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr \
  -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"


Hope this helps


I did indeed read that page, but obviously not close enough!

That's pretty much exactly what I'm looking for.

Thanks.
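
Added example, not part of the original posts: non-interactive CSR generation with -subj when the field values come from an outside source, as the question describes. The function names (subj_escape, csr_subject, make_csr, csr_subject_of) and the sample values are hypothetical; the code assumes the -subj, -batch and -nameopt options of openssl req.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Backslash-escape the characters openssl's -subj parser treats specially:
# "\" (escape), "/" (field separator) and "+" (multi-valued RDN separator).
subj_escape() {
    printf '%s' "$1" | sed -e 's|\\|\\\\|g' -e 's|/|\\/|g' -e 's|+|\\+|g'
}

# Build a -subj string from six fields: C ST L O OU CN.
# Refuses an empty CN so a bad upstream record fails loudly.
csr_subject() {
    [ -n "$6" ] || { echo "csr_subject: empty CN" >&2; return 1; }
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' \
        "$(subj_escape "$1")" "$(subj_escape "$2")" "$(subj_escape "$3")" \
        "$(subj_escape "$4")" "$(subj_escape "$5")" "$(subj_escape "$6")"
}

# Generate an unencrypted 2048-bit RSA key and a CSR with no prompts.
# Args: key-file csr-file subject. umask keeps the key owner-readable only.
make_csr() (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -batch \
        -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
)

# Print the subject stored in a CSR, for checking before submission.
csr_subject_of() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Constructed input: the CN contains "/", which unescaped would be parsed
# as the start of another field.
csr_subject SE Stockholm Stockholm "Example AB" IT "user/CN=admin.example.com"
echo
```

Call make_csr with the string returned by csr_subject, then compare the output of csr_subject_of with the intended values before sending the CSR anywhere.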


Passing parameters to openssl for CSR

2009-01-27 Thread Thor

Hi guys,

I'm wondering if it's possible to pass parameters to openssl when
creating a CSR, specifically the country name, state name, locality
name, organization name, common name etc?


The reason being, I ideally would like to automate the process of 
creating a CSR and have it not require user input (other variables would 
be passed to it by default from an outside source).


Something like...

	openssl req -days 3650 -nodes -new -keyout user.key -out user.csr 
-config -countryname SE -commonname user ...


Any help would be appreciated,

Thanks.


Advice/ideas

2002-01-30 Thread Jurgen Thor

I would like to use SSL as a method of client/server communication in the
following scenario:
Client (program) must authenticate with the server using a secret
certificate (can't have other programs connect with it), it can then
download media which should be encrypted on disk (to provide peace of mind
to the media suppliers). Ideally the media should be (have the option to
be) readable if the client isn't connected to the server, even though this
would present a security risk, so each media item would have a
certificate/key which would be encrypted, presumably with the client
certificate.
Summary: server needs to verify that the connecting *program* is valid (an
obfuscated build key perhaps?)
Items downloaded need to be stored encrypted so that only the client program
can decrypt them.
Any comments / advice? Clarification required?

Thanks for your time and help,

Jurgen