Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Robert Moskowitz



On 08/28/2017 09:44 AM, Alan Buxey wrote:

hi,



2) How can I get the list of ciphers supported by openssl 01.01.0f?


openssl ciphers -v ???



These questions look to be very basic, but I could not find any concrete
information regarding them by googling.

Google provides the answers if your question is well formed. Or you
could just read the openssl man pages?


And I have found Professor Google to be very patient with me as I form 
my questions to get answers I can work with.  But there HAVE been times 
when my search-fu has been weak, and the good Professor just can't 
figure out what I want to learn.


Bob


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Alan Buxey
hi,


> 2) How can I get the list of ciphers supported by openssl 01.01.0f?


openssl ciphers -v ???


> These questions look to be very basic, but I could not find any concrete
> information regarding them by googling.

Google provides the answers if your question is well formed. Or you
could just read the openssl man pages?

alan


Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Robert Moskowitz



On 08/28/2017 09:07 AM, Viktor Dukhovni wrote:

On Mon, Aug 28, 2017 at 06:13:51AM -0400, Robert Moskowitz wrote:


1) What happens to the existing SSL connections on certificate expiry?
Does openssl disconnect the existing connection?

No, once authenticated, TLS connections continue indefinitely,
until either party chooses to disconnect.  The expiration of the
certificate does not invalidate the integrity of the original key
exchange, and presents no obvious increased risk of active attack.


Generally speaking:

openssl has nothing to do with an SSL/TLS connection.  It created the
certificate; it is not the application using the certificate.

This is wrong.  Many applications delegate certificate verification
to the OpenSSL library.  OpenSSL does not limit connection lifetime
based on certificate expiration.


Argh, you are right.  The libraries are indeed used.  I was thinking the 
whole program.  My error.  Thinking too narrowly.





That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client
(Web browser, Mail client, VPN client).  Most of these pay no attention to
the expiry date.

This is wrong.


They pay no attention to the expiry date to force the session to end at 
that time by adjusting the session lifetime to be no later than the 
expiry date.  Though there are probably apps out there with this behavior.


They do indeed ensure that the certificate is within its dates.  A 
nuance that I did not make clear.





Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Viktor Dukhovni
On Mon, Aug 28, 2017 at 06:13:51AM -0400, Robert Moskowitz wrote:

> > 1) What happens to the existing SSL connections on certificate expiry?
> > Does openssl disconnect the existing connection?

No, once authenticated, TLS connections continue indefinitely,
until either party chooses to disconnect.  The expiration of the
certificate does not invalidate the integrity of the original key
exchange, and presents no obvious increased risk of active attack.

> Generally speaking:
> 
> openssl has nothing to do with an SSL/TLS connection.  It created the
> certificate; it is not the application using the certificate.

This is wrong.  Many applications delegate certificate verification
to the OpenSSL library.  OpenSSL does not limit connection lifetime
based on certificate expiration.

> That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client
> (Web browser, Mail client, VPN client).  Most of these pay no attention to
> the expiry date.

This is wrong.

-- 
Viktor.


Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Robert Moskowitz



On 08/28/2017 06:13 AM, Robert Moskowitz wrote:



On 08/28/2017 01:09 AM, mahesh gs wrote:

Hello All,

We are using openssl to provide secure communication for our 
application. I have some basic queries about the openssl behaviour.


1) What happens to the existing SSL connections on certificate 
expiry? Does openssl disconnect the existing connection?


Generally speaking:

openssl has nothing to do with an SSL/TLS connection.  It created the 
certificate; it is not the application using the certificate.


That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a 
client (Web browser, Mail client, VPN client).  Most of these pay no 
attention to the expiry date.  Some, like IPsec, specify to check the 
expiry date and set the maximum connection lifetime to less than it.  
Of course even there your mileage will vary by how each product author 
read the specs.


I recall now the IPsec debate on this.  The consensus was that at the 
time of connection setup, the certificate was valid.  Thus the parties 
could set whatever connection lifetime they have in their policy.  It 
was not considered MANDATORY to shorten the lifetime to the certificate 
expiry date.  This was important, as there are IPsec policies with 
month-long connection lifetimes.






2) How can I get the list of ciphers supported by openssl 01.01.0f?

These questions look to be very basic, but I could not find any 
concrete information regarding them by googling.


Thanks,
Mahesh G S










Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Robert Moskowitz



On 08/28/2017 01:09 AM, mahesh gs wrote:

Hello All,

We are using openssl to provide secure communication for our 
application. I have some basic queries about the openssl behaviour.


1) What happens to the existing SSL connections on certificate 
expiry? Does openssl disconnect the existing connection?


Generally speaking:

openssl has nothing to do with an SSL/TLS connection.  It created the 
certificate; it is not the application using the certificate.


That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a 
client (Web browser, Mail client, VPN client).  Most of these pay no 
attention to the expiry date.  Some, like IPsec, specify to check the 
expiry date and set the maximum connection lifetime to less than it.  Of 
course even there your mileage will vary by how each product author read 
the specs.




2) How can I get the list of ciphers supported by openssl 01.01.0f?

These questions look to be very basic, but I could not find any 
concrete information regarding them by googling.


Thanks,
Mahesh G S






Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Paul Yang

> On 28 Aug 2017, at 13:09, mahesh gs  wrote:
> 
> Hello All,
> 
> We are using openssl to provide secure communication for our 
> application. I have some basic queries about the openssl behaviour.
> 
> 1) What happens to the existing SSL connections on certificate expiry? Does 
> openssl disconnect the existing connection?

It depends on how you control OpenSSL to process the verification. Read the man 
page of SSL_CTX_set_verify (and related) function. Seems you can find the doc 
there: https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_verify(3) 

> 
> 2) How can I get the list of ciphers supported by openssl 01.01.0f?

Either by using an API such as 'SSL_get_ciphers' or a command line tool ('openssl 
ciphers some-options'); read the related documentation for details.

> 
> These questions look to be very basic, but I could not find any concrete 
> information regarding them by googling. 
> 
> Thanks,
> Mahesh G S

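The two answers above (the library-side SSL_get_ciphers / SSL_CTX_set_verify route, and the "openssl ciphers -v" command) and Bob's description earlier in the thread of the IPsec-style policy of capping a connection's lifetime at the certificate's expiry can be put together in one small script. This is an added example, not code from the thread or from the OpenSSL project. It uses Python's standard ssl module, which wraps the same OpenSSL calls: SSLContext.set_ciphers() is SSL_CTX_set_cipher_list(), SSLContext.get_ciphers() is SSL_get_ciphers() plus SSL_CIPHER_description() per suite, and the notAfter string format is the one getpeercert() returns. The cipher strings, the "weak" classification and the sample notAfter date are my own choices for illustration.

```python
import ssl
import time
from typing import Dict, List, Optional


def list_ciphers(cipher_string: str = "DEFAULT",
                 include_tls13: bool = False) -> List[Dict]:
    """Return the suites OpenSSL would offer for cipher_string.

    Library-side twin of `openssl ciphers -v cipher_string`:
    set_ciphers() -> SSL_CTX_set_cipher_list(), get_ciphers() ->
    SSL_get_ciphers() with SSL_CIPHER_description() for each entry.
    TLS 1.3 suites (OpenSSL 1.1.1+) are not governed by the cipher
    string at all, so they are dropped unless explicitly requested.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers()
            if include_tls13 or c["protocol"] != "TLSv1.3"]


def cipher_string_is_valid(cipher_string: str) -> bool:
    """True if OpenSSL can select at least one TLS 1.2 suite from it.

    A typo in a cipher string is a deployment-time failure, not a
    silent fallback: SSL_CTX_set_cipher_list() returns 0 and Python
    raises ssl.SSLError.
    """
    try:
        list_ciphers(cipher_string, include_tls13=True)
        return True
    except ssl.SSLError:
        return False


def is_weak(cipher: Dict) -> bool:
    """Illustrative policy: reject anonymous key exchange, non-AEAD
    record protection, or key strength below 128 bits."""
    return (cipher.get("auth") == "auth-null"
            or not cipher["aead"]
            or cipher["strength_bits"] < 128)


def session_lifetime(not_after: str, policy_seconds: int,
                     now: Optional[float] = None) -> int:
    """Cap a session's lifetime at the peer certificate's notAfter.

    This is the IPsec-style policy discussed in the thread; TLS itself
    does not do this.  not_after is the string getpeercert() returns,
    e.g. 'Aug 28 09:07:00 2017 GMT' (a constructed sample here).
    Returns 0 if the certificate has already expired.
    """
    if now is None:
        now = time.time()
    remaining = ssl.cert_time_to_seconds(not_after) - now
    return int(max(0, min(policy_seconds, remaining)))


if __name__ == "__main__":
    # 'description' is the same text `openssl ciphers -v` prints.
    for c in list_ciphers("HIGH:!aNULL:!MD5"):
        flag = "   <-- weak by the policy above" if is_weak(c) else ""
        print(c["description"].strip() + flag)
    print(cipher_string_is_valid("NO-SUCH-CIPHER"))
    # A long-expired sample notAfter: the policy says 0 seconds.
    print(session_lifetime("Aug 28 09:07:00 2017 GMT", 30 * 86400))
```

Run it with the Python build you actually deploy: the list reflects the OpenSSL that interpreter is linked against, which is the same thing Viktor's and Alan's answers are pointing at, not an abstract "OpenSSL 1.1.0f" list.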


[openssl-users] Existing connections on certification expires

2017-08-27 Thread mahesh gs
Hello All,

We are using openssl to provide secure communication for our
application. I have some basic queries about the openssl behaviour.

1) What happens to the existing SSL connections on certificate expiry?
Does openssl disconnect the existing connection?

2) How can I get the list of ciphers supported by openssl 01.01.0f?

These questions look to be very basic, but I could not find any concrete
information regarding them by googling.

Thanks,
Mahesh G S