Re: DSA certificates from windows certificate store into openssl
Replying to the DSA inquiry yesterday

Nou Dadoun

First thing is that an RSA certificate has RSA keys and a DSA certificate has Diffie-Hellman (DH) keys. In SSL, Diffie-Hellman is done for key exchange to create in each end a common shared secret. Thereafter, the channel is secure using the secret, not the DH keys. DSA is primarily for digital signature to check the authenticity as well as integrity.

Under OpenSSL, you can load both RSA and DSA certificates and key pairs in the SSL_CTX and SSL structure. If you use a DSA certificate, you must load DH keys. Although the RSA algorithm is used for both key exchange and signing operations, DSA can be used only for signing. Therefore, DH is used as the key agreement algorithm with a DSA certificate in an SSL application. Nonetheless, see these links on using the DH keys:
@ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch06s06.html
@ http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html#DESCRIPTION

DSA is not really used interchangeably with RSA. It is either the former or the latter. RSA and DSA certificates and keys are incompatible. An SSL client that has only an RSA certificate and key cannot establish a connection with an SSL server that has only a DSA certificate and key.

Check out these articles, which used DSA or RSA as the server certificate.
Java based @ http://www.novell.com/documentation/extend52/Docs/help/AppServer/books/admSecurity.html#1021296
Openssl based @ http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html#d0e3109

See the table of cipher suites in the above article, which illustrates the encryption strength avail. E.g.
DSA cert - TLS_DHE_DSS_WITH_AES_256_CBC_SHA
or
RSA cert - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Now there is also TLS1.2.

Coming back, RSA certificates are commonly used for SSL; SSL servers that use DSA certificates are rare. Just a quick compare is that DSA is faster at signing. RSA is faster at verifying. I see DSA for key exchange/sign only purpose while RSA can encrypt and sign.

Hth

Aaron Anderson
janders...@widener.edu
Widener University
610-499-1049
RE: DSA certificates from windows certificate store into openssl
Yes it is independent and what I meant is that it is either one and I doubt you want to go for such hybrid to be consistent and for key provisioning. Actually ECDSA or ECC is another efficient crypto also worth exploring. Overall it is up to you how you will want to make it operationally efficient. ... not forgetting the troubleshooting hassle and multiple users. :D

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Nou Dadoun
Sent: Wednesday, July 25, 2012 12:38 PM
To: janders...@widener.edu
Cc: openssl-users@openssl.org
Subject: RE: DSA certificates from windows certificate store into openssl

Thanks very much for your clearly laid out and informative note; most of this matches my intuitive understanding of the differences but having it elucidated backed with experience is invaluable, thanks again ... N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-----Original Message-----
From: Jaaron Anderson [mailto:janders...@widener.edu]
Sent: July 25, 2012 8:05 AM
To: openssl-users@openssl.org
Cc: Nou Dadoun
Subject: Re: DSA certificates from windows certificate store into openssl
Importance: High
RE: Cert issue with 64 bit build on Windows
@ James

I know sometimes with deep processes I'm learning that though you install it (__blank___) in one place on the x86 portion of 64bit Win7 or 2008 R2 ... there may be another place you also MUST register it and have it listed here FIRST in environment paths ... hth

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of James Swift
Sent: Monday, October 01, 2012 8:21 AM
To: openssl-users@openssl.org
Subject: Re: Cert issue with 64 bit build on Windows

Tests passed with no-asm

I checked my nasm version and I was using an old release candidate from 2010, 2.09rc6

Updated to version 2.10.05 from http://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D

Tests passed without the no-asm option in this case so we can say that a newer version of nasm than 2.09rc6 is required

Thanks for your help. I haven't checked yet but it seems likely this will fix my curl problem.

May I suggest updating the INSTALL.W32 file to point to http://www.nasm.us instead of the old sourceforge address and perhaps suggest some recent version of nasm known to work.

thanks again,
James

On 1 October 2012 13:55, Dr. Stephen Henson st...@openssl.org wrote:

On Mon, Oct 01, 2012, James Swift wrote:

Try running the OpenSSL tests using:

nmake -f ms\ntdll.mak test

rsa_test
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!

problems. Anyone else experience these?

Build machine:
Windows 7 Enterprise 64 bit, SP 1, Core i7 3930
Visual Studio 2010 Professional SP 1

perl Configure no-idea no-mdc2 no-rc5 VC-WIN64A
call ms\do_win64a
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test

Could be a compiler and/or assembler issue. Are you using nasm for the build or ml64? Try using a no-asm option to Configure and install nasm if you haven't already.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Error thrown by s3_pkt.c when connecting via flash sockets with socket.io over SSL
Try SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

I think it's included in SSL_OP_ALL, which you can specify by supplying -bugs to s_client

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Monday, October 01, 2012 9:19 AM
To: openssl-users@openssl.org
Subject: Re: Error thrown by s3_pkt.c when connecting via flash sockets with socket.io over SSL

On Fri, Sep 28, 2012, Justin Meltzer wrote:

Hello everyone,

My company is running into a problem which has been causing us a lot of strife. We're using socket.io to connect a cross-domain client to our node.js server over flash sockets using SSL encryption. Unfortunately, one of the OpenSSL files seems to be throwing an error preventing the connection from being established. The crux of the problem is explained here:
http://stackoverflow.com/questions/11571517/https-error-data-length-too-long-in-s3-pkt-c-from-socket-io

I'd be very grateful if anyone could point me in the right direction.

Have you tried setting SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
affected Openssl versioning for heartbleed clarity
Say all. If #Heartbleed exploits #OpenSSL 1.0.1 1.0.2-beta releases then if I have mod version 0.9.8 but not really using it am I clear from any heartbeat affected concern?

thx

JAaron Anderson
ITS Developer/Administrator
o:610/499-1049 x:610/499-1201 m:856/347-0JAA
www.Widener.Edu
RE: OS390 UNIX - openssl install questions
install openssl on mac
http://lmgtfy.com/?q=install+openssl+on+mac+site%3Aexperts-exchange.com

hth

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Shaffer, Terri E
Sent: Wednesday, April 04, 2012 3:15 PM
To: openssl-users@openssl.org
Subject: OS390 UNIX - openssl install questions

Hi,

I was wondering if anyone had any information on how to install openssl on z/OS UNIX? I have been getting numerous errors with the config and/or Configure files and sort of at a loss.

Thanks

Ms. Terri E. Shaffer
terri.e.shaf...@jpmchase.com
Engineer
J.P.Morgan Chase Co.
GTI DCT ECS Core Services
zSoftware Group / Emerging Technologies
Office: # 614-213-3467
Cell: # 412-519-2592
RE: intermediate, chained and linked certs
Ben,

Intermediate is only a fragment of the complete chain.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ben Adams
Sent: Friday, May 04, 2012 5:33 AM
To: openssl-users@openssl.org
Subject: intermediate, chained and linked certs

Hello,

I'm trying to create a cert with an intermediate cert for testing. So I'm going to build it all locally. I will be testing with uploading to cisco's netscaler.

I have done some looking around and I find the names of Intermediate, Chained look to be the same thing, Netscaler is using Linked for combining the certs into one on the machine. (Looks to be the same idea as others)

It looks to me all three are the same thing. Is this correct?

Also anyone have a way to make a Chained Cert on OpenSSL without going to an external company.

Thanks
BA
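
A locally built three-level chain of the kind asked about in this thread, as an added example that is not part of the original messages: it creates a test root CA, an intermediate CA and a server certificate with the `openssl` command line, then shows that the server certificate verifies only when the intermediate is supplied. The subjects, file names, 30-day lifetime and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> server certificate, built locally.
# Subjects, file names and the 30-day lifetime are constructed test values.

# write_profiles FILE -> extension profiles for the three roles, plus the
# minimal [ req ] section "openssl req" needs when -subj supplies the subject.
write_profiles() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# new_csr NAME SUBJECT -> NAME.key and NAME.csr in the current directory
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config profiles.cnf \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# issue CHILD PROFILE ISSUER -> CHILD.pem issued by ISSUER with PROFILE's extensions
issue() {
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 30 -sha256 -extfile profiles.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
}

# build_chain DIR -> root.pem, inter.pem, leaf.pem and leaf-chain.pem in DIR.
# leaf-chain.pem is the "chained"/"linked" file: server certificate, then issuer.
build_chain() (
    umask 077
    mkdir -p "$1" && cd "$1" && write_profiles profiles.cnf &&
    new_csr root "/CN=Test Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile profiles.cnf -extensions root_ca -out root.pem 2>/dev/null &&
    new_csr inter "/CN=Test Intermediate CA" && issue inter sub_ca root &&
    new_csr leaf "/CN=www.example.test" && issue leaf leaf inter &&
    cat leaf.pem inter.pem > leaf-chain.pem
)

# verify_leaf DIR [INTERMEDIATE] -> true if leaf.pem chains to root.pem;
# without the intermediate the path cannot be built and verification fails.
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} "$1/leaf.pem" \
        2>/dev/null | grep -q ': OK$'
}
```

Run `build_chain ./testpki` and then `verify_leaf ./testpki ./testpki/inter.pem`; the keys are unencrypted and meant for a throwaway test directory only.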
RE: Generate CSR, based on information in a file.
BC,

Sounds like maybe a wildcard cert could help expedite your production for you perhaps.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Brent Clark
Sent: Thursday, May 10, 2012 6:41 AM
To: openssl-users@openssl.org
Subject: Generate CSR, based on information in a file.

Good day

I would like to ask. The information that is needed for when you generate a CSR, can that be stored and read by openssl to generate the CSR.

Reason I'm asking is. I have to generate quite a few CSRs, that idea is like a batch / for loop to read the CSR information file, and I output a CSR.

I googled and stumbled across this.
http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html

But hacking with variable subject lines, just appear wrong.

If anyone can help, it would be appreciated.

Regards
Brent Clark
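
One way to do the batch run asked about in this thread, as an added example that is not part of the original messages: each line of an input file becomes an `openssl req` configuration with `prompt = no`, so the subject is read from the file instead of being spliced into `-subj` strings. The `CN|O|C|SANs` line format, the function names and the example.test hostnames are assumptions made for this example.

```shell
#!/bin/sh
# Added example: batch CSR generation driven by a flat file.
# Line format (an assumption of this example): CN|O|C|extra DNS names, comma-separated
# Constructed sample line: www.example.test|Example Org|US|example.test,www2.example.test

# fields_ok CN O C SANS -> true only if every field is safe to write into a config.
# openssl's config syntax gives $, # and \ a meaning, so use an allow-list.
fields_ok() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $2 in ''|*[!A-Za-z0-9\ .,-]*) return 1 ;; esac
    case $3 in [A-Z][A-Z]) ;; *) return 1 ;; esac
    case $4 in *[!A-Za-z0-9.,-]*) return 1 ;; esac
    return 0
}

# csr_config CN O C SANS -> prints an "openssl req" config; prompt = no takes
# the subject from the [ dn ] section instead of asking for it or needing -subj.
csr_config() {
    san="DNS:$1"
    for name in $(printf '%s' "$4" | tr ',' ' '); do
        san="$san,DNS:$name"
    done
    cat <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = $3
O  = $2
CN = $1

[ ext ]
subjectAltName = $san
EOF
}

# make_csrs LIST OUTDIR -> writes CN.cnf, CN.key and CN.csr for each valid line
# and prints the number of rejected lines.
make_csrs() {
    rejected=0
    mkdir -p "$2" || return 1
    while IFS='|' read -r cn org country sans || [ -n "$cn" ]; do
        if ! fields_ok "$cn" "$org" "$country" "$sans"; then
            rejected=$((rejected + 1)); continue
        fi
        csr_config "$cn" "$org" "$country" "$sans" > "$2/$cn.cnf"
        ( umask 077   # private keys readable by the owner only
          openssl req -new -newkey rsa:2048 -nodes -config "$2/$cn.cnf" \
              -keyout "$2/$cn.key" -out "$2/$cn.csr" </dev/null 2>/dev/null ) || return 1
    done < "$1"
    echo "$rejected"
}
```

Call it as `make_csrs hosts.txt ./csr-out`; lines that fail the allow-list are counted and skipped rather than written into a config.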
RE: OpenSSL Security Advisory
Also try your range here https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Hth
jaa

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
Sent: Friday, April 11, 2014 7:40 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL Security Advisory

On 10.04.2014 13:16, Rob Stradling wrote:

On 09/04/14 20:43, Salz, Rich wrote:

Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end:

Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest.

Simpler still...
https://gist.github.com/robstradling/10363389

It's based on what Viktor posted, but it works without patching the OpenSSL library code.

Hello,

I get a link error - the same as the 2nd comment mentions there; how can I fix this?

Thanks,
Walter

--
Mit freundlichen Grüßen, Best regards, Mes salutations distinguées,
Ing. Walter Höhlhubmer
Lederergasse 47a/7
A-4020 Linz a. d. Donau
Austria/EUROPE
(+43 664 / 951 83 72)
RE: Linux Foundation Core Infrastructure Initiative fellowships
Wow you guys are rocking kudos -- #contagious

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess
Sent: Thursday, May 29, 2014 11:40 AM
To: openssl-users@openssl.org
Subject: Linux Foundation Core Infrastructure Initiative fellowships

I am very pleased to announce that the Linux Foundation Core Infrastructure Initiative (CII), http://www.linuxfoundation.org/programs/core-infrastructure-initiative, has extended full time fellowships to Stephen Henson and Andy Polyakov of the OpenSSL project. Andy will need to disengage from significant responsibilities with his current employer over a period of two months, but Steve is on the job already as the first ever dedicated full time resource.

By mutual agreement I'm not mentioning any specific numbers, but these fellowships constitute compensation comparable to what their skillsets and experience would bring in the private sector. This is huge news for OpenSSL; we will have the two key developers able to concentrate 100% on the maintenance and improvement of OpenSSL without the distractions of day jobs or worrying about rent money.

While the fellowship offers are strictly hands-off, with no restrictions on what Steve and Andy can or cannot work on, it is their expectation, desire, and intention that they will focus on discharging the responsibility they have always felt to see that OpenSSL is as secure and reliable as possible. As of today "possible" has just been redefined in a very positive way. They will be able to give sustained attention to what needs attention most, as tedious and unsexy as that may be.

To that end I should note that the LF CII is also funding a code audit of OpenSSL by the Crypto Audit Project (OCAP). We plan to work closely with Kenn White and his colleagues on that effort.

Along with the recent Nokia, Smartisan, and Huawei sponsorships this Linux Foundation funding constitutes a bright new beginning for OpenSSL. My colleagues are already busily discussing plans for leveraging these new resources to address multiple issues and revitalize OpenSSL. I hope we'll have some detailed plans to share publicly in a week or two.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc