Thanks for the help.
I've come to learn that my problem is the HSM. It removes the RSA values p,q
and d from the EVP key before returning it. This is normal since it is
protecting the key by keeping it in the HSM - duh. Anyway so, I cannot use it
as a normal key. "Live and learn"
So this
Hi all,
I'm currently enhancing HTTP(S) clients based on OpenSSL in several
flavors, in particular a CMP client, which in turn uses simple HTTP
clients for contacting CRL distribution points or OCSP responders.
Getting the client connect right appears surprisingly messy when one
needs to cope
The upgrade is now working fine in one of the applications which make TLS
connections. I can see the engine functions being called when some action
(sign/verify) which require the privatekey.
However, this engine is also used in a patched version of Racoon2.
In one of the files
> The rsa_mod_exp function is only called for private key operations. You can't
> tell if it is a private encrypt or a private decrypt though but that
> shouldn't matter because the operation performed at that level is the same for
> both.
Ah, I see. So to clarify (pls correct me if I'm wrong):
On Mon, Aug 28, 2017, Brett R. Nicholas wrote:
> > The rsa_mod_exp function is only called for private key operations. You
> > can't
> > tell if it is a private encrypt or a private decrypt though but that
> > shouldn't matter because the operation performed at that level is the same
> > for
>
On Mon, Aug 28, 2017, Leon Brits wrote:
> The upgrade is now working fine in one of the applications which make TLS
> connections. I can see the engine functions being called when some action
> (sign/verify) which require the privatekey.
>
> However, this engine is also used in a patched
> Note also that if you set the public key components (n, e) you don't need
> to perform the public key operations in your ENGINE if you keep the original
> bn_mod_exp(): OpenSSL will do them for you
This is good to know. However, I think I will be implementing modular
exponentiation for both
From https://www.openssl.org/news/secadv/20170828.txt
OpenSSL Security Advisory [28 Aug 2017]
Malformed X.509 IPAdressFamily could cause OOB read (CVE-2017-3735)
===
Severity: Low
If an X
On Mon, Aug 28, 2017, Brett R. Nicholas wrote:
>
>
> One more follow up question:
>
>
> > If possible you should set the public key components anyway: some operations
>
> > such as generating certificate requests require them to be present
>
> I'm confused what you mean here, since my
Hi Steve,
> Have you recompiled the application? Some structures have changed between
> OpenSSL 0.9.8 and 1.0.2 so you'll get problems with applications (or an
> ENGINE) compiled against the wrong headers.
In a build VM, both the TLS application and Racoon2 is compiled against freshly
compiled
10 matches
Mail list logo