I'm no expert, but doesn't "connection reset by peer" mean that the other side
of the connection is hanging up? So maybe the error is with whatever you are
talking to? Andrew
On Wed, Jan 22, 2014 at 11:24:07AM +, Thirumal, Karthikeyan wrote:
> Dave,
> Thanks for your response. Please find t
On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote:
>
> i am not following this in any detail, but if you look at the certificate you
> included in your original email it expired in 2008. just look at it with
>
>openssl -text -in
openssl x509 -text -in
i am not following this in any detail, but if you look at the certificate you
included in your original email it expired in 2008. just look at it with
openssl -text -in
sorry if i'm jumping into something i've misunderstood,
andrew
On Fri, Dec 27, 2013 at 01:47:47PM -0600, Bobber wrote:
Hi,
I realise the 1.0.0 to 1.0.1 transition happened some time ago, but it only
hit Centos recently (with the 6.5 release). Some of our code broke, and while
I suspect the problem is too low-level / detailed for anyone to say anything
useful, I thought I better ask, just in case... (if you can h
ning? Or is it meant o just calculate
a digest (hash)? So that confusion may not be helping things. Sorry.
Andrew
On Tue, Dec 17, 2013 at 03:45:46PM -0300, Andrew Cooke wrote:
>
> Hi,
>
> I realise the 1.0.0 to 1.0.1 transition happened some time ago, but it only
> hit Centos
Yes, that's how my more recent engine-based code works. Maybe the best thing
is to merge those two code bases and get rid of this old stuff. Thanks,
Andrew
On Tue, Dec 17, 2013 at 07:56:46PM +0100, Dr. Stephen Henson wrote:
> On Tue, Dec 17, 2013, andrew cooke wrote:
>
> >
Argh, OK, the attribute is called sign. So it's correct, I just had the wrong
name in my notes. Andrew
On Tue, Dec 17, 2013 at 03:51:04PM -0300, Andrew Cooke wrote:
>
> I should have also said that this is called by X509_REQ_sign.
>
> So, in short, the EVP_MD.digest atrtibu
well, not really, because in practice the name has to match, so you are stuck
(as the earlier answer says).
i guess the answer is somewhere in the nss code...
andrew
On Fri, Dec 13, 2013 at 10:04:52PM +0100, Walter H. wrote:
> On 13.12.2013 21:16, andrew cooke wrote:
> >well, i r
t use (EDE
is saying something about DES - how to build 3DES from DES - rather than
giving a mode, isn't it?)?
andrew
On Fri, Dec 13, 2013 at 08:51:44PM +0100, Erwann Abalea wrote:
> Don't regret it, it wasn't that bad ;)
>
> --
> Erwann ABALEA
>
> Le
sorry, that was a bad joke i now regret sending. andrew
On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
>
> it dpends how many characters differ when sorted.
>
> in this case:
>
> ECDHE-ECDSA-DES-CBC3-SHA -> ---
it dpends how many characters differ when sorted.
in this case:
ECDHE-ECDSA-DES-CBC3-SHA -> 3AABDDDHHSSS
* *** **
ECDHE-ECDSA-3DES-EDE-SHA -> 3AACCEEHHSSS
you can see (marked by *) that 6 characters don't match.
now 6 is a triangular
You can write your own engine that calls the routines you have.
You can also write a shim library that wraps the library you have and presents
it as PKCS#11. Then you can use a PKCS#11 engine.
The first approach is easiest but the second gives you more options down the
line (you don't need to i
why not use -nopad when calling openssl enc, and add the zero padding
yourself?
> echo -n '' > topsecret.txt
> head -c8 /dev/zero >> topsecret.txt
> xxd topsecret.txt
000: 6161 6161 6161 6161
> openssl enc -des-cbc -K 0101010101010101 -
Hi,
I'm doing some work for a client who has a requirement to use ECDSA. However,
I am having a hard time working out which curves I should enable.
This site - http://safecurves.cr.yp.to/ - seems to be the current
state-of-the-art on which curves to use. It recommends five: Curve2213,
Curve117
Well, for the record, the hardware (PKCS11) library we were using wraps and
exposes some ancient version of OpenSSL. And was being linked first, blocking
libcrypto.
Andrew
On Tue, Mar 26, 2013 at 12:17:39PM -0300, Andrew Cooke wrote:
>
> I admit that this is probably not an OpenSSL-sp
I admit that this is probably not an OpenSSL-specific issue, but perhaps some
experienced C dev here has seen this before and would be kind enough to
explain? Apologies in advance, but (as I hope I can show) it's very odd...
So, I have a dynamic engine. One that works with openssl from the com
Damn! Thanks! I was looking at openssl req (because openssl x509 or
something similar does print a fingerprint).
With that, I can fix things...
Thanks again,
Andrew
At 08:50 AM 8/25/01 +0200, you wrote:
>On Sat, Aug 25, 2001 at 07:41:08AM +0100, Andrew Cooke wrote:
> > How does s
At 10:03 PM 8/24/01 +0200, you wrote:
>On Fri, Aug 24, 2001 at 05:28:43PM +0100, Andrew Cooke wrote:
> > What I should have asked is how to detect a *substitute* request. It will
> > be self-consistent, but will not match the correct private key.
> >
> > One s
Are you trying to import the certificate from a file that contains a
human-readable certificate before the
-BEGIN CERTIFICATE
line? If so, delete everything up to (but not including) that line and try
again.
Andrew
At 12:33 PM 8/24/01 -0500, you wrote:
>I am getting an error
>keytool
If there's a solution using existing code (ie the openssl utility) then I'm
asking the same questions (in effect) in the "Practical CA problem"
threads, so you might want to look at any answers that appear there
(hopefully!) too.
(You could also encrypt and then decrypt some data - if you ge
At 05:28 PM 8/24/01 +0100, you wrote:
>At 05:17 PM 8/24/01 +0200, you wrote:
>> Just verify the signature of request with : openssl -req -verify -in
>>requestfile
>
>Thank-you, but I made a mistake asking the question.
I was supposed to say Sorry too, at that point!
_
At 05:17 PM 8/24/01 +0200, you wrote:
> Just verify the signature of request with : openssl -req -verify -in
>requestfile
Thank-you, but I made a mistake asking the question.
What you are suggesting will detect a modified request (which is what I
wrote), but not someone substituting a diffe
Hi,
How do I detect whether a certificate request (in particular, the public
key) has been modified before signing?
The only solutions I can see are:
- doing an explicit test using private and public key
- checking the public key data in request and certificate by eye
I cannot see any way of
, I
could have spotted it from s_server output further down the page if I had
thought more clearly; yes I could have spotted it by comparing source if I
had concentrated better...!)
Cheers,
Andrew
At 12:10 PM 2/16/01 +0100, Lutz Jaenicke wrote:
>On Fri, Feb 16, 2001 at 10:56:47AM +0000, And
Hi,
I'm using 0.9.5a, but this should be easy to check in 0.9.6:
The no_tmp_rsa flag in s_server is ignored. There is an "#if 1" that
forces a callback to be used (which ignores the flag), blocking the code
that would test the flag before setting a value. Simply grep for
no_tmp_rsa in s_se
[Copied to Lutz + openssl - looks like you set follow up there]
Hi,
Thanks for two good suggestions. Although I was using neither, they don't
change much:
- I am now using SSLv23_method and SSL_OP_ALL
- The connection fails unless SSL_OP_NO_SSLv3 is included (ie SSLv3 is
excluded)
- The err
Hi,
This is a rather odd questions. Apologies if anyone has seen this on the
mod_ssl list (the same problem occurs with 0.9.5a; I haven't tried later
versions yet).
Anyway, if anyone can explain the following I'd be more than grateful:
I have some server code that uses openSSL. During testi
le CN's.
>
> Would it work? It would be subject to a MITS (man-in-the-stack) attack,
> but you've got bigger problems if you got a man in your stack ;)
>
> Greg Stark, [EMAIL PROTECTED]
> Ethentica, Inc.
> www.ethentica.com
>
> - Original Message
Be careful - verification needs to be integrated within the rest of the
cryptographic system. If you open up an encrypted connection and *then*
do verification your verification will probably be susceptible to
man-in-the-middle attack (basically, the man-in-the middle can
intercept and modify c
Geoff Thorpe wrote:
> On Thu, 24 Feb 2000, Andrew Cooke wrote:
[...]
> > Looking at the code, it seems that SSL_free only deletes the session if
> > the reference count is zero. So can I keep an SSL_SESSION simply by
> > incrementing the reference count and saving a pointer?
I'm looking at preserving sessions on the client and found the quoted
email saved away in my mailbox.
Looking at the code, it seems that SSL_free only deletes the session if
the reference count is zero. So can I keep an SSL_SESSION simply by
incrementing the reference count and saving a pointer
I was under the impression that Dr Stephen Henson, who posts regularly
to this list, does paid consulting/support. But looking at a recent sig
of his, maybe he has a real job now...
(Just in case he doesn't want to advertise himself :-)
Andrew
Andy Moskoff wrote:
>
> On Mon, 7 Feb 2000, Mik
I haven't used s_server and s_client, but to do this you would need to
call SSL_CTX_set_verify with SSL_VERIFY_NONE on the server and
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT (that's a binary or)
on the client. If no-one else replies, you should be able to work
backwards from the code t
client only
> needed the public key of the server, signed by the CA?
>
> Skye
>
> Word on the street is that Andrew Cooke said:
> >
> >
> > Skye Poier wrote:
> > >
> > > I think I might have it figured out.
> > >
> > > 1. Do step
There's a summary that's out-of-date, but still more-or-less OK at
http://www.intertrader.com/library/SSLeay/no_rsa.cfm
(Ignore the instructions on building the code and note that revoking a
certificate is now possible with the openssl ca command)
Andrew
> Jun-Hua Li wrote:
>
> Hi, I am new a
Hi,
I've compiled 0.9.4 using VC5 and haven't had any problems.
As far as I remember, I just followed the instructions in INSTALL.W32.
In particular, I don't remember specifying anything about threads
(although the makefile ms\ntdll.mak does include the MD flag). The
library is used in multit
> Josh Berezin wrote:
>
> Parity -- of course!
>
> Not to split hairs with Mr. Cooke, but 3DES is certainly much more
> than twice as secure as single DES, even if it does only provide 112
> effective bits of encryption. More like 2^56 times more secure
> (against an exhaustive search).
Sorry
If this is for marketing, then note that 3DES only provides 2*56 bits of
security - it's only twice as secure as DES. See Schneier's book for
details (and to check - I may be wrong - I remember some kind of meet in
the middle attack, but have no idea whether it is practical).
(So claiming "168
[For the list archives]
I think this is now cleared up - openssl by default uses \n rather than
\r\n. However, it is possible to change the format using a simple perl
script (or, apparently, by emailing certificates). Whether lines end
with \n or \r\n does not affect certificate use.
Andrew
"Leland V. Lammert" wrote:
> At 02:08 PM 1/6/00 , you wrote:
> >- You must unpack the tar file (which is like a zip file) using
> >something like PkZip or WinZip (or tar -xvf in Cygwin bash).
> I would assume that if someone download a tar file, .. they would have downloaded,
>perhaps, a UNIX fi
Hi,
I'm not sure that's right - I don't know if there is a zip file and
anyway PkZip can handle tar files.
In my previous reply I assumed that the person asking knew what a tar
file was - if not:
- You must unpack the tar file (which is like a zip file) using
something like PkZip or WinZip (or
Flemming Jans wrote:
> I'm using openssl 0.9.4 on Sparc Solaris 2.6/2.7 for a webserver like
> process which must recognize customers from a simple username/password
> scheme or from a client certificate.
>
> The customer 'subscription' is stored in a database where the username
> is the unique
Hi,
Not really a open-ssl bug, but it's interesting and I'm curious to hear
how people will be dealing with it: has anyone tried to make a
certificate that lasts for the next century? We tried (just because we
were fed up with test certificates expiring) and found that we couldn't
get past 2037
I guess I could if I knew what a Netscape plug-in was (I use OpenSSL to
communicate between components within our own software - I don't have
much experience of browsers etc).
Andrew
Michael Pogrebisky wrote:
> The method uses Netscape plug-in, so you can make your conclusions.
> Fro
Andrew Cooke wrote:
> Oliver King wrote:
> [...]
> > OK, silly me... I recompiled the library with SSL_ALLOW_ADH defined and the
> > ADH ciphers worked fine. Thanks for the pointers though. It's a bit weird
> > that the ADH ciphers still show up even when
Massimiliano Pala wrote:
> Andrew Cooke wrote:
[...]
> > If people want to use the utility routines as a "library" to build their
> > own CA scripts, then it would be better, for example, to provide a
> > separate routine that checks that they know the CA passwo
Michael Pogrebisky wrote:
> We've found a way to add any arbitrary CA certificate into certificate
> database of Netscape Communicator (on Win32 only) in a way completely
> transparent to users. I mean, no UI warnings or questions at all.
> If anyone is interested, I can e-mail the code.
Across
Massimiliano Pala wrote:
> Mario Fabiano wrote:
> > openssl ca -revoke asks for the CA key protection password, but the CA
> > key should be needed only to issue the CRL thst must be signed.
> NO. As the CA, from now on will consider the certificate REVOKED and in
> every CRL issued will mark it
Andrew Cooke wrote:
[...]
> PS OpenSSL seems better than SSLeay (even more comments in the code!) -
> thank-you to everyone who has contributed.
I just realised that could be read two ways, one of which only makes
sense as sarcasm - I meant "more comments in the
0.9.4 has openssl ca -revoke (don't know about earlier versions - we
were using SSLeay before, and it didn't have this). Note that index.txt
remains the same - the new database is in index.txt.new (the db inside
demoCA, or whatever the directory is called in your cnf file).
Andrew
PS OpenSSL s
Hi,
There's an old web page at
http://www.intertrader.com/library/SSLeay/no_rsa.cfm#use that I wrote.
Much is out of date (it is for SSLeay; in particular there is a
ca-revoke and no need for patches with OpenSSL), but the description of
how to generate certificates is still valid - I think it
@110
> SSLv23_method @111
> SSLv23_server_method@112
> SSLv2_client_method @113
> SSLv2_method @114
> SSLv2_server_method @115
Cheers,
Andrew
@111
> SSLv23_server_method@112
> SSLv2_client_method @113
> SSLv2_method @114
> SSLv2_server_method @115
Cheers,
Andrew
Ulf Möller wrote:
>
> On Thu, Dec 09, 1999 at 06:10:51PM +,
Yes they do. I will do it again to make sure (recording exactly what I
type) and post back.
Andrew
Ulf Möller wrote:
>
> On Thu, Dec 09, 1999 at 06:10:51PM +, Andrew Cooke wrote:
>
> > - Ichange NSTALL.W32 to mention this. Something like "If you use any of
> &
Hi,
This doesn't compile without deleting unused routines from the .def
files for the libraries. It's not a problem if you know about it but
could either:
- Ichange NSTALL.W32 to mention this. Something like "If you use any of
the -no-XXX options in Configure to exclude ciphers you will have
Jan Meijer wrote:
> You could have a point here. I was fooling around with a test certificate
> that is signed by our root CA (the SURFnet PCA). With this test-certificate
> I signed client certs and I had problems verifying the client certs. The
> troubles went away after including the PCA cer
Vin McLellan wrote:
>
> Date: Mon, 29 Nov 1999 14:11:47 -0800
> From: Tom Weinstein <[EMAIL PROTECTED]>
> Organization: Geocast Network Systems
> Sender: [EMAIL PROTECTED]
>
> Jaroslav Pinkava wrote:
> >
> > Where can I get the last informations about present SSL security status?
> > I seek mo
EKR wrote:
> Andrew Cooke <[EMAIL PROTECTED]> writes:
> > EKR wrote:
> > > Andrew Cooke <[EMAIL PROTECTED]> writes:
> > > > Nicolas Roumiantzeff wrote:
> > > > > Does anybody know why both IE and Netscape browser implement exclusively RS
Skye Poier wrote:
[...]
> Also, what files do I need to generate for the server and client
> (certificates? CA? private/public keys?) for those ciphers and what
> are the steps for doing that? I think I can be my own CA, also neither
> the client nor the server are checking certificates, we're
Dr Stephen Henson wrote:
> Andrew Cooke wrote:
> > However, it seems to me that it would be better if the verifier had only
> > the root CA certificate, and the verifiee supplied not just its
> > certificate, but the intermediate certs in the chain. In this way, the
> &
This isn't quite true - you can compile OpenSSL to be copyright free.
However, as far as I know (and my knowledge is a bit out-of-date, so
this may have changed), this then leaves SSL with cipher suites which
are not supported by the common browsers. So you can only write secure
applications tha
Hi,
I've been looking around and can't see an answer to this, but if one
exists, please point me to it rather than posting again...
I have been playing with certificate chaining (signing certs that are
signed by a certificate signed by a certificate signed by ... a
self-signed certificate) and
As the person who started this thread can I suggest that you look at
s_client.c in the apps directory. There is some sample code there that shows
how to handle SSL_read (just search for SSL_read) - it's pretty clear what
the code is trying to do.
Andrew
Stefan Pedersen wrote:
> Ok...
Hi,
The problem I am seeing does not resolve itself on subsequent calls to SSL_read -
if it fails to return -1 once, then repeated calls also return 0. In other words,
on most occassions when the socket closes it returns -1 immediately, but sometimes
it repeatedly returns 0.
If anyone could ex
ller wrote:
> On Tue, Apr 13, 1999 at 12:00:00AM +, Andrew Cooke wrote:
>
> > I am reading across the network, using SSLeay-0.9.0.b, and have an
> > intermittent problem - the sending socket is being closed, but this is
> > not always being detected by the receiving SSL. I
Hi,
I am reading across the network, using SSLeay-0.9.0.b, and have an
intermittent problem - the sending socket is being closed, but this is
not always being detected by the receiving SSL. In particular,
SSL_read(ssl, buffer, length)
is returning zero rather than -1.
This seems to be a bug,
Found it - Web Security and Commerce is a very good intro to
security issues. By Garfinkel and Spafford, pub by O'Reilly.
Andrew
At 02:17 PM 2/19/99 +, you wrote:
>
>This may be the same book... on a similar vein (good intro, but no
>maths) try the Nutshell book with the shark on the fron
This may be the same book... on a similar vein (good intro, but no
maths) try the Nutshell book with the shark on the front. Can't
remember the title or author and it looks like someone has "borrowed"
it
Andrew
At 12:13 PM 2/19/99 +, you wrote:
>On Fri 19 Feb, John wrote:
>> Hi guys,
Whoa! Why isn't this list configured so that if I hit reply
it goes to the original sender by default, and not the list?
ssl-users workled like that, as does another mailing list I
use. It was a bit of a surprise to see a message I thought
I had just dashed off to one person arrive on the list!
I think I mention DH in the docs at
http://www.intertrader.com/library/SSLeay/no_rsa.cfm
Andrew
At 02:59 PM 2/9/99 +0800, you wrote:
>Hi,
>
>I want to use the Diffie-Hellman part in OpenSSL, but I can't find a
>relevant documentation in the "openssl-0.9.1c\doc" directory. Anyone
>who knows co
70 matches
Mail list logo