Michael Sierchio wrote:
I'm not suggesting that this isn't useful, just that it is not
a defect that it isn't part of the key format itself.
That may or may not be true, but none of your arguments support this point.
I'm learning towards a belief that it is a defect, but I am not thoroughly
Wow, is it possible one can't get help on this simple question??
It's entirely possible that the person who had the answer to your question
saw it and had no idea they knew the answer. Your question contains *no*
details. It would require someone to go hunting to figure out what your
Michael Sierchio:
If it's your policy not to reuse keys, or allow their use beyond
the lifespan of the certificate, then the enforcement mechanism
for this MUST be in the CA.
I completely disagree. If this were true, CA's would generate the private key
as part of the certificate issuing
David Schwartz wrote:
Michael Sierchio:
If it's your policy not to reuse keys, or allow their use beyond
the lifespan of the certificate, then the enforcement mechanism
for this MUST be in the CA.
I completely disagree. If this were true, CA's would generate
the private key
David's apparent statement is the person trusting the time is the
person generating the key.
Michael's apparent idea is if you're generating it and including it
in the key format, then you're making an assertion which must
trustable by people other than the person generating the key.
Michael Sierchio wrote:
Anyway, in the case of RSA keypairs we don't manufacture them, we
discover them. They're already there, we just search for our p's and q's
in the appropriate range and rely on chance starting conditions to find
some not in use. I suggested, but not entirely in jest,
Steffen Dettmer wrote:
You may argue, and get me to agree, that cert
reissue/resigning with the same SubjectPubkeyData is a bad
idea. Make 'em generate keypairs. Keep a list forever of
pubkeys seen in certs and reject any that appear in CSRs.
(CSR? Is this like a CRL or something
Do you want to do it inline or not. If not I can send the commands.
EL HACHIMI Driss wrote:
Hello,
I have to setup an SSL communication between a client and a server. I
have bought the OpenSSL book and I have downloaded the last OpenSSL
release version.
I think the first think to do is to
The vague idea I've gotten so far is that I need to somehow
transfer the SSL_SESSION to the new process. Examining the
output of SSL_SESSION_print_fp() I see that the session ID
and master key change every time SSL is initialized, so
simply reinitializing the SSL library in the new process
Doesn't what you suggest create a headache? Every time I want to
decrypt an
old message I sent or I received, or a file, I will need to
change the mail
client configuration and point it to another private key.
One would hope your mail client will allow you to keep any number of key
Arguably, you shouldn't do it even once, because it's extremely easy
to fall into the pattern of one key and one key only in the systems
design or implementation. I can't remember who coined the phrase, but
it's not good crypto hygeine.
I have argued many times that not including the
I have argued many times that not including the creation date
in every private key data format was a *huge* mistake.
Furthermore --
How do you know what time it is? How do I know you know what time
it is? Do I trust you to put the correct time, or even a monotically
increasing
Thanks Marek!
One last question, can an algorithm or cipher suite be enabled or
disabled on OpenSSL by an user (I mean, without needing to
recompile and redistribute OpenSSL binaries)?
You can definitively disable an algorithm by not including it in the
libraries. Most programs that use
I am using s_client and s_server right now and it is working for me.
I specify the -certs file and the CAfile for the root.
Josh wrote:
Hello,
We are getting an odd self-signed cert error when using openssl s_client
to test the connection for a web service on an internal server. This
Let's start with the obvious, just to make 100% sure we're really having an
issue here.
Here is one code example where I'm reading a 10-byte block of data
(always 10-bytes, not less):
bufptr = (u_char *)wh;
for (nread = 0; nread sizeof(wh); nread += ret) {
ret =
I am using the s_client() program in openssl to test my certificates.
Anyone ever see this error?
subject=/C=US/ST=Colorado/L=Louisville/O=SUN/OU=Storage Group/CN=topeka
issuer=/C=US/ST=Colorado/L=Louisville/O=SUN/OU=Storage Group/CN=RootCA
---
No client certificate CA names sent
---
SSL
Consider:
char buf[1024];
int i, j;
buf[1024]=0; // to make sure we don't run off the end
Does not C number the indices: 0..1023?
Yeah, that's what I get for hastily constructing an example.
DS
__
OpenSSL
when i compile the program p192.c i get following error
[EMAIL PROTECTED] ~]# gcc p192.c
This is not the command to compile. This is the command to compile and link.
gcc -c p192.c is the command to compile, and you will likely get no
errors.
/tmp/ccicrxZV.o: In function `main':
We are using OPEN SSL library in our client server application. We are
using SSL_WRITE and SSL_READ api used to read and
write operations between them. Connection is broken When server sends very
large message (more than 56K) using SSL_WRITE api.
That's probably due to a bug in your code.
26.02.08, 23:23, [EMAIL PROTECTED]:
Hello,
I have to connect to my OpenSSL server through proxy server.
How can I
establish this connection?
Establish tcp connection through proxy (connect, socks5, transparent,
reverse or any other)
and next run SSL on this tcp connection.
Best
My application calls some library functions, which uses
OpenSSL. When my appliction runs, I believe OpenSSL emitted
some messages described below.
Nope. Your application emitted them. OpenSSL detected them and reported
them, you chose to print them out.
Does anyone know what caused those
..I mentioned overhead not in terms of data bytes, but the time.
Considering that in the system each session should not last not
more than 3-4 seconds, and client wanting to make multiple SSL
session with server, persistence can offer performance improvement.
You're just making that up,
I'm encrypt a file using RSA_private_encrypt, this work fine.
Actually, you've *signed* the file, not encrypted it. And you've done so
incredibly badly at that.
DS
__
OpenSSL Project
This is nearly impossible to do. It's possible that you did it correctly,
but very unlikely. The basic problem is this -- when you call 'read' to
get
the last message of the first session, how do you make sure you also
don't
get all or part of the first message of the second session?
I do
I have a SSL client and a server application.The client connects to a
SSL server in a TCP socket persistence mode, i.e, it does a data
exchange with the server through a SSL connection , tears down the SSL
connection but again sends out a client_hello in the same TCP socket
connection it had
But, the application code tries to clear out/shutdown existing
SSL session with orderly bi-directional alerts. Once shutdown it
creates a new SSL object 'ssl' [ssl = SSL_new (ctx)]
for the next session in persistent connection..
This is nearly impossible to do. It's possible that you did it
Can someone point me to some documentation on how to create certificates
during runtime in the code?
I can use the openssl command from solaris at the terminal but how do I
do it in the code?
Thanx.
Dave
__
OpenSSL
Please give me some feedback.
Why don't you just call RAND_add? This seems like a complicated way to
accomplish nothing.
DS
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
When I connect to our printer server, the certificate is never verified
correctly. When I specify the CA certificate file manually on the command
line, it works though. The root certificate in question is installed, and
^
I am using the latest 9.8g openssl on Solaris 10 update 3. The ssl
handshake is working fine. I want to use the Niagra 2 chip to do my
encryping but I need the pkcs11 engine. The 9.8g
ENGINE_load_builtin_engines() does not have pkcs11.
How do I get it and if there is a way then how do I
After the accept do the following... BTW...are you using the pkcs11
engine? I am trying to find out the patch for 9.8g version.
sbio=BIO_new_socket(socketFd, BIO_NOCLOSE);
// Create a new SSL structure
ssl=SSL_new(ctx);
// Connect the read and write BIOs
Joel Christner wrote:
dataRead=recvfrom(connfd,readBuffer,sizeof(readBuffer),0,NULL,NULL);
for (i=0;istrlen(readBuffer);i++) {
Umm, you just stored the number of bytes read in 'dataRead'. Why are you
passing 'readBuffer' to strlen? The 'readBuffer' contains the array of bytes
read from the
Sorry for my bad english, it crashes, it doesn't hang.
Then compile with '-g' and run 'gdb' on the core dump. Post the output of
the 'where' command.
DS
__
OpenSSL Project
Program received signal SIGPIPE, Broken pipe.
You need to either catch or ignore SIGPIPE.
There is also the output of the program. I think the focus should
not be on the call the caused the crash, but on the call before,
which returned 7 even if the connection was closed.
There's nothing
ret = SSL_write( m_ssl, buf, buf_lef );
which returns -1, as you'd expect. But (and here's the odd part) when I
call:
SSL_get_error( m_ssl, ret )
it returns SSL_ERROR_WANT_READ, not SSL_ERROR_WANT_WRITE. How can this
be!? The OpenSSL library is setup in client mode, so shouldn't
I found out that if I keep calling SSL_write, if the connection
is closed remotely (killing stunnel), my application hangs.
I thought your problem was crashing. Now I see that it's hanging. These are
two totally different problems.
I made some tests, and saw that the error happens only if I
If I close stunnel, the next SSL_write will return a positive value,
as if everything is ok, the second causes sudden application termination.
Make a build with debugging symbols, get a core dump, and analyze it with
'gdb' or similar. Alternatively, post the smallest complete, compilable
Hi All;
Thanks to you for your suggestions. I followed your suggestion
and removed ssl/ssl_task.c and compiled it but I got one
problem which is as follows:
crypto\sha\sha1s.cpp, line 72: cc0020: error: identifier GetTSC is
undefined
GetTSC(s1);
You have no TSC, so this
Can you share the code that you found, a link to it, or at
least a hint as to which search engine you found it on?
http://www.cs.odu.edu/~cs772/sourcecode/NSwO/compiled/encdec.c
There you go.
I'm curious -- do you understand what the code you are compiling is supposed
to actually *do*?
I made a program that connects to a stunnel server.
I am able to connect to the server, read, write, with no problems.
Good.
The problem is that if I close the stunnel, I can handle the error
correctly if I make an SSL_read, but not if I make an SSL_write.
The SSL_write returns a positive
Hi David,
Yes indeed I do. I have seen that link before,
but it doesn't contain the contents of incremental_send
(this data is left hanging in limbo with nothing to do).
That is the contents of incremental_send.
My goal is to integrate this into a sockets application
I'm using where
The source for incremental_send isn't in the book anywhere
that I've seen.
Well then that explains the problem. You are calling a function that does
not exist.
I'm using the first edition (June 2002).
My code does call incremental_send,
and the code I'm trying to compile is the example
Hi David,
I'm down to symbol not defined for one item - incremental_send
(and I can't find what file this is supposed to be in).
Well, you need to do that.
I re-installed to /usr/include/openssl and used --prefix=/usr/include
and --openssldir=/usr/include/openssl
I'm trying to compile
Ummm, I realize that. I've tried hunting down where the
incremental_send method is and I can't find it anywhere.
It's in your book.
Can you give some suggestions on the rational troubleshooting
you recommend?
Check your source code for references to incremental_send. You can use
grep for
Sorry I didn't update the list, but I tried with
-lssl and -lcrypto, as well as -I/usr/include/openssl.
And what happened? Did you get the same error messages or different ones?
I've reinstalled openssl to no avail.
What directories did you install to? And did you tell your compiler/linker
On Feb 3, 2008 10:51 AM, David Schwartz [EMAIL PROTECTED] wrote:
mac# gcc blowfish.c -o blowfish
Where did you get this command from and what
was it supposed to accomplish?
blowfish.c is a progam I wrote which contained a series of methods for
initializing, encrypting, and decrypting
mac# gcc blowfish.c -o blowfish
Where did you get this command from and what was it supposed to accomplish?
DS
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
Hi there
I am trying to integrate a paypal shopping cart into my site and paypal
recommend getting a security certificate from your website.
Their site tells users to find the WIN32 section of your site to get
the source for the certificate but I cant find that section anywhere.
I googled
Thanks, but as I said, I cannot simply provide my own linkable versions
of fopen, fread, etc. These functions are reserved by the system for
other uses.
Is there no way to cleanly override IO in OpenSSL?
Thanks.
Just never ask OpenSSL to operate on a file. If you want to read a key in
Now the problem is before the connection is established.
Select is based on the file descriptor. Looks like I can't get
the file descriptor before the connect.
FD_SET(BIO_get_fd(conn, c), rfds) BIO_get_fd
returns null. what did I do wrong?
You should not be calling 'select' until told to.
Because that's what HTTP version 1.0 says to do, and you asked
for HTTP 1.0
behavior. If it didn't, how would the client know when it got the entire
request?
(You mean the entire response, and in particular response body
aka entity.)
Right.
Content-length is allowed in 1.0, and if
Hello!
I use openssl to work with apache server via https.
But I see a strange situation when the second and the third calls
to send()
in my test-case read 0 bytes from socket.
Can you provide here any help?
Why is that surprising? That's exactly what I would expect to happen. When
the
Hi
Thanks for reply.
In fact, I'm not sure why apache closes connection even if I set KeepAlive
to On in httpd.conf.
Because that's what HTTP version 1.0 says to do, and you asked for HTTP 1.0
behavior. If it didn't, how would the client know when it got the entire
request?
If I send
The problem is if I give the name of the extension given as in the
certificate,
What is the name of the extension given as in the certificate?
Certificates don't contain extension names.
the OBJ_sn2nid function is throwing NULL value that
means it is
unable to find the extension.
Probably
3. I installed OpenSSL and run it in the Windows Vista cmd and
the command
is
openssl genrsa -out my-pkey.pem 1024
I got the following:
C:\OpenSSLopenssl genrsa -out my-prvkey.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long
Can you elaborate a little bit more cause I'm totally new to
this openssl. I'm doing this to create encryptions for my
paypal buttons
You want me to elaborate on, I think it should be safe to ignore?
If you want more details, read this question and answer. It doesn't directly
apply, but it
By the way, this detailed explanation was my first hit Googling
'openssl not seeded'.
This comment, while true, it not useful. I meant to point out that it was my
first hit when Googling 'openssl unable to write'.
DS
__
I just found out that the files i have been creating are in the
OpenSSL folder, not in the Bin folder. Are those files that I have created
working ? how do i test it ?
I have no idea what files you are talking about. You could be talking about
keys, certificates, configuration files,
Sorry for not being clear.
I was following the link you have provided below. First I was trying to
generate a private key by
type openssl genrsa -out my-prvkey.pem 1024 to the windows Vista CMD
and the result was:
C:\OpenSSLopenssl genrsa -out my-prvkey.pem 1024
Loading 'screen' into
smime.p7m
Description: S/MIME encrypted message
Hello David,
Then why are you downloading OpenSSL? It's a library, a toolkit.
It has no enduser application.
Are you really sure?
I subscribed, while at the openssl.org site for this list
the description was given:
openssl-users open anybody Application Development, OpenSSL Usage
I am newly looking into the openSSL code part and trying to understand.
I have a few silly doubts regarding the usage and implementation of
openSSL along with Heimdal Kerberos. Could you please let me know whom
can I contact?
Ask your question in this newsgroup. It is for users of OpenSSL.
OpenSSL is *NOT* intended to be 'used' by people who use
programs that use
it. It is intended to be used by programs and by people who make them.
I'll stick my 0.01 euro cent in here and state i disagree with this
hypothesis. whether you are a user via a 3rd party program (as almost
???
I'm sorry, I never did any programming, never any compiling,
I'm just an enduser, using payware, shareware and freeware
programs, that are already prepared for use. ;-)
Then why are you downloading OpenSSL? It's a library, a toolkit. It has no
enduser application.
If you are installing
The entire body of source code which makes up OpenSSL and is
distributed as OpenSSL, btw, might fall under the compilation
copyright rules. My understanding of those rules (which govern
things like phone books, dictionaries, databases, and anything else
that sources from multiple places and
license prohibited any other kind of
modification that the GPL allowed. For example, you cannot place something
under the GPL that outputs David Schwartz is the best, all must kneel
before him to your system log every time you run it and add a license
clause that you must leave that intact
No you can't change anything at all in the validate source so you are SOL.
What if you made your own compiler that was identical to 'gcc' except that
when asked to define 'B_ENDIAN' it defines 'L_ENDIAN'? I realize this may
violate the spirit of the rule, but I believe it conforms to the
Folks,
I wrote a webbot Perl script that goes through an entire checkout process
and tests for validation.
It works great. It has been in production for a while now.
Now to make changes, I had to copy into our test environment and work with
our test web server. (Change control go figure...)
Writing:
1) Acquire the mutex.
2) Call SSL_write. If we have sent all of the data, release the lock and
returen.
3) If we sent any data, re-adjust to only send the data that remains and
go
to step 2.
4) If we got a zero, release the lock and return the number of bytes
If I call like this, I get 32-byte return(The first 16 byte string equal to
Ciphertext in the test case)
ret = EVP_EncryptUpdate(ctx, out, outl, in, inl);
if(!ret) abort();
len += *outl;
ret = EVP_EncryptFinal_ex(ctx, out+len, outl);
if(!ret) abort();
len += *outl;
You
How can I get rid of the expired certificates in the revocation
list? When I
do openssl ca -gencrl -out revocationlist.crl -config myconfig.cfg the
revoked certificates that are also expired are added into the
list. It is no
use to store them there because the revocation list grows bigger
So, at first, I made two simple wrapper functions to replace plain
read/write functions.
-- snip --
int read_ssl( .. ) {
pthread_mutex_lock( rw_lock ) ;
SSL_read( ... ) ;
pthread_mutex_unlock( rw_lock ) ;
}
int write_ssl( .. ) {
pthread_mutex_lock( rw_lock ) ;
Yes, the protocol is asynchronous exactly, not query/response sequence,
and could not re-design it now.
Many protocols are that way and should be that way. I wouldn't redesign the
protocol unless it was badly designed in the first place.
I could not find sufficient documents or examples
Thank you for your reply!!!
I have another question about this topic. I need to generate a shared
secret which size 16 byte, using a DH_compute_key() function. How can
i manage that size
Produce a much larger shared secret and then reduce it securely to 16
bytes.
Should I use a
The decrypt program:
unsigned char *DecryptTest(unsigned char *in, int inl, unsigned
char *key, unsigned char *iv, int * outl)
{
int ret;
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(ctx);
ret = EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), 0, key, iv);
if(!ret) abort();
I have a client that attempts to open a secured session with the server.
After calling SSL_connect(), on failure, the client would free the SSL
object,
and read the response on normal tcp socket.
On the other hand, the server calls SSL_accept(), and on failure, would
free
the SSL object,
dh_struct = DH_new();
dh_struct-p = BN_new();
dh_struct-g = BN_new();
dh_struct-priv_key = BN_new();
dh_struct-pub_key = BN_new();
num_byte = BN_dec2bn(dh_struct-p,str_p); // Here it seems that not
execute anything about
Something is very wrong in your code. BN_new returns a 'BIGNUM *',
To begin with, when the client calls SSL_connect(), it is guaranteed that
the server is waiting / looping in SSL_accept(). So I believe there is no
chance that SSL_connect() will read any plaintext data.
Do you have any rational basis for this belief? Consider:
1) The client calls
Indeed, the problem was with my application.
I was just using ::select() to see if there was data waiting for me
to SSL_read off the socket, which I cover to discover is not reliable.
How did you know whether to 'select' for reading or for writing?!
It's always possible that SSL can't read
Thks.
But, I also meet a problem when decrypt data(the encrypted data
is a 16 bytes long ). The code is below:
When you say the encrypted data is 16 bytes long, do you mean the data you
encrypted was 16 bytes long before you encrypted it? Or do you mean that the
encryption produced 16 bytes
Hi
This is my piece of program:
EVP_CIPHER_CTX_init(ctx);
ret = EVP_CIPHER_CTX_set_padding(ctx, 0); //0 for no
padding, 1 for padding // ret ==1 here
unsigned char *key = GetKeyPtr();
ret = EVP_EncryptInit(ctx, EVP_aes_128_cbc(), NULL, NULL);
// ret ==1 here
As far as the free 3rd party signing my certificate, I understand your
point. So, I'll have just have to have my users set up there web
browser to
trust the certificate I email to them.
Thanks to all for your help. Much appreciated.
Another possible solution is to put your certificate up
I setup my certificate for 10.x.x.x and when I try and access the site, i
use https://10.x.x.x and I get the error about the certificate being setup
for a different web site. I've read up on this and the example
they usually
use is make sure you use www.foobar.com and not just foobar.com.
Lasantha,
Thanks for the info. Adding the export didn't work. However, from the
link you gave me (bugzilla). I downloaded and complied the latest svn
snapshot and everything seems to be working. Thanks!
Looks like it will be good to go in 2.0.62
On Nov 21, 2007 7:04 AM, David Cooper [EMAIL
I'll take a look at that this morning, thank you.
On Nov 20, 2007 10:51 PM, Lasantha Marian [EMAIL PROTECTED] wrote:
David,
The bug you encountered more looks like the one that I too have experienced
with Apache 2.2.6 (not 2.0.61) + OpenSSL 0.9.8g for which a resolution was
available
, the commands error out.
Would anyone have any advice on what the correct method should be for
installing a Trusted CA cert file on a Linux/Apache Server? I am running out
of hair to pull out.. haha.
Cheers!
David
Hello,
I was asked to update some RHEL 4 boxes, for security patches.
They are running RHEL 4.4 and I thought, Oh, very easy, I went to
run up2date to grab what I needed just to find out there's not a
current license for RHEL.
So I decided to build from source.
First of all my experience
I'm happy to use the fipscansister, but it seems that both
openssl-fips-1.1.1 and openssl-0.9.7m both fail building if configured
using ./config fips shared.
Why are you trying to build the FIPS canister with anything other than
./config fips?
Without the shared option only static
But as I have just read, it seems the Security Policy mandates only the
fips option be supplied to be FIPS140 compliant.
Exactly.
What about directory directives, such as --prefix, --openssldir,
--install_prefix ???
The Security Policy mandates only the fips option be supplied.
Having
I wonder why my buffer of iv is overwritten. What can I use it for?
To continue encrypting or decrypting.
If the overwritten iv is useless, why doesn't the library make a
clone of it
for its own purposes?
It's not useless, it's the next IV to use.
I am not sure about overwriting the iv
I have setup a server as a proxy using ssl_proxy.
I use openssl to create the neccessary keys(certificate/key),
but I am unable to force the config to use ssl3. I figured I
could put something into openssl.cnf, but am having no luck.
This server is not a web server and doesn't have
I have one worrying question... I have generated my keys and ca and all
with easy-rsa package and he has generated 1024 bit rsa keys... but as far
as I have seen openvpn is using blowfish... blowfish in a symetric
encription cypher and rsa is an asymetrical one... shouldn't match keys
and
Asymmetric ciphers like RSA are used on very small pieces of
information,
not on bulk data. In the case of encryption, the asymmetric algorithm is
used to securely exchange a random small number that is then
used as the key
in a symmetric algorithm like blowfish or AES.
This number
because when I try to
install Openssh it runs findssl.sh and shows that the installed library
files
do not match, which they do not. I have tried various different scenarios
with no luck.
Can anyone give me some input on this? Thanks.
David
I just saw the RE: Changing the expiry date of a cert thread
but I think
my question is a little different.
My certs are not CA certs they are user certs where the only thing I
really need to preserve are subject, issuer, key cert extensions. The
serial # doesn't matter.
The thing I
I have an application using openSSL version 0.9.7d.
I am able to create 20,000 TLS connections, but my heap size
is at 1.5GB. It looks like it is the SSL context. Is there anyway
to reduce the memory fotprint?
I'm not 100% sure I understand your question. But if I understand it
correctly,
Mark H. Wood wrote:
Further, it won't be a trust root until it's distributed and the
recipients are satisfied that it is legitimate. And I think that's
the real question:
When my CA's certificate expires, can I update it without having to
deliver copies securely to everyone who is
, and that another program that uses the same
openssl version has this problem as well, suggests that openssl may
be involved.
Thank you in advance for any help anyone can provide!
--David
__
OpenSSL Project
This is really one of those don't do that then things.
Thread-per-connection is well-known to break down at about 750
connections.
Just curious at how the number 750 was calculated or deduced. And
is this a linux-specific limit?
On Windows, it's usually more like 800 on older versions
Even reducing the thread stack size didn't help.
I observe that the thread creation as such is not
a problem. I create about 1000 threads , delay in
each thread the SSL_connect for about 10 sec.
Once the delay expires and each client make connections
to the server the seg fault occurs.
You
701 - 800 of 1731 matches
Mail list logo
