On Sat, Dec 16, 2006 at 04:43:52PM +0530, bsenthil wrote:
Hi,
I don't know is it a right forums to discuss about the question? If it
is wrong please suggest the forum.
I am looking for openssl accelerator. Is any body know any free
implementation / projects. Please send me
On Thu, Dec 14, 2006 at 01:27:10PM +0100, Marek Marcola wrote:
This is done by simply appending the key to the digest input.
I can not agree. In HMAC you use some message digest algorithm
(MD5/SHA1/...) with HMAC algorithm.
Let MD() will be some message digest algorithm, M - message to
On Wed, Dec 13, 2006 at 08:45:50PM +0100, Marek Marcola wrote:
Hello,
H = HMAC(packet_proto+ssl_version+data_len+M, server_write_mac)
Should be:
H = HMAC(packet_sequence+packet_proto+ssl_version+data_len+M,
server_write_mac)
Marek,
You forgot to mention that HMAC has a secret
On Fri, Nov 17, 2006 at 11:04:48PM -0500, Victor Duchovni wrote:
On Fri, Nov 17, 2006 at 08:14:26PM -0500, Brian Thompson wrote:
We have a group of users here who wish to send email through
Thunderbird to a SMTP server (sendmail) that requires SSL/TLS
authentication/encryption. The
On Sat, Oct 21, 2006 at 08:04:01PM -0700, Ferianto siregar wrote:
Dear all,
Thank you very much for this chance. Thanks
All, now I am finishing my paper. The title is TLS.
As I know that TLS use SSL to make the communication secure.
Can anybody tell me how can SSL make communication secure?
On Thu, Oct 19, 2006 at 12:14:55PM +0530, Kaushalye Kapuruge wrote:
Hi,
I tried to get the base64 encoded result of a SHA1 digest. But the
result is not compatible with the same operation in Java. Also I tried
to use a javascript function. It is matching with the result of the Java
On Wed, Oct 18, 2006 at 11:35:13AM +0200, Marek Marcola wrote:
Hello,
the block size is always the same as the key length in AES (and the most
block
ciphers, I think). You are using 128-AES - 128 bits key == 16 bytes block
size
(q.e.d).
Not exactly:
AES128: block_size: 16
--- Sendil kumar [EMAIL PROTECTED] wrote:
Hi,
I've got some code that seems to work, except when
the server responds with
a 'large' amount of data.
When the server sends 5000 bytes of data to the
client ,the client was able to read it and
every thing goes fine.But when the server
--- Florian G otter [EMAIL PROTECTED] wrote:
Added code:
if(SSL_set_cipher_list(m_ssl,EXP-RC4-MD5)==1)
{
cout setting cipher went okay endl;
}
else
{
cout cipher not set endl;
}
Dont use EXP- ciphers!
__
Do You Yahoo!?
Tired
--- Buicliu, Ion VSA:EX [EMAIL PROTECTED]
wrote:
Thank you Girish, I understand now. The
combination: encrypt with
public key - decrypt with private works.
What we are trying to do is to place an encrypted
file on our ftp server
for a specific user. The ftp server is behind a
--- Florian G otter [EMAIL PROTECTED] wrote:
Hello everybody !
I have a problem witht the SSL_accept / handshake
which i could not
resolve with the help of the net / colleagues /
time.
Having written a small server / client, it gives the
following output
(debug info generated by me
--- David Irvine [EMAIL PROTECTED] wrote:
-
Many thanks for a fantastic explanation and for
taking the time tohelp me. I was just reading some
docs there pointing me to this but youhave saved me a
good few hours.
I will search out info for python info on
--- Ryan Shon [EMAIL PROTECTED] wrote:
I am attempting to build OpenSSL for the Analog
Devices
Blackfin 537 digital signal processing chip using
the
VisualDSP++ compiler, also from Analog Devices.
I have been studying the Configure script, and I
would
be appreciative of any advice you
--- Buicliu, Ion VSA:EX [EMAIL PROTECTED]
wrote:
I am trying to do the following:
- create a private and public key (self-signed
certificate)
- encrypt a file and place on an ftp server
- the client will pick up the file and decrypt it
using the PUBLIC key
Here is what I did to create
--- [EMAIL PROTECTED] wrote:
Hello openssl-users,
I generate an RSA key-pair like this:
openssl genrsa 1024
And put it's output into a PEM file.
Now I need to read both private and public parts
of the key-pair
into an RSA object in a program.
This is how I try handling
--- [EMAIL PROTECTED] wrote:
Hello openssl-users,
For some peculiar reason I need to have a
base64-encoded file to be
written as one single line.
Currently I get nice-looking, properly-wrapping
files that I have to
edit manually.
What BIO flag should I set to avoid this
--- Michael P. Soulier [EMAIL PROTECTED]
wrote:
Hey,
I'm on a CentOS 4.3 Linux system, and ssh-keygen is
occasionally
crashing. The backtrace from the coredump shows that
it's in openssl.
Core was generated by `/usr/bin/ssh-keygen -l -f
/etc/ssh/ssh_host_key.pub'.
Program terminated
--- Bhat, Jayalakshmi Manjunath
[EMAIL PROTECTED] wrote:
Hi All,
I am trying to complie openssl.9.8a on HP-UX. I am
getting errors
../../include/openssl/pem.h:610: parse error before
`RSA'
../../include/openssl/pem.h:611: warning:
return-type defaults to `int'
pem_all.c: In
Dear Jon,
--- Jon Perkin [EMAIL PROTECTED] wrote:
Hi folks.
Apologies if this is the wrong place for my query,
as I'm not sure how to
track down whether my problem lives in core OpenSSL,
in the Perl OpenSSL
modules, or in the LWP modules I'm trying to use
them via.
I'm trying to get
--- GUIRY Aroun [EMAIL PROTECTED] wrote:
Hi all
I am doing a simple ssl server/client. I use a
select function to read
and write in the socket.
From my client I send 1KB of data, in one time, and
then I expect to
read it in the server.
In the server appli, I have got a select
--- Robert Butler [EMAIL PROTECTED] wrote:
Okay, that works, I get an OK from OpenSSL, but now
I'm getting other,
more cryptic errors-
DEBUG LEVEL: 7 (Dump to Screen)
--
[EMAIL PROTECTED]:~/stunnel# sbin/stunnel
--- Robert Butler [EMAIL PROTECTED] wrote:
Hi everybody. I'm trying to set up an OpenSSL
Certificate Authority for use with my
recently-installed stunnel 7.x installation-
only, I'm having a hard time creating the cacert.pem
file. It seems that OpenSSL wants an infile when
generating
But it
would appear that
this is the hard way to do it and have heard
numerous recommendations to
instead use the EVP API, but I have found minimal
examples on how to do
this. Does anyone have some sample code?? And also I
I had sent one few days ago. I am sending it again.
HTH,
Girish
Deval,
--- DEVAL SHAH [EMAIL PROTECTED] wrote:
Hello,
I have openssl installed on a Solaris machine. I
have logged in as a root
user. I goto /usr/local/ssl/bin and try to run
openssl command. It gives me
this error:
openssl: not found.
How was it installed? Was it installed already or
-- Kyle Hamilton [EMAIL PROTECTED] wrote:
If you installed it to /usr/local/ssl/bin, and you
have changed
directory to /usr/local/ssl/bin, then the most
likely scenario is that
you do not have . in your $PATH.
I consider it a security risk to have the current
directory in your
path; in
--- Marten Lehmann [EMAIL PROTECTED] wrote:
Hello,
how can I view the information that are contained in
a CSR, KEY or
CRT-file? E.g. for which hostname a cert is issued,
when it will expire,
who is the company it is issued for ...
man x509
For eg,
$ openssl x509 -text -noout -in
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Sat, Jul 22, 2006, Bu Bacoo wrote:
Thanks you both... after correcting my
BIO_do_connect (and all
read/write following it) - adding retries (as
Girish pointed), it
works just fine.
Now I'll check the errors, mentioned by Darryl, to
Hello,
--- Bu Bacoo [EMAIL PROTECTED] wrote:
Instead of modifying the BIO, I've also tried to set
it's socket to
non-blocking mode. Same result, BIO_do_connect
returns -1
This is good news then since it is expected behavior.
:-) You are doing nothing wrong till now. However you
have to keep
Mayorga,
--- Mayorga, Armando CTR NIOC Norfolk N361
[EMAIL PROTECTED] wrote:
Hello all,
Could someone please clarify this for me and correct
me if I am wrong
I am using AES_encrypt and AES_decrypt which
apparently only work on
chunks of 16 bytes of data, my goal is to create my
own
Do you know stunnel ( www.stunnel.org ) ?
You could use that to setup https tunnel.
man evp will give u enuf info on encrypting strings
with OpenSSL.
OpenSSL really is the definitive resource for
cryptography. :-)
Please find attached my code. It may be of use.
regards,
Girish
--- Mayorga,
Don't know the specifics but you do need all certs
till the root CA for verification in the web of
trust model.
You navigate up and up with the issuername matching
the subject name until both are same.
HTH
--- Michael P. Soulier [EMAIL PROTECTED]
wrote:
Marek Marcola wrote:
Maybe good
Excuse me if I am saying the obvious.
But did you factor the fact that an SSL renegotiation
or handshake can happen anytime during the
conversation?
Irrespective of whether you are doing SSL_read or
SSL_write... That is why you have to check for pending
write during a SSL_read and vice versa
I am afraid few can help u with this. man 3 rsa on a
linux/*BSD system might help u.
The code samples at www.opensslbook.com have couple of
samples IIRC
All the best!
regards,
Girish
--- Neil Dugan [EMAIL PROTECTED]
wrote:
Hi,
OpenSSL newbie here, I am looking for an 'C'
In a blocking socket when a network read freezes, it
is normal. It only means that nothing arrived on the
socket.
You got to take a look at the MSN protocol. With HTTP,
it might be sending a TCP FIN or something which is
why it is working in that case...
--- Robert Olsson [EMAIL PROTECTED]
Urjit,
I got it working once I replaced
EXP-DES-CBC-SHA with
DES-CBC-SHA
I think you might have to do something special to
enable export quality ciphers.
regards,
Girish
--- Urjit Gokhale [EMAIL PROTECTED]
wrote:
Hi,
I have attached the sample server and client
programs for your
--- Urjit Gokhale [EMAIL PROTECTED]
wrote:
Hi,
Thanks for the reply. Urjit,
I got it working once I replaced
EXP-DES-CBC-SHA with
DES-CBC-SHA
I think you might have to do something special
to
enable export quality ciphers.
They can place restrictions on the size
You urself answered it just now! :-)
The client doesn't matter, so you can connect to
s_server...
--- Urjit Gokhale [EMAIL PROTECTED]
wrote:
Well ... In that case,
A] how is it that s_server and s_client can
communicate
1) Using the same ssl library
2) Using the same certificates
3)
As far as block ciphering goes, it just munches input
data. It really doesn't care whether the input is text
or xml(special form of text) or binary data.
So I think you should not worry about that. There are
examples of how to use the crypto functions in OpenSSL
in the man pages. man evp will
0002], fatal
handshake_failure
02 28
Has someone faced this kind of problem earlier?
Could anyone throw some more light on this?
~ Urjit
- Original Message -
From: Girish Venkatachalam [EMAIL PROTECTED]
To: openssl-users@openssl.org
Yes, u can use setsockopt(...TCP_NODELAY) before
SSL_set_fd(). OpenSSL doesn't care about Nagle.
regards,
Girish
--- Leandro Gustavo Biss Becker
[EMAIL PROTECTED] wrote:
Hello
Can I disable Nagle algorithm using OpenSSL? My
application always send
entire buffers to openssl, so I think
I am guessing here, did you check the methods you
specified in SSL_set_ssl_method() ? Most
interoperability problems are caused due to this.
Since some cipher suites are not supported in some
protocols it might be a good guess. :-)
HTH,
Girish
--- Urjit Gokhale [EMAIL PROTECTED]
wrote:
Hello
I don't know what your need actually is , the only
impediment to using sha1-512 is that the compiler has
to suppor the 64 bit long long type. Some embedded
systems may not have this support.
Other than that, you can easily follow the code. I
have seen one implementation in the OpenBSD IPsec
First you create a certificate request using the
openssl req command. I guess that is what you have
done now. The default output format for that is pem.
The next step is to get the certificate request signed
by a certificate authority. This is accomplished using
the openssl x509 command. This
Right. If I were you I would use kqueue() on *BSD or
epoll() which is avail only on 2.6 linux kernels.
I am not sure what you are trying to achieve but it
may be worthwhile to take a look at libevent by Neils
Provos as well. It abstracts out select(), kqueue()
and epoll() thus making ur app
I think ur HP UX box is not able to get enough random
data to seed its PRNG. Consider using the -rand option
as suggested by the error message or figure out what
is different in HP UX. Maybe the devices
/dev/(u)random is not configured properly
randomness is very imp for cryptography
--- Matthew
bcoz d2i resolves to d2i_X509() , not to
d2i_PrivateKey
--- �� ���� [EMAIL PROTECTED] wrote:
when i use PEM_read_PrivateKey find it work error
,so i look into
PEM_read_PrivateKey to find the reason.
first i find in
#define PEM_read_PrivateKey(fp,x,cb,u) (EVP_PKEY
] wrote:
how come ? plz explain.
On 6/13/06, Girish Venkatachalam
[EMAIL PROTECTED] wrote:
bcoz d2i resolves to d2i_X509() , not to
d2i_PrivateKey
--- �� ���� [EMAIL PROTECTED]
wrote:
when i use PEM_read_PrivateKey find it work
error
,so i look
The IV is used only for decrypting the first block
since after that the first block serves as the IV for
the second block and so on.
To answer ur question, the IV has to be known at both
sides along with the key.
regards,
Girish
--- Wai Wu [EMAIL PROTECTED] wrote:
Do the Initial Vectors
Random number generation always depends on the PRNG
being seeded first.
The man page clearly mentions that.
Add RAND_seed() or RAND_add() with the required
entropy required before calling RAND_bytes(). In a
pseudorandom number generator the seed uniquely
determines the random sequence. So you
the ENGINE interface is the hardware interface of
OpenSSL. If you are not using any cypto hardware you
can safely
#define OPENSSL_NO_ENGINE
CRYPTO_cleanup_all_ex_data() is defined in ex_data.c
file. Make sure your compiler picks up the definition
from there...
--- Namrata Patil [EMAIL
openssl-0.9.8a/crypto/hmac directory has the hmac
interface code.
openssl-0.9.8a/crypto/sha directory has the sha
implementation and
openssl-0.9.8a/crypto/md5 directory has the md5
implementation.
Now you take the relevant files, remove the
dependencies and compile...
All the best!
Looks like I have not understood your problem.
Why do you have to do an SSL_read() to figure out if
it has closed? SSL_write() will fail it the other side
closes...
--- michael Dorrian [EMAIL PROTECTED] wrote:
Here is the relevant code. The problem is in this
do_client_loop. I need to read
Kyle is the best person to explain these things to
you. However I will make an attempt. Please find
answers inline.
--- michael Dorrian [EMAIL PROTECTED] wrote:
I make a client and server certificate and then sign
it with the root cert.Are these generated
certificates the public keys?
Yes,
about exactly how they are used. The diffie hellman
one is the ephemeral keying one and thats about all
i know..any help would be great thanks.
Girish Venkatachalam [EMAIL PROTECTED] wrote:
Kyle is the best person to explain these things to
you. However I will make an attempt. Please find
Padding is a standard enforced by encryption algos and
protocols and independent of language...
I suggest you use the openssl enc command line to
verify the padding with Java.
It will certainly work. Actually DES padding scheme is
very simple. It is only 4 lines of C code.
regards,
Girish
---
I tried your code and I had a suspicion that using the
*_ex() functions along with *() functions can cause
trouble. Which is what has happened in your case.
Here is the correct code for your reference. You are
supposed to stick to either Init_ex() , Final_ex()
functions or Init() ,Final()
Sorry if I sound too obvious.
Actually I think you need to allocate space for the
buffer, try with
unsigned char buf[4096] or something.
I am sure you have tried it ...
regards,
Girish
--- vipin rathor [EMAIL PROTECTED] wrote:
hi all,
i need to fetch the thumbprint of the X509
You should take care that the key and IV are indeed
same. What I mean by that is that in the C and Java
code you should hardcode the actual hex values and it
should have the exact length. For instance DES
requires 8 byte key and you should hardcode something
like this.
unsigned char key[8] =
The problem you are talking about seems to be
occurring at the TCP layer even before things come
into the hands of SSL_accept().
So I suggest you test this without SSL first.
You might hit some SSL session reuse limit and get a
similar problem but yours doesnt seem to be that.
And 150 is a
Doug,
Certpatch was needed when OpenSSL did not have support
for SubjAltName. That is the reason you don't find it
in the latest version of OpenBSD.
You will find certpatch in an old CVS snapshot in the
OpenBSD tree.
I am attaching a slightly modified certpatch for your
use.
All the best!
AFAIK Blowfish key setup times are very high. That
might account for the difference.
All things being equal AES certainly gives you more
security than any other cipher.
And AES was chosen also because it was found fit for
implementation on severely constrained embedded
devices. So you get both
None of the solutions suggested by others in the list
will protect you against a SIGPIPE for the simple
reason that it is a fatal signal if not handled or
ignored and it can come at any time during the TCP
session...
Ignoring SIGPIPE is one of the steps in writing a
server daemon and it is
None of the solutions suggested by others in the list
will protect you against a SIGPIPE for the simple
reason that it is a fatal signal if not handled or
ignored and it can come at any time during the TCP
session...
Ignoring SIGPIPE is one of the steps in writing a
server daemon and it is
--- Kyle Hamilton [EMAIL PROTECTED] wrote:
SIGPIPE is a remnant of BSD attempting to overlay
UNIX socket (named
pipe) semantics onto TCP/IP connections. If the
socket that you are
writing to is a socket (or pipe), AND the pipe is
closed, then you
receive a SIGPIPE.
In this case, the
SIGPIPE is fatal if not handled or ignored and it can
come at any time during the TCP session. Which means
that none of the solutions suggested by others in the
list will work.
And it is wrong to rely on OpenSSL for solving a TCP
closure at the remote end which is essentially a TCP
issue.
The standard practice is that of ignoring SIGPIPE in
all TCP servers.
signal(SIGPIPE,SIG_IGN);
OpenSSL cannot help you here because the problem
occurs at a lower level(TCP).
I remember seeing this line in the ssh server source
code as well.
regards,
Girish
--- Alberto Alonso [EMAIL
It seems to be 7200 seconds on my system even though
the man page says the default value is 300 seconds.
I don't think it possible to specify the timeout in a
system-wide config file without any effort from your
part. You can however have another config file and set
the timeout using
There is a utility called certpatch developed by
OpenBSD folks for including the SubjAltName extension.
I have modified it a little bit to suit my need.
This utility modifies the certificate in place and
regenerates the hash. Perhaps you can modify it a
little to suit your need.
If all you need
Dear Pjothi,
Making an application TLS aware/TLS enabled is not
much trouble once you have access to the source code.
You have to set up the SSL/TLS server with proper
X.509 certificate and corresponding private key,
specify which protocol(in your case TLS v1) you want
to use and then call
Try calling EVP_CIPHER_CTX_cleanup(ctx) at the end...
--- Felix Dorner [EMAIL PROTECTED] wrote:
Hi,
the following code executes once, and does fine.
Calling the function a
second time gives a segfault during the call marked
by --
unsigned char *encrypt_message(unsigned char
*message,
Try calling EVP_CIPHER_CTX_cleanup(ctx) at the end...
--- Felix Dorner [EMAIL PROTECTED] wrote:
Hi,
the following code executes once, and does fine.
Calling the function a
second time gives a segfault during the call marked
by --
unsigned char *encrypt_message(unsigned char
*message,
Dear Kadir,
Did you enable mod_ssl while building httpd?
Is mod_ssl listed in httpd -l?
Most likely httpd doesn't recognize the directive
SSLEngine since mod_ssl is not able to see it.
Hope this helps.
Also this mail belongs to Apache mailing list. :-)
regards,
Girish
--- kadir iscmng
Hi everyone,
Openssl smime is not able to handle big files ( We
tried with a 500MB file). It doesn't report any error message.
On stepping through the source, we found that it's
failing in OPENSSL_malloc.
However openssl enc works fine with files larger
than 2 GB.
There is a bug in one
Hi,
The FILE pointer corresponding to stdout,stdin and stderr gets corrupted in
Windows NT when we use openssl.
Is there a way out ?
kind regards,
Girish V
__
OpenSSL Project
Hi samaritans and friends,
Is there a port of openssl on VxWorks? If not, what will be the
difficulty in doing the same? Has anyone attempted it?
Thanks in advance for the help.
kind regards,
Girish V
__
OpenSSL Project
75 matches
Mail list logo