Re: how to enable DHE ciphers on openssl for using on command line

2021-11-17 Thread M K Saravanan
> I am extremely for making such a basic stupid mistake. I am extremely sorry. On Wed, 17 Nov 2021 at 21:19, M K Saravanan wrote: > > Thanks Matt. > > I am extremely for making such a basic stupid mistake. > > On Wed, 17 Nov 2021 at 18:33, Matt Caswell wrote: > >

Re: how to enable DHE ciphers on openssl for using on command line

2021-11-17 Thread M K Saravanan
Thanks Matt. I am extremely for making such a basic stupid mistake. On Wed, 17 Nov 2021 at 18:33, Matt Caswell wrote: > > > > On 17/11/2021 08:25, M K Saravanan wrote: > > Hi, > > > > Do I need to do any config to enable DHE based ciphers in openssl for > > c

how to enable DHE ciphers on openssl for using on command line

2021-11-17 Thread M K Saravanan
Hi,

Do I need to do any config to enable DHE based ciphers in openssl for command line usage?

$ openssl s_client -cipher 'DHE_RSA_WITH_AES_128_GCM_SHA256' -connect 10.10.16.100:443
Error with command: "-cipher DHE_RSA_WITH_AES_128_GCM_SHA256"
139775998456896:error:140E6118:SSL

Re: CVE-2019-1559 advisory - what is "non-stiched" ciphersuite means?

2019-02-27 Thread M K Saravanan
ng A and B > sequentially). > > I believe OpenSSL uses stitched implementations in TLS for AES-CBC + > HMAC-SHA1/2, if they exist for the platform. > > Also note that "AEAD ciphersuites are not impacted", i.e. AES-GCM and > ChaPoly are not impacted. > > Cheers,

CVE-2019-1559 advisory - what is "non-stiched" ciphersuite means?

2019-02-26 Thread M K Saravanan
Hi,

In the context of https://www.openssl.org/news/secadv/20190226.txt

==
In order for this to be exploitable "non-stitched" ciphersuites must be in use.
==

what is "non-stitched" ciphersuites means?

with regards,
Saravanan

Re: [openssl-users] Why openssl is printing session ID where there is none sent by server, when using session ticket?

2019-01-15 Thread M K Saravanan
Hi Matt, On Tue, 15 Jan 2019 at 20:02, Matt Caswell wrote: > This is perhaps best explained by this comment in the client side code for > processing a new ticket from the server: > > /* > * There are two ways to detect a resumed ticket session. One is to set > * an appropriate

[openssl-users] Why openssl is printing session ID where there is none sent by server, when using session ticket?

2019-01-15 Thread M K Saravanan
Hi, When I use openssl s_client to connect to a server which uses session ticket to resume a session (session ID is turned off), openssl is still printing a session ID where none is sent by the server (packet capture shows session ID length = zero in the Server Hello). == New, TLSv1.2,

[openssl-users] The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL?

2018-12-10 Thread M K Saravanan
Hi,

I read the recent research paper:

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and Yuval Yarom
Nov 30, 2018

Research Paper: https://eprint.iacr.org/2018/1173.pdf

As per this paper,

[openssl-users] What is the need for 0x00 byte prefix in pubkey and prime of a static DH key pair?

2018-11-29 Thread M K Saravanan
Hi, When I create static DH key pair using openssl, why the public key and prime contains the prefix 0x00 byte? For e.g. in 1024 bit key, 128 bytes is enough. private key properly shows 128 bytes. But public key and prime shows 129 bytes with a 0x00 byte at the beginning. What is the need for

[openssl-users] X25519 - why openssl shows server temp key as 253 bits?

2018-09-03 Thread M K Saravanan
Hi,

When using openssl with X25519, why it shows the server temp key as 253 bits?

Example:

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---

I thought Curve25519 is using 256 bit keys. Why 253 instead of 256?

Re: [openssl-users] Bleichenbacher Vulnerability

2017-12-19 Thread M K Saravanan
On 20 December 2017 at 14:21, haris iqbal wrote: > Wanted to know this, since my custom application uses an older version > of OpenSSL, and I wanted to be sure that it is not affected. Not answering your original question. But you can test it using one of the following

Re: [openssl-users] Where to find the OCSP response signer cert if the OCSP response does not contain one?

2015-10-28 Thread M K Saravanan
Hi, > Upon checking the wireshark capture, I found the OCSP response does not send > signer cert, but only the responderID (byKey). > > In such scenario, where do I find the OCSP response signer cert? Clarifying my own question. https://tools.ietf.org/html/rfc6960#section-4.2.2.3 says:

[openssl-users] Where to find the OCSP response signer cert if the OCSP response does not contain one?

2015-10-27 Thread M K Saravanan
Hi, If the OCSP responder does not send the response signer certificate in the OCSP response, then how can we find the signer certificate? I was doing a simple test to verify google certificate via OCSP like this: $ openssl ocsp -issuer ./www.google.com.sg-issuer.cer -CAfile ./ca.cer -cert