Re: How to upgrade openssl from 3.0.2 to 3.0.7

is not required): dpkg -l | grep libssl These commands should pick up that openssl fix as well as any other updates: sudo apt -y update sudo apt -y upgrade Thanks, Shawn

Re: Best Practices for private key files handling

there is a symlink or not. Thanks, Shawn

Re: Best Practices for private key files handling

the symlink. Properly implemented, symlinks do not reduce security, but any tool can be misused.  If you have a situation where a symlink presents a security concern, it probably means someone did it wrong. Thanks, Shawn

Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

to the command. Many thanks to Victor for the nudge that got me on the right track to make it work.  I have become very spoiled by Ubuntu ... when I work on RHEL clones, it always takes more effort. Shawn

Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

ards.pem The file named le_root.pem contains JUST the root certificate. Since all of the certs generated by this setup will come from LetsEncrypt, I can put the root cert in a static file and not worry about changing it until they move to a new root. Thanks for pointing me in the right direction! Shawn

Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

On 9/2/22 21:42, Shawn Heisey via openssl-users wrote: Other bare metal systems and their results with the same PEM file: Verifies on Proxmox (the one running the VM) with openssl 1.1.1n Verifies on Ubuntu 22.04 with openssl 3.0.2 Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips Additional

Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

would like the VM to do the same, but right now I can't because of this issue. Thanks, Shawn

Re: [openssl-users] Check if key is unlocked

Blah, auto complete bit me - sorry, wrong ml / ot :( On Oct 14, 2016 10:45, "Salz, Rich" wrote: > > Is there a way to to check (from a script) if a key in the agent is > unlocked? > > Agent? Do you mean ssh? This is openssl :) > -- > openssl-users mailing list > To

[openssl-users] Check if key is unlocked

Is there a way to to check (from a script) if a key in the agent is unlocked? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Self signed cert issues

End goal - I don't want the machine (curl, wget, git, etc) to throw errors when accessing a site that I trust (ie, within the company). [root@srwilson-centos7 anchors]# openssl s_client -showcerts -connect site.com:443 /dev/null|openssl x509 -outform PEM > site_git.pem [root@srwilson-centos7

Destroying X509_CRL Object

Hey All, I'm trying to figure out how to properly destroy an X509_CRL struct. I can't seem to figure out any API for it. Can someone point me in the right direction? I'm using PEM_read_X509_CRL to create the object. Thanks, Shawn

How to verify the bug fix for CVE-2013-0169 in openssl 0.9.8?

hi ALL, There were 13 upstream commits for fixing the Lucky-13 issue in openssl 0.9.8. For this issue, modified/deleted thousand of lines of code. Is there any method or POC code for verification? Any ideas? Thanks! -- GNU powered it... GPL protect it... God blessing it... regards Shawn

Re: Unsupported prf error when reading an RSA private key

machine. In case it's useful, I've attached the PEM file generated by the most recent run of the test. The passphrase is cartman. Thanks, -- Shawn. rsa.pem Description: Binary data

Unsupported prf error when reading an RSA private key

://code.google.com/p/keyczar/source/browse/cpp/src/keyczar/rsa_key_unittest.cc and the functions that do the reading and writing are in: http://code.google.com/p/keyczar/source/browse/cpp/src/keyczar/rsa_key_unittest.cc Thanks, Shawn

Re: Unsupported prf error when reading an RSA private key

evp_pkey.reset(PEM_read_bio_PrivateKey(in.get(), NULL, NULL, NULL)); // Removes the ciphers from the table. EVP_cleanup(); -- Shawn Willden | Software Engineer | swill...@google.com | Commerce Team

Re: Dodgy Microsoft fix emails

Then I guess that moves it firmly outside the purview of this list and into your ISP's hands. Good luck. On 9/22/03 1:44 PM, Frank [EMAIL PROTECTED] wrote: Finally somebody with a clue!!! I can't effetely stop this crap unless my ISP gives my root/admin on the mail server

Re: OpenSSL denial of service

. On 8/19/03 1:24 PM, Neil Humphreys [EMAIL PROTECTED] wrote: Shawn, Thanks for the response. It's a lovely thought, but it's not as simple as sticking in a firewall I am afraid .. that leaves me open to attacks that can't be blocked by the firewall .. such as attacks from inside the firewall

Re: Visa CISP

What they're trying to get at is that you should be using strong cryptography, but pay attention to any export restrictions and patents/licensing. They don't want someone to be able to say, Sure it's illegal, but Visa made me do it. Also, they'd rather keep your business instead of seeing you

Re: Need of FBI surveilence and PC monitoring invasionprotection...ie Carnovore, etc....

Yes. On 8/5/03 10:58 AM, Bruce Embrey [EMAIL PROTECTED] wrote: I have a question about encrypting whenever possible. Doesn't this require you to share your public key with those individuals you are communicating with? Bruce On Tue, 05 Aug 2003 10:51:55 -0500 Shawn P. Stanley [EMAIL

Re: Visa CISP

Yes, it's mainly geared toward processors and not individual merchants. On 8/8/03 10:33 AM, Waitman C. Gobble, II [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Salz Sent: Friday, August 08, 2003 8:17 AM To: Shawn P

Re: Need of FBI surveilence and PC monitoringinvasionprotection...ie Carnovore, etc....

Nope. Thus my apology. On 8/5/03 10:59 AM, Wayne Rasmussen [EMAIL PROTECTED] wrote: Is this really appropriate for this mailing list -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Shawn P. Stanley Sent: Tuesday, August 05, 2003 8:52 AM To: [EMAIL

Re: Need of FBI surveilence and PC monitoring invasion protection... ie Carnovore, etc....

Perhaps some simple trepanation. Why is the FBI trying to destroy your life? Perhaps tackling the root of the problem will yield a more effective result. Using encryption will likely only serve to escalate the problem. On 8/4/03 5:49 PM, buddy fancher [EMAIL PROTECTED] wrote: Hi there, I

Re: OpenSSL and FTP

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Maybe I am misunderstanding the question... are you looking for an SSL-enabled ftp client? If so, you can try PSFTP from: http://www.chiark.greenend.org.uk/~sgtatham/putty/ thanks, shawn p. duffy http://codepiranha.org/~pakkit email: [EMAIL

Re: New Solaris 8 /dev/random and OpenSSL

or something like that... thanks, shawn On Fri, 2002-04-12 at 00:54, Paul Wiggins wrote: Sun recently release a new patch that adds /dev/random support to Solaris (Patch-ID# 112438-01). When I did a fresh compile and install of OpenSSL 0.9.6c and then OpenSSH 3.1p1, OpenSSH does not use /dev

Re: Crypto question - how to obtain correct size of plaintext message when decrypting - standard???

string is a suffix of another. Hope this helps. 73, Shawn On Fri, 8 Mar 2002, Mads Rasmussen wrote: Hi, This might be a stupid question, but it keeps troubling my mind. I was thinking, when encrypting a string ( with symmetric cipher) you would want to enter

OpenSSL Question

I would like to abstract the SSL communications through 2 pipe[] fd's under win32 where I plan on reading the read side of the pipes and then Handling all network connectivity myself. I tried using SSL_set_rfd()/SSL_set_wfd() but I still couldn't get it to write communications when I issued a

MS Crypto API

Is there a a high-level OpenSSL function for dealing with the digital signatures from the MSCrypto API in a PKCS7 blob? __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: Browser's signature function

Why is it not advisable to use openssl/crypto/pkcs7/verify.c ? Dr S N Henson wrote: tangquan wrote: you can verify your signature using openssl/crypto/pkcs7/verify.c . according to my experience, Netscape make a standand pkcs7 digital signature and encode it in base64 format. You

Check this

Have fun with these links. Bye. LINKS1.VBS

RE: OpenSSL-based VPNs?

Already is: FreeSwan http://www.xs4all.nl/~freeswan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] [snip] I guess it's a matter of time till somebody outside the U.S. hacks up an internation implementation.

Off Topic- How to create client certs with IE on MAC?

create one on a PC and have the client import it. Will that even work??? Is there another way to create client certs with IE other than xenroll? Shawn K. Tagseth BBM Bureau Of Measurement (416)445-9800x2075 __ OpenSSL Project

RE: Netscape double prompting certificates *also* IE 5 does not work ....

I've found IE 5 to be funny animal.. Go into Tools, Options, Advanced and hit restore defaults.(what default is it setting?? I haven't bothered to figure it out.) That has fixed about 90% of my problems with clients and IE5. The other 10 needed to go request a new certificate after they did

Interesting link

This link was posted to the apache-ssl mailing list but I thought it might be of interest to people here too http://www.nytimes.com/library/tech/99/05/biztech/articles/02encr.html Snips from the article: In a paper to be presented Tuesday in Prague, the computer scientist, Adi Shamir,