RE: What is the difference between green and yellow address bars in browser for certificate's fields?

2012-06-14 Thread Steffen DETTMER
Hi all! Many public CAs suggest Extended Validation for certificates of web servers. [...] I had a talk with a specialist of technical support of Thawte [...] He also refused to answer how browser determines what bar to display - green or yellow? See thawte Certification Practice

RE: Custom free routine is invoked with NULL argument in openssl 1.0.1

2012-05-28 Thread Steffen DETTMER
Hi all, Which version of the ANSI Spec, and where did you get a copy? I have to rely on secondary sources and experience using various implementations that claim conformance. Wikipedia http://en.wikipedia.org/wiki/ANSI_C used to have a link to a recent draft (free of charge) which is

RE: Custom free routine is invoked with NULL argument in openssl 1.0.1

2012-05-25 Thread Steffen DETTMER
Hi all! * Jeffrey Walton Sent: Friday, May 25, 2012 4:39 PM On Fri, May 25, 2012 at 7:25 AM, Sudarshan Raghavan sudarshan.t.ragha...@gmail.com wrote: Ok, I can fix the custom free to take care of this. But, why is this happening in openssl 1.0.1 and not in 1.0.0

RE: Custom free routine is invoked with NULL argument in openssl 1.0.1

2012-05-25 Thread Steffen DETTMER
Hi all! If the library crashes on free(NULL), you're just making people like me do this everywhere: if (ptr != NULL) free (ptr); ok, if you have a test case free (NULL), agreed ;-) Seems not all platforms conform to the free(NULL) is a no-op. I understand your example, thanks for that,

RE: Why CVS?

2012-02-16 Thread Steffen DETTMER
With Git, Mercurial and other revision control systems available. Why is OpenSSL still stuck on CVS? Moving a mature project off of CVS is not trivial. Also, why move at all? People can develop features with let's say GIT, even in teams and concurrently, and then checking in to CVS,

Re: Re: Verify intermediate certificate

2012-01-13 Thread Steffen DETTMER
* Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100: [...] Or, in other words: Let's assume I have an ultimate root (self-signed) Root and a branched CA X. I would like to trust X and all its children, but not Root. Is this not possible? [yes, it is not possible by default]

RE: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets

2011-11-23 Thread Steffen DETTMER
Since I wait until the SSL_connect() function succeeds I wanted to know if there is a better approach. Yes, there is a better approach, for example the one mentioned in the manual: * http://www.openssl.org/docs/ssl/SSL_connect.html If the underlying BIO is non-blocking, SSL_connect() will

RE: Secure plaintext-derived filename [was: HMAC with RSA Key]

2011-10-26 Thread Steffen DETTMER
4. Truncate the string to your desired file name length, but not so short that accidental collisions become likely (Example to keep up to 16000 file names likely different, use file names with 2 * log2(16000)=2*14=28 bits minimum). Where can I learn more about this formula? I think it

RE: How to recover Self signed SSL private Key Pass Phrase

2011-10-19 Thread Steffen DETTMER
can any one please help me regarding this, like how to retrieve the SSL pass phrase , or assign a new pass phrase for the same private key. Add all information you remember (possible parts, used characters, length information) to a key cracking tool, run it and wait?

RE: Revocation with a renewed/rekeyed Root CA

2011-10-18 Thread Steffen DETTMER
- U1, U2, U3 are end-user certificates, issued by CA1 - U1 is revoked, and the CRL is published (lets call it CRLg1) The problem here is that you can't trust a CRL when its signature key is compromised. I think that this is not the reason. If a signature key is compromised but used

RE: How to deal with new OIDs

2011-09-08 Thread Steffen DETTMER
Hi all, Hi Dominik, in a project I maintain I have to deal with OIDs not contained within OpenSSL. In particular, I use OpenSSL to parse ASN1 encoded data containing OIDs (using the Macros from asn1t.h) and do switch-case statements on the resulting NIDs. Until now I used to patch

RE: SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293

2011-07-04 Thread Steffen DETTMER
http://stackoverflow.com/questions/6520676/pop3s-implementation-using-openssl-library char bf[16] = "STLS\r\n"; if (send(c->socket, bf, sizeof(bf), 0) < 1) { fprintf(stderr, "[%d] failed writing to auth server socket(ssl_coneect)", getpid()); } I don't think that you

RE: RE: RE: Cannot encrypt text - need help

2011-05-03 Thread Steffen DETTMER
* derleader mail on Monday, May 02, 2011 8:14 PM But what exactly do you want to know? If you can use SSL and Blowfish? It does not appear in http://www.openssl.org/docs/apps/ciphers.html. Yes the web site and the book about the OpenSSL is outdated. Does TLS spec nowadays defines a

RE: Re: Cannot encrypt text - need help

2011-05-02 Thread Steffen DETTMER
* owner-openssl-us...@openssl.org What is the purpose of the project? This is a open source project - I need a way to monitor a huge number of servers - monitor CPU load, RAM load, HDD load, installed packets and etc. Why not using http://www.nagios.org/? The data which will gathered

RE: RE: Cannot encrypt text - need help

2011-05-02 Thread Steffen DETTMER
If I decide to go with openssl and blowfish what are the potential threats? Yes, heaps of. You might consider asking more detailed. Is there another security mechanism that I can use with blowfish? Of course... But what exactly do you want to know? If you can use SSL and Blowfish? It does

RE: slow https conenctions

2011-04-27 Thread Steffen DETTMER
* Matthew Fletcher, Wednesday, April 27, 2011 12:40 PM I guess that does not 100% rule out DNS/Network stuff, as SSL could be doing extra network lookups. Are there any more SSL diagnostics i can enable to try and pinpoint the problem ? maybe checking with strace -ttt -p ... which

RE: Combining MD5 and SHA-1 to reduce collision probability

2011-04-26 Thread Steffen DETTMER
Hi, thank you for clarification, Dave! * Dave Thompson Friday, April 22, 2011 12:34 AM: so among 2^n+1 different messages, at least two of them must have the same 2^n bit hash (actually half because of birthday attack). To be exact: for an n-bit or 2^n-value hash, with 2^n + 1

RE: Combining MD5 and SHA-1 to reduce collision probability

2011-04-20 Thread Steffen DETTMER
* Luc Perthuis: Hi all, I'm specially interested on finding a way to uniquely identify rather small data chunks (less than or equal to 128*1024 bytes in size) without using a byte per byte compare. Is there any theoretical proof for a good selection of 2 HASH (computing the results of

RE: BIO_do_accept() + fork() is leaking 64B?

2011-03-28 Thread Steffen DETTMER
-Original Message- BIO_set_close(bio, 0) No, I haven't tried it yet, but it seems this is what I've been looking for- clean neat. Is it? Wouldn't this mean that father process sooner or later runs out of file descriptors? Shouldn't the father process close(2) and the child - after

How to handle Expired or not yet valid X.509 certificates - or simply is the system date wrong?

2011-03-22 Thread Steffen DETTMER
Hi, I thought this was already discussed, but I cannot find pointers. When some entity verifies a certificate, finds a valid signature etc but the current date is not between Valid From to Valid To, meaning the certificate seems not yet valid or expired, what is recommended to do? I think,

Re: Let's talk about HTTPS Everywhere

2011-01-21 Thread Steffen DETTMER
* S Mathias wrote on Wed, Jan 19, 2011 at 03:29 -0800: Ok. It's a Firefox Add-on: https://www.eff.org/https-everywhere 3) Can someone trust this Add-on? Is it safe to install/use? It isn't 100% safe. There always is a risk. 4) If it's so great why isn't it more prevalent? What's youre

Re: SSL/TLS with server names picked from DNS

2010-08-24 Thread Steffen DETTMER
Hi! * sandeep kiran p wrote on Wed, Aug 11, 2010 at 20:36 -0700: Ours is an LDAP client application that fetches LDAP server names on the fly using DNS SRV Resource Records. We then randomly pick one the servers returned from DNS, establish an SSL/TLS connection with that server and then

end users managing trust databases (was: Re: Wildcard certs?)

2010-07-28 Thread Steffen DETTMER
* Kyle Hamilton wrote on Fri, Jul 23, 2010 at 20:06 -0700: There's a company called StartCom (http://www.startssl.com/) who will do 2-year validity wildcard certs, upon verification of your identity and verification that you have control of the domain for which you are requesting certificates.

Re: RPMBuild for FIPS OpenSSL

2010-07-12 Thread Steffen DETTMER
* Mark Parr wrote on Thu, Jul 08, 2010 at 13:42 -0500: I then loaded the openssl-fips-1.2.tar.gz file into a different directory and attempted to create a RPM install for it as well but have hit some issues. First off, rpmbuild complained that it could not find the openssl-0.9.8f.tar.gz file

Re: Doubts about certificates

2010-07-05 Thread Steffen DETTMER
* Sebastián Treu wrote on Mon, Jul 05, 2010 at 10:39 -0300: if we can use a fake DNS that resolves a name as we want and also we can gather that certificate to be installed in the fake-server, This fake-server would not have the secret key belonging to the public key certified in the (public)

Re: additively computing SHA hash

2010-06-14 Thread Steffen DETTMER
* Subra Aswathanarayanan wrote on Mon, Jun 07, 2010 at 20:44 -0400: Both of you mention that OpenSSL doesn't provide such an interface. May be this question is not appropriate for this forum, but do you know of any such simpler libraries that I might be able to use? If it is just

Re: question about exponent, key length and all other RSA parameters not configurable

2010-05-25 Thread Steffen DETTMER
* Chuck Pareto wrote on Mon, May 24, 2010 at 16:12 -0700: Hi, When I run openssl rsa to display my public key info. I see this below. How do I convert this output to a byte array? What is this output? Is it ascii or base64? it's ASCII and in the Mail potentially base64... :)

Re: Is it not possible to decrypt partial AES messages?

2010-05-05 Thread Steffen DETTMER
* Christina Penn wrote on Wed, May 05, 2010 at 07:42 -0400: Can you show me exactly how to break up my example code to make my example work? I tried removing the EVP_DecryptFinal_ex from my DecryptMessage function and just seeing if the first part would just decrypt the first 7

Re: Question regarding opening the OpenSSL source code in visual studio

2010-04-29 Thread Steffen DETTMER
* Modem Man wrote on Wed, Apr 28, 2010 at 17:49 +0200: Since I'm working under Windows and have Visual Studio installed, the easiest way to do so will be by creating a visual studio project with the source code I tried it and stopped after ~4 hours. [...] Next, split makefile into

Re: Openssl tarball SHA1 checksum

2010-04-12 Thread Steffen DETTMER
* Kenneth Goldman wrote on Sun, Apr 11, 2010 at 15:36 -0400: owner-openssl-us...@openssl.org wrote on 04/11/2010 01:38:14 PM: * Kenneth Goldman wrote on Fri, Apr 09, 2010 at 08:12 -0400: I notice that the tarballs also include a SHA1 digest. What's the point? To have a check whether

Re: Openssl tarball SHA1 checksum

2010-04-11 Thread Steffen DETTMER
* Kenneth Goldman wrote on Fri, Apr 09, 2010 at 08:12 -0400: I notice that the tarballs also include a SHA1 digest. What's the point? To have a check whether the FTP download was successful to avoid accidentally using corrupt files, a file integrity check with a checksum is quite common.

Re: PKCS#7 extract and verify certificate?

2010-03-01 Thread Steffen DETTMER
* Eisenacher, Patrick wrote on Tue, Feb 23, 2010 at 12:30 +0100: [...] The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. And no, I don't need

Re: Subject Alternative Name Help

2010-02-15 Thread Steffen DETTMER
Hi! * Victor Duchovni wrote on Fri, Feb 12, 2010 at 15:03 -0500: On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote: (So DER encoding is used, and it is allowing 128 byte long length fields allowing 2^1024 [a number taking four and a half line in xterm because 309

Re: Thread locking functions

2010-02-15 Thread Steffen DETTMER
* Sad Clouds wrote on Mon, Feb 15, 2010 at 13:18 +: 2. Rationale for callbacks? Pushing some of the responsibility for locking OpenSSL internal structures to application developers seems a bit lame. Why not get rid of locking callbacks and have OpenSSL handle it transparently inside the

Re: Thread locking functions

2010-02-15 Thread Steffen DETTMER
* Sad Clouds wrote on Mon, Feb 15, 2010 at 14:52 +: On Mon, 15 Feb 2010 15:19:23 +0100 Steffen DETTMER steffen.dett...@ingenico.com wrote: Delegating functionality via callbacks allows arbitrary implementations; I would not consider this lame - but clean, strong, orthogonal, KISS

Re: Subject Alternative Name Help

2010-02-12 Thread Steffen DETTMER
* Victor Duchovni wrote: The SSL/TLS record layer has a maximum record size, a certificate probably needs to fit into one record, so if your 500+ domains generate a certificate that is larger than ~16K bytes, you may be out of luck. (I just ask for curiosity, not because I have any problem

Re: Subject Alternative Name Help

2010-02-12 Thread Steffen DETTMER
* Victor Duchovni wrote on Fri, Feb 12, 2010 at 14:20 -0500: The limit is not (only?) an X.509 limit, rather the SSL/TLS record layer cannot carry messages larger than 2^14 bytes (plus some overhead for compression algorithms which provably need to be able to make some records larger in order

Re: Should CSR be protected?

2010-02-09 Thread Steffen DETTMER
* Patrick Patterson wrote on Sun, Feb 07, 2010 at 10:14 -0500: A quick question here. Should the Certificate Signing Request message be protected when requesting for Certificate from CA? I think, if you want to certify that a public matches subject description, of course you should

Re: Why don't openssl RSA work for Word Document file?

2010-02-02 Thread Steffen DETTMER
Namrata Sorte wrote: Ya to be more specific, I want to sign and verify Word Document File and using command line will be fine for now. Are you looking for something like openssl smime -sign -in ml.doc... openssl smime -encrypt -in in.doc... maybe? With RSA based certificates it uses RSA.

Re: can TLS be used securely or it is flawed by design not allowing to use it securely

2010-01-26 Thread Steffen DETTMER
* Kyle Hamilton wrote on Tue, Jan 19, 2010 at 16:00 -0800: On Tue, Jan 19, 2010 at 6:19 AM, Steffen wrote: * Kyle Hamilton wrote on Thu, Jan 14, 2010 at 15:50 -0800: (assuming, that a peers identity should not change within a session - but as discussed later in this mail this could be

Re: can TLS be used securely or it is flawed by design not allowing to use it securely

2010-01-19 Thread Steffen DETTMER
* Kyle Hamilton wrote on Thu, Jan 14, 2010 at 15:50 -0800: On Wed, Jan 13, 2010 at 5:58 AM, Steffen DETTMER wrote: There is currently no way for even an ideal TLS implementation to detect this issue. [...] Yes. Please see SSL_CTX_set_info_callback(3ssl). hum, now I'm confused, I

Re: impact of client certificates to re-negotiation attack

2010-01-19 Thread Steffen DETTMER
* Kyle Hamilton wrote on Thu, Jan 14, 2010 at 12:03 -0800: * Steffen asked... ...on this level [thanks a lot again for all the clarifications: authentication levels, authentication-agnostic, URI-dependent certificates, bugfix because missed intention, MITM tricks twitter to decrypt and

Re: can TLS be used securely or it is flawed by design not allowing to use it securely

2010-01-13 Thread Steffen DETTMER
Hi, thank you very much for all your explanation and to give me one more free training :) * Kyle Hamilton wrote on Tue, Jan 12, 2010 at 13:33 -0800: Isn't it a bug in the application when it does not allow me (its user) to configure it? As far as I know there is no way to tell Firefox i.e.

Re: impact of client certificates to re-negotiation attack

2010-01-13 Thread Steffen DETTMER
* aerow...@gmail.com wrote on Tue, Jan 12, 2010 at 12:29 -0800: On Tue, Jan 12, 2010 at 3:12 AM, Steffen DETTMER The problem is this: The attacker makes a connection to a TLS-enabled server, sending no certificate. It sends a command that, for whatever reason, needs additional privilege

can TLS be used securely or it is flawed by design not allowing to use it securely (was: Re: Re-negotiation handshake failed: Not accepted by client!?)

2010-01-12 Thread Steffen DETTMER
Hi, thank you for your detailed explanations. The main thing I still have not understood is whether TLS by design enforces the `bad behavior', meaning TLS cannot be used securely at all by anyone, - or - if TLS just does not enforce to use it securely, meaning that TLS relies on application code

impact of client certificates to re-negotiation attack (was: Re: Re-negotiation handshake failed: Not accepted by client!?)

2010-01-12 Thread Steffen DETTMER
Hi, thank you too for the detailed explanation. But the impact on the client certificates (and its correct validation etc) is not clear to me (so I ask inline in the second half of this mail). * Kyle Hamilton wrote on Mon, Jan 11, 2010 at 14:28 -0800: The most succinct answer is this: the

Re: Re-negotiation handshake failed: Not accepted by client!?

2010-01-11 Thread Steffen DETTMER
Hi all! I miss something around the Re-negotiation flaw and fail to understand why it is a flaw in TLS. I hope I miss just a small piece. Could anyone please enlighten me? * Kyle Hamilton wrote on Thu, Jan 07, 2010 at 16:22 -0800: It is also, though, undeniably a flaw in the TLS specification

Re: Signing .p10 certificate signing requests

2010-01-08 Thread Steffen DETTMER
* Dr. Stephen Henson wrote on Tue, Jan 05, 2010 at 20:26 +0100: Trying both types to see which (if any) worked would be one strategy to handle this automatically or seeing if the initial SEQUENCE header looked like it covered the whole file. There would be exceptions to both cases though.

Re: Huh?

2009-11-25 Thread Steffen DETTMER
* Kyle Hamilton wrote on Tue, Nov 24, 2009 at 13:10 -0800: [startssl.com] from the CA policy http://www.startssl.com/policy.pdf: Fully qualified domain names, typically .www.domain.com. or .domain.com. are validated by sending an electronic mail message with a verification code to one of

Re: Verify fails if two certs with same subject are in the trustedCA lookup file

2009-10-19 Thread Steffen DETTMER
* Arno Garrels wrote on Sun, Oct 11, 2009 at 16:10 +0200: Why are issuers looked up by subject at all? Because that's what the standards (X.509, RFC3280 et al) require. Ah ok, but shouldn't name duplicates be taken into account when issuers are looked up, even though that might

Re: Secure Command Line MAC Computation

2009-10-02 Thread Steffen DETTMER
(OT) just kidding. * Michael S. Zick wrote on Thu, Oct 01, 2009 at 16:44 -0500: Everybody in the same room should be sufficiently security qualified to see anything typed within that room. cheating pupils in school exams probably won't agree, neither will people who are writing love letter SMS

Re: How to get rid of do you want to sign the cert user request when signing a CSR?

2009-09-25 Thread Steffen DETTMER
(OT) * Dave Thompson wrote on Thu, Sep 24, 2009 at 19:23 -0400: But 'ca' by default, and thus it appears to me CA.pl always, also prompt for the CA key passphrase (unless insecurely clear), and you're not complaining about that. I think it depends where it is stored if no passphrase is

Re: verify client certificate at a later point

2009-09-24 Thread Steffen DETTMER
* Victor Duchovni wrote on Wed, Sep 23, 2009 at 16:18 -0400: On Wed, Sep 23, 2009 at 10:04:48PM +0200, Michael Prinzinger wrote: I have a somewhat curious setting (without CAs) about [...] //check certificate This only verifies the server's *trust chain*, but not its identity.

Re: The need for SNI ssl apache vhosts,

2009-09-15 Thread Steffen DETTMER
* Nigel Sollars wrote on Mon, Sep 14, 2009 at 19:06 +0200: At the company we have an online store and we need to replicate it for different locales/languages. After reading some information on the net it seems that the RFC spec is good but the implementation ( at the time of the writing was

No shortcuts (was: Re: Is openssl crypto library thread-safe?)

2009-09-10 Thread Steffen DETTMER
(OT) * Mark wrote on Thu, Sep 10, 2009 at 15:54 +0100: No offense, but that's what the mailing list is for. Granted, a search might have yielded the answer as well... but if anything, the question should make you feel good because it's one mess you won't be cleaning up. No offense, but

Re: MAC address binding to the certificate

2009-09-09 Thread Steffen DETTMER
* Anoop C wrote on Wed, Sep 09, 2009 at 18:02 +0530: Thanks for the quick response. I totally agree on your point. Our associates often used to try others' certificate. So I want to remove that threat also by incorporating MAC address also into the certificates apart from the

Re: Verify certificate using subordinate ca

2009-09-03 Thread Steffen DETTMER
* Serge Fonville wrote on Wed, Sep 02, 2009 at 13:00 +0200: The chain always includes all CAs and certificates. I've done some googling, and it shows that you can trust 'just' the intermediate CA without trusting the root CA, although this kinda obsoletes the purpose of the root CA. [...]

Re: Verify certificate using subordinate ca

2009-09-03 Thread Steffen DETTMER
* Dr. Stephen Henson wrote on Wed, Sep 02, 2009 at 15:08 +0200: Including a public key certificate in no way risks the integrity of its private key as several others have said in this thread. I think this theoretically opens the possibility to brute-force the private key. I think that

Re: Diffie-Hellman key exchange : Preventing MITM attack

2009-08-31 Thread Steffen DETTMER
* Victor Duchovni wrote on Fri, Aug 28, 2009 at 13:39 -0400: The OP is not using fixed DH keys. He is proposing to use ADH key exchange. This gives confidentiality, but NOT authentication. Yes, and confidentiality without authentication usually doesn't help much. In case of MITM, the

Re: WSAEWOULDBLOCK versus WSAECONNREFUSED

2009-08-24 Thread Steffen DETTMER
* David Schwartz wrote on Sun, Aug 23, 2009 at 15:40 -0700: My question is why _using the same code_ Windows is returning WSAEWOULDBLOCK instead of WSAECONNREFUSED when my server is down? while UNIX correctly returns ECONNREFUSED... Because Windows cannot tell whether your server is down

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Steffen DETTMER
* tito wrote on Wed, Jul 15, 2009 at 09:19 +0530: Now the threat is, If an agent export the certificate he acquired in a USB or in some other way and goes to his home pc or somewhere else and he imports the certificate to his personal PC and started doing transactions. He shouldn't be able to

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Steffen DETTMER
* Michael S. Zick wrote on Wed, Jul 15, 2009 at 07:38 -0500: You can approximate that by grabbing the processor's silicon serial number plus grab the USB stick's silicon serial number plus a user input (partial) passphrase. I assume a good virtualisation (maybe some patched VMWare or alike)

Re: about the integer decomposition

2009-06-08 Thread Steffen DETTMER
* Stephan V Bechtolsheim wrote on Fri, Jun 05, 2009 at 18:20 -0700: This is hardly anything remotely resembling a formal proof, of course. But it should give you the basic idea -- it's a difficult problem because the numbers are big. Your argument only applies to your algorithm. The

Re: TLS w/LDAP - SOLVED

2009-06-02 Thread Steffen DETTMER
(OT) * Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500: A more general solution would be: # Am I running as user 0 (root)? uid=$(/usr/bin/id -u) 2>/dev/null if [ $uid == 0 ] ; then BTW, shouldn't it be just one = (to be compliant with POSIX and /usr/bin/test)? oki,

Re: On the fly certificate generation to send to the client

2009-05-25 Thread Steffen DETTMER
* Scott Gifford wrote on Wed, May 20, 2009 at 21:52 -0400: AngelWarrior srikanth.bemin...@gmail.com writes: but this still requires a CA kind of certificate right. I don't know if the client will be have a CA certificate to authenticate it. If I am wrong please explain me how it can be

Re: On the fly certificate generation to send to the client

2009-05-25 Thread Steffen DETTMER
* AngelWarrior wrote on Wed, May 20, 2009 at 15:18 -0500: I don't need to know with whom I am contacting but after contact my messages should be private. If you sent your message to just anybody, how can it be private? oki, Steffen

Re: Question about x509

2009-05-25 Thread Steffen DETTMER
* loody wrote on Fri, May 22, 2009 at 21:51 +0800: 2009/5/22 David Schwartz dav...@webmaster.com: Dear all: at the end of letter, I append the the public key I excerpted from my certificate by openssl x509. Since the key is 2048 bits, 256 bytes, I find the length of 00:af:..14:f7

Re: SSL attack scenario

2009-05-18 Thread Steffen DETTMER
* Nikos Balkanas wrote on Mon, May 18, 2009 at 15:29 +0300: Wikipedia is right in principle, but doesn't cover the case of TCP hijacking. I think this is out of scope, TCP is said to be reliable, not necessarily secure. oki, Steffen

Re: Reverse ssl

2009-05-18 Thread Steffen DETTMER
* Victor Duchovni wrote on Mon, May 18, 2009 at 13:53 -0400: On Mon, May 18, 2009 at 10:24:55AM -0700, Kyle Hamilton wrote: 'reverse SSL'? In other words, the TCP initiator and passive listener are not necessarily also the SSL client and server respectively. I think stunnel already

Re: I want you to do my homework for me.

2009-05-06 Thread Steffen DETTMER
* David Loman wrote on Wed, May 06, 2009 at 11:21 +0200: Mods: Any way there can be some banning happening soon? Don't feed the trolls. oki, Steffen

Re: Basic functions, again...

2009-04-27 Thread Steffen DETTMER
* Sever P A wrote on Sat, Apr 25, 2009 at 13:35 +0200: I don't reach to understand how to implement all these steps. So: I think stunnel could be suited well here. oki, Steffen

Re: Basic functions, again...

2009-04-27 Thread Steffen DETTMER
* Sever P A wrote on Mon, Apr 27, 2009 at 10:49 +0200: (Steffen said:) I think stunnel could be suited well here. Maybe... but my idea was to implement these functions in the C/C++ program while the users have no computer expertise skills. I suddenly thought to integrate this in a batch

Re: Open SSL via dyndns.org

2009-04-15 Thread Steffen DETTMER
* tobias.sem...@diemer-ing.de wrote on Tue, Apr 14, 2009 at 15:04 +0200: Is there a chance to create a certification on the intern server called by the extern https://name.dyndns.org address ? It depends on the software you are using and on the setup... If you use some non-routable IP for your

Re: OpenSSL 1.0.0 beta 1 released

2009-04-02 Thread Steffen DETTMER
* Dr. Stephen Henson wrote on Thu, Apr 02, 2009 at 13:01 +0200: [...] Under this scheme 1. Bug fix releases will change the letter. E.g. 1.0.0 - 1.0.0a 2. Feature releases will change the last (minor) number. E.g. 1.0.0 - 1.0.1 3. Major development will change the second

Re: Bad Decrypt message when using -pass pass:

2009-02-13 Thread Steffen DETTMER
Hi all! * Nickfx wrote on Wed, Feb 11, 2009 at 08:54 -0800: Crazy I know. Having removed split, Openssl is now working as it should. It would seem that there is something screwy with Cygwin's Split or Cat command. I remember that I had trouble because DOS/UNIX line feed translation was performed

Re: OpenSSL command line HMAC

2009-02-09 Thread Steffen DETTMER
Hi all! * Dave Thompson wrote on Fri, Feb 06, 2009 at 20:59 -0500: Adding the quotes didn't work because, if I understand things correctly, the notion of quotes (or escaping characters with \) is a shell concept - hence my attempt to force the command to run under a shell. Those are

Re: [OT] PermitRootLogin is Missing in /etc/ssh_config

2009-02-09 Thread Steffen DETTMER
Hi all, * Charles Darwin wrote on Sun, Feb 08, 2009 at 09:27 -0500: Any idea? (This is off topic here) Shouldn't it be in /etc/sshd_config (or /etc/ssh/sshd_config)? And if missing there, why not simply add it?! oki, Steffen ps.: is this your real name or is it because of the `Darwin Year

Re: OpenSSL command line HMAC

2009-02-06 Thread Steffen DETTMER
Hi all, Hi Alistair! * Young, Alistair wrote on Fri, Feb 06, 2009 at 10:16 +: Ultimately I settled on the use of a shell script to act as an intermediary: #!/bin/bash If you can use bash you could pass the key in \xNN form for $'\xNN' to avoid special characters like blanks and control

Re: unexpected SSL_ERROR_ZERO_RETURN

2009-01-08 Thread Steffen DETTMER
* Md Lazreg wrote on Thu, Jan 08, 2009 at 15:11 +0100: The problem in my case was a server one. I use a non-blocking socket for the server to receive information from the clients, so the server performs a select with a timeout of 1 second to read information. It turns out that when they are

Re: Which version of 0.9.9 is stable enough to use?

2008-11-17 Thread Steffen DETTMER
* Vishnu Param wrote on Mon, Nov 17, 2008 at 16:12 +0800: s3_enc.c:(.text+0xaeb): undefined reference to `COMP_CTX_new' I am sure I am pointing to the 0.9.9 libraries/headers, because I wouldn't get these errors if I wasn't. I think what you were supposed to ensure is that you have the

Re: how to run gdb in openssl

2008-10-08 Thread Steffen DETTMER
* prashanth s joshi wrote on Tue, Oct 07, 2008 at 21:13 +0530: Could anyone please tell me how to run the gdb in openssl? In gdb I am running the command as path_of_bin/bin/openssl s_client -connect ipaddress:4433. But i get the error as: Undefined command: . Try help. why is it so?

Re: How to use a hardware RNG with openssl?

2008-09-19 Thread Steffen DETTMER
* Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 14:22 +0200: we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom. Note: if /dev/urandom is available, OpenSSL will read an additional amount of random bytes from it whether an

Re: How to use a hardware RNG with openssl?

2008-09-19 Thread Steffen DETTMER
Hi, thanks a lot for your detailed explanation. * Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 16:46 +0200: OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with SHA-1 so the more bytes are mixed in, the better. At least it cannot hurt to add any input to it as the entropy in the

Re: [FWD] Re: Convert a DER certificate to PEM certificate

2008-08-12 Thread Steffen DETTMER
* Lutz Jaenicke wrote on Tue, Aug 12, 2008 at 08:47 +0200: Please help me with the command line to convert a DER Certificate to PEM Certificate. $ openssl x509 -inform der -outform pem certificate.der or $ openssl x509 -inform der -text certificate.der (which includes a human readable

Re: [openssl-users] Re: Which datatype for passphrase?

2008-06-16 Thread Steffen DETTMER
* Konrad Kleine wrote on Fri, Jun 13, 2008 at 17:32 +0200: One of our principles is to have only one exit point in functions, so in this point we would agree with you. On the other hand, it is also possible to do it without gotos. Yes, it is possible to `goto' without `gotos', sometimes there

Re: Wider fallout from Debian issue?

2008-06-02 Thread Steffen DETTMER
* [EMAIL PROTECTED] wrote on Fri, May 30, 2008 at 06:51 -0500: Back in the day, DES was the de facto encryption algorithm. [...] In an ideal world, I think the system should throw an exception then and let the calling application feed it another key. However, I think the general consensus

Re: Wider fallout from Debian issue?

2008-06-02 Thread Steffen DETTMER
* John Parker wrote on Sat, May 31, 2008 at 15:35 -0500: Probability that a proper key falls in the space of the bad debian keys: 2^15 / 2^2048 = 1 / 2^2033. That's a lot of zeros before the first non-zero digit. Put differently, if you were to start generating keys now at a rate of,

Re: Wider fallout from Debian issue?

2008-05-29 Thread Steffen DETTMER
* Victor Duchovni wrote on Wed, May 28, 2008 at 21:10 -0400: Only against random attacks of course, if all attackers first check these keys, then removing them strengthens the algorithm against (non-random) brute-force attack. This said, the effort of explicitly avoiding these is

Re: Wider fallout from Debian issue?

2008-05-28 Thread Steffen DETTMER
* Deane Sloan wrote on Thu, May 29, 2008 at 04:47 +1200: stated, the overall risk of generating such a key on an unaffected system is (extremely?) small for the security that a 2048bit RSA private key is intended for? The risk to generate one specific key of 2^16 (or how small was the key

Re: The rules of SSL-Certificate validation?

2008-04-22 Thread Steffen DETTMER
* Lutz Jaenicke wrote on Tue, Apr 22, 2008 at 09:59 +0200: This rule is independent of current time. e.g. If the validity dates of the parent certificate is 2008/04/18~2009/04/18 and the ones of child certificate is 2008/06/18~2009/06/18 or 2008/03/18~2009/03/18, the certificate chain

Re: Convert binary to hexadecimal, and string storing hexadecimal to hexadecimal

2008-04-21 Thread Steffen DETTMER
(OT) * Badra wrote on Fri, Apr 18, 2008 at 17:03 +0200: I have also unsigned char B that stores a binary value. I need to convert it to hexadecimal, I do: char *table = "0123456789abcdef"; int i; for (i=0; i<strlen(B); i++) { B[2*i+1] = table[B[i] & 0xf]; B[2*i] =

Re: Openssl loading

2008-04-21 Thread Steffen DETTMER
* Li, Yvonne wrote on Fri, Apr 18, 2008 at 23:46 -0400: You have lots of good points. Thank you again. I work for AOL, developing cross platform SDK for instant messaging that supports plugins. Plugins can be malicious. And AOL is responsible for protecting users' identity and privacy.

Re: SSL overhead

2008-04-17 Thread Steffen DETTMER
* Tomas Neme wrote on Wed, Apr 16, 2008 at 17:44 -0300: The problem is that SSL_pending might return 0 if there's stuff on the socket, but isn't enough to decode a full record. If you want SSL to be transparent, why are you interested in intermediate protocol-specific data which would not be

authentication then authorization

2008-04-10 Thread Steffen DETTMER
* Kyle Hamilton wrote on Wed, Apr 09, 2008 at 14:22 -0700: Each peer goes through this process: 1) peer creates a keypair 2) peer generates a CSR (certificate signing request) for its public key. 3) peer connects to server, submits CSR along with whatever information necessary to determine

Re: authentication then authorization

2008-04-10 Thread Steffen DETTMER
* Kyle Hamilton wrote on Thu, Apr 10, 2008 at 02:34 -0700: (That means the CA remotely signs online submitted CSRs and sends back a Cert immediately? Maybe such a CA would not be that trustworthy...) First: it is as trustworthy as the application seems to require. It's not as

Re: Problem after removing memory leak

2008-04-02 Thread Steffen DETTMER
* Wockenfuß, Frank wrote on Wed, Apr 02, 2008 at 09:07 +0200: Thank you for that hint. I will try to rebuild the class as singleton. This could help, but isn't really nice. I think you'd need multiple classes. For things done once a program life time, a C++ class (singleton) may not be suited,

Re: CAFile

2008-03-27 Thread Steffen DETTMER
* [EMAIL PROTECTED] wrote on Wed, Mar 26, 2008 at 18:26 +0100: For some hours now I try to find out how to create CAfile (a file with multiple CAs inside, the one file counterpart of -CApath). Could anybody please give me an example Not sure if I understand you right, but if you want to

Re: own Certificate Authority: Renewal of CA cert

2008-03-25 Thread Steffen DETTMER
Hi, in short I think in your -signkey command you need to add -enddate. * Andreas Grimmel wrote on Mon, Mar 24, 2008 at 17:28 +0100: That depends on what you need to do by policy for renewal. There is no such thing as technical renewal - there is only policy based. Since this sounds like

Re: Accessing encrypted messages after cert expires

2008-03-19 Thread Steffen DETTMER
* Michael Sierchio wrote on Tue, Mar 18, 2008 at 17:01 -0700: ... It specifies things that third parties can know and rely on. Only the principal itself can know what it's actually going to use the key for. No, key usage restrictions are certainly within the realm of what a CA will bake

Re: Accessing encrypted messages after cert expires

2008-03-17 Thread Steffen DETTMER
Hi, interesting thread. I also think that secret and shared keys have attributes as creation or validation date. One very important attribute I would like to mention is the is revoked attribute. Of course certificates also can be revoked, but this is something different. Revoked certificates can
