On Mon, Aug 01, 2011 at 02:51:19PM +, Spurr, Matthew E wrote:
Hello I am just looking for a simple question to be answered, and
cannot find a place to really have a discussion about it. Part of the
ECE GF(2^m) algorithms have a patent on them. I am wondering if it is
ok to use these
On Thu, Jul 28, 2011 at 09:14:34AM -0700, navin gopalakrishnan wrote:
1) When i use my own applications (client server) which uses
the openssl library a separate client program and a separate server
program, both configured to use only eNULL as above. (i.e. with only
NULL_SHA NULL_MD5),
On Wed, Jul 27, 2011 at 02:53:09AM -0700, navin gopalakrishnan wrote:
a) testing NULL Encryption:
While building openssl i modified the macro SSL_DEFAULT_CIPHER_LIST to
#define SSL_DEFAULT_CIPHER_LIST eNULL
That was unwise, don't do that.
My understanding is the above modification? would
On Fri, Jul 22, 2011 at 02:03:27PM -0700, Alex Lindberg wrote:
I have a certificate file CAcert.pem containing two or more certificates
between BEGIN/END blocks.
the openssl command only seems to read the first certificate.
How can I extract information from all certs in a single file?
On Fri, Jul 15, 2011 at 01:17:36PM +0800, Kumar, Nilesh wrote:
I have few queries regarding OpenSSl 0.9.8 :
1. Does it have 64-bit support? If not, which version(s) support
64-bit arch?
Yes, on many 64-bit CPU architectures.
2. RHEL version(s) supported
None. The software
On Wed, Jul 06, 2011 at 04:26:18PM +0300, islam wrote:
Hi i have some problems using openssl library. I got this error :
14742:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:293:
You should give up and ask someone on your team who is more experienced
to implement
On Tue, Jun 21, 2011 at 05:43:57AM -0500, Michael S. Zick wrote:
I've encountered a strange issue. It might not be related to OpenSSL itself,
but maybe it is.
When sending a Client Hello message that's larger than 270 bytes (not sure
what the exact limit is, 255 maybe?), lots of
On Tue, Jun 07, 2011 at 10:05:19AM -0500, Erwin Himawan wrote:
Hi Victor,
If I understand these printout correctly, my compilation environment is
mixed. However, can you confirm?
When the code crashes, here are the print outs:
OPENSSL_VERSION_NUMBER: 9470255
Converted to
On Tue, Jun 07, 2011 at 10:42:54AM -0500, Erwin Himawan wrote:
Thanks for your help. Once I fix my compilation environment, everything
works ok.
Glad it works for you.
When the code crashes, here are the print outs:
OPENSSL_VERSION_NUMBER: 9470255
Converted to hexadecimal,
On Mon, Jun 06, 2011 at 03:18:12PM -0500, Erwin Himawan wrote:
I am trying out the example in this
http://www.openssl.org/docs/crypto/EVP_DigestInit.html.
When I build this example using ver 1.0.0d, the example crashes at E
VP_DigestFinal_ex. When I build this example using previous
On Mon, Jun 06, 2011 at 06:22:53PM -0500, Erwin Himawan wrote:
I am using Netbean 7.0 for my IDE.
I am using cygwin: CYGWIN_NT-5.1 1.7.9(0.237/5/3) 2011-03-29 10:10 i686
My host platform is WindowXP 32 bit.
I am building the openssl ver 1.0.0d using the cygwin.
The path to the OpenSSL
On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote:
I'd like to know the feasibility or complexity around using my own
socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
BIOs to read and write would that be sufficient? How tightly integrated
the code is with
On Wed, Jun 01, 2011 at 10:56:47AM -0700, Eric S. Eberhard wrote:
The way I do things like this is to slightly modify OpenSSL (and keep track
of the mods!)
Completely unnecessary, OpenSSL supports custom I/O layers via BIO pairs.
--
Viktor.
On Tue, May 17, 2011 at 02:22:46AM -0700, G S wrote:
1. Generate a random key and initialization vector to encrypt the block of
text.
2. Encrypt that random key with the RSA public key.
3. Encrypt the data payload with the random key and IV, using Blowfish or
other encryption.
4. Send the
On Mon, May 16, 2011 at 11:56:41AM +0100, Mike Bell wrote:
Thanks Viktor,
I hadn't properly understood the relationship between the certificate
and the cipher, so I'll look at that now. I think I'm also confusing
the OpenVPN? OpenSSL relationship.
OpenVPN does appear to be using TLS
On Sat, May 14, 2011 at 12:55:44PM +0400, A.B.COKO/\OB wrote:
For example:
subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
will produce an error but the equivalent form:
subjectAltName=@subject_alt_section
[subject_alt_section]
On Fri, May 13, 2011 at 05:41:52PM +0100, Mike Bell wrote:
However I keep getting a no shared cipher error.
In my client server openssl.cnf files I've specified
cipher AES-128-CBC
This is not an EC cipher, and if you configure an EC cert, but specify
a cipher that is one of the ones
On Fri, May 13, 2011 at 06:36:34PM +0100, Mike Bell wrote:
I had originally put
cipher AES-128-CBC
in SERVER.OVPN CLIENT.OVPN, not OPENSSL.CNF files (it's been a long week!)
I am not familiar with your VPN product, so you'll have to figure out
what configuration options are applicable. If
On Wed, May 11, 2011 at 08:39:49AM -0700, Eric S. Eberhard wrote:
I have found that fork() on modern machines as a negligible affect on
performance and in fact I almost always use inetd instead of writing my own
servers, mainly because it is dead reliable, easier to code, and again
seems
On Thu, May 05, 2011 at 02:29:07PM -0400, Alona Rossen wrote:
Please list all encryption algorithms supported by OpenSSL 0.9.8e,
0.9.8m and 1.0.0d.
To list all ciphers
$ openssl ciphers -v ALL:eNULL:@STRENGTH
just use the appropriate openssl(1) binary to find which ciphers are
supported
On Thu, Apr 07, 2011 at 04:50:19PM +, Lou Picciano wrote:
Friends, I must admit we've never had to do it before - Can we query
the expiration date directly from a certificate, perhaps by using the
ASN structure code? (Is there a map of the currently-vailable structure
codes, as used by
On Tue, Mar 29, 2011 at 10:15:04AM +0200, Aarno Syv?nen wrote:
HI,
what would error OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start
line mean ?
A PEM file was expected, but the input was not a PEM file, specifically,
it had no -BEGIN ...- line.
--
Viktor.
On Tue, Mar 22, 2011 at 08:47:55PM -0700, Claus Assmann wrote:
On Tue, Mar 22, 2011, Victor Duchovni wrote:
client() has some code like this:
SSL_CTX_set_ex_data(a_ctx-a_ssl_ctx, myidx, a_ctx-cb_arg);
No, don't do that, the SSL_CTX application context object is global.
I
On Sun, Mar 20, 2011 at 07:13:18PM -0700, Claus Assmann wrote:
On Sun, Mar 20, 2011, Victor Duchovni wrote:
once, ... so there needs to be some once-only code in your application,
That's trivial to do and already working fine.
and setting a write-once global there does not seem
On Mon, Mar 21, 2011 at 08:49:09PM -0700, Claus Assmann wrote:
On Mon, Mar 21, 2011, Victor Duchovni wrote:
Can you explain a bit more clearly why you can't initialize an
integer index or two when the application starts?
I can, but that's not the problem. Here's an example:
initialize
On Sun, Mar 20, 2011 at 10:42:28AM -0700, Claus Assmann wrote:
It seems the official way to use an application
context is via:
int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int SSL_set_ex_data(SSL *ssl,
On Thu, Feb 24, 2011 at 08:15:47AM +0100, Mounir IDRASSI wrote:
Your analysis is not true because the original poster says he has dmp1,
dmq1 and iqmp, not only p and q.
Yes, naturally if the OP has d (or equivalently d mod (p-1) and (q-1),
which are presumed co-prime), he can recover e if he
On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote:
Just to be clear, below is not the actual code, but what I would *like*
to be able to do (or something close).
What you are asking to do is not possible, not because of API limitations,
but as a matter of principle
On Fri, Feb 18, 2011 at 01:22:44AM -0800, kalpesh07 wrote:
hi,
I am trying to create digital signature for pdf document by openssl commands
from php file.
I write these two commands first in php file
exec(openssl req -x509 -nodes -days 365 -subj
On Mon, Feb 14, 2011 at 04:36:07PM +, Martin Nicholes wrote:
I am also interested in the ability to allow non-root certs, but my
company is not planning on distributing OpenSSL.
Callbacks are implemented in the application, not in the OpenSSL library.
Therefore a custom verification
On Fri, Feb 11, 2011 at 05:04:11PM -0500, Jean-Michael Cyr wrote:
I have some difficulties to make openssl work to crypt my email.
Email encrypt is generally done via S/MIME. OpenSSL provides an
smime(1) command.
http://www.openssl.org/docs/apps/smime.html
--
Viktor.
On Thu, Feb 10, 2011 at 05:03:05PM +0100, Mounir IDRASSI wrote:
I think you misunderstood Matthias's question? He is not asking about how
to make his own CA accepted (from his post, it appears he already knows how
to do that), but he is rather asking how to make an end entity server
On Tue, Jan 11, 2011 at 11:51:47PM +0100, Ron Arts wrote:
I just renewed my Thawte webserver certificate. This certicifate seems to
work fine with various browsers I tried, but it curl, wget on CentOS 5.5
are not able to verify it:
Browsers often have a fairly large set of trusted roots and
On Tue, Jan 04, 2011 at 04:34:05PM +0100, Richard Koenning wrote:
A further (very
quick) survey shows that Thawte too supports additional subjectAltNames,
but here it comes with a price (http://www.thawte.com/ssl/index.html).
A more intensive survey will probably show up further CAs
On Mon, Dec 20, 2010 at 10:49:57AM -0800, travis+ml-open...@subspacefield.org
wrote:
libnss, at least on Linux, checks that the signing cert (chain) is valid
at the time of signature - as opposed to present time. (It may check
present time as well - not sure on that)
This makes for
On Mon, Dec 20, 2010 at 07:21:54PM -0500, Bhola Ray wrote:
I have noticed the above flag in our openssl code in several c and h files.
If I use
#define OPENSSL_NO_COMP 1
in the right include file, and build the libcrypto.a and libssl.a
then in that build
Do not do this by
On Fri, Dec 17, 2010 at 01:24:40PM -0500, Jeff Saremi wrote:
d1-srvr.c:
int dtls1_accept(SSL *s)
I cannot be 100% sure what changes on the client or on the server in
between. But the low-level client socket and ssl connections are exactly
the same in both scenarios. Also both use OpenSSL
On Fri, Dec 17, 2010 at 03:11:54PM +0530, Kingston Smiler wrote:
Is there any way to identify whether the other end supports TLS or not.
Only if the application protocol supports a way to negotiate TLS (e.g.
SMTP, IMAP, telnet, ... with STARTTLS), or the service in question is
layered over TLS
On Tue, Dec 14, 2010 at 09:52:58AM -0500, Kenneth Goldman wrote:
Question:
OPENSSL_VERSION_TEXT is undocumented. Can I count on it being there and
up to date, or is it for internal use only?
Request:
OPENSSL_VERSION_NUMBER varies between a long and an int constant, Could
it please
On Wed, Dec 15, 2010 at 11:14:59AM -0500, Jeff Saremi wrote:
So under situations that are not entirely clear, a call to
SSL_get_peer_certificate() returns null after a successful SSL accept is
done on the server.
My question is if there are conditions under which one cannot rely on
the
On Tue, Dec 14, 2010 at 06:20:54PM +1100, Corin Lawson wrote:
Hi All,
Is it possible to establish an SSL connection with no compression? How?
OpenSSL 1.0.0 provides a new option that can be set via
SSL_CTX_set_options() or SSL_set_options().
SSL_OP_NO_COMPRESSION
While I'm at it, is
On Tue, Dec 14, 2010 at 04:14:01PM -0800, Mike Mohr wrote:
How do you mean, an additional 0 byte is prepended? I generated
several DH parameters and exported them to C code ( -C ), some of
which has the MSB set. It looks like BN_bin2bn is used directly on
the raw bytes of the prime without
On Tue, Dec 14, 2010 at 05:05:06PM -0800, John R Pierce wrote:
but didn't openssl get its
start with that same openbsd crypto code?
No. From the information-free OpenBSD mailing list message:
It is alleged that some ex-developers (and the company they worked
for) accepted US
On Tue, Dec 14, 2010 at 07:30:33PM -0800, Kannan J wrote:
I have a private key that I need to load onto the smart card.
The PIV User Guide says PQ = P-1 mod Q
Instead of re-interpreting it is best to provide a direct reference,
or at least an unedited quote of the specificied requirements
On Tue, Dec 14, 2010 at 09:46:11PM -0800, Kannan J wrote:
I'm copying and pasting the text from the smart card guide. It is too
big to attach.
Please use plain-text (non-HTML) email when sending mail to lists.
The following convention applies for the P, Q, DP1, DQ1, and PQ parameters:
P is
On Tue, Dec 14, 2010 at 09:55:26PM -0800, Kannan J wrote:
From my relentless search on the internet I hit upon this webpage
http://www.mobilefish.com/services/rsa_key_generation/rsa_key_generation.php
which accepts prime values and generates the rest of the exponents and
coefficients.
On Thu, Dec 09, 2010 at 01:07:14PM +0200, Yannay Alon-BAY004 wrote:
Hi
Is there a file/location that lists all openssl #ifdef preprocessor
identifiers (e.g. OPENSSL_NO_SSL2, OPENSSL_NO_IDEA, OPENSSL_NO_MD5) with
possibly an explanation of each?
Options that enable/disable features at
On Mon, Dec 06, 2010 at 11:36:01AM -0600, Mike Brennan wrote:
It seems that Openssl doesn't always obey the server's priority
s/doesn't always obey/never by default obeys/
ordered list of ciphers (set with SSL_set_cipher_list()), even when
that list is syntactically correct,
On Fri, Dec 03, 2010 at 09:50:49AM -0500, Erik Tkal wrote:
That's a pretty bold statement and doesn't always apply in a product
environment.
I have a production environment. The non-security issues in the unpatched
1.0.0b release create substantial interoperability issues with servers
and
On Fri, Dec 03, 2010 at 09:10:41AM -0800, Marcus Carey wrote:
I am still have issues with the default ECDH parameters in 1.0.0c.
kEECDH handshakes appear to work.
The key generation with NIST Prime-Curve P-192 crashes.
How do you reproduce this?
static void nist_cp_bn(BN_ULONG *buf,
On Fri, Dec 03, 2010 at 12:06:22PM -0800, Marcus Carey wrote:
openssl ecdhtest
What is openssl ecdhtest?
Must use the -no_ecdhe flag.
openssl.exe s_server -no_ecdhe
With what cert/key? Any other options? What client invocation? ...
openssl.exe!nist_cp_bn(unsigned int * buf=0x00acea80,
On Fri, Dec 03, 2010 at 01:43:17PM -0500, Victor Duchovni wrote:
I don't understand the code in BN_nist_mod_192(), which calls
nist_cp_bn(), it has rather obscure pointer manipulation:
/*
* we need 'if (carry==0 || result=modulus) result-=modulus;'
* as comparison
On Thu, Dec 02, 2010 at 03:03:02PM -0500, Erik Tkal wrote:
Can someone point to details on CVE-2010-4180 and CVE-2010-4252?
CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any
references to the other two.
1.0.0c contains important non-security bug fixes for 1.0.0b, so you
On Mon, Nov 29, 2010 at 02:34:29AM -0800, A. N. Alias wrote:
As an example, IE may connect and send a ClientHello.? The server responds
with
a ServerHello on the same socket.? IE then replies with
ClientExchange/ChangeCipherSpec/Finished, but not necessarily on the same
socket.?
This is
On Fri, Nov 26, 2010 at 11:20:36AM +0100, Mounir IDRASSI wrote:
Contribution are usually done by sending a patch to r...@openssl.org. The
subject of the email must start with [PATCH].
The patch should be against the latest stable sources or CVS head of the
branch/branches you are targeting
On Thu, Nov 25, 2010 at 12:02:26AM +0100, Mounir IDRASSI wrote:
This is a known issue for which I have sent a patch (under ticket #2240) on
April 25th 2010. OpenSSL wrongly returns an error if the ServerHello is
missing the Supported Point Format extension whereas it should interpret it
as
On Thu, Nov 25, 2010 at 01:37:10PM +0100, Dr. Stephen Henson wrote:
Thanks, I'd missed that one. I've simulated the issue here and committed a
slightly different patch which works for me:
http://cvs.openssl.org/chngview?cn=20089
Let me know of any problem.
I wroted and tested a patch
I am finding some TLS enabled SMTP servers that don't appear to like
the TLSv1 sesion ticket extension.
With session tickets enabled:
$ openssl s_client -starttls smtp -msg -tlsextdebug -connect 192.0.2.1:25
CONNECTED(0003)
TLS 1.0 Handshake [length 00cb], ClientHello
I see intermitten failures to complete an SMTP STARTTLS handshake
with some servers. This happens when on entry into
ssl_check_serverhello_tlsext() the server proposes a kEECDH
cipher, say:
(gdb) p *(s-s3-tmp.new_cipher)
$7 = {valid = 1, name = 0x2a95a0ceea ECDHE-RSA-DES-CBC3-SHA, id =
On Mon, Nov 22, 2010 at 12:30:10PM +0200, r rubin wrote:
Thank you Victor for the detailed answer. I still don't understand: Does the
vulnerability affect TLS *cliens*?
In the vulnerability detail, it is mentioned that:
- Any OpenSSL based TLS *server* is vulnerable.
Does this mean that
On Sun, Nov 21, 2010 at 04:40:09PM +0200, r rubin wrote:
Hello,
In the vulnerability detail, it is mentioned that:
?Any OpenSSL based TLS *server* is vulnerable.
Does this mean that OpenSSL-based TLS *client* applications aren't
vulnerable at all?
Sorry if this is an obvious question,
On Thu, Nov 18, 2010 at 11:12:11AM -0600, William A. Rowe Jr. wrote:
On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
A 1.0.0c release is planned in the next few days. We're just seeing if any
other issues arise before the release: a couple have been fixed already.
Have any observed
Anyone know why I am seeing the below errors:
../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem
-no_dhe -num 10 -f -time
Available compression methods:
NONE
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
ERROR in SERVER
On Tue, Nov 16, 2010 at 03:48:13PM -0500, Victor Duchovni wrote:
Anyone know why I am seeing the below errors:
../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem
-no_dhe -num 10 -f -time
Available compression methods:
NONE
DONE via BIO pair: TLSv1, cipher
On Tue, Nov 16, 2010 at 11:36:50PM +0100, Mounir IDRASSI wrote:
Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
I don't see anything OS specific in the changes introduced in t1_lib.c or
s3_srvr.c. Could it
On Wed, Nov 10, 2010 at 11:02:05PM +, Dimitrios Siganos wrote:
You can turn the can't find local issuer error for B, into an
OK in the verification callback by specifically whitelisting
the the fingerprint of B, or finding B in a suitable store.
So the solution is:
1) Maintain a
On Wed, Nov 10, 2010 at 10:10:48PM +, Dimitrios Siganos wrote:
Hi,
Is there a way to instruct openssl to treat an intermediate CA as a
trusted CA, which need not have its issuer checked i.e. it will be the
last certificate of the certificate chain.
It seems that openssl insists on
On Tue, Nov 09, 2010 at 01:45:15PM +, Bruce Stephens wrote:
Michael Str??der mich...@stroeder.com writes:
Bruce Stephens wrote:
[...]
Ah, my fault. Obvious in retrospect: Debian's openssl finds the root
cert because it's in the ca-certificates package!
Did you use -CAfile
On Tue, Nov 09, 2010 at 11:42:14AM -0500, josh kirbey wrote:
Hi All,
We are required to upgrade the sizes of private/public key pairs to 3072
bits from 1024 bits.
Welcome to bureaucratic insanity. There is no rational basis for
this requirement. Even 2048 bits is excessively conservative
On Tue, Nov 09, 2010 at 01:31:40PM -0500, josh kirbey wrote:
Thanks Viktor for your quick response. Even I am contesting the unnecessary
usage of 3072 bit sized key.
Surprisingly, in the given scenario, if I write this line of code before
modifying the certificate it works like a charm.
On Tue, Nov 09, 2010 at 09:34:42PM +0100, Stef Hoeben wrote:
Hi,
using the openssl tool, we generated an Elliptic Curve key pair
and put it into a pkcs8 file:
0 48: SEQUENCE {
32: INTEGER 0
6 48: SEQUENCE {
86: OBJECT IDENTIFIER ecPublicKey (1 2 840
On Mon, Nov 01, 2010 at 01:06:50PM -0500, Eichenberger, John wrote:
I have been looking at OpenSSL version 1.0.0a source code in order to
determine how to use it in an application where EAP TLS is used. It
seems like this application would be working correctly if only the
privatekey field
On Thu, Oct 14, 2010 at 06:48:58AM -0400, L. Michael Asher wrote:
Sorry, I meant to say that appears to be an error generated by the parent
library whenever the SMTP server says it doesn't accept TLS (or won't on that
specific port at least). It may be that the OpenSSL libs are not even
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
Does BIO support 64 bit IO (large files)? If so would the rest of
OpenSSL (such as the ssl itself) support those BIOs?
I configured the build with 64bit support and didn't see any noticeable
changes.
Specifically, I'd like to know
On Mon, Sep 20, 2010 at 02:42:08PM +0400, Sergey Sedov wrote:
Hi,
My ISP provides to me .p12 file containing certs for using TLS for wifi
connection.
I can install it under Windows and use it.
But when I try to install it under Linux I have some troubles.
NetworkManager wants 3 certs to
On Fri, Sep 17, 2010 at 10:40:45AM -0400, Tom Cocagne wrote:
I've been searching for a way to set up an encrypted SSL connection
that doesn't require the use of certificates. Ideally, I'd like to use
SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly
available, I'd like to
On Tue, Sep 14, 2010 at 11:27:09AM -0400, Allan E. Johannesen wrote:
I noticed that our CA store (/usr/local/ssl/cacert.pem) was pretty old, with
some expired certificates in it, etc.
I exported the certificate list out of a Windows firefox and put that in place
and I thought things were
The 0.9.8[no] SSLv3 client code sends the SCSV cipher even when built
with no-tlsext and is then unable to process the server response if
the server returns tls extensions.
It is my impression that enabling tls extensions breaks binary
compatibility, so I cannot replace a no-tlsext shared
On Thu, Sep 02, 2010 at 11:02:21PM +0200, Dr. Stephen Henson wrote:
On Thu, Sep 02, 2010, Victor Duchovni wrote:
It is my impression that enabling tls extensions breaks binary
compatibility, so I cannot replace a no-tlsext shared library with
one that support extensions without re
On Mon, Jul 12, 2010 at 04:16:13PM +0200, Jakob Bohm wrote:
On 10-07-2010 20:13, Jeffrey Walton wrote:
The general approach is to encrypt data using a symmetric cipher (e.g.,
AES-256) with a randomly-generated key, and then encrypt that symmetric
key
with the RSA (public) key.
AES-256
In changes:
http://cvs.openssl.org/chngview?cn=19759
http://cvs.openssl.org/chngview?cn=19760
http://cvs.openssl.org/chngview?cn=19761
http://cvs.openssl.org/chngview?cn=19762
a bug is fixed in AES_wrap_key(), but the same bug remains unchanged
in AES_unwrap_key.
What is the
On Fri, Jul 09, 2010 at 12:26:46PM -0500, Michael S. Zick wrote:
On Fri July 9 2010, Suryya Kumar Jana wrote:
Hello,
Would any one please let me know whether the following ciphers are supported
in 0.9.8m?
1. EXP1024-DHE-DSS-DES-CBC-SHA
2. EXP1024-RC4-SHA
3. DHE-DSS-RC4-SHA
4.
On Mon, Jun 07, 2010 at 03:03:28PM +0100, David Woodhouse wrote:
On Thu, 2010-06-03 at 21:35 -0400, Victor Duchovni wrote:
The problem is that only the application knows which names are those of
the peer it tried to reach.
True, but the app could easily provide that information
On Mon, Jun 07, 2010 at 04:07:06PM -0400, Jason Fister wrote:
Hello folks,
I have a service to which people can send data. My service then stores the
data and returns the SHA checksum for the data back to the client. I also
store the checksum I computed and the offset at which it was
On Fri, Jun 04, 2010 at 01:04:42PM -0400, jeff wrote:
I tried the following and it created more interesting results.
It now fails on the good certificate -- the one that matches the
nameConstraint.
The error it returns is:
error 34 at 1 depth lookup:unhandled critical extension
Did
The declaration of EXP-ADH-DES-CBC-SHA in s3_lib.c (OpenSSL 0.9.6m,
0.9.7m, 0.9.7n, 1.0.0) seems to suggest that this cipher has a 128-bit key
/* Cipher 19 */
{
1,
SSL3_TXT_ADH_DES_40_CBC_SHA,
SSL3_CK_ADH_DES_40_CBC_SHA,
SSL_kEDH,
SSL_aNULL,
On Fri, Jun 04, 2010 at 03:50:21PM -0400, jeff wrote:
yes it's 0.9.8
I'll do a test with 1.0 before Monday and i'll let everyone know
The fact that 0.9.8 does NOT support checking name constraints was
mentioned multiple times in this thread. It is not polite to waste
list members' time in this
On Thu, Jun 03, 2010 at 09:36:56AM -0400, jeff wrote:
I have an example, detailed below, that specifies permitted and excluded
subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate
requests adhering to and violating the name constraints both, even
though the nameConstraints
On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
I would expect such constraints to only apply when
certificates are being *verified*. There seems to be
little point in preventing a CA from attempting to sign
violating certificates.
Yes I later tried to verify and I still
On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:
Hodie III Non. Iun. MMX, Victor Duchovni scripsit:
On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
I would expect such constraints to only apply when
certificates are being *verified*. There seems
On Fri, Jun 04, 2010 at 01:19:52AM +0100, David Woodhouse wrote:
On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote:
Generally, OpenSSL does not verify peer names, only the certificate
trust chain, and peername checks are left up to applications.
Which is a shame... I'm far too
On Wed, May 26, 2010 at 07:20:12PM -0500, Dallas Clement wrote:
One small piece of additional info: I'm trying to avoid the use of
any certificates. Is that even possible with OpenSSL?
Yes. If both server and client support aNULL ciphers, and list these
above any other ciphers, or the server
On Sat, May 01, 2010 at 06:11:05AM -0500, Michael S. Zick wrote:
Those very large numbers are called _pseudo_ primes for a reason.
Because there is no known __practical__ method for proving they
are prime. If that could be proven, then pseudo would not be
a qualifier in their descriptive
On Fri, Apr 30, 2010 at 06:32:30PM +0200, Michael T?xen wrote:
On Apr 30, 2010, at 9:29 AM, denot...@libero.it wrote:
Hi all.
I need to generate a BIGNUM C that is relatively prime with a BIGNUM N(
GCD
(N,C)=1 )
is there a pre-built function in openssl library ??
Doesn't C=1
On Sun, Apr 25, 2010 at 06:58:06PM -0700, Thomas J. Hruska wrote:
Running 'openssl s_client' on 0.9.8n without any additional arguments
crashes openssl.exe.
On a Linux system it reports a connection refused (to localhost:4433)
...
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
setsockopt(3,
On Sun, Apr 18, 2010 at 07:09:09PM +0100, Luigi Auriemma wrote:
I have noticed that a client ssl connection initialized with the
classical SSLv23_method no longer works in OpenSSL 1.0.0.
Postfix TLS client SSL context is always created via:
SSL_CTX *client_ctx =
On Fri, Apr 16, 2010 at 10:11:20AM +, Kaila, Ashish wrote:
Hi,
I just built Openssl 1.0.0 on a Win32 platform, after building when
I try and run the binary openssl.exe I get a warning message Cant
open Config file: /usr/local/ssl/openssl.cnf , I don't have a sample
configuration file.
On Wed, Apr 07, 2010 at 06:58:05PM +0100, David Woodhouse wrote:
As you can see, the results all got much faster once I got back in time
to about mid-2007. Using 'git-bisect' I was able to find the offending
commit which had caused the performance degradation:
http://cvs.openssl.org/chngview?cn=19536
-SSL_library_init() only registers ciphers. Another important initialization
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
-be performed separately.
+SSL_library_init() mainly adds ciphers and digests used directly by
On Tue, Apr 06, 2010 at 09:17:01PM +0200, Dr. Stephen Henson wrote:
Has the guidance to developers who use OpenSSL for TLS/SSL rather than
as general-purpose cryptography toolkit changed wrt. library initialization?
[...]
I suppose it makes sense to add the SHA2 algorithms to
1 - 100 of 713 matches
Mail list logo