Hi Nils
Thanks for your help.
We have dropped IAIK in favour of BouncyCastle java library and now we at
least don't get the unknown digest anymore.
But now we get error 18 at depth 0, since we are using self-signed certs.
We are using x509 = d2i_X509_fp(file, NULL); to read the cert and
Are you testin
On Sat, Jul 22, 2006 at 12:46:35AM +0200, Marek Marcola wrote:
> parent accept() and SSL_accept() then fork(), parent
> SSL_free() and close() and child to some work.
What work would that be? It should not be possible for the child
process to splice itself into the middle of an SSL session withou
Hello,
> Maybe what I've said was not clear enough.
> In fact, I don't want two processes to be able to
> communicate on the socket at the same time.
>
> I just would like the process which has accepted the
> connection to give the SSL object to a second process.
> Then the first process doesn't n
Hello,
> You are
> being dense, the only question is whether it's deliberate.
No comments.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
__
OpenSSL Project http://www.openssl.org
User Suppor
> Thanks Marek, can you explain more on this "MAC" verification errors?
> When I can ensure only control records are read by SSL_read, why should
> I get such errors? Yeah, ur correct, I will discard application records ;)
> (don't ask me how!!) but then openssl will work rite?
>
> What I have to
> Hello,
> > Did you only read the second paragraph and not the first?
> I have read both.
Then why did you ignore the first paragraph in your reply?
> AES key is AES key and not passphrase.
An "AES key" is a key used for AES. A "key" is a generic term and does not
restri
Alfred Thomas wrote:
Hi all
Is the following supposed to work if testcert.pem is a self-signed cert that
fails with error 18 when I do openssl verify testcert.pem
I want to ignore the fact that it is an untrusted cert and read the public
key regardless.
X509 * x509;
EVP_MD_CTX md_ctx;
cons
SSL is designed for private reliable bytestream between two parties.
Without looking at the spec, I can't say for certain, but I would be
*very* surprised if you can "slice out" any part of the SSL traffic and
not have it generate an error.
Read the SSL/TLS spec.
/r$
--
SOA Appliances
Ap
On Fri, Jul 21, 2006 at 03:55:09PM +0200, Frederic Renault wrote:
> First I want to thank you both for your quick answers.
>
> It's quite hard to change the design as it's an old
> application which must be upgraded to SSL.
>
> Maybe what I've said was not clear enough.
> In fact, I don't want tw
There is no pre-existing way to write out all the SSL state so that
another process can reconstruct it.
I would do it this way; when a connection comes in, spawn stunnel to
handle the SSL with a pipe() back to the dispatcher. Use raw read on the
pipe; when it's time to spawn a client, hand the
First I want to thank you both for your quick answers.
It's quite hard to change the design as it's an old
application which must be upgraded to SSL.
Maybe what I've said was not clear enough.
In fact, I don't want two processes to be able to
communicate on the socket at the same time.
I just wou
Hi all
Is the following supposed to work if testcert.pem is a self-signed cert that
fails with error 18 when I do openssl verify testcert.pem
I want to ignore the fact that it is an untrusted cert and read the public
key regardless.
X509 * x509;
EVP_MD_CTX md_ctx;
const unsigned char * sig_b
Hello,
> Thanks Marek, can you explain more on this "MAC" verification errors?
When an SSL record is read from the TCP socket, it is first decrypted (using
read_secret and CBC xor vector) and then the MAC of the decrypted packet
is checked. When calculating the MAC of the decrypted packet, the following
information is used:
Marty Lamb wrote:
Luc Perthuis wrote:
Hello,
Any advice on this ECB like behaviour of CTR will be highly appreciated.
We are currently integrating openssl in our application.
One of the goals is to use symmetric encryption on streams of data to
keep them encrypted on a storage device (1).
As f
Gayathri Sundar wrote:
Thanks Richard..but I was thinking only SSL RECORDS with Record Type "APP DATA"
Contain application data!!! If I can ensure that only complete SSL Records of Type
Handshake, Change cipher spec, and Alerts are given to OpenSSL, it can
process it rite?
This way how can open
Marek Marcola wrote:
>[EMAIL PROTECTED] writes:
For the moment, I have a kind of supervisor which,
accept a connection, read some data on the socket and
then start the process which is able to handle this
data. ( using createprocess/execv). The socket's
handle is shared to this process and ther
Thanks Richard..but I was thinking only SSL RECORDS with Record Type "APP DATA"
Contain application data!!! If I can ensure that only complete SSL Records of Type
Handshake, Change cipher spec, and Alerts are given to OpenSSL, it can
process it rite?
This way how can openssl know that app data re
I'm not sure about the meaning of "schema", but I can issue certificate with
two (maybe more) O= fields. But they will be separated by comma, so it will
look like different companies are defined, but I need to split one company
name to two O= fields in such way, in which all other software will
unde
> Ok, what I meant is I will be removing the SSL record along with the app
> data!!
> So this should be fine right?
Then SSL will notice that records have been removed. Since records can
contain application data, and SSL guarantees the integrity of the
application bytestream, *ANY* attempt by
Ok, what I meant is I will be removing the SSL record along with the app
data!!
So this should be fine right?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Salz
Sent: Friday, July 21, 2006 5:28 PM
To: openssl-users@openssl.org
Subject: RE: Query
> [EMAIL PROTECTED],CN=Test CN,OU=Test Unit, O=Very very very
> long+O=Organization name,C=LT
Are you sure that the schema allows for multiple values for the O RDN? I
know multiple OU RDN's are allowed; you might look at the config docs to
see how that's set up.
/r$
--
SOA Appliances
Ap
The SSL records include a message digest (MAC) of the application data
within the record. If you remove the application data, the SSL record is
no longer valid.
If you think about it, this is obvious. SSL guarantees the integrity of
the application data. If someone modifies or removes the ap
Thanks Marek, can you explain more on this "MAC" verification errors?
When I can ensure only control records are read by SSL_read, why should
I get such errors? Yeah, ur correct, I will discard application records ;)
(don't ask me how!!) but then openssl will work rite?
What I have to do next depen
Hi guys,
I have one little annoying problem (no, not a Frog) - I need to issue
a certificate to an organization whose name is more than 64 chars long. I believe
there must be a mechanism for such a situation, but for now I only know
that RFC defines 4 octets with 64 chars for organizationName. The pr
Hello,
> What would happen if openssl is starved of application data records
> and is fed only control messages? Would it misbehave?
SSL application records are not mandatory (but usually very useful :-)
So you may establish SSL connection and do for example
renegotiation after renegotiation or s
Hi Nils
Thanks for your help.
We have dropped IAIK in favour of BouncyCastle java library and now we at
least don't get the unknown digest anymore.
But now we get error 18 at depth 0, since we are using self-signed certs.
We are using x509 = d2i_X509_fp(file, NULL); to read the cert and eventuall
Hello,
> For the moment, I have a kind of supervisor which,
> accept a connection, read some data on the socket and
> then start the process which is able to handle this
> data. ( using createprocess/execv). The socket's
> handle is shared to this process and therefor the
> process is able to exc
Hello,
I hope it's the good place to ask such a question.
For the moment, I have a kind of supervisor which,
accept a connection, read some data on the socket and
then start the process which is able to handle this
data. ( using createprocess/execv). The socket's
handle is shared to this proces
Hello,
>
> Did you only read the second paragraph and not the first?
I have read both. AES key is AES key and not passphrase.
If "munki" is not valid AES key (not because it is ASCII string
but because it is too short) (first paragraph) then it can not
be used as AES key (as stated that thi
ok, well ldapAdmin lets me decide for myself if I want to accept the
certificate or not. Will check how to get linux to accept it though.
Thanks =)
Kyle Hamilton wrote:
If the self-signed certificate is not trusted by your LDAP client (the
details of 'how to trust' differ from application to a
If the self-signed certificate is not trusted by your LDAP client (the
details of 'how to trust' differ from application to application), it
will not be able to verify the certificate.
Please see the documentation for your LDAP client (ldapAdmin) for
information on how to trust the self-signed ce
Hi all
I have created a self signed certificate using the instructions given on
this site http://www-128.ibm.com/developerworks/linux/library/l-openldap/
Now when I connect through ldapAdmin I receive a message saying that the
certificate could not be verified. What went wrong? through my lin
32 matches