Hi all,
I am using a self signed certificate as a CA certificate.
My entity certificate is signed by this self signed CA. in my test programs
But another programmer who is doing client part is saying I need to
include keyUsage field in my self signed certifcate refering to RFC
3280 ( section
Hi
i try complie apache with my openssl
./configure --prefix=/usr/unizeto/apache22 --enable-proxy --enable-ssl
--with-ssl=/opt/NEW/openssl/
[...]
checking for OpenSSL version... checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version in -lcrypto... no
checking for SSL_CTX_new in -lssl... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking
2007/10/3, Piotr [EMAIL PROTECTED]:
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version in -lcrypto... no
checking for SSL_CTX_new in -lssl... no
checking for ENGINE_init... no
On Wed, Oct 03, 2007 at 11:47:33AM +0530, Subramaniam wrote:
I am using a self signed certificate as a CA certificate.
Post the CA certificate to the list.
My entity certificate is signed by this self signed CA. in my test programs
Post the entity certificate to the list.
But another
Hello everyone,
I modified my code to add the following two lines after initializing the ssl
library with SSL_library_init():
---
RAND_write_file(prngseed.dat);
RAND_load_file(prngseed.dat, -1);
---
And this solved the problem on HPUX.
Now I am facing the same connectivity problem on
Don't save it in the binary?
Regards,
Daniel Clusin
EnerNOC, Inc.
(617)5328154
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Md Lazreg
Sent: Wednesday, October 03, 2007 11:04 AM
To: openssl-users@openssl.org
Subject: public key in the
Hi,
I am encrypting a file using a private key, and my program is decrypting it
using the public key compiled in the binary.
The question is how to protect my public key against binary analysis within
the binary? I do not want someone to replace it with their own public key
and hence encrypting
On Wed, Oct 03, 2007 at 10:04:26AM -0500, Md Lazreg wrote:
I am encrypting a file using a private key, and my program is decrypting it
using the public key compiled in the binary.
Private keys don't encrypt they sign. The public key *verifies*.
If you want to encrypt, you use the public key to
In message [EMAIL PROTECTED] on Wed, 3 Oct 2007 10:04:26 -0500, Md Lazreg
[EMAIL PROTECTED] said:
mdlazreg I am encrypting a file using a private key, and my program
mdlazreg is decrypting it using the public key compiled in the
mdlazreg binary.
If it isn't an automatic process of some kind,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Piotr Skwarna schrieb:
Hi
i try complie apache with my openssl
./configure --prefix=/usr/unizeto/apache22 --enable-proxy --enable-ssl
--with-ssl=/opt/NEW/openssl/
[...]
checking for OpenSSL version... checking openssl/opensslv.h
Hello,
I modified my code to add the following two lines after initializing
the ssl library with SSL_library_init():
---
RAND_write_file(prngseed.dat);
RAND_load_file(prngseed.dat, -1);
---
And this solved the problem on HPUX.
This is not good solution.
You should install PRNG on
On 10/3/07, Victor Duchovni [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 10:04:26AM -0500, Md Lazreg wrote:
I am encrypting a file using a private key, and my program is decrypting
it
using the public key compiled in the binary.
Private keys don't encrypt they sign. The public key
On Wed, Oct 03, 2007 at 10:42:59AM -0500, Md Lazreg wrote:
Private keys do encrypt using the function :
http://www.openssl.org/docs/crypto/RSA_private_encrypt.html
Of course they do, but when a private key encrypts, it is
called signing, because the public key is presumed to be (drum
roll...)
On 10/3/07, Victor Duchovni [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 10:42:59AM -0500, Md Lazreg wrote:
Private keys do encrypt using the function :
http://www.openssl.org/docs/crypto/RSA_private_encrypt.html
Of course they do, but when a private key encrypts, it is
called
On Wed, Oct 03, 2007 at 10:57:39AM -0500, Md Lazreg wrote:
If you are signing, your model is fine, and embedding the public key in
the binary is exactly the right thing to do. If you are encrypting,
use a symmetric algorithm, the public key algorithm is just confusing
you.
Yes I am
On 10/3/07, Victor Duchovni [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 10:57:39AM -0500, Md Lazreg wrote:
Is this DRM? DRM is not possible without
trusted hardware, and even then is difficult.
Yes it is DRM in a way. I know it is not possible to have a 100% protection
using only
On Wed, Oct 03, 2007 at 11:11:26AM -0500, Md Lazreg wrote:
On 10/3/07, Victor Duchovni [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 10:57:39AM -0500, Md Lazreg wrote:
Is this DRM? DRM is not possible without
trusted hardware, and even then is difficult.
Yes it is DRM in a way.
I am trying to debug a problem with the browser prompting for a client
certificate, and I used the following to see the details of the SSL
negotiation:
# openssl s_client -connect *hostname:port* -msg
I am testing 2 different scenarios and get basically the same output for
both except that the
On Wed, 3 Oct 2007, Md Lazreg wrote:
On 10/3/07, Victor Duchovni [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 10:42:59AM -0500, Md Lazreg wrote:
Private keys do encrypt using the function :
http://www.openssl.org/docs/crypto/RSA_private_encrypt.html
Of course they do, but when a
Hello,
If your users are not technically sophisticated, and the application is
aimed at paying business customers and not the general public, it is
enough to compile the key into the application. Businesses don't like
being caught stealing.
If or users are the general public and/or they are
On Wed, Oct 03, 2007 at 11:11:26AM -0500, Md Lazreg wrote:
What problem does preventing the user from fielding a modified application
solve?
It solves the problem of preventing the user from running my application in
a mode they did not pay for.
If your target is PC software, then
The switch and load balancer do not have their own SSL server certificate.
In the browser, when I view the certificate, I can see that I am getting the
SSL certificate from the back-end server myserver.
The switch and load balancer SHOULD be configured such that the SSL session
terminates at the
Hello,
I am trying to debug a problem with the browser prompting for a client
certificate, and I used the following to see the details of the SSL
negotiation:
# openssl s_client -connect hostname:port -msg
I am testing 2 different scenarios and get basically the same output
for both
Thanks for your comments.
I do not think it has anything to do with a DN hostname mismatch. It is true
that your browser will give you warning if the CN in the SSL server
certificate does not match the hostname you are requesting, but this doesn't
affect whether you are prompted for a client
On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:
Here is the URL they direct the victim too:
https://us.etrade.com/login/challange/2b593cba/logon.htm
This is not the actual booby-trapped URL that users who click on the
phishing links would use. You are not looking at the
I need a way to hide the public key in the binary...
You can't ask in public for a good hiding place.
Note that your question has *nothing* to do with OpenSSL or even public key
encryption for that matter. Your question is basically how do I make a
tamperproof executable.
DS
On 10/3/07, David Schwartz [EMAIL PROTECTED] wrote:
I need a way to hide the public key in the binary...
You can't ask in public for a good hiding place.
Note that your question has *nothing* to do with OpenSSL or even public
key
encryption for that matter. Your question is basically how
That's right-
nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
since everything is encrypted using TLS or SSL.
If you get extremely lucky and catch the browser at the wrong moment,
you can sniff the server key and browser key,
but apart from that, it really depends on the
Thank you very much!
I never realised there was even an html attachment! I use mutt and never
looked for it. Of course I know why I use mutt and this is one of the reasons
why.
Since I never looked at the html I never saw the bogus address. How cute eh!
These financial instutions have a
Right. With server auth you elimate the weakenss I was thinking about a few
years back. As was pointed out I didn't check for html.
On Wed, Oct 03, 2007 at 03:55:21PM -0700, Michael Sierchio wrote:
[EMAIL PROTECTED] wrote:
I'd like to ask the group about a possible man in the middle
On Wed, Oct 03, 2007 at 05:04:52PM -0600, [EMAIL PROTECTED] wrote:
These financial instutions have a major major problem. Then they
recomend to people to use insecure systems. I expect within a few few
years we are going to see some MAJOR hiests!
I think you mean a few years ago, but this
[EMAIL PROTECTED] wrote:
I'd like to ask the group about a possible man in the middle attack over https.
What you've described (though see Viktor's post about what you didn't
really include in your message) is not MITM -- it's just a fake URL
scheme. SSL v3.0 and TLS with server auth are not
That isn't man-in-the-middle- that's simple spoofing.
And, I never said spoofing wasn't doable. I stated that getting
in-between a user and their SSL server depends on the strength of that
remote server's SSL cert, or catching the client and server when they're
about to start the exchange of
On Wed, Oct 03, 2007 at 07:57:41PM -0400, Robert Butler wrote:
That isn't man-in-the-middle- that's simple spoofing.
I would like to humbly suggest that this thread end... Phishing attacks
can be discussed on other lists.
--
Viktor.
Indeed, I had planned on clamming up after that last post.
- Robert
On Wed, 2007-10-03 at 22:17 -0400, Victor Duchovni wrote:
On Wed, Oct 03, 2007 at 07:57:41PM -0400, Robert Butler wrote:
That isn't man-in-the-middle- that's simple spoofing.
I would like to humbly suggest that this
Figured out the problem: Internet Explorer. I should have guessed.
In IE's security settings, the default for the Internet zone has the setting
Don't prompt for client certificate when no certificates or only one
certificate exists set to Disabled. However, the default for the Local
intranet zone
37 matches
Mail list logo
