openssl and PeopleSoft
Hi I am trying to use openssl to generate RSA keys and use it in PeopleSoft. But PeopleSoft requires keys in hex notation with specific keysize of 168 which I am not able to generate with openSSL. Please let me know if anyone has experience working with OpenSSL for PeopleSoft.Any help is appreciated. Thanks Regards Vivek Panikulam Use Entered Value Select this option to use key values that aren't in the PeopleSoft keystore. Enter a key value that's formatted appropriately for the algorithm that you're configuring. This value will be entered into the PET keyset table, not the PeopleSoft keystore. The value that you enter has a length that depends on the keysize of the cipher. For triple DES with keysize 112, this is 16 bytes. For a keysize of 168, this is 24 bytes. This value should be represented in hex notation. You must generate the key value that you enter here. You can use any key generation utility capable of producing hex encoded keys of the required length. PeopleSoft delivers the core OpenSSL command line program precompiled and ready to use. You can use it to generate key values and perform other encryption-related tasks. The executable program is PS_HOME\bin\server\WINX86\openssl.exe on Windows, and PS_HOME/bin/openssl on Unix and Linux platforms.
Re: multi thread, example on win32 is wrong?
I'm a *nix programmer too [?]. I just think there may be some error with the example on wind32. On Thu, Sep 2, 2010 at 11:36 PM, Sam Jantz wrote: > Lu, > > I'm not sure specifically about windows, but it seems that you have > not created the id function. Once you create the id function then you need > to register it in the thread_setup with the function > CRYPTO_set_id_callback(); The thread_id function > is a very small function that just returns the thread id for calling thread. > In linux you implement it like this: > > static unsigned long id_function(void){ > > } > > On Thu, Sep 2, 2010 at 3:34 AM, Lu zhuiyue wrote: > >> the documentation (http://www.openssl.org/docs/crypto/threads.html) says >> >> to use openssl library in multi threds environments, the user should set >> thses tow callback functions >> locking_function and threadid_func >> >> the example: >> *crypto/threads/mttest.c* >> on win32 platform: >> >> it does not set threadid_func. it is an error? >> > > > > -- > Sam Jantz > Software Engineer > > <<330.gif>>
Question on applying GPROF to OpenSSL s_server
Hi, I'd like to use gprof to profile the OpenSSL application s_server on a Linux box. I had a 'CFLAG= -g -static -pg' in the 'openssl-0.9.8o/apps/Makefile', then configured the OpenSSL, made it and installed it. However, I didn't get the gprof output (gmon.out) after running the 'openssl s_server'. Did I miss anyting here? Can anyone give me some guidelines on how to use gprof to profile the OpenSSL s_server? Thanks a lot! Joe __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
problem https with class 3 cert CACert
hi fols hi all the people hi openssl users hi apache httpd users t explain my problem i use CentOS 5.5 use httpd.i386 2.2.3-43.el5.centos.3 rpm's centos use mod_ssl.i386 1:2.2.3-43.el5.centos.3 rpms's centos I sometimes against this kind of problem with certificates of type class 3, it was the color in the address bar with the firefox the color in the address bar disappear sometimes and a reload of web page was view again The padlock disappears for the same occasion ... many return and welcome some ideas are welcome __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
problem https with class 3 cert CACert
hi folks hi all the people hi openssl users hi apache httpd users t explain my problem i use CentOS 5.5 use httpd.i386 2.2.3-43.el5.centos.3 rpm's centos use mod_ssl.i386 1:2.2.3-43.el5.centos.3 rpms's centos I sometimes against this kind of problem with certificates of type class 3, it was the color in the address bar with the firefox the color in the address bar disappear sometimes and a reload of web page was view again The padlock disappears for the same occasion ... many return and welcome some ideas are welcome __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".
On Thu, Sep 02, 2010 at 11:02:21PM +0200, Dr. Stephen Henson wrote: > On Thu, Sep 02, 2010, Victor Duchovni wrote: > > > > > It is my impression that enabling tls extensions breaks binary > > compatibility, so I cannot replace a "no-tlsext" shared library with > > one that support extensions without re-compiling all the clients. So, > > some legacy systems still get "no-tlsext" libraries until we move > > everyone to 1.0.0. > > > > A few fields are appended to some structures to support TLS extensions which > means that some structures increase in size. These structures are only ever > allocated and freed by library calls so binary compatibility *should* be > maintained. However there is a slight risk that a highly broken application > will allocate the structures itself and poke around in internals to set them > up. So no existing fields change size or position? And the ABI is only broken when applications allocate SSL, SSL_CTX, ... structures directly rather than via SSL_new() or SSL_CTX_new()? If so, I may take the plunge with 0.9.8p, if it is likely that the most common applications (Apache, stunnel, curl, wget, ...) and high-level language run-times (Perl, Python, ... SSL support) do not break when tls extensions are enabled in an updated shared library. Is there anywhere either a list of applications known to work or known to not work with recompiled libraries? -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".
On Thu, Sep 02, 2010, Victor Duchovni wrote: > > It is my impression that enabling tls extensions breaks binary > compatibility, so I cannot replace a "no-tlsext" shared library with > one that support extensions without re-compiling all the clients. So, > some legacy systems still get "no-tlsext" libraries until we move > everyone to 1.0.0. > A few fields are appended to some structures to support TLS extensions which means that some structures increase in size. These structures are only ever allocated and freed by library calls so binary compatibility *should* be maintained. However there is a slight risk that a highly broken application will allocate the structures itself and poke around in internals to set them up. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".
The 0.9.8[no] SSLv3 client code sends the SCSV cipher even when built with "no-tlsext" and is then unable to process the server response if the server returns tls extensions. It is my impression that enabling tls extensions breaks binary compatibility, so I cannot replace a "no-tlsext" shared library with one that support extensions without re-compiling all the clients. So, some legacy systems still get "no-tlsext" libraries until we move everyone to 1.0.0. The SSL client should not solicit server behaviour it does not support. Patch below. --- ssl/ssl_lib.c 2010-02-17 14:43:08.601690964 -0500 +++ ssl/ssl_lib.c 2010-09-02 13:19:18.401865197 -0400 @@ -1299,6 +1299,8 @@ j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); p+=j; } + +#ifndef OPENSSL_NO_TLSEXT /* If p == q, no ciphers and caller indicates an error. Otherwise * add SCSV if not renegotiating. */ @@ -1310,10 +1312,11 @@ }; j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); p+=j; -#ifdef OPENSSL_RI_DEBUG +# ifdef OPENSSL_RI_DEBUG fprintf(stderr, "SCSV sent by client\n"); -#endif +# endif } +#endif /* OPENSSL_NO_TLSEXT */ return(p-q); } -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: reading and writing into pem file
Hi, Thanks for your input..it worked for me...i am writing encryption and decryption using RSA... #include #include #include #include #include #include RSA * readPubKey(char *filename) { RSA *key; BIO *bp; ERR_load_crypto_strings(); bp=BIO_new(BIO_s_file()); if (BIO_read_filename(bp,filename) <= 0) { perror("ERROR: public.pem"); exit(0); } if ((key=(RSA *)PEM_read_bio_RSA_PUBKEY(bp,NULL,NULL,NULL)) == NULL) { ERR_print_errors_fp(stderr); key = NULL; } BIO_free(bp); return key; } rsaEncrypt() { RSA *pubkey; unsigned char *message= "Hello !! can u hear me now !!"; unsigned char *encryptmess, *decryptmess; int long_message; char **key; char buff[300]; pubkey = readPubKey("public.pem"); char test1,test2; printf("\nsize of (in byte)s public:private :: %d:\n",RSA_size(pubkey)); /* Encrypt the message */ encryptmess = (unsigned char *) malloc (RSA_size(pubkey)); test1=sizeof(test2); long_message= (strlen(message)&test1+1); RSA_public_encrypt(long_message, message, encryptmess, pubkey, RSA_PKCS1_OAEP_PADDING); printf ("\n message %s\n", message); printf("\nlenght= %d\n",strlen(encryptmess)); int i; i =strlen(encryptmess); printf("length ==%d\n",i); memmove(buff,encryptmess,i); int j; j=(strlen(buff)*sizeof(char)+1); //printf ("\n message=== %s\n", encryptmess); printf("j=%d\n",j); free(encryptmess); printf("%s",buff); } int main(void) { rsaEncrypt(); } when i encrypt the message it works and printing the outpu..i need to write the encrypted message to main function to decrypt the encrypted message... i have tried the below program ..it is not giving as expected..please help me out to write the this #include #include #include #include #include RSA * readPubKey(char *filename) { RSA *key; BIO *bp; ERR_load_crypto_strings(); bp=BIO_new(BIO_s_file()); if (BIO_read_filename(bp,filename) <= 0) { perror("ERROR: public.pem"); exit(0); } if ((key=(RSA *)PEM_read_bio_RSA_PUBKEY(bp,NULL,NULL,NULL)) == NULL) { ERR_print_errors_fp(stderr); key = NULL; } BIO_free(bp); return key; } int rsaEncrypt(unsigned char *message,unsigned char *decryptmess,int long_message) { RSA *pubkey; RSA *privkey; unsigned char *encryptmess; int long_message1,j; char **key; long_message1=long_message; pubkey = readPubKey("public.pem"); /* Encrypt the message */ printf("hello encrypt"); encryptmess = (unsigned char *) malloc (RSA_size(pubkey)); RSA_public_encrypt(long_message1, message, encryptmess, pubkey, RSA_PKCS1_OAEP_PADDING); printf ("\n message %s\n", message); j=strlen(encryptmess); printf("\nj=%d",j); decryptmess=encryptmess; } //main program=== main() { unsigned char *message= "Hello !! can u hear me now !!"; unsigned char* decryptmess; int long_message,i; long_message= (strlen(message)*sizeof(char)+1); int rsaEncrypt(unsigned char *message,unsigned char *decryptmess,int long_message); i=strlen(decryptmess); printf("\n%s\n",decryptmess); printf("\nsize=%d",i); } Thanks kris On Wed, Sep 1, 2010 at 2:03 AM, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy > santhanam > > Sent: Tuesday, 31 August, 2010 13:33 > > > #include > > > writekey(RSA *key2) > > You're obviously using a C89 (or earlier) compiler or mode. > > Snipped most non-I/O steps: > > > { > > EVP_PKEY *pkey; > > FILE *fp; > > //BIO *file; > > OpenSSL_add_all_ciphers(); > > OpenSSL_add_all_algorithms(); > > Aside: add_all_algorithms *includes* add_all_ciphers > > > if(!(fp = fopen("private1.pem", "w"))) { > > > if(!PEM_write_PrivateKey(fp, pkey,NULL,NULL,0,NULL,NULL)){ > > > close(fp); > > > if(!(fp = fopen("public1.pem", "w"))) { > > > if(!PEM_write_PUBKEY(fp, pkey)){ > > >close(fp); > > close() is not the correct routine to close a stdio FILE*. > It doesn't even take the correct type of argument, but > your compiler wasn't required to warn you because you > didn't include its header (e.g. unistd.h) and in C<=89 > undeclared functions default to int(/*unspecified*/). > > Since you didn't close the files, no data actually got written > to them, so there was nothing there for the PEM_read's to read. > > Use fclose. And see if you can use a C99 compiler, or at least > a C89 compiler with better warnings (like gcc -Wimplicit). > > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: Problem verifying a chain...
Use the '-issuer_checks' parameter to show exactly what it's looking for and where it's looking for it. At 'depth 1' (i.e., one step above the end-entity certificate), it's looking for the issuer (which means it's looking for the USERTRUST root certificate). -Kyle H On Thu, Sep 2, 2010 at 9:39 AM, John Doe wrote: Hi, I have some issues with chained certificates. I am trying to verify my certificate with the intermediate certificate of my registrar... my.crt: Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com gandi.crt: Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA # openssl verify -CAfile gandi.crt my.crt my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA error 2 at 1 depth lookup:unable to get issuer certificate Is it the right command to test...? Is the error about gandi or usertrust? Thx, JD __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org smime.p7s Description: S/MIME Cryptographic Signature
Re: [openssl-users] **Spam** Problem verifying a chain...
Bonjour, Hodie post. Kal. Sep. MMX, John Doe scripsit: > I have some issues with chained certificates. > I am trying to verify my certificate with the intermediate certificate of my > registrar... > > my.crt: > Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA > Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com > > gandi.crt: > Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, > OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware > Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA > > # openssl verify -CAfile gandi.crt my.crt > my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA > error 2 at 1 depth lookup:unable to get issuer certificate It wants to check the issuer's certificate of Gandi. You can find it in your browser, or maybe in a decently installed Ubuntu/Debian, in /etc/ssl/certs directory (UTN_USERFirst_Hardware_Root_CA.pem on my machine). -- Erwann ABALEA Département R&D KEYNECTIS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Problem verifying a chain...
Hi John, Your CAfile must contain the chain that issued your cert (i.e. the intermediate(s) and the root). The error is indicating that it is unable to locate the issuer of the intermediate. Erik Tkal -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John Doe Sent: Thursday, September 02, 2010 12:39 PM To: openssl-users@openssl.org Subject: Problem verifying a chain... Hi, I have some issues with chained certificates. I am trying to verify my certificate with the intermediate certificate of my registrar... my.crt: Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com gandi.crt: Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA # openssl verify -CAfile gandi.crt my.crt my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA error 2 at 1 depth lookup:unable to get issuer certificate Is it the right command to test...? Is the error about gandi or usertrust? Thx, JD __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Symmetric Key Encryption
Hello, Where is the symmetric key stored during an SSL transaction? There is a place for it (deep) inside of the ssl structure at ssl->s3->tmp.key_block with length of ssl->s3->tmp.key_block_length However these are never populated on any connection that I make. It seems odd to me that encryption/decryption can happen without a symmetric key, but at surface value that seems to be what is happening. I have done quite a bit of digging on this and found a function (or 4) that is supposed to generate the key block (tls1_generate_key_block() and all the functions it calls), and then I can partition it out the keys according to the TLSv1 RFC (http://www.ietf.org/rfc/rfc2246.txt page 14) but it seems that whenever I do this I cannot use this key to decrypt the data from the transaction (using the IV from the key block as well). So either my Key, or IV, or both are incorrect. The "label" I am using (as per TLSv1 spec) is "key expansion" however I have no idea if that is the correct value. I've attached the code I am currently using to generate the key block. It's a lot to digest, but it's better to be more verbose, than lacking in detail. Long story short, if there is a better way to access the the session key I would like to know about it. Thank you for any input or feedback you can provide. -Sam -- Sam Jantz Software Engineer /* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (e...@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (t...@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright *notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright *notice, this list of conditions and the following disclaimer in the *documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software *must display the following acknowledgement: *"This product includes cryptographic software written by * Eric Young (e...@cryptsoft.com)" *The word 'cryptographic' can be left out if the rouines from the library *being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from *the apps directory (application code) you must include an acknowledgement: *"This product includes software written by Tim Hudson (t...@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright *notice, this list of conditions and the following disclaimer. * *
Problem verifying a chain...
Hi, I have some issues with chained certificates. I am trying to verify my certificate with the intermediate certificate of my registrar... my.crt: Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com gandi.crt: Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA # openssl verify -CAfile gandi.crt my.crt my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA error 2 at 1 depth lookup:unable to get issuer certificate Is it the right command to test...? Is the error about gandi or usertrust? Thx, JD __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: multi thread, example on win32 is wrong?
Sorry accidentally sent that: return pthread_self() } Then you register it, and your library should be thread safe. Again sorry about sending that too soon. Best of luck! -Sam On Thu, Sep 2, 2010 at 10:36 AM, Sam Jantz wrote: > Lu, > > I'm not sure specifically about windows, but it seems that you have > not created the id function. Once you create the id function then you need > to register it in the thread_setup with the function > CRYPTO_set_id_callback(); The thread_id function > is a very small function that just returns the thread id for calling thread. > In linux you implement it like this: > > static unsigned long id_function(void){ > > } > > On Thu, Sep 2, 2010 at 3:34 AM, Lu zhuiyue wrote: > >> the documentation (http://www.openssl.org/docs/crypto/threads.html) says >> >> to use openssl library in multi threds environments, the user should set >> thses tow callback functions >> locking_function and threadid_func >> >> the example: >> *crypto/threads/mttest.c* >> on win32 platform: >> >> it does not set threadid_func. it is an error? >> > > > > -- > Sam Jantz > Software Engineer > > -- Sam Jantz Software Engineer
Re: multi thread, example on win32 is wrong?
Lu, I'm not sure specifically about windows, but it seems that you have not created the id function. Once you create the id function then you need to register it in the thread_setup with the function CRYPTO_set_id_callback(); The thread_id function is a very small function that just returns the thread id for calling thread. In linux you implement it like this: static unsigned long id_function(void){ } On Thu, Sep 2, 2010 at 3:34 AM, Lu zhuiyue wrote: > the documentation (http://www.openssl.org/docs/crypto/threads.html) says > to use openssl library in multi threds environments, the user should set > thses tow callback functions > locking_function and threadid_func > > the example: > *crypto/threads/mttest.c* > on win32 platform: > > it does not set threadid_func. it is an error? > -- Sam Jantz Software Engineer
RE: RE: AES in counter mode no support in openssl
Hi Sagar, No, I do not see any engine support. That code appears to use AES_encrypt directly, and evp.h has hints but nothing enabled: #if 0 const EVP_CIPHER *EVP_aes_128_ctr(void); #endif Also, if the hardware you have (you didn't say what it was) is not supported by OpenSSL then the hardware vendor (or yourself) would have to implement engine code to perform the operations. Erik From: sagar gupta Subject: Re: RE: AES in counter mode no support in openssl can that aes_ctr.c be used to connect to hardware driver. I have a hardware driver which can implement the encryption method for more performance. Thanks On Thu, 02 Sep 2010 03:30:20 +0530 wrote > OpenSSL 1.0.0a has aes_ctr.c in the crypto/aes directory. Erik Tkal Subject: AES in counter mode no support in openssl hi all, I was working on the Openssl1.0.0 version for AES cryptographic support in counter mode i.e; AES-CTR mode. I did not find any support added to the openssl1.0.0 version. I wanted to ask that is there support for AES counter mode in openssl?? if Yes which version of Openssl support AES counter mode?? if no I wanted to know why the support for AES counter mode is not added into the openssl?? Any help or answers in this regard will be really useful for me. Thanks for all in Advance. please do give me some answers for my questions. :��I"Ϯ��r�m (Z+�K�+1���x��h[�z�(Z+���f�y���f���h��)z{,���
Re: Confusion about subject alternative names
Since webmail, imap, smtp(s) all operate on different ports, and you have different listeners, the correct way to me seems to use three certificates with the desired hostnames etc. Having the same IP address doesn't matter in this particular case. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
multi thread, example on win32 is wrong?
the documentation (http://www.openssl.org/docs/crypto/threads.html) says to use openssl library in multi threds environments, the user should set thses tow callback functions locking_function and threadid_func the example: *crypto/threads/mttest.c* on win32 platform: it does not set threadid_func. it is an error? static HANDLE *lock_cs; void thread_setup(void) { int i; lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE)); for (i=0; i end.wDayOfWeek) end.wDayOfWeek+=7; ret=(end.wDayOfWeek-start.wDayOfWeek)*24; ret=(ret+end.wHour-start.wHour)*60; ret=(ret+end.wMinute-start.wMinute)*60; ret=(ret+end.wSecond-start.wSecond); ret+=(end.wMilliseconds-start.wMilliseconds)/1000.0; printf("win32 threads done - %.3f seconds\n",ret); }
RE: Confusion about subject alternative names
Hi Gaiseric, -Original Message- > From: Gaiseric Vandal > >I am using various version of openssl-0.9.x (including >openssl-0.9.8k-1.fc11.i686 on > my linux machine altho the cusotmized openssl.cnf file is probably inherited > from a > slightly earlier version.) > When I create a certificate signing request with openssl, I have an option to > specify an > Subject Alternative Name (SAN.) The request file (csr) as well as the > resulting > certificate includes the SAN as a value in the in the subject field. > > Subject: C=US, ST=x, L=x, O=x, OU=IT, > CN=server1.company.com/subjectAltName=server2.company.com/emailaddress=xx...@company.com I've never seen a subjectAlternativeName construction like this. This is not what openssl does by default. So this behaviour is related to the changes you did in your openssl.conf file. Looks like you defined your own private RDN subjectAltName. This is not standard. And nobody else will understand this! I recommend you read up about using the openssl req and ca commands, or alternatively the x509 command if you are using this to issue your certicates, and the format of the configuration file: man req man ca man x509 man config man x509v3_config HTH, Patrick Eisenacher __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org