Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-19 Thread alok sharma
Hi Jacob, Thanks for such a detailed reply. But I am having one concern: how can an application know whether it is secure or not? Fips uses GetSystemTimeAsFileTime() for the PRNG test, which has a granularity of 1 ns, but my application is running at an even faster rate, so the same value is being

OpenSSL FIPS

2011-09-19 Thread Alex Chen
I am reading the OpenSSL FIPS user guide and the first thing I notice is that it says it only supports openssl 0.9.8j and up but not openssl 1.0.0. We are currently using openssl 1.0.0. Does that mean we cannot use the FIPS module? Do we have to move back to 0.9.8 branch? Alex

stunnel 4.44 released

2011-09-19 Thread Michal Trojnara
Dear Users, I have released version 4.44 of stunnel. The ChangeLog entry: Version 4.44, 2011.09.17, urgency: MEDIUM: * New features - Major automake/autoconf cleanup. - Heap buffer overflow protection with canaries. - Stack buffer overflow protection with -fstack-protector. * Bugfixes

Fwd: Exit failed in sslv3 read client certificate B and Exit failed in sslv3 read client certificate A

2011-09-19 Thread jawed khelil
Hi all, I hope someone can give me an explanation or a solution for this problem: I have an SSL reverse proxy on a production environment, based on apache 2.2.17 and modssl 2.2.16 and openssl 0.9.8r and sslcache (shù). Clients are authenticated by a client certificate; on the other hand my server is

Error converting from .cer to .pem

2011-09-19 Thread ubuntuv
hi, I have created root CA(evalRootCertificate.cer) and server certificate(OdysseyServer.pfx) using 'evalCerts.exe' of Funk software. For using evalRootCertificate.cer on linux, I wanted to convert to .pem format, I issued the command # openssl x509 -inform der -in evalRootCertificate.cer -out

RE: Cipher setting error: fixedDH and experiment EXP

2011-09-19 Thread Rajib Karmakar
Hi Dave, Thanks for your reply. I got the steps I mentioned after some googling. But those steps are not working. I understand you must be very busy, but I have been stuck there since then. Can you please find some time to look into it? Or if you know someone who can help me in this regard. It

Unable to enable GOST ciphers support

2011-09-19 Thread Peter Volkov
Hi! I'm trying to enable GOST ciphers in openssl-1.0.0e and so far I have failed. What I've done so far: 1. built openssl with ./config shared zlib enable-rfc3779 --prefix=/tmp/gost-ssl-new 2. updated the config file as described in README.gost. I've straced the openssl run and I'm sure it reads my

Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-19 Thread Jakob Bohm
On 9/19/2011 8:49 AM, alok sharma wrote: Hi Jacob, Thanks for such a detailed reply. But I am having one concern: how can an application know whether it is secure or not? Fips uses GetSystemTimeAsFileTime() for the PRNG test, which has a granularity of 1 ns, but my application is

Re: Error converting from .cer to .pem

2011-09-19 Thread Jakob Bohm
On 9/18/2011 3:48 PM, ubuntuv wrote: hi, I have created root CA(evalRootCertificate.cer) and server certificate(OdysseyServer.pfx) using 'evalCerts.exe' of Funk software. For using evalRootCertificate.cer on linux, I wanted to convert to .pem format, I issued the command # openssl x509

Re: OpenSSL FIPS

2011-09-19 Thread Steve Marquess
On 09/16/2011 08:11 PM, Alex Chen wrote: I am reading the OpenSSL FIPS user guide and the first thing I notice is that it says it only supports openssl 0.9.8j and up but not openssl 1.0.0. We are currently using openssl 1.0.0. Does that mean we cannot use the FIPS module? Do we have to move

Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-19 Thread Dr. Stephen Henson
On Mon, Sep 19, 2011, alok sharma wrote: Hi Jacob, Thanks for such a detailed reply. But I am having one concern: how can an application know whether it is secure or not? Fips uses GetSystemTimeAsFileTime() for the PRNG test, which has a granularity of 1 ns, but my application is

c/c++ and GOST, the Russian ciphers.

2011-09-19 Thread Dmitrij K
Hi guys! I need help, please. I don't know how to do it. Maybe someone has experience with signing/verifying docs/strings with GOST and will help me with... I have a little code which can't load `md_gost94'... And I don't know how to use the API for GOST... :( My code is: [CODE=cpp]

readerr=0 on port 5989 but successful on 443

2011-09-19 Thread UserLP
Hi, From a Windows machine s_client is successful on port 443 but fails on port 5989 with 400 Bad Request and read:errno=0. The same works from another machine for the same target. The target machine is an ESXi. Request help to better understand the error.

Re: Error converting from .cer to .pem

2011-09-19 Thread ubuntuv
Thanks Jacob. Output of #less evalRootCertificate.cer -----BEGIN CERTIFICATE----- MIICBDCC.MVWn1dH/IzvUWbQ== -----END CERTIFICATE----- I even tried removing the following file lines -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- # openssl x509 -inform der -in

Re: Error converting from .cer to .pem

2011-09-19 Thread Peter Sylvester
On 09/19/2011 04:29 PM, ubuntuv wrote: Thanks Jacob. Output of #less evalRootCertificate.cer -----BEGIN CERTIFICATE----- MIICBDCC.MVWn1dH/IzvUWbQ== -----END CERTIFICATE----- I even tried removing the following file lines -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- #

Bug in [ policy_match ] among OpenSSL versions?

2011-09-19 Thread Gabriel Marques
Hello folks, I'm developing a tool for signing digital TV apps, and for testing I'm creating a lot of different test scenarios. Well, using OpenSSL 1.0.0e to create a new certificate, signed by a snakeoil one, I got the following error: -- The stateOrProvinceName field needed to be the same

SSL_ERROR_SSL

2011-09-19 Thread Scott Gifford
Hello, I'm debugging a problem with ucspi-ssl (http://www.superscript.com/ucspi-ssl/index.html), an open-source SSL client and server wrapper. The client wrapper seems to run into an infinite loop sometimes when the server abruptly closes the socket without shutting down SSL properly. The problem

Remote server doesn't seem to respond to SSL_shutdown

2011-09-19 Thread Scott Gifford
Hello, I'm debugging a problem with ucspi-ssl (http://www.superscript.com/ucspi-ssl/index.html), an open-source SSL client and server wrapper. For the most part everything works great, but I am seeing strange shutdown behavior when using the client wrapper to connect to one particular server. The

Re: Bug in [ policy_match ] among OpenSSL versions?

2011-09-19 Thread Willy Weisz
Hi Gabriel, openssl performs as it is described. You probably wanted the behaviour activated by the option supplied, which requires the DN component to be present but doesn't tie it to the corresponding entry in the CA DN. Regards Willy On 19.09.2011 17:02, Gabriel Marques wrote: Hello

Interoperability testing and debugging

2011-09-19 Thread Scott Gifford
Hello, I've been troubleshooting a few problems with ucspi-ssl (http://www.superscript.com/ucspi-ssl/index.html) interoperating with particular SSL implementations. I am not encountering bugs in openssl itself, but rather bugs in the implementation of the client or server. I was wondering if there

Re: Bug in [ policy_match ] among OpenSSL versions?

2011-09-19 Thread Dr. Stephen Henson
On Mon, Sep 19, 2011, Gabriel Marques wrote: Hello folks, I'm developing a tool for signing digital TV apps, and for testing I'm creating a lot of different test scenarios. Well, using OpenSSL 1.0.0e to create a new certificate, signed by a snakeoil one I got the following error: -- The

Re: Bug in [ policy_match ] among OpenSSL versions?

2011-09-19 Thread Gabriel Marques
Thanks Dr. Stephen and Mr. Willy Weisz, the comments clarify the different matching options. Still, bugged by the details that made OpenSSL complain about two apparently equal strings, I've sniffed out the certificates: 0.9.8 SET (1 elem) SEQUENCE (2

Re: Remote server doesn't seem to respond to SSL_shutdown

2011-09-19 Thread Dmitrij K
Hi Scott! When it is time to cleanly close the connection, it calls SSL_shutdown(), then returns to its select loop to wait for a response indicating that the server has completed its end of the shutdown. When the server has completed the shutdown, it expects select to return with a readable