Re: strong TLS connections
On Fri, Oct 7, 2011 at 7:40 PM, Kristen J. Webb kw...@teradactyl.com wrote: My understanding is that a TLS connection with a server cert only identifies the server to the client. This leads to a MiTM attack, where the mitm can impersonate the client because the server has not verified the client. Your understanding is flawed - while in the scenario you mention there is no binding of a client identity to a public key, SSLv3/TLS are not vulnerable to MITM - no third party can manipulate the stream without being detected. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
starting point for learning to use OpenSSL
Hello All, I want to use OpenSSL for the application that i am writing. Could someone direct me what is the best starting point. I tried Google but failed to find any examples. PS: I hope i am posting on the right forum. -Thanks mithun
RE: TLS false start support on Openssl
Hi Richard, Thanks for the reply, I did some research and found that there is an openssl patch which can get me this option, I tried it in my lab and it works also. Here is the location of patch http://technotes.googlecode.com/git-history/3bea6d3d226c878577c0d520784e14f2c8efbe1c/openssl-1.0.0d-falsestart.patch There is an option also in s_client to do so, here is an example openssl s_client -connect 10.24.132.51:443 -cutthrough Ritesh -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Richard Könning Sent: Friday, October 07, 2011 7:44 AM To: openssl-users@openssl.org Subject: Re: TLS false start support on Openssl Am 06.10.2011 23:28, schrieb Ritesh Rekhi: Does openssl support TLS false start http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00 ? I cite the last section of this draft: At the time of writing, the authors are not aware of any deployed TLS implementation that is not False Start compatible (with one single host still pending investigation). However, if an implementation uses a strategy of receiving as many bytes as available from the underlying transport during the handshake (expecting to find only handshake messages), achieving False Start compatibility would likely require special care. One of the authors being member of the OpenSSL team i think that he has investigated the OpenSSL case. If Openssl supports TLS false start how can I use it with s_client ? When there is not already an appropriate option (i didn't check), you have to add corresponding code to s_client. Ciao, Richard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Differences between RSA and ECDSA - Conceptual and Practical
Hi all, This week i was in doubt to implemment some methods to sign using OpenSSL. I know that RSA needs the hash algorithm to do the padding scheme and ECDSA doesn't need. Another thing that i know is that RSA can only sign things that are smaller than the size of the key used. I can imagine that the encrypt process follows the same idea. I know that to sign, i have to take a hash of some document or message but, theoretically, i could encrypt any document? The padding scheme would shrink the message and them could reveal the same message after deciphering? My doubt is: and ECDSA? Does it has the same features? I know it doesn't needs the hash algorithm, but the message needs to be smaller than the size of the key? ECDSA signs a message with any size? Example: an ecdsa key with 192 bits signing a hash sha 512. It could be signed or it is wrong? Thanks, -- Rick Lopes de Souza
Re: Differences between RSA and ECDSA - Conceptual and Practical
On Sat, Oct 8, 2011 at 6:39 AM, Rick Lopes de Souza dragonde...@gmail.com wrote: Another thing that i know is that RSA can only sign things that are smaller than the size of the key used. No - you can sign a message of arbitrary length - a suitable message digest is what is encrypted (well, decrypted) in the RSA digital signature scheme. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cert VU#864643
On Fri, Oct 7, 2011 at 1:55 PM, Diffenderfer, Randy randy.diffender...@hp.com wrote: How worried should I be about the contents of this? http://www.kb.cert.org/vuls/id/864643 (published 2011-9-27) Is this the topic that flitted across the board a week or so ago? SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. Build OpenSSL *without* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: starting point for learning to use OpenSSL
From: Mithun Kumar Sent: Friday, October 07, 2011 5:54 PM Hello All, I want to use OpenSSL for the application that i am writing. Could someone direct me what is the best starting point. I tried Google but failed to find any examples. PS: I hope i am posting on the right forum. -Thanks mithun http://shop.oreilly.com/product/9780596002701.do