On 8/21/13 8:55 AM, Nico Williams wrote:
OpenSSL should use pthread_atfork() and mix in more /dev/urandom into
its pool in the child-side of the fork(). Only a child-side handler
is needed, FYI, unless there's locks to acquire and release, in which
case you also need a pre-fork and parent-side
On Wed, Aug 21, 2013, redpath wrote:
> *openssl Configuration question:*
>
> I am using these commands to create a CA signed cert.
>
> openssl req -new -nodes -out my.csr -days 730 -keyout
> mykey.pem
> -batch *-extensions* v3_OCSP -config configname.cnf
>
>
*openssl Configuration question:*
I am using these commands to create a CA signed cert.
openssl req -new -nodes -out my.csr -days 730 -keyout
mykey.pem
-batch *-extensions* v3_OCSP -config configname.cnf
openssl ca -out *mycert.pem* -in my.csr -passin pass:
On Wed, Aug 21, 2013 at 5:41 AM, Ben Laurie wrote:
> Something needs to be done, but won't this re-introduce the problem of
> /dev/random starvation, leading to more use of /dev/urandom (on platforms
> where this is a problem)?
>
> Mixing in the time seems like a safer solution that should also fi
You misunderstand how it's supposed to work.
OpenSSL does not prevent you from signing anything. It can't; for example, you
could use other software and generate the signature.
Instead, when the recipient gets a certificate, and verifies the chain, it
should reject the chain because the signin
Hi,
this shouldn't be, because you marked this extension as critical;
what is your OpenSSL release?
and in case of Linux, which distro (version/release) are you using?
Walter
On 20.08.2013 20:18, Peter1234 wrote:
Hi all,
although I issued a certificate for an intermediate CA (CA2) with a
pathle
On Wed, Aug 21, 2013 at 2:19 AM, Patrick Pelletier
wrote:
> An easy way to work around this, if you don't mind linking against pthreads,
> is to do this at the start of your application, after initializing OpenSSL:
>
> typedef void (*voidfunc) (void);
>
> if (ENGINE_get_default_RAND () == NULL)
>
All,
We are using openssl-0.9.8e_WIN32 with Axis to connect the Webservice using
the https end point. We recently upgraded the servers to Windows 2008 R2
servers from 2003. The application takes 30-50sec more on Windows 2008 R2
servers. I found SSL_connect() API is taking more time on 2008 servers.
I am new to OpenSSL and have a private RSA key and am trying to read an
encrypted message that looks to be in base64 format but I'm not too sure.
When I do the below code I get this error. If you can offer any help it
would be great.
Thanks
OpenSSL> rsautl -decrypt -inkey privatekey.pem -in mess
On 21 August 2013 03:19, Patrick Pelletier wrote:
> On 8/15/13 11:51 PM, Patrick Pelletier wrote:
>
>> On Aug 15, 2013, at 10:38 PM, Nico Williams wrote:
>>
>> Hmm, I've only read the article linked from there:
>>> http://android-developers.blogspot.com/2013/08/some-
>>> securerandom-thought
Hi Dave,
Thanks for the reply.
I do have access to the server code but cannot change its implementation to
suit my requirement as the server is serving other clients in other
platforms as well.
Below is the java code to encrypt an AES symmetric key with the public key
it receives from the clie
I am not 100% sure this is a real bug, hence mailing openssl-users
instead of rt@.
641 if (is_sslv3)
642 {
647 unsigned overhang = header_length-md_block_size;
648 md_transform(md_state.c, header);
649
Hi all,
although I issued a certificate for an intermediate CA (CA2) with a
pathlength of zero (pathlen:0), I could use this certificate to create
certificates for further CAs (CA3).
Due to pathlen:0 I expected openssl would either cancel creation of sub-CAs
with an error message or would cr
Hi,
Thanks for the reply.
"That's because it's not a raw public key; it's a base64 encoded
structure containing the key parts. It's a lot more than just stripping
the header and footer."
I was not aware of this.
But I think my requirement is to send the public key in Base64 encoded
structur
On Wed, Aug 21, 2013, Zyan Wu wrote:
> Hi Dr. Stephen Henson,
>
> Thanks for your answer.
>
> I know this cipher suite is rarely used however we do need this feature
> and we do want to test it using openssl.
>
Well as I said it is only supported by OpenSSL 1.0.2 and later, not in any
currre
On 8/21/13 12:19 AM, Patrick Pelletier wrote:
Nikolay Elenkov wrote a proof-of-concept that shows the pid-wrapping bug
on Android, and then I took it one step further and wrote a
proof-of-concept using OpenSSL in C, demonstrating that this is an
underlying OpenSSL bug:
https://gist.github.com/p
On 8/15/13 11:51 PM, Patrick Pelletier wrote:
On Aug 15, 2013, at 10:38 PM, Nico Williams wrote:
Hmm, I've only read the article linked from there:
http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html
Yeah, that's the only place I've seen it, and then the Google+ th