On Mon, Jul 02, 2012, Dirk Menstermann wrote:
Hello Sergio,
I use openssl-1.0.1c (and a daily snaphost) and openssl-fips-2.0.1. Which
combination are you using and which target (debug?) do you build? Will the
function FIPS_corrupt_aes be exported and is the include file fips.h
available?
On Mon, Jul 02, 2012, Erwann Abalea wrote:
Bonjour,
Le 02/07/2012 16:05, Mathias Tausig a écrit :
Which padding method does openssl use, when I sign a certificate with
the 'ca' command (using an RSA key)?
RSA PKCS#1v1.5
Is there a way to change it?
I don't think so.
In openssl
On Thu, Jul 05, 2012, John wrote:
Thomas J. Hruska shineli...@shininglightpro.com wrote in message
news:4ff658d9.2010...@shininglightpro.com...
On 7/5/2012 8:07 PM, John wrote:
Hello. I have OpenSSL-Win64 version 1.0.1c installed on 64-bit Win7. I
am trying to use it to create a
On Sat, Jul 07, 2012, pro...@secure-mail.biz wrote:
Hello,
is it possible to sign a foreign SSL public key without having CSR/private
key?
Background:
Because the public root CA's failed at least twice (DigiNotar, Comodo), I'd
like to pin a SSL certificate from a website I have no
On Mon, Jul 09, 2012, MauMau wrote:
Hello,
Please let me ask you for information and ideas about how to use
OpenSSL effectively to implement encryption for data storage.
I'm designing an encryption feature for a certain kind of data
management system. I want to implement the
On Tue, Jul 10, 2012, Wim Lewis wrote:
(I think this is more appropriate for openssl-users than -dev, so I'm
responding to that list.)
On 10 Jul 2012, at 8:59 AM, Sirshendu Rakshit wrote:
My questions are:
1) Is this a good way to know the EC_KEY using the curve-name Or there is
On Wed, Jul 18, 2012, Aunt Jomamma wrote:
Sorry if this is duplicate, but I had an issue with the mailer, and not sure
if this went...
I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android using
ndk-r8.
I am doing cross-compile on Mac OSX.
However, I cannot pass
On Wed, Jul 18, 2012, AJ wrote:
Its my application producing the error.
I've been reading more... perhaps I need to get Android build to link via
fipsld to get the valid fingerprint?
Does this sound right? Any tips?
How are you linking your application?
If it is to the OpenSSL shared
On Wed, Jul 18, 2012, AJ wrote:
This explains it -- thank you -- I was using a static library -- so I would
need to use fipsld, if I continue to use static.
However, knowing this, I wanted to try with shared OpenSSL library instead,
but my build fails on multiple definition errors.
The
On Fri, Jul 20, 2012, Abyss Lingvo wrote:
Hi all!
How to
create certificate request programmatically via OpenSSL API?
This is the solution for command line utility:
openssl genrsa -out server_key.pem -passout pass:$passwd -des3 1024
openssl req -new -key server_key.pem
On Fri, Jul 20, 2012, AJ wrote:
1) I am cross-compiling a static FIPS enabled OpenSSL library for Android
(using Linux host).
I have generated the libssl.a and lib crypto.a.
I am trying to use the fipsld tool, as documented in Sec 5.3.1 in the User
Guide.
However, I am running into
On Fri, Jul 20, 2012, AJ wrote:
OK, that worked -- built my library using fipsld. However, on running, I am
STILL getting fingerprint validation failure when calling FIPS_mode_set(1).
1552985864:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint does not
On Sun, Jul 22, 2012, AJ wrote:
Hi Steve,
Thanks for all the help -- I think I've things sorted out now.
Here are some of the issues I've had cross-compiling for Android. Just some
feedback -- maybe they'll help someone running into the same.
1) Building as shared libraries is
On Wed, Jul 25, 2012, Puneet Khunteta wrote:
Hello,
I am an user of openssl library.
I am seeking for a method to get the Extended Key Usage field from the
X509 certificate .
I will be grateful if you can provide me a sample code in c.
You can retrieve a structure representing any
On Wed, Jul 25, 2012, Cassie Helms wrote:
Hi folks,
I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and
libssl.so) into my product's build, but still get a fingerprint does not
match
error when I call FIPS_mode_set(1). This is using a validated copy of FIPS
2.0
On Thu, Jul 26, 2012, Cristiano Toninato wrote:
This simple test program should print always the same result, but
with openSSL 0.9.8o and gcc 4.5.2 output is
From http://www.schneier.com/code/vectors.txt, cipher bytes should
be 51866FD5B85ECB8A
Test BF_ecb_encrypt(): 51866FD5B85ECB8A
Test
On Wed, Jul 25, 2012, Fili, Tom wrote:
I'm trying to setup my application to allow for the use of client
certificates. I am using the capi engine to pull from the Windows store.
I setup my ssl connection and it works fine if I set the correct
certificate using SSL_CTX_use_certificate_ASN1
On Fri, Jul 27, 2012, Albers, Thorsten wrote:
Hi,
I have a problem with the openssl s_server (v1.0.1c) when requesting a client
certificate. I'm developing my own TLS 1.2 implementation (for embedded
platforms), and I'm stuck with a problem with using the client certificate. I
already
On Fri, Jul 27, 2012, Cassie Helms wrote:
Cassie Helms cassie.helms@... writes:
Built fips_algvs on build system and scp'd to target system as suggested.
Hmm. I incorporated building fips_algvs into my build system and ran it from
the
rpm install on the target machine. I get
On Fri, Jul 27, 2012, Puneet Khunteta wrote:
any Update ?
regards,
Puneet
On Thu, Jul 26, 2012 at 4:27 PM, Puneet Khunteta
khunteta.pun...@gmail.comwrote:
Hello Stephen,
On using the suggestion provided by you , got the following output snippet
It shows extusage-data Empty.
On Fri, Jul 27, 2012, Cassie Helms wrote:
Dr. Stephen Henson steve@... writes:
Integrity test started
ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
Integrity test Failed Incorrectly!!
Well that error indicates the fingerprint error
On Sat, Jul 28, 2012, Tayade, Nilesh wrote:
Hi,
Could someone please point me to the link where I can download
OpenSSL-1.0.0g-fips?
On http://www.openssl.org/source/, I see only OpenSSL-1.0.0g. To get '-fips'
do I need to apply any patch?
There has never been an official 1.0.0*-fips
On Sat, Jul 28, 2012, Jeffrey Walton wrote:
Hi All,
According to the FIPS 2.0 User Guide (Default DRBG, page 64): A
special DRBG instance called the default DRBG is used to map the
DRBG to the RAND
interface. Unfortunately, the documentation (both the Security Policy
and User Guide) does
On Mon, Jul 30, 2012, Albers, Thorsten wrote:
Thanks Steve! Unfortunately your hint couldn't help me. I know that in TLS
1.2 the hash and signature algorithms can be chosen during the handshake. I
chose to use Sha256 with RSA for the signature, and therefore adding the
corresponding algorithm
On Sun, Jul 29, 2012, Dave Thompson wrote:
Note that X.509 certs (and ASN.1 generally) don't actually support
UTF8. They support several 1-byte codes (some now obsolete), BMPString
which is 2-byte UCS-2, and UniversalString which is 4-byte UCS-4.
I believe OpenSSL selects the smallest of
On Tue, Jul 31, 2012, Sebastian Raymond wrote:
Hello,
I have written a SSL client program to talk with SSL server.
I have a linux machine and Openssl 1.0.0e is installed with zlib enabled.
That means, deflate compression method is supported.
I want to transfer the data without
On Tue, Jul 31, 2012, Sebastian Raymond wrote:
Yes, I am calling it before SSL_new();
SSL_CTX_set_options(ctx,SSL_OP_NO_COMPRESSION);
SSL *ssl = SSL_new(ctx);
Is your application linked to an older version of OpenSSL?
If that isn't it you could try running it under a debugger
On Thu, Aug 02, 2012, Ashok C wrote:
Hi,
Is there a way in which I can determine the correct issuer certificate of
an issued certificate(either intermediate CA or end entity) based on
comparing immediate pair alone.
Eg:
My hierarchy is like this:
Root
Intermediate CA 1
Intermediate
On Thu, Aug 02, 2012, MITSUNARI Shigeo wrote:
Hi,
I tried to use openssl command to generate an HMAC with a key
contains '\0', but failed.
openssl dgst -sha1 -hmac `cat key-file` input-file
I'm happy if dgst command supports binary format like enc command.
So I appended -hmachex key in
On Fri, Aug 03, 2012, Saurabh Pandya wrote:
Hi all,
I am using server certificate X problematically with following API for each
SSL * session. X is dynamically generated for each client, when its CA(s)
as always same.
SSL_use_certificate(this_ssl, X);
It works fine when there
On Fri, Aug 03, 2012, Jakob Bohm wrote:
On 8/3/2012 10:32 AM, Maciej Pawlus wrote:
Hi,
I need to sign mobileconfig file before sending it to the iOS device.
For this I want to call openssl as a separate process. However I do not
want to operate on physical files, as it requires a lot of
On Fri, Aug 03, 2012, Erik Tkal wrote:
I debugged this to see what is happening, and it seems that the server is
looking at the configured certificate and key and deciding that the client
needs to be sending 0xFF01 (it is finding NID_X9_62_prime_field as the field
type). However, the
On Fri, Aug 03, 2012, Erik Tkal wrote:
Hi Steve, here's the cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 34474 (0x86aa)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=eRoot1, OU=Engineering, O=Juniper Networks, Inc.,
L=Westford, ST=MA,
On Mon, Aug 06, 2012, Jakob Bohm wrote:
Much (maybe all, I don't know) of suite B is probable in OpenSSL
1.0.1 too, but I don't have an algorithm by algorithm breakdown
of inclusion status, others on this list probably have such a
list.
All the required suite B algorithms are supported
On Tue, Aug 07, 2012, Jeffrey Walton wrote:
Hi Doctor Henson,
On Mon, Aug 6, 2012 at 11:33 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Mon, Aug 06, 2012, Jakob Bohm wrote:
Much (maybe all, I don't know) of suite B is probable in OpenSSL
1.0.1 too, but I don't have
On Fri, Aug 03, 2012, Daniel Tekel wrote:
Hello OpenSSL community,
I'm trying to work with FIPS-mode enabled OpenSSL library (version
2.0.1) on iOS platform, but unfortunately every time I try to enable
FIPS mode (via FIPS_module_mode_set), few self-tests fail.
Specifically these:
On Tue, Aug 14, 2012, no_spam...@yahoo.com wrote:
Is there a correlation between the strength (size) of the asymmetric keys
used to do the authentication and the strength (size) of the ephemeral DH
keys generated/used to protect the session key (during the key exchange)?
On first glance, in
On Tue, Aug 14, 2012, adrien pisarz wrote:
For information, the index file is written by parsing a CRL file but I
don't want to write into this file all the valid certificates as an
enrolment be done and my index file may not be synchronized. I have an
other question, why the engine
On Thu, Aug 16, 2012, Kenneth Goldman wrote:
I call these:
d2i_X509()
X509_print_fp()
which calls
pkey_set_type()
EVP_PKEY_asn1_find()
and that call fails.
I've traced the following error down to the rsaOAEP algorithm, which has a
nid of 919. I've
On Thu, Aug 16, 2012, Martin Kaiser wrote:
Dear all,
I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
MGF1 should use sha256 instead of the default sha1.
Does openssl support this at all? I tried something along the lines of
size_t outlen;
int ret;
On Thu, Aug 16, 2012, Felipe Blauth wrote:
Dear all,
Im writing an OpenSSL engine and I have some internal data to manage via
ex_data functions.
What I've been doing so far is using RSA_get_ex_new_index(0, NULL, NULL,
NULL, my free function), at the initialization of the engine to
On Fri, Aug 17, 2012, Cassie Helms wrote:
I want to make sure I don't potentially report openssl bugs that someone else
has already reported. Is there a database of open openssl bugs that I
haven't seen the link to, somewhere?
See:
http://www.openssl.org/support/faq.html#BUILD16
and
On Fri, Aug 17, 2012, Felipe Blauth wrote:
I see. I've digged a little bit more in the built-in engines and found out
that this is the way some of them are implemented. I guess there's no way
to to the same for ECDSA_METHOD tough, since there's no finish function
pointer on that...
There
On Fri, Aug 17, 2012, Cassie Helms wrote:
I'm seeing odd failures in the MD4/MD4_Init functions and I can't
debug them with gdb because I can't see what the source is doing.
Maybe I should add that I've verified that FIPS_mode is turned on right before
my failing MD4 calls (think
On Fri, Aug 17, 2012, Cassie Helms wrote:
Maybe I should add that I've verified that FIPS_mode is turned on right
before
my failing MD4 calls (think OpenSSLDie()), and I didn't do anything special
to compile or turn on the MD4 algorithm.could that be where I'm missing
a
step?
On Fri, Aug 17, 2012, Eric Fowler wrote:
Must a client free the pointer returned from OBJ_nid2obj() ? I assume
the pointer references data in some internal table and is not
free()'d.
But I want to be sure ... man page is no help on this.
An application doesn't have to no. However it is
On Sat, Aug 18, 2012, Charles Mills wrote:
This is probably the world's most basic question but I can't find the
answer.
I have the following in my OpenSSL config file:
snip
[ usr_cert ]
snip
subjectAltName = @alt_names
snip
[ alt_names ]
On Mon, Aug 20, 2012, Charles Mills wrote:
http://www.openssl.org/docs/apps/config.html
Okay, thanks, I had seen that. I thought there must be more.
Did you run openssl.exe from the same command prompt where you
typed the SET commands?
Absolutely. It is in fact a .BAT file. The
On Mon, Aug 20, 2012, Ken Goldman wrote:
I'm trying to compile openssl for:
Linux, 32-bit on a 64-bit machine, shared libraries, and debug.
The closest I found was:
./Configure linux-elf -m32 -shared -g
but this still does -O3, and the optimizer doesn't work well with
the source
On Tue, Aug 21, 2012, Nathan McCrina wrote:
On 08/21/12 23:04, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Nathan McCrina
Sent: Tuesday, 21 August, 2012 21:31
Not in commandline; in library it's fine.
See http://marc.info/?l=openssl-usersm=134463726501144w=2
On Wed, Aug 22, 2012, Seiichi Tatsukawa wrote:
We are seeing the deadlock in FIPS 2.0. (1.0.1c + fips-2.0 and using
AES256-SHA256 if that matters.) DRBG's auto reseeding (after 2^24 operations)
causes it. Here is the simplified backtrace.
fips_drbg_bytes()
On Thu, Aug 23, 2012, Saurabh Pandya wrote:
I found following definition of SSL_CIPHER in openssl code
typedef struct ssl_cipher_st
{
int valid;
const char *name; /* text name */
unsigned long id; /* id, 4 bytes, first is version
On Wed, Aug 22, 2012, Varma Dantuluri wrote:
Hi
We are in the process of adding support for ECDSA-ECDHE cipher suites and
hence ECDSA certificates to our server.
Right now, the server does the following:
1) Assign the ECDSA certificate to the SSL_CTX.
2) Set the callback for ECDH
On Mon, Aug 27, 2012, GWu wrote:
Hello,
I'm trying to verify an email signature using openssl.
I've saved the complete mail to a file named mail.eml, then I'm using
openssl to verify:
openssl smime -inform SMIME -CAfile all.pem -verify -in mail.eml
which gives an error:
On Mon, Aug 27, 2012, GWu wrote:
On Mon, Aug 27, 2012 at 9:27 PM, Dr. Stephen Henson wrote:
On Mon, Aug 27, 2012, GWu wrote:
[...]
openssl smime -inform SMIME -CAfile all.pem -verify -in mail.eml
which gives an error:
[...]
It sounds like the signature is malformed. That wouldn't
On Tue, Aug 28, 2012, GWu wrote:
On Mon, Aug 27, 2012 at 10:50 PM, Dr. Stephen Henson wrote:
On Mon, Aug 27, 2012, GWu wrote:
The email is available at
http://www.buergerkarte.at/mvnforum/mvnforum/viewthread_thread,272#1180
(German language forum, but the email - or it's significant
On Tue, Aug 28, 2012, GWu wrote:
Great, thanks a lot. I've been able to reproduce this on the erroneous
messages as well, and a correctly signed message gives for example
openssl rsautl -verify -certin -inkey s.pem -in sig.der -asn1parse
0:d=0 hl=2 l= 33 cons: SEQUENCE
2:d=1
On Tue, Aug 28, 2012, la...@angry-red-pla.net wrote:
Hi all
I created a shared key based on a DH exchange and want to use that key
with a symmetric encryption algorithm. This key has a length of 16 Bytes
(128 bit). Here is what I do to initialize AES:
char *key,*iv;
// DH exchange
On Fri, Aug 31, 2012, Dave Thompson wrote:
like a scifi movie monster feeding on nuclear bomb radiation.
There is definitely an engine for MS CAPI, and I thought I had
heard mention that the engine interface was adding at least some
truststore function. But looking in 1.0.1c I don't see any
On Tue, Sep 04, 2012, Ken Goldman wrote:
Use case: I have to parse a non-standard X.509 certificate that
openssl cannot handle at a higher level. I think I have to parse at
a low level and pull out the data I need.
Is this the OAEP certificate issue? It should be possible to retrieve
On Tue, Sep 11, 2012, Charles Mills wrote:
{
case GEN_DNS:
case GEN_URI:
case GEN_IPADD:
On Wed, Sep 12, 2012, Kenneth Goldman wrote:
If I shouldn't use GEN_IPADD, what should I use?
The goal is to extract the text value associated with several OIDs.
dumpasn1 says the values are PrintableString.
You check each value of the returned GENERAL_NAMES structure until you find
the
On Fri, Sep 14, 2012, TJ wrote:
On 7 September 2012 23:54, Steve Marquess
marqu...@opensslfoundation.com wrote:
On 09/07/2012 12:24 AM, TJ wrote:
I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
./Configure no-asm no-hw linux-generic32
make -j1 -C openssl-fips
On Wed, Sep 19, 2012, Jochen Hayek wrote:
Until recently this worked for me
(and it still does on a different platform with *older* versions of
everything),
but now it breaks:
$ curl --verbose --insecure 'https://banking.postbank.de/rai/login'
* About to connect()
On Fri, Sep 21, 2012, YUN GAO wrote:
Hi there:
I got a problem for upgrading openssl from 0.9.8l to 1.0.1b. Now I can
repro the problem using s_server and s_client:
openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
openssl s_client -connect localhost:4433 -no_ssl3
On Mon, Sep 24, 2012, YUN GAO wrote:
Thanks for the explanation,
As i mentioned in my email, the following situation does works:
openssl s_server -ssl2 -cert ssl_server.pem -WWW -CAfile cafile.pem
openssl s_client -connect localhost:4433 -ssl2 -debug
Does it mean that -ssl2 is not using
On Tue, Sep 25, 2012, blaan...@rockwellcollins.com wrote:
I've been using openssl-fips for a couple of years. I'm looking to
upgrade to 2.0 because of the slow (~10 seconds) integrity check on my
platforms when using version 1.2 when I call FIPS_mode_set().
I've got the FIPS canister
On Tue, Sep 25, 2012, sanjaya joshi wrote:
We can conclude an X509 V1 certificate to be a root ca using
(EXFLAG_V1|EXFLAG_SS).
Similarly, is there a way to know whether an X509 V1 certificate is an
intermediate CA or end-entity certificate ?
You can't: there is nothing in a V1
On Tue, Sep 25, 2012, david preetham wrote:
am trying to build wpa_supplicant which is referencing openssl header file
x509v3.h on Visual studio 2005. while i am building compiler hitting
x509v3.h header file and finding hell lot of errors. Can anybody please
help me.
On Tue, Sep 25, 2012, blaan...@rockwellcollins.com wrote:
After further investigation, the FIPS private headers (for instance,
fipssyms.h) are definitely being installed when I do make install in the
openssl-fips-2.0.1 directory. Then those headers are being used by my
openssl build,
On Tue, Sep 25, 2012, Thakur, Praveen Kumar wrote:
I don't see any issue if .so files extension is 1.0.0. However, I wanted to
confirm that is this a defect with 1.0.1 release? Or am I missing something.
The 1.0.1 release should be binary compatible with 1.0.0, any discrepancies
should be
On Wed, Sep 26, 2012, Michel wrote:
Hello,
I am using the the OpenSSL enc command to encrypt and decrypt a test file.
When using AES-GCM mode, I can encrypt but cannot decrypt the result.
Even though I succeed with all other modes.
Example is as follow :
openssl enc -e -a -aes-128-gcm
On Fri, Sep 28, 2012, YUN GAO wrote:
Hi there:
I found a different behavior between 0.9.8l and 1.0.1b, it happens
when s_server using an invalid certificate, and s_client requires a
verification
of server certificate. The invalid certificate has an incorrect
signature length, and its name
On Fri, Sep 28, 2012, James Swift wrote:
Hi,
I have also posted this issue in the OpenSSL mailing list but it
occurs down in the OpenSSL libraries and this is probably the place to
ask.
This issue doesn't occur in a 32 bit compile of OpenSSL 1.0.1c (with
libcurl 7.27.0) but
does when
On Mon, Oct 01, 2012, Thulasi wrote:
Hello all,
I've a problem with TLS 1.2 client authentication where client has 512-bit
RSA key and certificate and signature hash is of sha512.
This is reproducible with openssl-1.0.1c and many prior versions which
support TLS 1.2 client authentication.
On Mon, Oct 01, 2012, James Swift wrote:
Try running the OpenSSL tests using: nmake -f ms\ntdll.mak test
rsa_test
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1 v1.5 encryption/decryption ok
OAEP decryption (test vector data) failed!
PKCS #1
On Fri, Sep 28, 2012, Justin Meltzer wrote:
Hello everyone,
My company is running into a problem which has been causing us a lot of
strife. We're using socket.io to connect a cross-domain client to our
node.js server over flash sockets using SSL encryption. Unfortunately, one
of the
On Mon, Oct 01, 2012, Abhiram Shandilya wrote:
Is there a way to add a specific signature_algorithm extension when using
s_client to connect to an SSL server? Why does s_client negotiate
ECDH-RSA-AES128-SHA256 when I use the cipher ECDH-ECDSA-AES128-SHA256? Is
this because they are equivalent
On Tue, Oct 02, 2012, Dirk Menstermann wrote:
Hello list,
is there a way to use ENGINEs in a non-blocking way - meaning for a network
operation (remote HSM) the thread can do something else instead of waiting for
the IO operation to complete?
No there is no way to do that at present.
On Wed, Oct 03, 2012, mclellan, dave wrote:
We know how to extract the subject and issuer from a cert sent by a peer.
Can anyone point out where we get started to look into how to extract the
Organization and organizationalUnit attributes?
It's not obvious from the API definitions and
On Tue, Oct 09, 2012, Juan Angel Martin Gomez [AC Camerfirma] wrote:
Hello,
Im trying to make a CSR with a CN that has more than 64 chars
I know that the upper bound is 64 chars, but I can see in the RFC 5280 this
note:
-- Note - upper bounds on string types, such as
On Wed, Oct 10, 2012, Dr. Stephen Henson wrote:
On Tue, Oct 09, 2012, Juan Angel Martin Gomez [AC Camerfirma] wrote:
Hello,
Im trying to make a CSR with a CN that has more than 64 chars
I know that the upper bound is 64 chars, but I can see in the RFC 5280
On Thu, Oct 11, 2012, redpath wrote:
I have a PKCS7 file with signature in the envelope.
What API function can I use to open the PKCS7 to extract the signature data
and length
and then verify the message digest? The verify is shown below assuming I got
the signature
data and length.
On Thu, Oct 11, 2012, Derek Cole wrote:
Hello,
Is there a way to sign certificates with your own CA, and NOT have to use a
database file to keep track of them? For development purposes, I end up
creating the same cert multiple times, and trying to sign it which will
cause me to get the
On Fri, Oct 12, 2012, Michel wrote:
I am guessing that 'special handling' is linked to the 'no
additional authentication data' issue discussed in :
http://incog-izick.blogspot.fr/2011_08_01_archive.html
It's to do with the fact that additional parameters are required with GCM and
how the
On Fri, Oct 12, 2012, Kumar Ghanta wrote:
Hi,
Earlier versions of openssl-fips (versions 1.1.2 etc) have the following
checks in the fips_rand.c. It looks this check is being removed in the
later versions. I just want to know whether we need this check in earlier
versions as per the NIST
On Fri, Oct 12, 2012, redpath wrote:
Tried to find documentation and examples ( which includes searching the
forum)
for using a PKCS7 standard in context to what I am trying to do for best
practices
when using a signature to verify a document received.
Basically I have a document file
On Sat, Oct 13, 2012, Ken Goldman wrote:
On 10/10/2012 8:08 PM, Kyle Hamilton wrote:
Suggestions from my experience:
If you include the library, #1 for novices has to be:
1 - Using strlen() to get the length of encrypted data.
I'd add...
Forgetting to call OpenSSL_add_all_algorithms
On Mon, Oct 15, 2012, Charles Mills wrote:
Oh-oh. I'm not calling OpenSSL_add_all_algorithms() or anything real
similar.
I call SSL_library_init() and SSL_load_error_strings() and set up the
Locking callback but that's it.
SSL_library_init() counts as similar to
On Tue, Oct 16, 2012, AJ wrote:
Any other comments on the actual issue here?
I don't believe the inconsistency is the expected way the API should work.
It's a bug. The fix was applied to non-validated versions of OpenSSL but was
too late to be included in the last validation.
Steve.
--
Dr
On Sun, Oct 14, 2012, Kumar Ghanta wrote:
Thank you very much for the quick response Stephen. Is it fine if we allow
parent and child processes to share the same seed? I just want to know if
there are any NIST restrictions. If possible, can you please elaborate on
how does openssl takes care
On Wed, Oct 24, 2012, TJ wrote:
Can somebody please confirm that the SP 800-90 DRNGs are only included
with the FIPS module? I removed the FIPS module from our product since
we are doing our own validation, but apparently we require SP 800-90
DRNGs for validation. Are the SP 800-90 DRNGs
On Thu, Oct 25, 2012, Ken Goldman wrote:
I've managed to parse the odd X509 certificate I received. Now I
have to create one.
It should look like the below.
X509v3 extensions:
X509v3 Subject Alternative Name: critical
On Mon, Oct 29, 2012, Gerardo Ganis wrote:
Dear OpenSSL Users,
Could someone confirm that when loading private keys in memory using
PEM_read_PrivateKey
EVP_PKEY *evpp = PEM_read_PrivateKey(fk, 0, 0, 0);
the full key is filled in, i.e. evpp points to a complete
On Tue, Oct 30, 2012, Leonardo Laface de Almeida wrote:
Hi,
The code for my project example is attached. The error code is as well.
The error remains. For generating Key, the callback is called. For getting
Private Key, the callback is not called.
What's wrong here?
I really
On Wed, Oct 31, 2012, Dave Thompson wrote:
I meant to make that any _nonstatic_ [EC]DH (i.e. ephemeral with
authentication, or anonymous without). OpenSSL doesn't implement
static DH at all, and I've never seen anyone use static ECDH.
Actually OpenSSL does now implement static DH but
On Thu, Nov 01, 2012, Abhiram Shandilya wrote:
I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When
I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg
ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails
with s_server
On Fri, Nov 02, 2012, Abhiram Shandilya wrote:
Hi Steve, Thanks for your response. I'm just trying to figure out what it
takes to get this working - are you of the opinion that an SSL server should
not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?
Well one reason is
On Fri, Nov 02, 2012, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Abhiram Shandilya
Sent: Thursday, 01 November, 2012 21:31
-dev added
I configured my openssl RSA CA to add the key usage extension
for key agreement to the ECC certificate but even then it
On Mon, Nov 05, 2012, Erik Tkal wrote:
I have a tool that is creating a cert using X509_sign. I noticed that there
are no EVP_MD structs that handle ECDSA properly and found this thread from
a while back.
What version of OpenSSL is this for?
For OpenSSL 1.0.0 and later you just pass the
1 - 100 of 3755 matches
Mail list logo