Re: Disabling SSLv2

2011-09-02 Thread Dr. Stephen Henson
On Fri, Sep 02, 2011, Michael B Allen wrote: > Hello, > > Is there a way to disable SSLv2 system-wide (assuming non-static > linking)? I am trying to get a CentOS 5.6 system to pass a PCI credit > card processing certification and the scanning company blindly flags > SSLv2 as non-compliant. Rathe

Re: Disabling SSLv2

2011-09-02 Thread Dr. Stephen Henson
On Fri, Sep 02, 2011, Coda Highland wrote: > > Well I was hoping there was some kind of global configuration file > > directive that would affect the behavior of the openssl library and at > > least everything dynamically linked with it. But based on your answer > > it's fairly clear that there is

Re: Unsupported prf error when reading an RSA private key

2011-09-07 Thread Dr. Stephen Henson
On Wed, Sep 07, 2011, Shawn Willden wrote: > (Note: CC'd to the Keyczar mailing list. Apologies to anyone who's > on both lists.) > > I'm getting errors that I don't really understand from > PEM_read_vio_PrivateKey on Mac OS X 10.6 (the error does not occur on > Linux, so it's version/platform-

Re: How to deal with new OIDs

2011-09-07 Thread Dr. Stephen Henson
On Wed, Sep 07, 2011, Dominik Oepen wrote: > Hi all, > > in a project I maintain I have to deal with OIDs not contained within > OpenSSL. In particular, I use OpenSSL to parse ASN1 encoded data > containing OIDs (using the Macros from asn1t.h) and do switch-case > statements on the resulting NIDs

Re: Unsupported prf error when reading an RSA private key

2011-09-07 Thread Dr. Stephen Henson
On Wed, Sep 07, 2011, Shawn Willden wrote: > On Wed, Sep 7, 2011 at 12:15 PM, Dr. Stephen Henson wrote: > > > > Have you included OpenSSL_add_all_algorithms()? > > > Yes. Here's a more complete snippet: > > // Ciphers table requires to be

Re: out range error compiling fips 1.2.3

2011-09-09 Thread Dr. Stephen Henson
On Thu, Sep 08, 2011, Kenneth Goldman wrote: > I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to > be the latest. It seems to be well known on openssl-dev, but I don't know > what to do about it. Any ideas? > > gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REE

Re: out range error compiling fips 1.2.3

2011-09-10 Thread Dr. Stephen Henson
On Fri, Sep 09, 2011, Kenneth Goldman wrote: > > From: Jakob Bohm > > Date: 09/09/2011 05:36 AM > > Subject: Re: out range error compiling fips 1.2.3 > > > > On 9/8/2011 9:35 PM, Kenneth Goldman wrote: > > > ... > > > > > > A second question. In researching this error, I saw someone compile > w

Re: out range error compiling fips 1.2.3

2011-09-10 Thread Dr. Stephen Henson
On Fri, Sep 09, 2011, Kenneth Goldman wrote: > Replies below. But the meta-question is "does there exist > step by step instructions for compiling the openssl FIPS module. > The user guide and the security policy have details. > > > That is for testing purposes for the unvalidated 2.0 module

Re: id-RSASSA-PSS question

2011-09-12 Thread Dr. Stephen Henson
On Mon, Sep 12, 2011, Stef Hoeben wrote: > Hi, > > we have an SOD (a CMS for e-passports and e-ID cards) file that we can read > out and verify nicely if the signature algo is RSA_PKCS1_PADDING. > > But if the algo is RSA_PKCS1_PSS_PADDING (see attached txt for an asn1 > dump), > the verificati

Re: Compiling for 32-bit on 64-bit Linux

2011-09-14 Thread Dr. Stephen Henson
On Tue, Sep 13, 2011, Kenneth Goldman wrote: > I'm trying to compile a 32-bit openssl 1.0.0d on Intel 64-bit Linux RHEL > 6.1. > > This was the only combination of many I tried that seems to work. Was I > right? Was there a better way? > > ./Configure linux-generic32 -shared -m32 > That is

Re: FIPS vs ECDSA

2011-09-16 Thread Dr. Stephen Henson
On Thu, Sep 15, 2011, Kenneth Goldman wrote: > I have a preinstalled Linux OpenSSL package, where "openssl version" says > OpenSSL 1.0.0-fips 29 Mar 2010. > That is a non-standard FIPS version specific to some Linux distros. You should ask in the distro specific mailing lists. > I have the dev

Re: Issue With continous PRNG test with Fips module of openssl

2011-09-19 Thread Dr. Stephen Henson
On Mon, Sep 19, 2011, alok sharma wrote: > Hi Jacob, > Thanks for such a detailed reply. But I am having one concern that how > an application can know whether it is secure or not. Fips uses > GetSystemTimeAsFileTime() for PRNG test which is having granularity of 1 ns, > but my application is r

Re: Bug in [ policy_match ] among OpenSSL versions?

2011-09-19 Thread Dr. Stephen Henson
On Mon, Sep 19, 2011, Gabriel Marques wrote: > Hello folks, > > I'm developing a tool for signing digital TV apps, and for testing > I'm creating a lot of different test scenarios. > > Well, using OpenSSL 1.0.0e to create a new certificate, signed by a > snakeoil one I got the following error: >

Re: View OCSP response in CMS

2011-09-21 Thread Dr. Stephen Henson
On Wed, Sep 21, 2011, Gabriel Marques wrote: > I'm developing a tool for signing digital TV apps, and one of the > goals was to embed OCSP responses into the CMS signature file of the > application. > The idea is that the broadcaster equipment would query the OCSP and > update t

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

2011-09-22 Thread Dr. Stephen Henson
On Thu, Sep 22, 2011, Dominik Oepen wrote: > > However, I'm not exactly sure whether or not the ASN1 subsystem is meant > to be used outside of OpenSSL. I couldn't find a lot of documentation > about it and learned how to use it by reading the source. Maybe one of > the OpenSSL developers could c

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

2011-09-22 Thread Dr. Stephen Henson
On Thu, Sep 22, 2011, Chang Lee wrote: > Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL > code, though we're using the 0.9.8 branch, hoping to find a built-in > primitive SEQUENCE to use but to no avail. As you say, there are templates > for primitives and I looked at

Re: [openssl-users] View OCSP response in CMS

2011-09-22 Thread Dr. Stephen Henson
On Thu, Sep 22, 2011, Erwann Abalea wrote: > On 21/09/2011 21:20, Gabriel Marques wrote: > >I'm developing a tool for signing digital TV apps, and one of the > >goals was to embed OCSP responses into the CMS signature file of > >the application. > >The idea is that the broadcaster equipment wou

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

2011-09-22 Thread Dr. Stephen Henson
On Thu, Sep 22, 2011, Chang Lee wrote: > I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect > to be a DER encoded SEQUENCE, into an object. I need to do this because I'm > trying to verify an Authenticode signature. I need to generate a digest of > the contents of the s

Re: Convert ASN1_OCTET_STRING contents to ASN1 Sequence

2011-09-22 Thread Dr. Stephen Henson
On Thu, Sep 22, 2011, Chang Lee wrote: > Thanks for the info. I'll try to get it to work using ASN1_get_object(). > Just for my edification, was my approach using the templates and macros not > a viable option? > Well it would work but you'd have to parse the whole structure which isn't necessar

Re: [openssl-users] View OCSP response in CMS

2011-09-22 Thread Dr. Stephen Henson
On Thu, Sep 22, 2011, Gabriel Marques wrote: > Thanks Steve and Erwann, > > Putting the OCSP response inside a tagged object did the job for > OpenSSL recognizing the OtherRevocationInfoFormat. > BouncyCastle also changed the CMS version to 5 automatically when I > did it, and I've changed the OI

Re: Issue With continous PRNG test with Fips module of openssl

2011-09-23 Thread Dr. Stephen Henson
On Fri, Sep 23, 2011, alok sharma wrote: > Hi, > So is there any method on Windows to generate non-predictable > random numbers. I think mostly FileSystem time is used to seed randomness > which is failing in my case. > As I indicated this shouldn't be happening if you've set up locking callba

Re: Issue With continous PRNG test with Fips module of openssl

2011-09-23 Thread Dr. Stephen Henson
On Fri, Sep 23, 2011, alok sharma wrote: > I am using the openssl fips version for my application. So, I have not made > any change in openssl or Fips code. Just enabling fips and using SSL API > exposed for client server model. But through debugger I have found that my > application is crashing gi

Re: Issue With continous PRNG test with Fips module of openssl

2011-09-23 Thread Dr. Stephen Henson
On Fri, Sep 23, 2011, alok sharma wrote: > Hi, > The error message comes when we invoke SSL_accept() API. But taking > lock on it will affect performance as it performs network operation inside > this API (like client hello message and other). So if network is overloaded > then mutex hold tim

Re: Issue With continous PRNG test with Fips module of openssl

2011-09-23 Thread Dr. Stephen Henson
On Fri, Sep 23, 2011, alok sharma wrote: > Hi, > Ok I got your point. I think it will be helpful. Do you have any link or > procedure to setup these call backs or these are just function pointers > which needs to be initialized at ssl initialization time. See the FAQ: http://www.openssl.org/

Re: PEM_read_PublicKey API gives illegal instruction..

2011-09-23 Thread Dr. Stephen Henson
On Fri, Sep 23, 2011, brajan wrote: > > hi > i installed the openssl-fips 1.2 in opensuse kernel 2.6.25.5-1.1-default > Opensuse version 11.1. i try to run the following code . i got the illegal > instruction .. > and i need to know i installed the fips 1.2 fully.. > Build an FIPS capable Open

Re: TLS 1.0 "cracked"...

2011-09-23 Thread Dr. Stephen Henson
On Fri, Sep 23, 2011, Jakob Bohm wrote: > > Is openssl running out of bit values for SSL_OP_ constants? > Well more ran out of constants. When a new flag was needed for TLS v1.2 all 32 bits were used but fortunately two ancient ones were never used by anything AFAIK so could be reassigned. Ther

Re: EVP_Cipher()

2011-09-26 Thread Dr. Stephen Henson
On Sun, Sep 25, 2011, Paul Suhler wrote: > Hi, everyone. > > > > (This got no response on the developers list, so I'll retry it here.) > > > > Should EVP_Cipher() be used? I've found an inconsistency in its return > values: For the cipher EVP_aes_256_gcm, successful decryption returns >

Re: message signature

2011-09-26 Thread Dr. Stephen Henson
On Mon, Sep 26, 2011, Clément Marcel wrote: > Hello, > > I have some problems to sign message with OpenSSL. The following code has > been provided as an example (of a global project prototype): > > input arguments are: > * Bin: const unsigned char * to be signed > * BinLen: length of the previous

Re: message signature

2011-09-27 Thread Dr. Stephen Henson
On Tue, Sep 27, 2011, Clément Marcel wrote: > I finally solve the problem using EVP_PKEY_get1_RSA() & RSA_sign() to > convert EVP_PKEY into RSA key and sign digest. Both codes provide same > results. And I had some checks for errors. Yes that is the correct procedure for 0.9.8. Steve. -- Dr Steph

Re: openssl-1.0.1-stable-SNAP-20110927

2011-09-29 Thread Dr. Stephen Henson
On Thu, Sep 29, 2011, Michael Haas wrote: > Hello, > > i tried to enable TLS1.1 + TLS1.2 on Apache 2.2.21 with > openssl-1.0.1-stable-SNAP-20110927 but didn't succeed. > TLS 1.1 is working as expected but TLS 1.2 not. I don't get a > connection with TLS1.2, tried IE9 and Opera. > Should TLS 1.2

Re: Open SSL API's Support For IPv6.

2011-09-29 Thread Dr. Stephen Henson
On Thu, Sep 29, 2011, Akanksha Shukla wrote: > Hi All, > > I tried following things: > > > > 1) Made socket() system call with AF_INET6 family type. > > 2) Made connect() system call to get connected to destination address > using the socket created above. > > 3) Then made ca

Re: FIPS-capable OpenSSL that works on Windows NT

2011-10-05 Thread Dr. Stephen Henson
On Tue, Oct 04, 2011, William A. Rowe Jr. wrote: > On 10/4/2011 10:45 PM, Bill Durant wrote: > > > > Does anyone know how to produce a FIPS-capable OpenSSL that works on > > Windows NT? > > It's likely not possible... > > > But when I run it under Windows NT, I get the following run-time error

Re: FIPS-capable OpenSSL that works on Windows NT

2011-10-05 Thread Dr. Stephen Henson
On Wed, Oct 05, 2011, Bill Durant wrote: > On Oct 5, 2011, at 8:08 AM, Dr. Stephen Henson wrote: > > On Tue, Oct 04, 2011, William A. Rowe Jr. wrote: > > > >> On 10/4/2011 10:45 PM, Bill Durant wrote: > >>> > >>> Does anyone know how

Re: Year 2038 and CA certificate

2011-10-10 Thread Dr. Stephen Henson
On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: > Hello, > > My PKI is currently running on a 32 bit machine with Open SSL > version 0.9.8 suffering from the Y2038 bug. Another 64 bit machine > does not show that bug. > > What I need for now is a CA certificate for signing which should >

Re: Year 2038 and CA certificate

2011-10-10 Thread Dr. Stephen Henson
On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: > On 10.10.2011 13:14, Dr. Stephen Henson wrote: > > > >If you use OpenSSL 1.0.0 or later you shouldn't see the 2038 issue on any > >platform because OpenSSL uses its own internal date routines to bypass the > &g

Re: Open SSL API's Support For IPv6.

2011-10-22 Thread Dr. Stephen Henson
On Sat, Oct 22, 2011, Akanksha Shukla wrote: > > 5) BIO_set_nbio(conn, 1); > > 6) int retVal = BIO_do_connect(conn); > > if(retVal <= 0) > > { > > cout << " The Bio_do_connect failed" << endl; > > } > > > > After executing the program, I am getting output as : > >

Re: FIPS-capable OpenSSL that works on Windows NT

2011-10-24 Thread Dr. Stephen Henson
On Mon, Oct 24, 2011, Bill Durant wrote: > > > Hello Steve: > > I downloaded > ftp://openssl.org/snapshot/openssl-fips-2.0-test-20111023.tar.gz and > http://openssl.org/source/openssl-0.9.8r.tar.gz. > > I am getting the following compile errors. Any ideas on what I am doing > wrong? > You c

Re: Open SSL API's Support For IPv6.

2011-10-24 Thread Dr. Stephen Henson
On Sun, Oct 23, 2011, Akanksha Shukla wrote: > Hi Stephen, > > > > I tried with retry logic as well (though earlier it was also same), but same > result. > > > > int retryCounter = 0; > > while(retryCounter < CONNECT_MAX_TRY) > > { > > int retVal = BIO_do_connect(conn); > > if(

Re: FIPS-capable OpenSSL that works on Windows NT

2011-10-25 Thread Dr. Stephen Henson
On Mon, Oct 24, 2011, Bill Durant wrote: > On Oct 24, 2011, at 4:00 PM, Dr. Stephen Henson wrote: > > On Mon, Oct 24, 2011, Bill Durant wrote: > > > >> > >> > >> Hello Steve: > >> > >> I downloaded > >> ftp://ope

Re: openssl 1.0.0 d2i_X509() error ASN1_R_WRONG_TAG

2011-10-25 Thread Dr. Stephen Henson
On Tue, Oct 25, 2011, Nan Luo wrote: > Hi, I used to work with openssl-0.9.7, and all my certificates were > generated by openssl-0.9.8. Openssl-0.9.7 works great with openssl-0.9.8's > certificates, I never had issues in parsing, verification, .. Recently > I upgraded my application with open

Re: OpenSSL 1.0.1 example with SRP

2011-10-27 Thread Dr. Stephen Henson
On Thu, Oct 27, 2011, Norm Green wrote: > > The best I can tell, the snapshot is broken. > At this point, I wouldn't be surprised. > > Update: > > I made some (major) changes to my example code based on the SRP code in > ssltest.c. Mainly, I implemented and used all the SRP callback functions.

Re: SSL session ID vs session ticket

2011-10-27 Thread Dr. Stephen Henson
On Thu, Oct 27, 2011, Richard Könning wrote: > On 27.10.2011 14:09, Matthias Meixner wrote: > > > >Hello! > > > >When upgrading to version 0.9.8r my system stopped supporting session > >resumption. > >It looks like session tickets are the reason for this. > > > >I was using some external session

Re: SSL session ID vs session ticket

2011-10-28 Thread Dr. Stephen Henson
On Thu, Oct 27, 2011, Matthias Meixner wrote: > > Hello! > > it looks like my original EMail has been truncated, therefore, my main > questions > were missing. > > I had already found option SSL_OP_NO_TICKET but I have some questions > regarding > SSL session tickets for which I have not f

Re: How to build a 64-bit FIPS-capable OpenSSL on Windows from the latest snapshots?

2011-10-28 Thread Dr. Stephen Henson
On Fri, Oct 28, 2011, Bill Durant wrote: > Hello, > > What is the procedure for building a 64-bit FIPS-capable OpenSSL on Windows > from the following latest snapshots: > > ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111028.tar.gz > > ftp://ftp.openssl.org/snap

Re: How to build a 64-bit FIPS-capable OpenSSL on Windows from the latest snapshots?

2011-10-28 Thread Dr. Stephen Henson
On Fri, Oct 28, 2011, Bill Durant wrote: > On Oct 28, 2011, at 1:57 PM, Dr. Stephen Henson wrote: > > On Fri, Oct 28, 2011, Bill Durant wrote: > > > >> Hello, > >> > >> What is the procedure for building a 64-bit FIPS-capable OpenSSL on > &

Re: openssl-1.0.1-stable-SNAP-20110927

2011-10-31 Thread Dr. Stephen Henson
On Mon, Oct 31, 2011, Bin Lu wrote: > Hi Steve, > > Is it still disabled by default? In build 1.0.1-stable-SNAP-20111028, I do > not see that line in ssl/ssl_lib.c as you mentioned, meaning enabled by > default going forward? > It is enabled by default in newer snapshots now. Steve. -- Dr St

Re: Using certificate and private key from Windows cert store with OpenSSL

2011-11-01 Thread Dr. Stephen Henson
On Tue, Nov 01, 2011, Vladimir Belov wrote: > > How to use some "engine API" in my program? What is the name of > this "some engine API" or engine plug-in? > > Please, give a small example or where can I find documentation about > this? Is any documentation on the openssl.org? > Note that the

Re: How to build a FIPS-capable OpenSSL on Ubuntu Linux from the latest snapshots?

2011-11-01 Thread Dr. Stephen Henson
On Tue, Nov 01, 2011, Bill Durant wrote: > Hello, > > What is the procedure for building a FIPS-capable OpenSSL snapshot on Ubuntu > 8.04.4 LTS from the following snapshots: > > ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111031.tar.gz > > ftp://ftp.ope

Re: FW: FIPS validation and TLS 1.2

2011-11-02 Thread Dr. Stephen Henson
On Tue, Nov 01, 2011, William A. Rowe Jr. wrote: > On 11/1/2011 8:35 PM, Bin Lu wrote: > > > > Do you have an answer for my question below? Is the fips-2.0-test code > > branched off from a > > FIPS-capable version? Which version is it based on if yes? > > AIUI, fipscanister doesn't include TLS

Re: OpenSSL FIPS Module 2.0 status update

2011-11-03 Thread Dr. Stephen Henson
On Thu, Nov 03, 2011, Jack D. Pond wrote: > Uh, Steve, > > crypto/opensslv.h > > #define OPENSSL_VERSION_NUMBER0x1010L > #ifdef OPENSSL_FIPS > #define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0-fips-dev xx XXX " > #else > #define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0-dev xx XXX " >

Re: decrypt certificates signature

2011-11-07 Thread Dr. Stephen Henson
On Sun, Nov 06, 2011, Maurice Mahieu wrote: > I want to know if it is possible to decrypt the signature from a > server certificate with the issuers public key using openssl. > An additional data point to the comprehensive replies you've received so far. If you literally want to "decrypt the signa

Re: Import/export of ecdsa-keys and signatures

2011-11-09 Thread Dr. Stephen Henson
On Wed, Nov 09, 2011, Markus Niedermann wrote: > Hi, > I want to use openSSL in C to sign/verify messages with ECDSA > (fixed curve). > It's the first time I use openSSL, maybe my questions are very trivial.. > > How can I import a key that I generated externally to a EC_KEY object? > I have 3 ch

Re: ECDSA with SHA384 - Verification

2011-11-14 Thread Dr. Stephen Henson
On Mon, Nov 14, 2011, Caswell, Paul wrote: > Hello, > > We have some software that uses OpenSSL for digital signature creation > and verification. I have to implement a means to test this against > known answers and so have fished out the test vectors for ECDSA from > http://csrc.nist.gov/group

Re: ECDSA with SHA384 - Verification

2011-11-14 Thread Dr. Stephen Henson
On Mon, Nov 14, 2011, Caswell, Paul wrote: > Hi Steve, > Does this mean you have something I can look at or are you trying to > tell me that I don't need to test our software as OpenSSL already tests > ECDSA? It depends on what you want to test ECDSA for. If it is part of FIPS 140-2 compliance (

Re: ECDSA with SHA384 - Verification

2011-11-14 Thread Dr. Stephen Henson
On Mon, Nov 14, 2011, Caswell, Paul wrote: > I have a specific requirement to perform a KAT and am struggling with > setting k as per my original e-mail. Well you were on the right lines with your original email. If you look in ecdsa_sign_setup in ecs_ossl.c you'll see how it uses a random k valu

Re: "make test" fails for FIPS-capable OpenSSL build

2011-11-15 Thread Dr. Stephen Henson
On Mon, Nov 14, 2011, Kevin Fowler wrote: > Hi, > I successfully built the FIPS 2.0 module (2010), its tests passed, and > it was installed correctly in /usr/local/ssl/fips-2.0. > > I then build openssl 1.0.1 (2010): > > ./config fips shared > make > > which all seems to go ok > > Then

Re: PKCS12_parse

2011-11-15 Thread Dr. Stephen Henson
On Tue, Nov 15, 2011, dricha...@globalcerts.net wrote: > Hello, > > I am maintaining a piece of code that calls PKCS12_parse. It worked with > an older version of openssl (0.9.8m), but it is not working with version > 1.0.0 > Here are some clips: > > X509 *cert = NULL; > BIO

Re: ssl3_get_client_certificate: no certificate returned

2011-11-15 Thread Dr. Stephen Henson
On Tue, Nov 15, 2011, Tobias Nissen wrote: > Hi, > > I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through > AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom > verification mechanism by setting verify_cb³. Here's an example (keys > included): > > http://past

Re: ssl3_get_client_certificate: no certificate returned

2011-11-15 Thread Dr. Stephen Henson
On Tue, Nov 15, 2011, Tobias Nissen wrote: > Dr. Stephen Henson wrote: > > On Tue, Nov 15, 2011, Tobias Nissen wrote: > >> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use > >> through AnyEvent::TLS². AnyEvent::TLS provides the means to define > &g

Re: understanding fipsld usage

2011-11-21 Thread Dr. Stephen Henson
On Fri, Nov 18, 2011, Kevin Fowler wrote: > Let me first say I have read the User Guide and Security Policy > repeatedly, as well as the Incore Tutorial, looked through this users > group, and read anything else I could find - so I'm not being lazy, > although my questions may be pedestrian... Ple

Re: CVE-2011-3210 clarification?

2011-11-21 Thread Dr. Stephen Henson
On Mon, Nov 21, 2011, Charles Owens wrote: > I'm trying to make sure I completely understand the situation with > respect to the "TLS ephemeral ECDH crash" issue (from > http://openssl.org/news/secadv_20110906.txt). > > Is it true that with 0.9.8r by default the related ciphersuites > (ECCdraft)

Re: Friendly name

2011-12-01 Thread Dr. Stephen Henson
On Thu, Dec 01, 2011, Hopkins, Nathan wrote: > I'm using the below commands to create a ca ... > > > > openssl genrsa -des3 -out ca.key 2048 > > openssl req -new -x509 -key ca.key -out ca.crt -days 730 > > ... please can you advise how I can add a "friendly name" to this cert? > What do yo

Re: CA chain file print text

2011-12-08 Thread Dr. Stephen Henson
On Thu, Dec 08, 2011, gkout wrote: > > Hello everybody, > > Nice to find you. My first post in the forum is about printing the text of > all CA certificates in a chain file. > > openssl x509 -text -noout -in CA_chain_file will not do the job as it only > prints the first cert in the chain and th

Release of OpenSSL 1.0.1 approaching...

2011-12-08 Thread Dr. Stephen Henson
OpenSSL 1.0.1 is expected to be released in the next few weeks. There have been many changes since OpenSSL 1.0.0 including: o PSS signatures in certificates, requests and CRLs. o Support for password based recipient info for CMS. o Support TLS v1.2 and TLS v1.1. o

Re: PKCS12_parse() in multi-threads, "heap is corrupt"

2011-12-11 Thread Dr. Stephen Henson
On Sun, Dec 11, 2011, cellecial wrote: > Hi, > > I wrote a simple pkcs12 demo(under Windows), it just read from a PKCS12 > file and got private key and certificate. > If I use single thread, it works fine. > If I use multi-thread, it works fine for a while ,then pops up an error > dial

Re: PKCS12_parse() in multi-threads, "heap is corrupt"

2011-12-11 Thread Dr. Stephen Henson
On Sun, Dec 11, 2011, cellecial wrote: > Thank you. I add "OpenSSL_add_all_algorithms();" in main function and > include "openssl/evp.h",but it still pops error dialogue after a while. > Some threads can end well, others are not so lucky. > > Have you set the locking callbacks? You need to set

Re: Parsing pkcs7 bag of certificates

2011-12-14 Thread Dr. Stephen Henson
On Wed, Dec 14, 2011, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Anamitra Dutta Majumdar > > Sent: Tuesday, 13 December, 2011 14:37 > > > >I am looking for OpenSSL api to parse pkcs7 bag of > > certificate file that > > >has two certificates a SubCA and the othe

Re: MD5 slower since 1.0.0?

2011-12-14 Thread Dr. Stephen Henson
On Wed, Dec 14, 2011, Marius Peschke wrote: > Marius Peschke > > Sadly I had to experience that my MD5-speed dropped by roughly 20-25% again > without using assembler optimization.(Measurements made by "openssl speed > md5") > Looking at how we measure speeds in apps/speed.c the results may n

Re: [openssl-users] Re: Special character in CA name

2011-12-15 Thread Dr. Stephen Henson
On Thu, Dec 15, 2011, gkout wrote: > > Hi Erwann, > > Putty is set to translate to UTF-8. > Unfortunately I can not send this certificate. It was generated by another > authority and sent to me, which means I can not re-try generating it again. > > One note: The file is a chain CA file, contai

Re: pkcs#7 sign with OpenSSL

2011-12-15 Thread Dr. Stephen Henson
On Thu, Dec 15, 2011, Pietro Romanazzi wrote: > Hi, > afraid this question has been already issued but I did not find any solution > surfing the web. > I need to sign data with a RSA private key and obtain a pkcs#7 envelope with > data, signature > and certificate. > In the past I remember I fo

Re: How to create pfx-file from pem-file (with signed certificate) and private key ?

2011-12-16 Thread Dr. Stephen Henson
On Fri, Dec 16, 2011, Michael S. Zick wrote: > On Fri December 16 2011, _daxh_ wrote: > > > > Hello. > > > > I have signed certificate stored in cert.pem file. Also I have private key > > stored in iPhoneMyBase64PrivateKey.pem. Then I can use the following openSSL > > command: > > > > $openssl p

Re: Malformed Certificate Created for Windows but Not Linux

2011-12-16 Thread Dr. Stephen Henson
On Thu, Dec 15, 2011, harrije wrote: > > I have not had any success in my search for a known issue with malformed > client certificates generated by openssl 1.0.0e for Windows. Before I invest > too much time trying to debug the issue, I wanted to query whether others > may have a clue on cause a

Re: faled to read serial number(ASN1_INTEGER) from x509 certiticate using openssl

2011-12-21 Thread Dr. Stephen Henson
On Wed, Dec 21, 2011, chetanrun wrote: > > How to read certificate details ( serial number, issuer , subject details) > from x509 certificate using Openssl. > > I parsed P12 file using PKCS12_parse(), then retrieved serial number in > ASN1_INTEGER format from obtained x509 certificate. But how

Re: How to detect (e.g.) RC4_CHAR mismatch application <-> shared lib

2011-12-21 Thread Dr. Stephen Henson
On Thu, Dec 22, 2011, Per Hedeland wrote: > Hello, > > I recently had the misfortune of running into the case of an application > built with an OpenSSL installation that had the RC4_CHAR option set > (linux-ppc in Configure), but run using libcrypto.so from an > installation that *didn't* have RC

Re: How to detect (e.g.) RC4_CHAR mismatch application <-> shared lib

2011-12-22 Thread Dr. Stephen Henson
On Thu, Dec 22, 2011, Per Hedeland wrote: > "Dr. Stephen Henson" wrote: > > > >Well whatever you do here is likely to be a hack which could well break in > >future etc etc etc... > > Understood. > > >With that disclaimer out of the way you *m

Re: decrypt with a public key

2011-12-28 Thread Dr. Stephen Henson
On Wed, Dec 28, 2011, Ireneusz Szcześniak wrote: > Hi, > > In public key cryptography, a message encrypted with a private key > can be decrypted with a public key, and so I tried: > > openssl rsautl -encrypt -inkey private-key -in message -out cryptogram > > openssl rsautl -decrypt -inkey publ

Re: decrypt with a public key

2011-12-28 Thread Dr. Stephen Henson
On Wed, Dec 28, 2011, Ireneusz Szcześniak wrote: > Thank you, Steve, for your post. Let me explain what I'm trying to > do. In the public key cryptography: > > message = Dprv(Epub(message)) = Dpub(Eprv(message) > > D stands for decrypt, E for encrypt > prv - private key, pub - private key >

Re: Thunderbird Issue

2012-01-03 Thread Dr. Stephen Henson
On Tue, Jan 03, 2012, The Doctor wrote: > Finally got Openssl 1.0.1 daily working > > However, > > Mozilla Thunderbird is choking saying > > SSL received a malformed Server Hello handshake message. > > (Error code: ssl_error_rx_malformed_server_hello) > > > No such problem in Outlook Expres

Re: Thunderbird Issue

2012-01-03 Thread Dr. Stephen Henson
On Tue, Jan 03, 2012, Dr. Stephen Henson wrote: > On Tue, Jan 03, 2012, The Doctor wrote: > > > Finally got Openssl 1.0.1 daily working > > > > However, > > > > Mozilla Thunderbird is choking saying > > > > SSL received a malformed Serv

Re: subjectAltName removed from CSR when signing

2012-01-04 Thread Dr. Stephen Henson
On Wed, Jan 04, 2012, Mick wrote: > On Wednesday 04 Jan 2012 12:33:06 you wrote: > > > I've found many articles how I can add that attribute by using a > > custom config file and the -extfile and -extensions > > parameters. I've used that as a "work around" to get subjectAltName > > into certif

Re: Having problem using SSL

2012-01-05 Thread Dr. Stephen Henson
On Wed, Jan 04, 2012, vhow...@currenex.com wrote: > > Hello, > > I have a problem using SSL. When I click run, it immediately logs off. I > look at the log and I see: > > > LOG5[5748:5472]: stunnel 4.50 on x86-pc-mingw32-gnu platform > 2012.01.04 11:28:29 LOG5[5748:5472]: Compiled/running wi

Re: Having problem using SSL

2012-01-06 Thread Dr. Stephen Henson
On Thu, Jan 05, 2012, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Dr. Stephen Henson > > Sent: Thursday, 05 January, 2012 11:34 > > > On Wed, Jan 04, 2012, vhow...@currenex.com wrote: > > > error:05067068:Diffie-Hellman routines:G

Re: Optional validation of time in OpenSSL Reg.

2012-01-12 Thread Dr. Stephen Henson
On Thu, Jan 12, 2012, Ashok C wrote: > Hi, > > I see that the openSSL certificate verify utility uses the > X509_verify_cert() in x509_vfy.c for certificate validation. > Based on the manual pages for verify, I understand that the order for > verification is as follows: > >1. Firstly a certi

Re: Re: Verify intermediate certificate

2012-01-16 Thread Dr. Stephen Henson
On Mon, Jan 16, 2012, Eisenacher, Patrick wrote: > > -Original Message- > > From: Steffen DETTMER > > > > * Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100: > > [...] > > > >>> Or, in other words: Let's assume I have a ultimate root > > > >>> (self-signed) "Root" and a branched C

Re: About compression in SSL.

2012-01-17 Thread Dr. Stephen Henson
On Tue, Jan 17, 2012, nilesh wrote: > On Tuesday 17 January 2012 04:46 PM, t...@terralogic.net wrote: > >I would want to double check this. The APACHE docs found here state the > >following: > > > >http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html > > > >"How do I get SSL compression working? >

Re: OpenSSL support for TLS 1.1 or 1.2

2012-01-19 Thread Dr. Stephen Henson
On Thu, Jan 19, 2012, Roger Myers wrote: > Hi, > > Can you tell me which versions of OpenSSL support TLS 1.1 or TLS 1.2. > OpenSSL 1.0.1 and later. There haven't been any official releases of those yet but 1.0.1 is in beta. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commer

Re: Question about EVP_get_digestbynid and ECDSA

2012-01-19 Thread Dr. Stephen Henson
On Wed, Jan 18, 2012, Keith Welter wrote: > If I call EVP_get_digestbynid with NID_ecdsa_with_SHA256, > NID_ecdsa_with_SHA384 or NID_ecdsa_with_SHA512 it returns null (on OpenSSL > 1.0.0-fips 29 Mar 2010). I expected it to return EVP_sha256, EVP_sha384 > and EVP_sha512 respectively. Am I supp

Re: How to disable non-FIPS approved algorithms - DH and RAND_bytes?

2012-01-23 Thread Dr. Stephen Henson
On Mon, Jan 23, 2012, Vimol Kshetrimayum wrote: > Hi, > > > I have an application which uses RSA or Diffie Hellman (DH) algorithms for > key exchange and RAND_seed and RAND_bytes to generate pseudo random number. > > > Now, I have added FIPS_mode_set(1) to enable FIPS. As per openSSL-fips > s

Re: Error message using stunnel

2012-01-25 Thread Dr. Stephen Henson
On Tue, Jan 24, 2012, Kelvin Brown wrote: > I had stunnel working on this machine but then I moved it to a remote server > and got this error: > > > 2012.01.24 17:03:04 LOG7[3236:2044]: Remote FD=348 initialized > 2012.01.24 17:03:04 LOG3[3236:2044]: error queue: 14098077: > error:14098077:SSL r

Re: OpenSSL security issues and FIPS.

2012-01-25 Thread Dr. Stephen Henson
On Wed, Jan 25, 2012, Gerald L Collins wrote: > Hello all, > I've been tasked to look at some security issues for our OpenSSL > implementation. We are currently at FIPS 1.2.2 and openssl 0.9.8k. Most > of the issues I was asked to look at were no issue for us, but the below > item I'm less

Re: Separating the digest and signature steps of RSA signing

2012-01-27 Thread Dr. Stephen Henson
On Fri, Jan 27, 2012, Dave Thompson wrote: > > > Is there any way to do that with openssl? > > > Just call the low-level primitive RSA_sign if you still want > the conventional algid+hash encoding and PKCS1 formatting > (i.e. if you are interoperating with almost anyone) or > even lower-level

Re: OpenSSL with Luna SA

2012-02-01 Thread Dr. Stephen Henson
On Wed, Feb 01, 2012, Bram Cymet wrote: > Hi Mathias, > > Thanks for the reply. I made the change however it doesn't seem to have > fixed my problem. > > I am still getting: > > 139697024018088:error:2606B08C:engine routines:ENGINE_finish:dsa not > implemented:e_lunaca3.c:710:DSO not set > 1396

Re: R: Unable to verify a RSA SHA512 signature maded from CLI from a C source code.

2012-02-03 Thread Dr. Stephen Henson
On Fri, Feb 03, 2012, francesco.petru...@innovery.it wrote: > Have you miss the OpenSSL_add_all_algorithms() initialization? > > > > Da: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] > Per conto di Roberto Martelloni > Inviato: venerdì 3 febbraio 2012 12:31 > A: open

Re: Adding a trusted CA from a BIO or X509*

2012-02-03 Thread Dr. Stephen Henson
On Fri, Feb 03, 2012, Dan Schmitt wrote: > I have a situation where I'd like my client to validate > against my server, but I don't expect the default CA > .pem files for openSSL to be there. > > Is there a way to take > > SSL_CTX *mySSL_CTX = existing_ssl_ctx; > > char *foo = "valid pem st

Re: Openssl as a library in iOS/Certificate Signing Request PKCS10

2012-02-07 Thread Dr. Stephen Henson
On Mon, Feb 06, 2012, Kacper86 wrote: > Hi, > > I would like to use openssl library in my iOS application > (Objective-C) to generate certificate signing request. > > If I wanted to use openssl application in linux I would write > something like that: > > openssl req -new -newkey rsa:2048 -node

Re: About the usage of SSL_get_ex_new_index

2012-02-07 Thread Dr. Stephen Henson
On Tue, Feb 07, 2012, Bruce (Riji) Cai wrote: > Hi all, > > From man page of SSL_CTX_set_verify, I saw this example snippet: > > /*** snippet begin */ > ... > > mydata_t mydata; > > ... > mydata_index = SSL_get

Re: cert chain out of order breaks openssl

2012-02-14 Thread Dr. Stephen Henson
On Tue, Feb 14, 2012, Timothy Kay wrote: > Erik, > > Thanks for the pointer. It's very helpful. > > HOWEVER, I can give you dozens of different sites that do it wrong, yet > they all work in the browsers. Clearly that particular part of the spec is > no longer relevant, and openssl should be upd

Re: cert chain out of order breaks openssl

2012-02-14 Thread Dr. Stephen Henson
On Tue, Feb 14, 2012, Timothy Kay wrote: > We have been baffled for a long time that curl cannot access websites that > work just fine in the browser (unless we use --insecure, of course). The > curl documentation points you to http://curl.haxx.se/docs/sslcerts.html, > which explains that your ser

Re: FIPS mode and RSA_verify confusion

2012-02-16 Thread Dr. Stephen Henson
On Thu, Feb 16, 2012, john hagen wrote: > Can someone shed some light on the following? > > I'm able to 'verify' via the command line like this: > "# env OPENSSL_FIPS=1 ./openssl dgst -sha512 -verify pub.pem > -signature format.sign format.c > Verified OK" > > Programmatically I get the followin

Re: weak key check?

2012-02-16 Thread Dr. Stephen Henson
On Thu, Feb 16, 2012, Jakob Bohm wrote: > On 2/16/2012 11:36 AM, Magosányi Árpád wrote: > >Hi! > > > >Is the sentence "It checks that p and q are in fact prime, and > >that n = p*q" in RSA_check_key's documentation mean that it checks > >for weak primes, like the ones mentioned here?: > >http://ar
