Re: What is key_id arg in load_private_key() and load_public_key()

2010-02-09 Thread Dr. Stephen Henson
On Tue, Feb 09, 2010, Becky H wrote: > Hello - > > Two openssl functions require *key_id as an argument. What is this? > > EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, > UI_METHOD *ui_method, void *callback_data); > > EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const

Re: Verify certificate against root?

2010-02-10 Thread Dr. Stephen Henson
On Tue, Feb 09, 2010, skillz...@gmail.com wrote: > I'm trying to programmatically verify that a certificate from a sub-CA > is signed by a specific root CA. I get an error of 7 > (X509_V_ERR_CERT_SIGNATURE_FAILURE) from X509_verify_cert. If I verify > with the openssl command line tool using 'open

Re: pkcs#12 format

2010-02-18 Thread Dr. Stephen Henson
On Wed, Feb 17, 2010, Nicolas Pelloux-Prayer wrote: > I'm trying to extract the cert/private key pair from a pkcs#12 file using > the PKCS12_parse method. It works fine for most p12 I used before, then I > ran into a strange p12 which doesn't work (returned cert & pkey are both > NULL). > [snip]

Re: SSL crypto library

2010-02-18 Thread Dr. Stephen Henson
On Thu, Feb 18, 2010, carlyo...@keycomm.co.uk wrote: > > > On Thu 18/02/10 3:31 PM , Robert Doncaster b...@edp.co.uk sent: > > Hello, > > > > Is there a programmatic way to give a list of available cypher names (eg > > AES-128-ECB...)? > > i.e a list of the names that could be supplied to EVP_g

Re: s_server + compression

2010-02-18 Thread Dr. Stephen Henson
On Thu, Feb 18, 2010, barcaroller wrote: > How can I force s_server (and s_client) to use compression (DEFLATE)? > The only supported compression algorithm is zlib. You can get that by compiling OpenSSL with zlib support: it is then used automatically. Steve. -- Dr Stephen N. Henson. OpenSSL pr

Re: Obsolete functions...

2010-02-18 Thread Dr. Stephen Henson
On Thu, Feb 18, 2010, barcaroller wrote: > > I have inherited some legacy OpenSSL code where the author uses the > following functions for decryption: > > EVP_CIPHER_CTX_init() > EVP_CipherInit() > EVP_Cipher() > EVP_CIPHER_CTX_cleanup() > > > The code works fine but the second

Re: Trouble with openssl on Snow Leopard 10.6.2

2010-02-22 Thread Dr. Stephen Henson
On Mon, Feb 22, 2010, Andre Dieball wrote: > Hi there > > I have some trouble using ssl in Apple's Mail. > I have two certificates, one for private (j...@me.com) and one for business > (j...@acme.com). > Both are valid certificates from Verisign. > > With both certificates I can sign and encrypt

Re: release date of OpenSSL 0.9.8m?

2010-02-23 Thread Dr. Stephen Henson
On Tue, Feb 23, 2010, Michael Fuller wrote: > > When 0.9.8m beta 1 was released 1 month ago, I presumed that > 0.9.8m would follow shortly, presumably some time after the > renegotiation draft was approved, which happened ~2 weeks ago. > > So, now that RFC5746 has been upgraded from draft to fin

Re: PKCS#7 extract and verify certificate?

2010-02-23 Thread Dr. Stephen Henson
On Mon, Feb 22, 2010, Eisenacher, Patrick wrote: > > Unfortunately, the perceived verification algorithm is a limitation in > openssl, which always wants to do path validation up to a self signed cert, > even if no revocation checking is requested. And no, there's no way to > modify its verificat

Re: How to change initial value of a digest ctx

2010-02-23 Thread Dr. Stephen Henson
On Tue, Feb 23, 2010, Reinaldo Matukuma wrote: > > Hello all. > > I will try to explain what I need and what I want to do. > > I know a hash from a file "X". And I also know that this file "X" has data > always been appended at end periodically. > > So, I want to only update the hash informati

Re: Using existing public key with openssl

2010-02-24 Thread Dr. Stephen Henson
On Wed, Feb 24, 2010, Lewis Kapell wrote: > > A bit of research leads me to conclude that the public-key file is not in > the correct format. It is XML formatted with sections RSAKeyValue, Modulus > and Exponent. I gather that openssl requires the key in a format called > SubjectPublicKeyInfo

Re: OpenSSL 0.9.8m renegotiation alerts?

2010-02-25 Thread Dr. Stephen Henson
On Thu, Feb 25, 2010, Victor Duchovni wrote: > > If I am reading this correctly, unpatched OpenSSL clients will definitely > hang if the client initiates renegotiation to a patched server? If so, > why not send a fatal alert (especially if non-buggy clients treat it > as fatal)? What is the point

Re: OpenSSL 0.9.8m renegotiation alerts?

2010-02-25 Thread Dr. Stephen Henson
On Thu, Feb 25, 2010, Dr. Stephen Henson wrote: > On Thu, Feb 25, 2010, Victor Duchovni wrote: > > OpenSSL clients treat the warning as fatal because there is no API provision > to renegotiate and then continue if it is refused. So to be cautious we assume > that if an appl

Re: OpenSSL 0.9.8m renegotiation alerts?

2010-02-25 Thread Dr. Stephen Henson
On Thu, Feb 25, 2010, Victor Duchovni wrote: > > If I field a patched server, and sufficiently many unpatched pre-0.9.8m > OpenSSL clients attempt re-negotiation under normal conditions, I have > a resource starvation problem and unhappy users who are more annoyed at > stuck connections than fail

Re: OpenSSL 0.9.8m renegotiation alerts?

2010-02-26 Thread Dr. Stephen Henson
On Fri, Feb 26, 2010, Victor Duchovni wrote: > On Fri, Feb 26, 2010 at 02:45:19AM +0100, Dr. Stephen Henson wrote: > > > On Thu, Feb 25, 2010, Victor Duchovni wrote: > > > > > > > > If I field a patched server, and sufficiently many unpatched pre-0.9

Re: Problem with verifying of PKCS7-structure signed with ECDSA-certificate

2010-02-26 Thread Dr. Stephen Henson
On Fri, Feb 26, 2010, Alexei Soloview wrote: > Hello! > > > > I try to check signature on PKCS7-structure(see attached file pkcs7.bin). > > The following sequence of commands is performed: > > openssl pkcs7 -in pkcs7.bin -inform DER -outform PEM -out pkcs7.PEM > > openssl smime -verify -in

Re: CFB change (was Re: OpenSSL version 0.9.8m release)

2010-02-26 Thread Dr. Stephen Henson
On Fri, Feb 26, 2010, Bruce Stephens wrote: > With 0.9.8m I'm getting some failures to read PEM files (and do some > other things, I think) that 0.9.8l is happy with. > > The PEM files are created by BouncyCastle, I think (though I imagine > 0.9.8l could be persuaded to write similarly failing fi

Re: Verify with RSA Public Key Fails

2010-02-27 Thread Dr. Stephen Henson
On Sat, Feb 27, 2010, Paul Suhler wrote: > Hi, Mounir. > > I misspoke. The value of the public exponent is in fact 3. > > Any idea what is the purpose of the padding check or why it should fail? > Most likely cause is that the verification failed for example the key not correctly set of the s

Re: Capi engine

2010-02-28 Thread Dr. Stephen Henson
On Sun, Feb 28, 2010, ? wrote: > Hello all ! > How can I specify OpenSSL to use capi engine by default ??? > (using openssl1.0.0beta5 library in my application) There are no default algorithm implementations in the CryptoAPI ENGINE at present: just private key operations. If you loa

Re: interoperability of C++ libcrypto and Java bouncy castle

2010-03-01 Thread Dr. Stephen Henson
On Sun, Feb 28, 2010, ashuahen wrote: > > I am using AES_CBC with padding (using PKCS#5 to pad) on C++ side: > > AES_set_encrypt_key( keyBuf, 128, &key ) > keyBuf contains key string > key is the key generated > > Block Length is 16 > > AES_cbc_encrypt (ibuf, obuf, lenpad, &key, iv, AES_ENCRYP

Re: Verify with RSA Public Key Fails

2010-03-01 Thread Dr. Stephen Henson
On Mon, Mar 01, 2010, Paul Suhler wrote: > Does anyone else have any speculation on why I'm failing the padding > check? I'm definitely using the public exponent and public modulus from > the CAVP sample request file. After conversion to BIGNUMs, the bytes in > the d, top, and dmax fields of eac

Re: setting FIPS_set_mode on HP PA64

2010-03-03 Thread Dr. Stephen Henson
On Tue, Mar 02, 2010, Vikram Arwade wrote: > Does anyone have pointer to this? > > Am running into an issue where I am trying to set FIPS_set_mode(1) in > shared library on HP PA64(11.11) system, but it fails with FINGER_PRINT > error. But if I set it in binary(executable) it works fine. > > >

Re: setting FIPS_set_mode on HP PA64

2010-03-03 Thread Dr. Stephen Henson
On Wed, Mar 03, 2010, Dr. Stephen Henson wrote: > On Tue, Mar 02, 2010, Vikram Arwade wrote: > > > Does anyone have pointer to this? > > > > Am running into an issue where I am trying to set FIPS_set_mode(1) in > > shared library on HP PA64(11.11) system, but it fai

Re: setting FIPS_set_mode on HP PA64

2010-03-04 Thread Dr. Stephen Henson
On Thu, Mar 04, 2010, Vikram Arwade wrote: > I am building my own library and have linked statically with openssl > libraries(crypto and ssl). > Do the two commands: OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl sha1 /dev/null OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl md5 /dev/null work

Re: Coaxing an error message out of PKCS7_verify()

2010-03-06 Thread Dr. Stephen Henson
On Sun, Mar 07, 2010, Graham Leggett wrote: > Hi all, > > I am currently struggling to get to the bottom of a problem verifying a > PKCS7 message, and before I can make any headway, I need access to the > error message. > > The error message I am getting is this: > > "error:21075075:PKCS7 routin

Re: PKCS7_verify() and being valid on a certain date

2010-03-06 Thread Dr. Stephen Henson
On Sun, Mar 07, 2010, Graham Leggett wrote: > Hi all, > > Now that I have my full error message, the problem I have is that the > verification is failing because the certificate has expired: > > error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error: Verify > error:certificate has e

Re: change in certificate policy OID handling 0.9.8l -> 0.9.8m ?

2010-03-07 Thread Dr. Stephen Henson
On Sun, Mar 07, 2010, OpenSSL user wrote: > Hi, > > I updated from 0.9.8l to 0.9.8m on my gentoo machine and now openssl can't > parse anymore my X509v3 Certificate Policies field. > > This has worked before with my private and allocated policy OID. > > Oops, a sanity check added to OID hand

Re: question about struct ASN1_HEADER in version 1.0.0

2010-03-08 Thread Dr. Stephen Henson
On Mon, Mar 08, 2010, max yang wrote: > Hi > > We use version 0.9.8 before. there's a struct ASN1_HEADER > > but it is disappeared in version 1.0.0. > > What could we use in place of it? > What were you using it for? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial te

Re: problem converting PKCS8 keystore private key to PEM

2010-03-10 Thread Dr. Stephen Henson
On Wed, Mar 10, 2010, eoinmoon wrote: > > I then exported the private key [in java code], checked it was in PKCS8 form > - See below > > "if (key instanceof PrivateKey && "PKCS#8".equals(key.getFormat())) { > // Get certificate of public key > keyOutput =

Re: CPU usage and FPGA support

2010-03-10 Thread Dr. Stephen Henson
On Wed, Mar 10, 2010, . wrote: > Hello everybody. > > We are two students doing a project about accelerating encryption on an > embedded system. This system is built upon an ARM processor (180MHz) and an > FPGA. > We have built and implemented OpenSSH into the system (running Linux), and > tested

Re: BIO_do_connect() strange return

2010-03-10 Thread Dr. Stephen Henson
On Tue, Mar 09, 2010, Bin Lu wrote: > Hi, > > I have the following code snippet: > > bio = BIO_new_connect(host); > BIO_set_conn_port(bio, port); > BIO_set_nbio(bio, 1) > while (true) { > status = BIO_do_connect(bio); > if (status > 0 || !BIO_should_retry(bio)) { > break; > }

Re: Question about DSA private keys - Quick replies appreciated!

2010-03-10 Thread Dr. Stephen Henson
On Tue, Mar 09, 2010, Anand Giriraj wrote: > Hi Folks, > Would appreciate some responses for the questions below. > > Most importantly- > > I see the following note in > http://www.openssl.org/docs/apps/pkcs8.html > "The format of PKCS#8 DSA (and other) private keys is not well documented: > it

Re: BIO_do_connect() strange return

2010-03-10 Thread Dr. Stephen Henson
On Wed, Mar 10, 2010, Bin Lu wrote: > > Thanks Steve. > > Why the connection is still invalid, because subsequent OCSP_sendreq_bio() > receives no response(while in blocking mode it does), after the 2nd time call > to BIO_do_connect() in the loop which always returns 1/success ? > > It is fa

Re: i2d_X509_REQ_INFO doesn't convert req_info structure properly

2010-03-11 Thread Dr. Stephen Henson
On Thu, Mar 11, 2010, Peter Gubis wrote: > > int datasig_len; > unsigned char *tobesigned; > datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL ); > tobesigned = (unsigned char *) malloc( datasig_len ); > if( !tobesigned ) { > printf("Unable to alloc mem buffer\n"); > return -

Re: linking FIPS 1.2

2010-03-11 Thread Dr. Stephen Henson
On Thu, Mar 11, 2010, Adam Grossman wrote: > hello, > > i just built fips 1.2, and then built a FIPs capable OpenSSL 0.9.8l as a > shared lib. I then took my application, added in FIPS_mode_set(1), and > it passed. But then i realized i did not switch over in my make file to > use "CC=fipsld"

Re: BIO_do_connect() strange return

2010-03-11 Thread Dr. Stephen Henson
On Thu, Mar 11, 2010, Bin Lu wrote: > It is running on Linux with openSSL 0.9.8d. > Ah that's pretty old. I'd suggest trying 0.9.8m. That includes proper non-blocking I/O support for OCSP with the new function OCSP_sendreq_nbio(). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer.

Re: WG: OCSP response signature verification

2010-03-12 Thread Dr. Stephen Henson
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote: > Hi everyone, > > we are currently trying to verify an ocsp response. > The return is "Response verify OK" but we need to verify the signature > algorithm of the response signature. > We tried putting the response into an DER and

Re: WG: OCSP response signature verification

2010-03-12 Thread Dr. Stephen Henson
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote: > I forgot to write, which versions are used. > For the client we are using 0.9.8L. But we also tested with M. > We are not sure about the responders but we are trying to find out. > Oops, there was a bug in the print routine whic

Re: WG: OCSP response signature verification

2010-03-12 Thread Dr. Stephen Henson
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote: > Ah! That's exactly the point, where I tried to edit the code and recompile > it. But every time I tried to I became an error in make complaining about > [link_app.] and a false call of 'main' in _start... > > Can I just replace

Re: openssl0.9.8l on Netware 6.5 - problems

2010-03-15 Thread Dr. Stephen Henson
On Mon, Mar 15, 2010, Raghuveer, Nithin (BIO-DP) wrote: > Hi, > > I am trying to build openssl 0.9.8l libraries for netware 6.5. > > Initially, I tried building with the gnu compiler recommended in INSTALL.NW - > it did not work. > I modified the set_env.bat to use Watcom that was installed on

Re: Build problem, Mingw/MSYS, 1.0.0-beta5

2010-03-15 Thread Dr. Stephen Henson
On Tue, Mar 09, 2010, Wolfgang Pupp wrote: > I was trying to build openssl-1.0.0-beta5, shared, with MSYS/Mingw > (under Windows 7, 32 bit), with > $ perl Configure mingw shared > $ make > > libeay32.dll and ssleay32.dll were still successfully linked, but then > the compilation failed in the eng

Re: What is RAND_screen for ?

2010-03-16 Thread Dr. Stephen Henson
On Tue, Mar 16, 2010, Mathieu Malaterre wrote: > Hi there, > > I am looking at an old piece of code: > > http://cpansearch.perl.org/src/SAMPO/smime-0.7/smimeutil.c > > ... > #ifdef WINDOWS > LOG_PRINT("RAND_screen..."); > RAND_screen(); /* Loading video display memory into random state */

Re: Problem with ENGINE_cleanup with OpenSSL and PKCS11 engine

2010-03-17 Thread Dr. Stephen Henson
On Wed, Mar 17, 2010, Cesar Henrique Keiti Kuroiwa wrote: > Hello > > We are trying to use the PKCS11 engine for OpenSSL to interface with a > smart card reader "Gemplus GemPC Twin 00 00". We are having some > trouble when trying to retrieve the private from a smart card to > decrypt

Re: Backward compatibility of private key files?

2010-03-17 Thread Dr. Stephen Henson
On Wed, Mar 17, 2010, Mark Spruiell wrote: > Using OpenSSL 1.0b5, I generated a self-signed CA certificate and then > created a key pair using commands like this: > > openssl req -config ssl.cnf -newkey rsa:1024 -passout pass:password \ > -keyout key.pem -keyform PEM -out tmp/req.pem > openss

Re: Backward compatibility of private key files?

2010-03-17 Thread Dr. Stephen Henson
On Wed, Mar 17, 2010, Mark Spruiell wrote: > Thanks, that seems to fix it. > > One more thing: when I was looking for a solution to this issue, > I tried to convert the private key into the old format. I thought I > could do it with a command like this: > > openssl pkcs8 -in key.pem -out oldkey.

Re: way to get X509 cert from CMS

2010-03-17 Thread Dr. Stephen Henson
On Wed, Mar 17, 2010, Chris Bare wrote: > Is there a API to extract the X509 cert(s) from a CMS_ContentInfo object? > > Looking at the implementation of CMS_add0_cert() I see how to reach them, but > that function depends on things defined in cms_lcl.h, so I can't re-implement > it in my code. >

Re: What is RAND_screen for ?

2010-03-17 Thread Dr. Stephen Henson
On Wed, Mar 17, 2010, Mathieu Malaterre wrote: > On Tue, Mar 16, 2010 at 6:25 PM, Dr. Stephen Henson wrote: > > On Tue, Mar 16, 2010, Mathieu Malaterre wrote: > > > >> Hi there, > >> > >>  I am looking at an old piece of code: > >> > >>

Re: how do you create signatures in OpenSSL?

2010-03-17 Thread Dr. Stephen Henson
On Wed, Mar 17, 2010, Thomas Anderson wrote: > According to , you can > sign data with OpenSSL. My question is how? I tried to sign my > private key and got the following error: > > ubu...@ubuntu:~$ openssl rsautl -sign -in rsa.txt -inkey rsa.txt -out

Re: How to enable null cipher in openssl library build config?

2010-03-18 Thread Dr. Stephen Henson
On Thu, Mar 18, 2010, Vishal Rao wrote: > On 18 March 2010 10:09, Victor Duchovni > wrote: > > It is always enabled, no special compilation flags required. > > > > Applications have to enable NULL ciphers explicitly at runtime. Do not > > recompile with a broken DEFAULT cipher list, just configur

Re: Apache client certificate authentication

2010-03-20 Thread Dr. Stephen Henson
On Sat, Mar 20, 2010, Graham Leggett wrote: > On 2010/03/20 6:55 PM, Nuno Gonçalves wrote: > >> Questions: >> Is normal that firefox hangs when it doesn't have a valid certificate >> to provide? >> Openssl output looks OK?(or the error in the end is a exception?) > > I am not 100% sure of the deta

Re: PKCS7 - SubjectKeyIdentifier CHOICE in SignerIdentifier fails?

2010-03-22 Thread Dr. Stephen Henson
On Mon, Mar 22, 2010, Stef Hoeben wrote: > Hello, > > subjectKeyIdentifier [0] SubjectKeyIdentifier } > > Could it be that the SubjectKeyIdentifier CHOICE isn't supported here, > that the parser expects a IssuerAndSerialNumber only? > Yes the SKID option is not part of the PKCS#7 stand

Re: Public Key operation error

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, Thomas Guettler wrote: > Hi, > > I try to verify the file 'data'. The signature is in file 'sig' and the > public key in 'pub_key.pem' > > But it fails. Can someone please help me? What I am doing wrong? > > u...@host> bin/openssl pkeyutl -verify -in data -sigfile sig -p

Re: 4485:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, Konrads Smelkovs wrote: > Hello, > > I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which I > want to check OCSP response. > Root chain is added to root list. OpenSSL says all of it is OK: > Chain has three level architecture - Root which Signs OCSP & Poli

Re: getting FIPS information

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, Adam Grossman wrote: > hello. > > After FIPS_set_mode() passes, and i am in FIPS mode, is there anyway to > retrieve a version strings, such as "FIPS 1.2" or anything like that so > i can verify that the correct FIPS module is being used? > Not directly but the 1.2 module

Re: 4485:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, Konrads Smelkovs wrote: > Hi, > The OCSP responder has EKU=OCSP: > >X509v3 extensions: > X509v3 Subject Key Identifier: > 2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C > X509v3 Extended Key Usage: >

Re: Problems with SSL_shutdown() and non blocking socket

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, Darryl Miles wrote: > Claus Assmann wrote: >> It should probably be >> ssl_errno = SSL_get_error(ssl, rc); > > Ah yes you could be correct on that, please consult the SSL_get_error() > documentation for correct usage. > > >> but even then I get SSL_ERROR_SYSCALL and err

Re: 4485:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, Eisenacher, Patrick wrote: > Hi Steve, > > > -Original Message- > > From: Dr. Stephen Henson > > > > There are two automatic trust models for OCSP responder > > certificates. One is the CA key that signed the > > ce

Re: Revised 1.0.0 release timeline?

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, Victor Duchovni wrote: > > Last time I asked (around October 2009), the best guess was that 1.0.0 > would be released in by year end. Then the whole renegotiation mess hit, > and priorities changed... > > Is there a new estimated release timeline? I'd like to use 1.0.0 for

Re: what are the minimal KeyUsage requirements for an OCSP-only, single-purpose cert?

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, PGNet Dev wrote: > I'm planning to run openssl ocsp in server mode, > > openssl ocsp \ > -index /svr/demoCA/index.txt \ > -port \ > -CA /svr/demoCA/certs/CA/CA.cert.pem \ > -rsigner /svr/demoCA/crl/OCSP.cert.pem \ > -rkey /svr/demoCA/crl/OCSP.privkey.pem \ > -tex

Re: what are the minimal KeyUsage requirements for an OCSP-only, single-purpose cert?

2010-03-23 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, PGNet Dev wrote: > hi, > > On Tue, Mar 23, 2010 at 4:56 PM, Dr. Stephen Henson wrote: > >> Which, if any/all, of the "Digital Signature, Non Repudiation, Key > >> Encipherment" KeyUsage specifications are required, if this cert w

Re: getting both "OCSP Response Status: successful" and an "Response Verify Failure" error ?

2010-03-24 Thread Dr. Stephen Henson
On Tue, Mar 23, 2010, PGNet Dev wrote: > testing an ocsp query to a local openssl ocsp 'server', > > openssl ocsp \ > -issuer /svr/demoCA/certs/CA/CA.cert.pem \ > -cert /svr/demoCA/certs/domains/testdomain.cert.pem \ > -url http://localhost: \ > -resp_text > > i get what seems to be a "s

Re: 4485:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148:

2010-03-24 Thread Dr. Stephen Henson
On Wed, Mar 24, 2010, Rob Stradling wrote: > On Tuesday 23 March 2010 18:40:58 Dr. Stephen Henson wrote: > > On Tue, Mar 23, 2010, Eisenacher, Patrick wrote: > > > Hi Steve, > > > > > > > -----Original Message- > > > > From: Dr. Stephen H

Re: Extract DER of RecipientInfos from CMS

2010-03-24 Thread Dr. Stephen Henson
On Wed, Mar 24, 2010, Michael Strder wrote: > HI! > > Is there an API function in OpenSSL which extracts only the DER blob of > RecipientInfos from a CMS message (needed for encrypted S/MIME message). Or > has that to be done low-level with ASN.1 parser? > No you can't extract the received enco

Re: Need help on: openssl pkcs12 --- avoid or in batch mode

2010-03-24 Thread Dr. Stephen Henson
On Wed, Mar 24, 2010, John Chen wrote: > Hi guys, > > > > I am still searching for the answer of batch mode on openssl pkcs12 but > no luck. > > Is anyone can help me a work around way to avoid > > > > Enter Export Password: > > Verifying - Enter Export Password: > > > > > > Above

Re: Error: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN when using verisign intermediate certificates

2010-03-29 Thread Dr. Stephen Henson
On Mon, Mar 29, 2010, Lia Ipe wrote: > Hi, > > > I couldn't find sufficient information on this from the online openssl man > pages, or in any of the discussion forums, so I was hoping someone here > would be able to clarify. > > > > I am using openssl as part of my application for verifying

Re: OpenSSL 1.0.0 and FIPS

2010-03-30 Thread Dr. Stephen Henson
On Tue, Mar 30, 2010, Gatewood (Woody) Green wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: RIPEMD160 > > Given the response... > > Is there intention that the 0.9.8 branch be maintained past the 'n' > patch release for any future discovered security issues either in > openssl-0.9.8 code or

Re: S/MIME interop issue with Outlook 2010 beta

2010-03-30 Thread Dr. Stephen Henson
On Tue, Mar 30, 2010, Michael Strder wrote: > HI! > > Someone sent me an encrypted S/MIME message which I could not decrypt in > Mozilla's Seamonkey. Trying to determine the cause for that I wanted to look > at the RecipientInfos structure with OpenSSL 0.9.8k shipped with openSUSE > Linux 11.2 an

Re: S/MIME interop issue with Outlook 2010 beta

2010-03-30 Thread Dr. Stephen Henson
On Tue, Mar 30, 2010, Michael Strder wrote: > Dr. Stephen Henson wrote: > > On Tue, Mar 30, 2010, Michael Strder wrote: > >> Someone sent me an encrypted S/MIME message which I could not decrypt in > >> Mozilla's Seamonkey. Trying to determine the cause for that I

Re: S/MIME interop issue with Outlook 2010 beta

2010-03-30 Thread Dr. Stephen Henson
On Tue, Mar 30, 2010, Dr. Stephen Henson wrote: > On Tue, Mar 30, 2010, Michael Strder wrote: > > > Dr. Stephen Henson wrote: > > > On Tue, Mar 30, 2010, Michael Strder wrote: > > >> Someone sent me an encrypted S/MIME message which I could not decrypt in >

Re: Random Numbers

2010-03-31 Thread Dr. Stephen Henson
On Tue, Mar 30, 2010, Anthony Gabrielson wrote: > Hello, > > I've been searching around and I'm not finding much on > OpenSSL and random numbers. I'm trying to figure out how to best use > RAND_bytes and RAND_pseudo_bytes; do I still need to worry about entropy or > does OpenSSL

Re: Random Numbers

2010-03-31 Thread Dr. Stephen Henson
On Wed, Mar 31, 2010, Anthony Gabrielson wrote: > > Hello, > > I'm actually writing a Matlab toolbox that uses OpenSSL. I put together a > function, actually its really heavily based on the OpenSSL book, that > generates random keys and IV. Anyway, I wasn't comfortable with how I was > seeding

Re: setting an SSL_accept(...) timeout

2010-04-04 Thread Dr. Stephen Henson
On Sun, Apr 04, 2010, Adam Grossman wrote: > hello, > > is there a way i can set a timeout for an SSL_accept, either if the > handshake does not complete within X seconds (prefered), or even if it > is waiting on a blocking socket and no data comes in for X seconds. I > know i can use alarms, bu

Re: SSL algorithms vs. all algorithms...

2010-04-06 Thread Dr. Stephen Henson
On Tue, Apr 06, 2010, Victor Duchovni wrote: > > http://cvs.openssl.org/chngview?cn=19536 > > -SSL_library_init() only registers ciphers. Another important initialization > -is the seeding of the PRNG (Pseudo Random Number Generator), which has to > -be performed separately. > +SSL_libra

Re: SSL algorithms vs. all algorithms...

2010-04-07 Thread Dr. Stephen Henson
On Wed, Apr 07, 2010, Sad Clouds wrote: > On Tue, 6 Apr 2010 21:17:01 +0200 > "Dr. Stephen Henson" wrote: > > > Well that actual manual page is rather old and it still talks about > > PRNG initialisation which dates from the time OpenSSL didn't handle >

Re: Problem building OpenSSL version 1.0.0 using no-tlsext flag

2010-04-07 Thread Dr. Stephen Henson
On Wed, Apr 07, 2010, Kaila, Ashish wrote: > > Hi, > > I made the following changes in ssl.h (have indicated the changes with a > comment //added this) > > #ifndef OPENSSL_NO_TLSEXT //added this > /* TLS extensions functions */ > int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_

Re: SSL error: parse tlsext

2010-04-07 Thread Dr. Stephen Henson
On Wed, Apr 07, 2010, Florent Georges wrote: > Hi, > > I am using openssl from within neon, itself used from within > Subversion. During an svnsync, I receive the following error > message: > > svnsync: PROPFIND of '/svn/xxx': SSL negotiation failed: SSL > error: parse tlsext (https

Re: SSL error: parse tlsext

2010-04-07 Thread Dr. Stephen Henson
On Wed, Apr 07, 2010, Florent Georges wrote: > Dr. Stephen Henson wrote: > > Thanks for your fast response! > > > That looks like it is only part of the actual error code. > > That's all I have. I guess either Subversion or Neon truncates > the error

Re: openssl-0.9.8n and openssl-fips-1.2 ERR_peek_last_error failure

2010-04-08 Thread Dr. Stephen Henson
On Thu, Apr 08, 2010, Gatewood (Woody) Green wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: RIPEMD160 > > Setup: > > Built openssl-fips-1.2 per the Security Policy. > Built openssl-0.9.8n with the fips option > > Notes: > > Successfully built "FIPS-ified" version of wget, curl/libcurl, li

Re: Extracting RSA public key from private key

2010-04-10 Thread Dr. Stephen Henson
On Sat, Apr 10, 2010, Julien Kauffmann wrote: > Hello, > > I need to extract the RSA public key from a RSA private key using OpenSSL. > > I'm currently using |RSAPublicKey_dup()| passing the |RSA*| private key to > get the public key. However, while the call seems to work, I cannot load > (or us

Re: 1.0.0 EVP_PKEY_assign_RSA() segfault

2010-04-13 Thread Dr. Stephen Henson
On Mon, Apr 12, 2010, Kenneth Goldman wrote: > > I have some fairly basic code that is now segfaulting reliably with 1.0.0. > It has worked for years with all 0.9.8 releases. > > 1 - Did something change that I should know about? Before I compile > openssl for debug and step through it, is ther

Re: problem verifying OCSP signature

2010-04-13 Thread Dr. Stephen Henson
On Tue, Apr 13, 2010, Chris Bare wrote: > This command works: > > openssl ocsp -issuer issuer.pem -VAfile trusted_dir/ocsp_signer.pem -url > http://ocsp.test.com -cert cert.pem -resp_text > > but this fails: > openssl ocsp -issuer issuer.pem -CApath trusted_dir -url http://ocsp.test.com > -cer

Re: Extracting RecipientInfos/DER from S/MIME message

2010-04-14 Thread Dr. Stephen Henson
On Wed, Apr 14, 2010, Benjamin Amling wrote: > Hello, > > is it possible to extract the DER blob from the RecipientInfos-part of a > S/MIME message? I tried the following steps already but couldn't manage > to get what I want: > > *

Re: problem verifying OCSP signature

2010-04-14 Thread Dr. Stephen Henson
On Tue, Apr 13, 2010, Chris Bare wrote: > > Additional candidate signer certificates need to be included in the > > -verify_other option. > > > > If the OCSP signing certificate is self signed then it needs to be > > explicitly > > trusted which is the -VAfile option if you use that it will als

Re: How to decrypt PKCS7 structures

2010-04-15 Thread Dr. Stephen Henson
On Thu, Apr 15, 2010, Phillip Hellewell wrote: > Apparently PKCS7_decrypt() only works on enveloped data. How can I decrypt > a PKCS7 of type signedAndEnveloped or encrypted? > Signed and enveloped isn't supported and hardly anyone implements it any more. BTW you are best using the CMS functio

Re: Information wanted on OpenSSL cipher alias HIGH, MEDIUM and LOW.

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, Bhat, Jayalakshmi Manjunath wrote: > Hi Sandeep and Adam Langley, > > Thank you very much. But I did not find where the aliases LOW,MEDIUM and > HIGH are defined. I wanted to know where they are defined in OpenSSL? > Don't send this to openssl-dev it is a users question.

Re: unable to load private key

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, digitalderik wrote: > > Hi there > I've copied and pasted an rsa private key that i need to use with openssl. > However when i run any commands that use the private key like the command: > $openssl rsautl -sign -in textfile -inkey privatekey.pem -out result.txt > i get: unab

Re: engine_pkcs11 and openssl.cnf

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, Dimitrios Siganos wrote: > Hi, > > I have used openssl-1.0.0 and engine_pkcs11 for storing an rsa private key > in a smartcard (feitian epass 3000). I got openssl to access the rsa > private key and used it to create a self-signed certificate like this: > > openssl > > OpenS

Re: engine_pkcs11 and openssl.cnf

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, Dimitrios Siganos wrote: > Dr. Stephen Henson wrote: >> On Fri, Apr 16, 2010, Dimitrios Siganos wrote: >> >>> Now, I would like this engine to install automatically i.e. without >>> having to run the engine command. I tried adding

Re: SSLv23_method in OpenSSL 1.0.0

2010-04-19 Thread Dr. Stephen Henson
On Sun, Apr 18, 2010, Luigi Auriemma wrote: > Hey, > > I have noticed that a client ssl connection initialized with the > classical SSLv23_method no longer works in OpenSSL 1.0.0. > > This has been tested on both Windows (mingw) and Linux and both > connecting to a v2 and v3 server with the same

Re: possible user error / memory leak using RSA_new() and RSA_free();

2010-04-19 Thread Dr. Stephen Henson
On Mon, Apr 19, 2010, Stuart Weatherby wrote: > Hi List, > > I am trying to figure out why there is a memory leak using RSA_new & RSA_free: > Below is a code sample (which will produce a memory leak) and the relevant > valgrind output. I have checked the documentation but I still fail to see my

Re: possible user error / memory leak using RSA_new() and RSA_free();

2010-04-19 Thread Dr. Stephen Henson
On Mon, Apr 19, 2010, Stuart Weatherby wrote: > Thanks Steve, > > After commenting out lines 24 & 25 there is still unfree'd memory: > http://www.openssl.org/support/faq.html#PROG13 Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http:

Re: does OpenSSL 1.0.0 provide TLS 1.1 support?

2010-04-20 Thread Dr. Stephen Henson
On Tue, Apr 20, 2010, Charlie Crowe wrote: > Hi, > > Does OpenSSL 1.0.0 provide full TLS 1.1 support? I tried to look through > the OpenSSL 1.0.0 documentation, but it seemed only partial support for TLS > 1.1 is available in 1.0.0. > > If full support for TLS 1.1 is not in OpenSSL 1.0.0, then

Re: CRL lookup in 1.0.0 - bug ?

2010-04-22 Thread Dr. Stephen Henson
On Thu, Apr 22, 2010, Jan Gillar wrote: > Hi, > I have a problem with retrieving CRLs with my custom lookup method. With > 0.9.8h it is working as expected but with 1.0.0 I'm still getting > X509_V_ERR_UNABLE_TO_GET_CRL. I found that CRL is successfully retrieved > with X509_STORE_get_by_subject c

Re: BIO_do_handshake() little help wanted

2010-04-24 Thread Dr. Stephen Henson
On Sat, Apr 24, 2010, Modem Man wrote: > Dear all, > > I'm fiddling since two days with BIO_do_handshake(), and always have no > luck. > I'm afraid, it's time to cry for help now. > > *Short description:* > After BIO_do_handshake() always returns -1, I always get the message: > /error:1408A0C1:S

Re: bad characters encoded on ssl logs coming from x509 cert

2010-04-27 Thread Dr. Stephen Henson
On Tue, Apr 27, 2010, Luis Neves wrote: > Hi to all, > > I have this data on ssl_error_log, coming from a client certificate > > [Fri Apr 23 14:13:26 2010] [debug] ssl_engine_kernel.c(1219): > Certificate Verification: depth: 2, subject: /CN=Cart\\xC3\\xA3o de > Cidad\\xC3\\xA3o 001/OU=ECEstado

Re: non-blocking problem

2010-04-27 Thread Dr. Stephen Henson
On Tue, Apr 27, 2010, piper.guy1 wrote: > Hi again, > > I'm trying to follow the instructions in the OpenSSL reference book, > and their example code from their site for setting a socket to > 'non-blocking'. > > Before I made any changes, I was working with good code that was > making secure con

Re: bad characters encoded on ssl logs coming from x509 cert

2010-04-28 Thread Dr. Stephen Henson
On Wed, Apr 28, 2010, Phillip Hellewell wrote: > On Tue, Apr 27, 2010 at 5:29 PM, Luis Neves wrote: > > > > As I think they are in DER format so I use > > openssl x509 -inform DER -in xx.cer -noout -text > > I was able to get it to output the characters correctly by adding > "-nameopt multil

Re: bad characters encoded on ssl logs coming from x509 cert

2010-04-29 Thread Dr. Stephen Henson
On Thu, Apr 29, 2010, Luis Neves wrote: > > Please Steve, > > Can you give me any clue on where can I fix this '\x' translation? Should I > post on Apache lists instead?. > is openssl/mod_ssl utf8 aware? I'm frustrated! It's Apache that is making the calls to deprecated functions so you shou

Re: Is it not possible to decrypt partial AES messages?

2010-05-05 Thread Dr. Stephen Henson
On Wed, May 05, 2010, Christina Penn wrote: > Hello David, > > Can you show me exactly how to break up my example code to make my example > work? I tried removing the EVP_DecryptFinal_ex from my DecryptMessage > function and just seeing if the first part would just decrypt the first 7 > bytes, bu

Re: PEM_read_bio_PUBKEY does not do the trick?

2010-05-06 Thread Dr. Stephen Henson
On Thu, May 06, 2010, heiko vonsachsen wrote: > Dear all, > attached a small code example which does not work... > > EVP_PKEY* pkey=PEM_read_bio_PUBKEY(mem,NULL,NULL,NULL) does not return any > value...can anybody please explain me why? I've spent hours without any > results! > thanks in advance
