unless somebody is gonna tap your LAN connection, I don't see a point in
using SSL. Generally its useful only when you want to send secure
application data over the internet. Intranets are safe esp ur 2 home
computers :).
thanks
--Gayathri
On Tue, Sep 11, 2012 at 11:36 AM, John A. Wallace
Hi John,
I definitely do not agree with charles's email, but what I think he meant
is, you need to write programs to use OpenSSL. Its an installable library,
which you need to invoke from your application using its exposed APIs and
recompile your code, link OpenSSL library and execute for it to
...@openssl.org] *On Behalf Of *Gayathri Sundar
*Sent:* Wednesday, September 12, 2012 10:07 AM
*To:* openssl-users@openssl.org
*Subject:* Re: openssl on a home LAN
Hi John,
I definitely do not agree with charles's email, but what I think he meant
is, you need to write
Hi All,
Have a basic ECC question, I have a predefined scalar K, and I used the
x9.62 256 prime curve. Invoking the scalar multiplication method
EC_POINT_mul with the generator of that curve, I get a different output,
when compared with wcurve of python.
The curve is fixed, K is fixed but the
Hi,
We are using OPEN SSL library in our client server application. We are
using SSL_WRITE and SSL_READ api used to read and
write operations between them. Connection is broken When server sends
very large message (more than 56K) using SSL_WRITE api.
We fixed problem with set
From: Gayathri Sundar [EMAIL PROTECTED]
Date: Fri, Feb 29, 2008 at 9:35 AM
Subject: [Fwd: Re: How to handle dead sessions with SSL_write]
Original Message
Subject: Re: How to handle dead sessions with SSL_write
From:Gayathri Sundar
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is used to thwart some CBC attacks.
check out this link for details
http://www.openssl.org/~bodo/tls-cbc.txt
Thanks
--Gayathri
Hi,
The client is configured with SSLv3_client_method.
*ctx = SSL_CTX_new(SSLv3_client_method());*
Whenever the client tries
Harshvir,
SO_REUSEADDR sock option has nothing to do with ur problem, please go thro
the socket ops man page to get a better understanding. First find out if ur
server code is a blocking i/o or non blocking I/O..if former then
connections will be handled sequentially..only after the 1st client is
I think the openssl src already has sample server and client programs which
are written in non blocking mode ..check wserver2.c if I am able to recall.
On Fri, May 6, 2011 at 2:42 PM, Graham Leggett minf...@sharp.fm wrote:
On 06 May 2011, at 9:23 PM, derleader mail wrote:
Can you show us
WireShark to see packets, then it shows
that machine has received the packet from client. But server dont show that
alert.
Thats why i think it could be some socket option which is affecting it.
// Harshvir
On Fri, May 6, 2011 at 5:37 PM, Gayathri Sundar suraj...@gmail.com wrote:
Harshvir
to make that as non blocking?
Thanks.
On Fri, May 6, 2011 at 6:03 PM, Gayathri Sundar suraj...@gmail.com wrote:
Harsh,
Okay from what I can understand, if you make ur underlying fd non blocking
then it would work fine. Blocking FDs, unless and until one client is
finished with its processing
:
Thanks for the reply Gayathri.
Do you mean to changing the sockets to non blocking, or when i create bio for
ssl to make that as non blocking?
Thanks.
On Fri, May 6, 2011 at 6:03 PM, Gayathri Sundar
suraj...@gmail.com wrote:
Harsh,
Okay from what I can
change the socket to non blocking, then my
current read write code will not work. i mean the one in which i use FD_SET
and select to perform operations.
Thanks.
// Harshvir
On Fri, May 6, 2011 at 10:33 PM, Gayathri Sundar suraj...@gmail.com wrote:
Harsh.,
If u have any specific
, 2011 at 6:03 PM, Gayathri Sundar
suraj...@gmail.com wrote:
Harsh,
Okay from what I can understand, if you make ur underlying fd non blocking
then it would work fine. Blocking FDs, unless and until one client is
finished with its processing the other client
Eric, you must be really kidding this time :), servers with this
architecture are susceptible to dos and what not..am sure for embedded
systems where memory is a big limiting factor the best would be async
design, also code becomes easily portable in future.
On Wed, May 11, 2011 at 10:39 AM, Eric
Can u share the parsed core file?
On Wednesday, May 11, 2011, Mani Suresh suresh84...@gmail.com wrote:
While executing the below code its coring randomly in two cases,
1) While executing the method SSL_library_init() in the constructor.
2) Coring while executing the call back method
can you give some specific cipher like rc4-md5 using the --cipher command
and see if it goes thro? maybe the 1st cipher suite sent by the client is
not available with the server or something..you can use mozilla and edit the
cipher suites in the advance tab or use openssl client connect command
You could hack ur client and server to use cipher null and see the
alert in clear..mostly should be digest failure.
On Monday, May 16, 2011, pradeepreddy pradeepreddy@gmail.com wrote:
Hi,
After lot of struggles, finally get rid of this error, but I cant tell the
reason, how was it
Alert 21 seems to be decryption failure.
Sent from my iPad
On May 16, 2011, at 6:12 AM, pradeepreddy pradeepreddy@gmail.com wrote:
Hi,
After lot of struggles, finally get rid of this error, but I cant tell the
reason, how was it rectified.
We installed our libs on a new machine.
Of Gayathri Sundar
Sent: Monday, 16 May, 2011 10:18
You could hack ur client and server to use cipher null and see the
alert in clear..mostly should be digest failure.
If you mean MAC failure (actually MAC-or-decryption-failure,
since they were combined to avoid possibly helping
as Neo Liu has pointed out, if you try to use memory bio pair for
communication, then its ur responsibility to read and write every byte
out the fd using tcp_send and recv() calls, as openssl would only read and
write into the bio. This approach is very very tedious and not sure if thats
the only
actually I would seriously recommend you read the OpenSSL book written by
Eric Rescorla, it discusses all the use cases of openssl, BIO, async/sync
usages..so that you get an idea of how OpenSSL itself works.
On Mon, May 23, 2011 at 6:02 PM, Neo Liu diablo...@gmail.com wrote:
I think you can
So finally u have agreed to my initial suggestion of state machines :)
The basic steps in terms of an algorithm are as follows
A. Create the ssl ctx and ssl obj
B. Create a pair of memory bios and attach them to the ssl obj, one is
for read and the other is for write.
C. Create the tcp fds and
, unknown
protocol
Thanks.
// Harshvir
On Wed, May 25, 2011 at 10:02 AM, Gayathri Sundar suraj...@gmail.com wrote:
So finally u have agreed to my initial suggestion of state machines :)
The basic steps in terms of an algorithm are as follows
A. Create the ssl ctx and ssl obj
B. Create a pair
Did you implement fd timeouts and appropriate cleanups after some
expiration? It's impossible for non blocking sockets to hang..so I am
assuming ur having a lot of unused fds on ur poll table.
On Friday, July 1, 2011, Harshvir Sidhu hvssi...@gmail.com wrote:
Hi,
I have implemented the state
Please dont expect much response to this question. Going thro the man pages
of openssl will have all the necessary answers you are expecting. Do your
homework before coding.
Thanks
--Gayathri
On Thu, Jul 14, 2011 at 8:17 AM, Amit Kumar amit.kumar...@gmail.com wrote:
Hi team,
I am using
strace is a unix command wherein u need to attach the process which is
linking with ur openssl library. It would tell the path from which all the
libraries are loaded (for that process) along with a ton of other info. You
would need to search the output of strace manually to figure out ur library
Hi,
First of all your question is really strange. Please check your client and
server settings as to which highest ssl version is enabled. Generally SSLv2
should be disabled and never negotiated.
The code your referring to is a piece of code that would be called when
sslv3 is negotiated during
-openssl-us...@openssl.org]
On Behalf Of Gayathri Sundar [suraj...@gmail.com]
*Sent:* Thursday, August 18, 2011 8:14 PM
*To:* openssl-users@openssl.org
*Subject:* Re: hi
Hi,
First of all your question is really strange. Please check your client and
server settings as to which highest ssl
Please read the RFC, it would clearly explain how the master secret is
derived, and from that how the read and write keys are derived. With that
you can get to know how to extract the read n write keys. Meanwhile the read
and write keys are available as part of the ssl object.
Check that structure
side program is running in C. JDBC clients will
establish the connection to the server. will the same Master key generated
in the cross platforms(JDBC client side)?
Any help will be great.
Thanks for your time,
Krishnamurthy
On Mon, Aug 22, 2011 at 9:03 PM, Gayathri Sundar suraj
--
*From:* owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org]
On Behalf Of Gayathri Sundar [suraj...@gmail.com]
*Sent:* Thursday, August 18, 2011 8:14 PM
*To:* openssl-users@openssl.org
*Subject:* Re: hi
Hi,
First of all your question is really strange. Please check your client
key. How i can get this in server side? is
there any code sample or snippet to get this key?
Krishna
On Tue, Aug 23, 2011 at 11:54 PM, Gayathri Sundar suraj...@gmail.com
wrote:
Master key is unique per session, and its same for both client and server,
thats the concept
did you try making use of non blocking fd? it cannot deadlock in if you use
that.
Thanks
--Gayathri
On Mon, Jan 16, 2012 at 10:17 AM, Nathan Smyth naf...@ymail.com wrote:
Just seeking advice/things to consider for deadlock (or 'wait') on a
SSL_Connect(). Unfortunately it stalls here, so
there be some issue with numerous SSL connections between the same
parties? Or maybe it's some threading issue - perhaps SSL has some special
considerations?
--
*From:* Gayathri Sundar suraj...@gmail.com
*To:* openssl-users@openssl.org
*Sent:* Monday, 16 January 2012, 16
Hi.,
Following is the comments written on s3_pkt.c before the function
ssl3_read_bytes
Return up to 'len' payload bytes received in 'type' records.
'type' is one of the following:
- SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
- SSL3_RT_APPLICATION_DATA
Thanks once again for the responses...I would like to add few more points
here..there seems to be a callback function (msg_callback) within the ssl_st
structure, which when registered by the application for a specific content
type,
SSL_read, seems to call that if a pkt of that content type is seen
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Schwartz
Sent: Friday, July 07, 2006 10:57 AM
To: openssl-users@openssl.org
Subject: RE: Does Openssl cache App data -- 2nd Try..
a. Does this msg_callback get executed after peek? or after read? if
What would happen if
openssl is starved of application data records and is fed only control messages?
Would it misbehave?
Thanks
--Gayathri
Thanks Marek, can you explain more on this MAC verification errors?
When I can ensure only control records are read by SSL_read, why should
I get such errors? Yeah, ur correct, I will discard application records ;)
(don't ask me how!!) but then openssl will work rite?
What I have to do next
Ok, what I meant is I will be removing the SSL record along with the app
data!!
So this should be fine right?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Salz
Sent: Friday, July 21, 2006 5:28 PM
To: openssl-users@openssl.org
Subject: RE:
Thanks Richard..but I was thinking only SSL RECORDS with Record Type APP
DATA
Contain application data!!! If I can ensure that only complete SSL Records
of Type
Handshake, Change cipher spec, and Alerts are given to OpenSSL, it can
process it rite?
This way how can openssl know that app data
Hi Marek.,
Thanks once again for the detailed response..
Me now have a few more doubts..
Does this read_mac_secret and write_mac_secret change with
Every md5 hash verification?
I am not able to locate the code which actually updates this tcp
Seq numbers and so on..what does this hash_update
Marek,
There seems to be no such function in openssl
(ssl3_record_sequence_update())!!
Can you pls tell where exactly this SSL sequence number is updated.
Thanks
--Gayathri
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Monday,
Thanks Marek..appreciate ur help..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Monday, July 24, 2006 4:04 PM
To: openssl-users@openssl.org
Subject: RE: Query On SSL Processing
Hello,
There seems to be no such function in openssl
Wonder why you need a pfd format!!
Does man openssl mean anything to you?
Now how could anyone respond to ur query??
First of all let us know what you want to use it for
Coz openssl commands are plenty..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Wow, I was thinking its Privacy Enhanced Mode!! ?? No?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mouse
Sent: Tuesday, August 01, 2006 6:47 AM
To: openssl-users@openssl.org
Subject: RE: What does PEM mean?
PEM = Privacy-Enhanced Mail.
Check out ssl/ssl_ciph.c to get an idea.
Thanks
--Gayathri
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Krishna Vennamaneni
Sent: Thursday, November 30, 2006 9:13 AM
To: openssl-users@openssl.org
Hi Folks.,
Am facing a persistent problem with Internet Explorer not able to talk to
SSL Server when configured with a DSA certificate. SSL CTX has the
set_tmp_dh_params enabled and the code looks pretty much correct as
Mozilla/Firefox/Opera is working fine with the exact same SSL Server
Can someone give me inputs on the function ssl3_mac, especially where it
is called s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
I need to know what p[wr->length] is pointing to and why we do a digest
update of 2 bytes from that.
The code is taken from s3_pkt.c function ssl3_write_bytes.
Thanks
I am wondering if the following scenario possible:
1) The server calls SSL_accept(). The underlying socket is in blocking mode
2) The client calls SSL_connect(). The underlying socket is in blocking
mode
3) SSL_connect() returns error.
4) The server does not notice this, and continues to wait in
its probably a shown as a data file coz its encrypted..how did you
generate the cert? U should be using a PKCS12 format for importing that
stuff into the browser/server..btw are you telling it from windows's
perspective?
Hi,
I have a SSL server application in which the certificate file is
Yes, I agree with you, but then why would the CLIENT get an ERROR?
2) The client calls SSL_connect(). The underlying socket is in blocking
mode
3) SSL_connect() returns error.
4) The server does not notice this, and continues to wait in SSL_accept().
if SSL_connect indeed has returned with
update?
Thanks
--Gayathri
Gayathri Sundar wrote:
Can someone give me inputs on the function ssl3_mac, especially where
it is called s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
I need to know what p[wr->length] is pointing to and why we do a
digest update of 2 bytes from that.
The code
with respect to the current thread. So I will
send a new post for that.
Thank you everyone for responding.
~ Urjit
- Original Message -
From: Gayathri Sundar [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, March 29, 2007 1:02 PM
Subject: RE: SSL_connect and SSL_accept
Yes, I agree
by SSL_accept() and SSL_accept() will now error out
saying it read invalid SSL handshake packet.
Now as I write down this whole thing, I wonder if even non-blocking
sockets can help.
Does it look more like a design issue ?
~ Urjit
- Original Message -
From: Gayathri Sundar [EMAIL PROTECTED
-
From: Gayathri Sundar [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Friday, March 30, 2007 9:25 AM
Subject: Re: SSL_connect and SSL_accept
I am quite clear with your problem and am not confused. The only point I
have been stressing from beginning is that SSL_connect due to WHATEVER
error
its always better to use BIO for easier migration in the future if for
some reason some enhancement/changes are to be done in your product. Also
while using SSL_set_fd, socket BIO is automatically created and attaches
to the TCP fd. What you can do is to create explicitly a read bio and a
write
Hi,
I'm trying to verify a cert chain against a trusted chain of cert, and
here's what i get
error 20 at 1 depth lookup:unable to get local issuer certificate
can someone shed some more light at the error, like
1) what does it mean
Its not able to find the CA that signed your
Whatever you have mailed is correct, but I believe the TLS 1.0 RFC explains
all these in details. Try reading 2246 from ietf.org.
Thanks
--Gayathri
Hi All
I have a general question about RSA Key Block.
The output of PRF with the master_secret to give us many keys. It
includes:
Hi All,
I am using EVP functions for AES encryption/Decryption. Please can any
one tell me how to find the exact AES encryption/decryption routines
called when do_cipher is invoked?
did you try single stepping using gdb or something? thats the easiest way
to find out..or checkout the cipher
Hi folks.,
I would like to know as an ssl server, when do I send a Hello request on
the wire? Based on what parameters should I trigger that? I have quite a
few questions based on this
A) Does the re-handshake happen on the existing tcp connection? i.e the
tcp connection over which the hello
Thanks marek, I didnt know abt the R option on s_server.
Is it possible to make IE renegotiate? I have a rather complex testing
requirement and I cannot test using s_client, somehow I need to ensure the
client triggers renegotiation. I got a KB on IE
http://support.microsoft.com/kb/265369
and
Hi There.,
Marek, hope ur reading this mail.
I am hitting a strange problem with Openssl. Recently I migrated from
OpenSSL-0.9.8a to OpenSSL-0.9.8d, from the release notes, I see that some
fixes have gone into cipher selection logic of OpenSSL.
Now for the same CLIENT HELLO message (same as in
Hi,
What I think is as its the application's responsibility to retry
the same openssl operation whenever it receives a WANT_READ or
WANT_WRITE, why cant we simply overwrite the buffer that is passed
to say SSL_write with the next payload that needs to be sent when we hit
that error code, in this
Original Message
Subject: Re: SSL_renegotiation using non block sockets
From:[EMAIL PROTECTED]
Date:Thu, June 2, 2005 8:41 pm
--
HI Lokesh.,
Thanks for the
Hi,
I am using Non Blocking sockets, and would like to
know the behaviour wrt SSL_renegotiation.
Once I make a call to do_handshake, as the FD is non
blocking it will return immediately with a success,
but from the application's point of view how will it come
to know that the renegotiation in
Original Message
Subject: RE:I am having a hard time getting SSL_Accept to work with a
non blocking socket From:Gayathri Sundar [EMAIL PROTECTED]
Date:Sun, June 5, 2005 11:33 pm
To: openssl-users@openssl.org
Hi,
while (((rc = SSL_accept(ssl)) <= 0) &&
       ((SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ) ||
        (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_WRITE)))
{
    /* as on wait application can do something else */
    do_other_stuff();
}
hope you have called
Original Message
Subject: Need help on NonBlock SSL Renegotiation
From:Gayathri Sundar [EMAIL PROTECTED]
Date:Thu, June 9, 2005 1:39 am
To: 'openssl-users@openssl.org
Hi there,
Can any body please tell me,
where can I find the answers to these questions?
Thanks
-Rohan
Original Message
Subject: Re: Queries over OpenSSL programs
From:Rohan Shrivastava [EMAIL PROTECTED]
Date:Wed, June 8, 2005
Original Message
Subject: Re: Reducing size of the OpenSSL library
From:Gayathri Sundar [EMAIL PROTECTED]
Date:Fri, June 24, 2005 12:05 am
To: [EMAIL PROTECTED
Hi.
Have you imported the CA of the client cert on the server side?
A verify depth of 1 has been set, which could mean that the client
cert is self signed? Can you set it to some higher value and try?
Also can you check whether the option SSL_VERIFY_FAIL_IF_NO_PEER_CERT?
It looks to me a
Hi Again.,
This is what I found from the log file you sent..is this pointing to the
same CA cert itcilo-ca.crt, I put it in ssl.crt ?
debug] ssl_engine_init.c(1112): CA certificate:
/C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO
CA/[EMAIL PROTECTED]
[Wed Jul 13 11:48:34 2005] [debug]
Hey can you try setting verify depth to Zero and not pointing to any CA cert
i.e SSLCACertificatePath pointing to null?
Thanks
--Gayathri
Hi Again.,
This is what I found from the log file you sent..is this pointing to the
same CA cert itcilo-ca.crt, I put it in ssl.crt ?
debug]
Hi.,
Have a small doubt on how the application needs to react for an
SSL_ERROR_SYSCALL. What do I have to do when I actually attempted
an SSL_READ and ended up with that error code, now should the operation
need to be retried based on errno or should this be regarded
as a fatal?
If it needs to be
Try using one of these two
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
in the command, btw u can get the whole list of options in man s_server
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Hi.,
I think that depends on the mode of SSL meaning blocking/non blocking,
If its the latter then you need to select again before calling the
2nd ssl shutdown and check whether the close notify from the peer is
received by checking the ssl_received_shutdown flag. If this flag is not
set, then
Gayathri Sundar wrote:
Hi.,
I think that depends on the mode of SSL meaning blocking/non blocking,
If its the latter then you need to select again before calling the
2nd ssl shutdown and check whether the close notify from the peer is
received by checking the ssl_received_shutdown flag
AFAIK, if a close notify is not sent, the ssl connection termination
is considered premature and the session cannot be reused. The
specification does not define it as a MUST, rather it is defined as a
SHOULD. If session reuse is not a necessary criteria (if your willing to
compromise
Hi Pankaj.,
This difference in the HTTP response header is very critical.
It influences the way in which the Client is going to behave.
In case of 1, as the Connection: Close header is sent as part of the
response, the http server will initiate the tcp teardown and need not
bother sending the
Forgot to mention that perhaps your client does not understand HTTP 1.1?
Check whether the redirect request came back to the server.
Hi Pankaj.,
This difference in the HTTP response header is very critical.
It influences the way in which the Client is going to behave.
In case of 1, as the
edit ur openssl.cnf to point to the correct ca certificate and its private
key..obviously the file is not the path that the cnf is looking at..
hi everybody, well finally get install openssl v0.9.8a, now when i try to
generate certificates to be used with freeradius (eap-tls or eap-peap) i use
Original Message
Subject: Re:Re: BIO_read is continuously returning -1
From:Gayathri Sundar [EMAIL PROTECTED]
Date:Wed, December 28, 2005 4:59 am
To: openssl-users@openssl.org
Hi there.,
Have some queries on the way IE is handling SSL Renegotiation.
1. Whenever IE receives a Client Cert req from the Server, say when it
is talking for the 1st time (IE gonna connect to this ssl server for the
very 1st time), it immediately closes the TCP connection abruptly by
sending a
I think you should load myside.com as well onto the browser..
as it is needed to verify part.myside.com.
Thanks
--G3
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Zaid
Sent: Sunday, February 12, 2006 5:33 AM
To: openssl-users@openssl.org
Subject:
Probably you can call the following
iRet = SSL_get_shutdown(pSSL);
if(iRet = 0) SSL_shutdown(pSSL);
This is because, SSL_shutdown writes data on the wire,
i.e the closure alerts..and if a FIN was received meanwhile,
you will catch a SIGPIPE..this piece of code, actually
saves me from this..
on (if you needed that).
-Kyle H
On 2/12/06, Gayathri Sundar [EMAIL PROTECTED] wrote:
Probably you can call the following
iRet = SSL_get_shutdown(pSSL);
if(iRet = 0) SSL_shutdown(pSSL);
This is because, SSL_shutdown writes data on the wire,
i.e the closure alerts..and if a FIN was received
Probably you can try the openssl verify command?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Julien ALLANOS
Sent: Monday, February 06, 2006 6:38 PM
To: openssl-users@openssl.org
Subject: Testing private key - public key consistency
Hello,
is there a
you can put CA2 as part of the revocation list?
if CA2 is part of the client's CRL, then it will automatically
be rejected..is this what you want?
Thanks
--G3
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Olaf Gellert
Sent: Tuesday, March 07, 2006 5:26 PM
I think verify depth of 1 will work only for self signed certificates,
in this case it wont work, you should override the default certificate
checking functions by registering ur own callback for this function
pointer in ssl_st.
int (*verify_callback)(int ok,X509_STORE_CTX *ctx)
as you already
Have you set the underlying FD to nonblocking (FIONBIO?)..I dont see why if the socket non
blocking flag is set, you should have this problem..it doesnt make
sense..
Thanks
--G3
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henry Yip
The accept could have failed for any reason such as
mismatch of ssl versions/ no matching ciphers/ untrusted certificate /
so check on the wire whats going on. From your code snippet,
am not sure what exactly setup_client_ctx() does or what ciphers
have been set on the server ctx..the SSL_METHOD
AFAIK, tcp read can return Zero, as numbytes read, and does not mean
that the fd is invalidated. I think you should use SSL_received_shutdown
or something which checks if any close has been initiated by the server..
Attempting write when a close was received will result in sigpipe..
I too faced similar problem when I pumped heavy data via smart bits..
this piece of code worked for me..btw the underlying bio in non blocking..
do {
    ERR_clear_error();
    nbytesread = SSL_read(pSSLObject,pBuffer,BufSize);
    if(nbytesread > 0) {
        totalbytesread += nbytesread;
        pBuffer =
.
thanks,Haridharan
On 4/20/06, Gayathri
Sundar [EMAIL PROTECTED]
wrote:
I too faced similar
problem when I pumped heavy data via smart bits..
this piece of code
worked for me..btw the underlying bio in non blocking..
do
{ ERR_clear_error(); nbytesread
what do you mean by decrypt a signed message? either u have to
decrypt the encrypted message, or rehash and check the msg digest i.e
the sha/md5 signature.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ambarish Mitra
Sent: Thursday, April 27, 2006 5:16 PM
did you try man ciphers?
EXP1024 has to work on 1024 bit key, which is why it is called so,
definitely they are stronger than normal EXP ciphers..once again EXP
ciphers are reduced in strength so that it can be exportable in US, and
I believe now there are no such restrictions..atleast thats what
Hi.,
Does openssl as such provide support for packet processing
from kernel..i.e what do I have to do to invoke SSL_read/write
from kernel..has anyone attempted this before.
Thanks
--Gayathri