On Thu, Feb 14, 2013 at 5:58 AM, Ashok C wrote:
> Hi,
>
> As part of implementing certificate expiry related alarms for my SSL
> application, I would kindly require few suggestions and clarifications from
> the community.
Does that include OSCP checking? On a continuous basis? The CA will
not warr
Hi wenxue,
> Get hash failure
http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/1025761add9b41dc?
> NMAKE : fatal error U1077: 'c:\Perl\bin\perl.EXE' : return code '0x2'
> Stop.
On Windows, ERROR_FILE_NOT_FOUND is 0x0002.
Jeff
On Fri, Feb 15, 2013 at 7:21 PM, nys2013
On Mon, Feb 18, 2013 at 3:04 AM, Nick wrote:
> On Mon, 2013-02-18 at 00:37 +0100, Dr. Stephen Henson wrote:
>> That's because it is attempting to free up parts of a pointer that
>> haven't
>> been allocated with OPENSSL_malloc. See:
>>
>> http://www.openssl.org/docs/crypto/d2i_X509.html#WARNINGS
>
On Mon, Feb 18, 2013 at 7:58 AM, Nick wrote:
> On Mon, 2013-02-18 at 13:22 +0100, Dr. Stephen Henson wrote:
>> Here's what's happening in detail. If you pass a non-NULL pointer for
>> the
>> second parameter it will attempt to reuse the structure.
>>
>> In the case of the RSA structure the outer (
On Mon, Feb 18, 2013 at 8:31 AM, Nick wrote:
> On Mon, 2013-02-18 at 08:12 -0500, Jeffrey Walton wrote:
>> It looks like the GCC tool chain has let you down: "C/C++ Option to
>> Initialize Variables?",
>> http://gcc.gnu.org/ml/gcc/2013-02/msg00207.html.
>>
&
On Sun, Feb 17, 2013 at 10:02 AM, Jeremy Harris wrote:
> On 02/16/2013 10:51 PM, Dr. Stephen Henson wrote:
>>
>> So you could supply an application defined callback that just calls
>> X509_verify_cert too which keeps the current behaviour. If that call is
>> successful you can then note the chain
On Mon, Feb 18, 2013 at 2:38 PM, Jeffrey Walton wrote:
> Hi All,
>
> $ uname -a
> Linux ubuntu-12-x64 3.2.0-37-generic #58-Ubuntu SMP Thu Jan 24
> 15:28:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>
> Any ideas?
>
> jeffrey@ubuntu-12-x64:~/openssl-1.0.1e$ ./Configure l
On Thu, Feb 21, 2013 at 1:37 AM, Nick wrote:
> On Mon, 2013-02-18 at 08:56 -0500, Jeffrey Walton wrote:
>> > g++-4.7.2 -g -Wall -Wextra -Weffc++ -Wno-missing-field-initializers
>> > -Wctor-dtor-privacy -Wnon-virtual-dtor -Wreorder -Wold-style-cast
>> > -Woverloa
On Wed, Feb 20, 2013 at 4:10 PM, Andreas Mattheiss
wrote:
>
> s_client doesn't like pipes
This works well for me:
$ echo "GET / HTTP1.0" | openssl s_client -connect example.com:443
It looks like you need something more like a response file.
Jeff
___
On Fri, Feb 15, 2013 at 9:25 AM, Ashok C wrote:
> On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton wrote:
>> On Thu, Feb 14, 2013 at 5:58 AM, Ashok C wrote:
>> >
>> > As part of implementing certificate expiry related alarms for my SSL
>> > application, I woul
Hi All,
OpenSSL 1.0.1e is not loading Intel's hardware random number
generator. ENGINE_load_rdrand() silently fails:
/*** eng_rand.c ***/
void ENGINE_load_rdrand (void)
{
extern unsigned int OPENSSL_ia32cap_P[];
if (OPENSSL_ia32cap_P[1] & (1<<(62-32)))
{
ENGINE *toadd = ENGIN
On Mon, Mar 4, 2013 at 11:19 PM, Jeffrey Walton wrote:
> Hi All,
>
> OpenSSL 1.0.1e is not loading Intel's hardware random number
> generator. ENGINE_load_rdrand() silently fails:
>
> /*** eng_rand.c ***/
> void ENGINE_load_rdrand (void)
> {
> exter
Hi All,
I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
Android environment with cross compilation. Both the FIPS Object
Module and FIPS Capable library built and installed without much
effort.
I'm trying to build a simple command line application which statically
links to the
On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson wrote:
> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
>> Hi All,
>>
>> I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
>> Android environment with cross compilation. Both the FIPS O
On Sat, Jun 22, 2013 at 4:24 PM, Dr. Stephen Henson wrote:
> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
>> On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson
>> wrote:
>> > On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>> >
>> >> Hi All,
>
Hi All,
When linking to the FIPS Capable shared object, the program fails its
fingerprint check:
$ arm-linux-androideabi-gcc --sysroot="$ANDROID_SYSROOT"
-I/usr/local/ssl/android-14/include fips_hmac.c -o fips_hmac.exe
/usr/local/ssl/android-14/lib/libcrypto.so.1.0.0
$ adb push /usr/local/ssl/and
e the
makefile does not specify full pathnames:
sudo -E make install \
CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc \
RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib \
On Tue, Jun 25, 2013 at 8:46 PM, Jeffrey Walton wrote:
> Hi All,
>
> When linking to the FIPS
Hi All,
I'm trying to run OpenSSL through Clang's scan-build
(http://clang-analyzer.llvm.org/scan-build.html). According to the
page, I should be configuring and building a debug configuration (both
through scan-build).
Does OpenSSL supply a 'generic' debug configuration? Or should I use
Ben Laur
Hi All,
I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
then connected to api.pagepeeker.com, which uses StartCom.
When I use s_client and -CAfile, the verification completes
successfully. When I use c_client and SSL_CERT_FILE, verification
fails with "Verify return code: 19
supported
SSL-Session:
Protocol : TLSv1
Cipher: AES256-SHA
Session-ID:
Start Time: 1380749054
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
On Wed, Oct 2, 2013 at 4:56 PM, Jeffrey Walton wrote:
> Hi All,
>
> I
y works in real life? Or
is it more undocumented, broken cruft lying around?
Jeff
On Wed, Oct 2, 2013 at 4:56 PM, Jeffrey Walton wrote:
> Hi All,
>
> I fetched StartCom's ca-bundle from http://www.startssl.com/certs/. I
> then connected to api.pagepeeker.com, which uses StartCom
I'm trying to convert some scripts from OpenSSL 1.0.2 to OpenSSL 1.1.1d.
Configure is dying:
* Unsupported options: no-comp
--prefix=/home/jwalton/tmp/build-test
--libdir=/home/jwalton/tmp/build-test/lib
According to INSTALL at
https://github.com/openssl/openssl/blob/master/INSTALL, all
Hi Everyone,
I have a custom 15-android.conf that is used with a custom
setenv-android.sh. setenv-android.sh sets the environment and exports
the necessary variables for a cross-compile. 15-android.conf was
copied from the OpenSSL library, and then modified to avoid some
problems with the one supp
I'm testing the FIPS Capable OpenSSL library with nginx. nginx start a
master process which calls:
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
The master then starts a number of child processes. It does so by
forking without an exec (if I am reading the
, Jeffrey Walton wrote:
> I'm testing the FIPS Capable OpenSSL library with nginx. nginx start a
> master process which calls:
>
> SSL_library_init();
> SSL_load_error_strings();
> OpenSSL_add_all_algorithms();
>
> The master then starts a number of child proce
How does one verify use of AES-NI at runtime?
I know I can get 'capability' with:
crypto/evp/e_aes.c:#define AESNI_CAPABLE \
(OPENSSL_ia32cap_P[1]&(1<<(57-32)))
But grepping the sources for a runtime test does not produce anything
that looks useful:
$ grep -R -i AESNI *
and
On Sat, Jan 4, 2014 at 2:42 PM, Viktor Dukhovni
wrote:
> ... A substantive comment that argues that DANE adds
> nothing new to SMTP would begin by explaining in detail how SMTP
> to MX TLS security is possible without DNS data integrity (thus
> making it possible to not trust the root zone signatu
*) Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in opensl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
functions. Add manual page.
[Florian
Can anyone confirm that ENGINE_rdrand is no longer a default engine
(if available).
The change log does not mention it.
http://www.openssl.org/news/changelog.html (the ENGINE is not
mentioned anywhere, including the change from 1.0.1e).
Thanks in advance.
_
I can't seem to find information on using the hostname and email
verification functionality.
* SSL_CTX_set_verify does not discuss it
* www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
* No mention if it was rolled into SSL_VERIFY_PEER
* s_client does not have any new switches
* no
On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
wrote:
> On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
>
>> I can't seem to find information on using the hostname and email
>> verification functionality.
>>
>> * SSL_CTX_set_verify does not
On Tue, Jan 7, 2014 at 12:58 AM, Jeffrey Walton wrote:
> On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
> wrote:
>> On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
>>
>>> I can't seem to find information on using the hostname and emai
I'm trying to declare a BN_CTX on the stack (with a subsequent call to
BN_CTX_init) to stay out of the memory manager.
When I do, I get an error:
aggregate ‘BN_CTX’ has incomplete type and cannot be defined
I've included , so I'm kind of surprised I can't
compile. ( has some typedefs and com
n the source code.
Jeff
>
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on
> behalf of Jeffrey Walton [noloa...@gmail.com]
> Sent: 16 January 2014 20:28
> To: OpenSSL Users List
> Subject: Declare BN_CTX on stack (not BN_CTX*)
>
> I
On Fri, Jan 17, 2014 at 11:16 AM, Viktor Dukhovni
wrote:
> On Fri, Jan 17, 2014 at 09:57:00AM -0500, Jeffrey Walton wrote:
>
>> > BN_CTX_init() (deprecated) initializes an existing uninitialized
>> > BN_CTX. This should not be used for new programs. Use BN_CTX_new()
>
I'm having trouble retrieving the random method being used after a
call to FIPS_mode_set.
ENGINE_get_default_RAND is returning NULL, so I can't use ENGINE_get_name.
RAND_get_rand_method is returning a pointer, but its not supposed to
be used and it has not way to fetch a name.
There is a RAND_se
I'm having a heck of a time getting the SAN into a server's CSR.
I believe the relevant sections are:
[ req ]
req_extensions= server_req_extensions
[ server_req_extensions ]
subjectKeyIdentifier= hash
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, dig
On Fri, Jan 24, 2014 at 12:02 PM, Dr. Stephen Henson wrote:
> On Fri, Jan 24, 2014, Jeffrey Walton wrote:
>
>> I'm having a heck of a time getting the SAN into a server's CSR.
>>
>> ...
>> Any ideas what I'm doing wrong?
>
> Hmm... it isn'
I don't see a dumb mistake with this one
First, the CSR has multiple SANs:
$ openssl req -text -noout -verify -in servercert.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=XX, ST=XX, L=XX, CN=Test Server/emailAddress=t...@example.com
Subject P
On Fri, Jan 24, 2014 at 1:18 PM, Jakob Bohm wrote:
> On 1/24/2014 6:54 PM, Jeffrey Walton wrote:
>>
>> I don't see a dumb mistake with this one
>>
>> ...
>> [ signing_req ]
>> subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid
What is the name of the function to set the callback described below?
*) Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
su
> ... for >= TLSv1.2, protocol should be selected as SSLv23_method()?
Yes, but as Viktor pointed out, you also need:
options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 |SSL_OP_NO_SSLv2
Jeff
On Sat, Jan 25, 2014 at 10:40 AM, Devchandra L Meetei wrote:
> Just one more thing, for >= TLSv1.2,
>
> Protoco
I can create a CSR with the following:
$ openssl req -out ./test.csr -new -newkey rsa:2048 -nodes -keyout
./test.key -subj "/emailAddress=j...@example.com/CN=John Does/C=US"
However, the custom subject causes the CSR to lack other fields, like
State, Locality and Organization.
Is there a way to
On Wed, Jan 29, 2014 at 12:51 AM, Devchandra L Meetei wrote:
> when I run ./config, The final lines says following things
>
> "Since you've disabled or enabled at least one algorithm, you need to do
> the following before building:
>
> make depend
> "
> is there any way to check which algo
I know OpenSLL has DH_check and RSA_check_key.
Does OpenSSL have a generic key verification routine that can be used
for, say, any key in a EVP_PKEY?
Thanks in advance.
__
OpenSSL Project http://ww
I've set a servername callback using SSL_CTX_set_tlsext_servername_callback.
SSL_CTX_set_tmp_dh_callback(ctx, edh_cb);
SSL_CTX_set_tlsext_servername_callback(ctx, servername_cb);
I verified the callback was set in the context object:
gdb> p *server_ctx
...
client_cert_engine
OpenSSL has the following defined in thl1.h. They are used in
s_server.c for the SNI callback.
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_WARNING 1
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK 3
SSL_TLSEXT_ERR_OK 0 is self explanatory. It appears
SSL_TLS
I'm trying to remediate a couple of memory leaks on shutdown. I'm
having trouble: (1) locating a definitive guide that lists what should
be called during cleanup; and (2) what order they should be called in.
The closest I've find to answering the questions are (1) OpenSSL
source code; and (2)
http
d? Does order matter?
Jeff
On Mon, Feb 10, 2014 at 7:50 PM, Jeffrey Walton wrote:
> I'm trying to remediate a couple of memory leaks on shutdown. I'm
> having trouble: (1) locating a definitive guide that lists what should
> be called during cleanup; and (2) what order
ssl/ssl_ciphr.c has the following:
static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
ssl_comp_methods is allocated with SSL_library_init, but it does not
appear to be freed with any of the cleanup functions (ENGINE_cleanup,
CONF_modules_unload, EVP_cleanup, CRYPTO_cleanup_all_ex_data,
ERR_remove
(ssl_comp_methods);
ssl_comp_methods = NULL;
}
}
#endif
On Mon, Feb 24, 2014 at 9:40 PM, Jeffrey Walton wrote:
> ssl/ssl_ciphr.c has the following:
>
> static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
>
> ssl_comp_methods is allocated with SSL_library_init, but it does
On Wed, Feb 26, 2014 at 5:23 PM, Viktor Dukhovni
wrote:
> On Wed, Feb 26, 2014 at 04:41:33PM -0500, Jeffrey Walton wrote:
>
>> This worked well under Linux with GCC. It cleared the Valgrind squawks.
>
> Why is anyone obsessed about freeing memory that is assigned to
> static
What are the limits on PEM_write_RSAPrivateKey and EVP_CIPHER? Is it
possible to use 256-bit security levels with authentication tags?
I could not get "AES-256-HMAC-SHA-256" or "AES-256-CBC-HMAC-SHA1" to
work, and I could not get "AES-256-GCM" to work.
"AES-256-HMAC-SHA-256" and "AES-256-HMAC-SHA
I'm building a ca cert following .../demos/mkcert.c. The program is failing at:
X509_EXTENSION* ex4 =
X509V3_EXT_conf_nid(NULL, NULL, NID_subject_key_identifier, "hash");
err = ERR_get_error();
...
$ openssl errstr 0x22073072
error:22073072:X509 V3 routines:S2I_SKEY_ID:no public key
The publ
On Sat, Mar 1, 2014 at 1:14 AM, Viktor Dukhovni
wrote:
> On Sat, Mar 01, 2014 at 01:02:28AM -0500, Jeffrey Walton wrote:
>
>> X509_EXTENSION* ex4 =
>> X509V3_EXT_conf_nid(NULL, NULL, NID_subject_key_identifier, "hash");
>> err = ERR_get_error();
>&g
On Sat, Mar 1, 2014 at 7:29 AM, Dr. Stephen Henson wrote:
> On Sat, Mar 01, 2014, Jeffrey Walton wrote:
>
>> I'm building a ca cert following .../demos/mkcert.c. The program is failing
>> at:
>>
>> X509_EXTENSION* ex4 =
>> X509V3_EXT_conf_nid(NULL
I'm trying to add some key and certificate validation code to help
diagnose potential issues.
X509_verify allows me to verify an X509 and EVP_PKEY pair.
verify.c has certificate validation code, but it appears to work from
the file system (X509_STORE_add_lookup(), X509_LOOKUP_file(),
X509_LOOKUP_
Is there a list of EC curves to NIDs?
http://www.openssl.org/docs/crypto/EC_KEY_new.html and
http://www.openssl.org/docs/crypto/EC_GROUP_new.html discuss the
curves and the NIDs, but don't provide a list.
Or better, is there a function like EC_CURVE_by_name that returns a
nid given a curve like "
I've got a server that can't negotiate a cipher suite with a client
when using ECDSA certificates. When using ECDSA, the server reports
0x1408a0c1 (no shared cipher).
The same server can consume RSA and DSA certificates. (In fact, all
the public key and certificate routines are generic and only di
On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>
>> I've got a server that can't negotiate a cipher suite with a client
>> when using ECDSA certificates. When using ECDSA, the server reports
>
On Tue, Mar 4, 2014 at 10:03 AM, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
> wrote:
>> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>>...
>> What is in the (non-extended) keyUsage extension of the certificate?
>>
On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
>> wrote:
>> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>> >
>> >>
On Tue, Mar 4, 2014 at 11:46 AM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson
>> wrote:
>> > On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>> >
>> >> On Tue, Mar
On Tue, Mar 4, 2014 at 11:51 AM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 05:46:45PM +0100, Dr. Stephen Henson wrote:
>
>> > NistCurveToNidByBits(256) returns NID_X9_62_prime256v1. I also tried
>> > returning NID_secp256k1 with the same result.
>> >
>> > I'm setting up Wireshark now on ano
On Tue, Mar 4, 2014 at 11:46 AM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson
>> wrote:
>> > On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>> >
>> >> On Tue, Mar
On Tue, Mar 4, 2014 at 11:41 AM, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson wrote:
>> ...
>
> I'm setting up Wireshark now on another machine to get the trace.
The Wireshark trace is useless (to me) because its only displaying TCP
traffic (
On Tue, Mar 4, 2014 at 1:28 PM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 11:59:42AM -0500, Jeffrey Walton wrote:
>
>> > Perhaps the server's EC private key is not being set correctly, so it
>> > can't use the certificate.
>> Is there a way to tes
On Tue, Mar 4, 2014 at 12:34 PM, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 11:41 AM, Jeffrey Walton wrote:
>> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson
>> wrote:
>>> ...
>>
>> I'm setting up Wireshark now on another machine to get the tr
On Tue, Mar 4, 2014 at 1:33 PM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 12:34:22PM -0500, Jeffrey Walton wrote:
>
>> > I'm setting up Wireshark now on another machine to get the trace.
>>
>> The Wireshark trace is useless (to me) because its only di
On Tue, Mar 4, 2014 at 6:35 AM, Jeffrey Walton wrote:
> I've got a server that can't negotiate a cipher suite with a client
> when using ECDSA certificates. When using ECDSA, the server reports
> 0x1408a0c1 (no shared cipher).
>
> The same server can consume RSA and D
On Tue, Mar 4, 2014 at 2:00 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
>> Sent: Tuesday, March 04, 2014 12:34
>> ...
>
> but that reminds me: does your ECDSA cert have the publickey in
> named=OID format, NOT exp
On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> If that's the case, then that's probably it. Below is a sample.
>>
>> I've been using PEM_write_PKCS8PrivateKey and PEM_write_X509. What
>> doe
On Tue, Mar 4, 2014 at 3:26 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote:
>> ...
>> > It is stored in the private key when the key is generated. How did you
>>
On Tue, Mar 4, 2014 at 3:26 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote:
>> ...
>> >
>> int nid = ...
>> EC_KEY* key = EC_KEY_new_by_curve_name(nid)
I'm reading a private key from disk and trying to validate it. The key
was saved with OPENSSL_EC_NAMED_CURVE.
After reading the key from disk, I perform the following:
__
OpenSSL Project http://www.
On Tue, Mar 4, 2014 at 6:46 PM, Jeffrey Walton wrote:
> I'm reading a private key from disk and trying to validate it. The key
> was saved with OPENSSL_EC_NAMED_CURVE.
>
[sorry about that half-post]
Here's what I needed:
int EC_KEY_get_asn1_flag(const EC_KEY* key)
{
ASSER
I'm probably missing something really obvious here
I've got a couple of non-makefile based scripts to build my program.
The program is a mix of C and C++, so the FIPSLD_CC/fipsld does not
work due to c++ name mangling.
The scripts have a couple of variables:
FIPS_PREMAIN=`find $OPENSSLDIR -i
I'm have a cache of SSL_CTX's. When a SSL_CTX reference count drops to
1, I'd like to remove it from the cache. (1 means the cache holds the
only copy, so I should be able to remove it and call SSL_CTX_free).
Is it possible to retrieve the reference count on a SSL_CTX?
Thanks in advance.
I still have not found a solution to using OpenSSL with a C++ compiler.
fips_premain.c makes the following declarations. They lack 'extern
"C"', so I've got unresolved symbols:
extern const void *FIPS_text_start(), *FIPS_text_end();
extern const unsigned char FIPS_rodata_start[], FIPS_ro
On Sat, Mar 8, 2014 at 3:52 PM, Viktor Dukhovni
wrote:
> On Fri, Mar 07, 2014 at 06:16:33PM -0500, Jeffrey Walton wrote:
>
>> I'm have a cache of SSL_CTX's. When a SSL_CTX reference count drops to
>> 1, I'd like to remove it from the cache. (1 means the cache ho
On Tue, Mar 11, 2014 at 6:24 AM, ajay.sonawane wrote:
> I have downloaded FIPs 2.0 source code and openssl 1.0.1f source code. I m
> trying to build FIPS on Windows/MAC but not sure if I could build shared
> library of FIPS. If shared library is possible, what is the command line to
> build it ?
T
On Sun, Mar 16, 2014 at 5:49 AM, srikanth wrote:
> Hi,
>
> We are working on making our application FIPS 140-2 Compliant.
There's no such thing as FIPS Compliant. You use validated
cryptography, or you don't use validated cryptography.
If your marketing department calls your product FIPS
{Complia
On Sun, Mar 9, 2014 at 9:06 AM, Dr. Stephen Henson wrote:
> On Sun, Mar 09, 2014, Jeffrey Walton wrote:
>
>> I still have not found a solution to using OpenSSL with a C++ compiler.
>>
>> fips_premain.c makes the following declarations. They lack 'extern
>> &
On Tue, Mar 18, 2014 at 1:02 PM, axisofevil wrote:
> I dug into source - it's in DER format so a sleezy hacked function is this: (
> I use curve NID_X9_62_prime256v1 )
> ECDSA_SIG * sig
> BIGNUM * r;
> BIGNUM * s;
>
> /* A correct DER-encoded signatu
On Fri, Mar 21, 2014 at 8:06 PM, Thomas Leavy wrote:
> Is there any way to accomplish building OpenSSL FIPS under the iOS 7 sdk?
>
See the OpenSSL FIPS User Guide, Appendix E.2.
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf.
> I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using VMware. I
> tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1, no luck in any
> case.
> ...
> Any ideas why I can't do that with openssl?
Ubuntu disables TLS 1.1 and 1.2 in their version of OpenSSL. See, for
example, Op
On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek wrote:
> On 25.03.2014, at 17:44, Zack Williams wrote:
>
>> ...
>> 3. Is there a reason to not set a pathLen in the basicConstraints
>> section of the Root CA's (to 1, to allow a maximum of one layer of
>> CA's below the Root), but to do so on the I
On Mon, Mar 31, 2014 at 3:18 PM, Landen Landens wrote:
> My Mac still has OpenSSL 0.9.8. How may I update this to the latest stable
> version?
You can't because 0.9.8 and 1.0.1 are *not* binary compatible.
You can download OpenSSL, `./Configure darwin64-x86_64-cc`, `make`,
and then `sudo make in
On Tue, Apr 1, 2014 at 9:24 AM, Viktor Dukhovni
wrote:
> On Tue, Apr 01, 2014 at 05:37:05AM -0400, Jeffrey Walton wrote:
>
>> You can download OpenSSL, `./Configure darwin64-x86_64-cc`, `make`,
>> and then `sudo make install`. Your updated version will be located in
On Fri, Apr 11, 2014 at 2:20 PM, Ted Byers wrote:
> On Fri, Apr 11, 2014 at 1:23 PM, Steve Marquess
> wrote:
>> ...
>
> Have you checked out Google and Amazon's payment services? I have
> heard they exist, but haven't checked them out for cost (I may do so,
> and soon, as the Canadian bank's sup
On Sun, Apr 13, 2014 at 7:49 AM, Hanno Böck wrote:
> On Sun, 13 Apr 2014 13:12:41 +0200
> Graham Leggett wrote:
>
>> On 13 Apr 2014, at 12:25 PM, Hanno Böck wrote:
>>
>> > Is there any software out there that doees anything with heatbeat?
>> > And more specifically: If there is, is it using TCP
>> Just to clarify any possible confusion, whether or not a piece of software
>> actively uses the heartbeat makes no difference to the bug, you are still
>> vulnerable simply by virtue of the feature being there. Make sure that if
>> you are using an effected version of openssl, you patch openssl.
On Fri, Apr 18, 2014 at 12:24 PM, Floodeenjr, Thomas
wrote:
> Klocwork seems to have caught it:
>
> http://www.klocwork.com/blog/software-security/saving-you-from-heartbleed/?mkt_tok=3RkMMJWWfF9wsRolva7JZKXonjHpfsX56%2B4tX6CwlMI%2F0ER3fOvrPUfGjI4FTsZrI%2BSLDwEYGJlv6SgFSrbAMah1ybgNUxE%3D
>
It looks
RSA_print_fp eventually calls ASN1_bn_print (multiple times) with each
of the RSA parameters. ASN1_bn_print is shown below.
A couple of questions:
(1) why is the buffer 'buf' required for the function? What is its
size supposed to be? (I know 'BN_num_bytes(num)' is too small from a
seg fault, but
Are there any functions to determine the size of the preimage (i.e.,
plain text) that can be encrypted under RSA using various schemes
(e.g., no padding, PKCS#1.5, OAEP, etc)?
I know there's a RSA_size, but its not really helpful size it only
provides the size of the modulus in bytes.
Thanks in a
On Thu, Apr 24, 2014 at 1:49 PM, Bin Lu wrote:
> Thanks!
Ben Laurire checked it in recently (within the last week or so).
Until it makes it way into the the tar balls, I believe you should
try: https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest.
Jeff
___
According to
http://googleonlinesecurity.blogspot.com/2014/04/speeding-up-and-strengthening-https.html:
To make this happen, [we] began implementing new algorithms --
ChaCha 20 for symmetric encryption and Poly1305 for
authentication -- in OpenSSL and NSS in March 2013.
But I have no
On Sat, Apr 26, 2014 at 3:18 PM, Anant Rao wrote:
> I'm doing password encryption (and decryption) in Java. I need to port this
> to C.
> In Java, I'm doing this:
>
> PBEKeySpec ("somepassphrase", some_salt, some iterations, 128
> /*key_length*/);
> Algorithm is "PBKDF2WithHmacSHA1"
>
> If I gener
On Sat, Apr 26, 2014 at 5:12 PM, Matt Caswell wrote:
> On 26 April 2014 20:38, Jeffrey Walton wrote:
>> ...
>> There are no docs on it, but a patch is sitting in RT at
>> https://rt.openssl.org/Ticket/Display.html?id=3293&user=guest&pass=guest.
>> Download t
On Wed, Apr 30, 2014 at 3:04 AM, zyf01...@gmail.com wrote:
> This time the client hello and server hello is done,but when client key
> exchange the server reply Alert (Level: Fatal, Description: Protocol
> Version).Shows bellow, what wrong with this? And I kown this alert means
> the client is not
301 - 400 of 760 matches
Mail list logo