ve there’s a good reason for it.
> Anyway, thanks for your answer!
>
> Regards
> Matt
>
> On 18. 11. 2022, at 17:13, Kyle Hamilton wrote:
>
>
> X25519?
>
> On Mon, Nov 14, 2022, 05:23 ORNEST Matej - Contractor via openssl-users <
> openssl-users@openssl.org> wrote:
&g
X25519?
On Mon, Nov 14, 2022, 05:23 ORNEST Matej - Contractor via openssl-users <
openssl-users@openssl.org> wrote:
> Hi all,
>
>
>
> I need to implement support for X52219/X448 for DH key exchange (and
> Ed52219/Ed448 for DSA) elliptic curves in our project. I need to export
> public key for DH
>From a conceptual perspective, I think "creating a CSR" should be different
than "signing a CSR with a given keypair", and on that reason alone I'd
separate them, allowing some small code duplication.
The difference between "signing with a certified key" and "signing with its
own key" is really
An EE certificate is an "end entity" certificate, which identifies an
entity that isn't a certifier.
On Wed, Jul 21, 2021, 18:23 Thejus Prabhu wrote:
> Thanks for your reply Viktor. I would like to add that this is a self
> signed certificate created on the server. What is EE certificate?
>
>
>
Also, OIDs for extendedKeyUsage can be defined per-application, so
there's no way to compile a full list of them.
-Kyle H
On Fri, Jul 16, 2021 at 4:23 AM Viktor Dukhovni
wrote:
>
> > On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
> >
> > I am looking for openssl APIs to get all the OIDs
If he's trying to muck with the library, he's probably struggling with a
precompiled binary he doesn't have the source code to.
-Kyle H
On Thu, Mar 11, 2021, 11:48 Viktor Dukhovni
wrote:
> > On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
> >
> > I am searching for the functions in
If you get SSL_ERROR_WANT_WRITE, call the same function with the same
parameters and same buffer content immediately. (Same with
SSL_ERROR_WANT_READ.)
If you need to, stash those parameters in variables for ease of reference.
But don't do anything else on the SSL layer until you get a different
There's another reason why you'll want to close your socket with
SSL_close(): SSL (and TLS) view a prematurely-closed stream as an
exceptional condition to be reported to the application. This is to
prevent truncation attacks against the data communication layer.
While your application may not
Could this be dealt with by the simple removal of any caching layer
between an SSL_CTX and a directory processed by openssl c_rehash?
Would reading the filesystem on every certificate verification be too
heavy for your use case?
On Sun, Aug 30, 2020 at 7:20 PM Jordan Brown
wrote:
>
> Well, I can
I'm not sure I can follow the "in all cases it's important to keep the key
and cert in the same file" argument, particularly in line with openat()
usage on the cert file after privilege to open the key file has been
dropped. I agree that key/cert staleness is important to address in some
manner,
It is never recommended to upgrade you distribution's version of OpenSSL
with one you compile yourself. Doing so will often break all software
installed by the distribution that uses it.
If you need functionality from newer versions of OpenSSL, your options are
to upgrade your OS version, or to
(I'm not an OpenSSL developer, but I know enough of development
processes to explain what I see here. Actual OpenSSL developers
should correct me if I'm wrong.)
Most likely, yes this is currently expected. Since it's a dev branch,
not a release branch, it's not expected to have everything
for me.)
-Kyle H
On Sun, May 24, 2020, 14:59 Kyle Hamilton wrote:
> From glancing at the abstract, https://patents.google.com/patent/US5799086
> looks like it might be the one? It also says that it is expired,
> expiration having been anticipated on 2014-01-13.
>
> -Kyle H
>
>From glancing at the abstract, https://patents.google.com/patent/US5799086
looks like it might be the one? It also says that it is expired,
expiration having been anticipated on 2014-01-13.
-Kyle H
On Sun, May 24, 2020, 11:54 Salz, Rich wrote:
>
>- In any case, I am unaware of any
There are two ways to handle multiple authorizations needed:
1) Secret data is shared across multiple locations/holders, or
2) Secret data is stored in a trusted system which itself requires multiple
authorizations.
You could perhaps put together multiple trusted systems, each of which has
a
application/pkix-pkipath
Defined in RFC4366 (section 8) and RFC6066 (section 10.1)
PkiPath ::= SEQUENCE OF Certificate
Within the sequence, the order of certificates is such that the subject of
the first certificate is the issuer of the second certificate, etc.
(It's also defined in ITU-T
There is a format that puts all DER certificates into a single
DER-formatted structure. It is called PKIpath, and it's defined as
`SEQUENCE OF Certificate`. The problem with it is that its order was
standardized by X.509 2001 TC1 to begin with the root and continue to the
leaf, which is
If you need multiple certificates in a single DER structure, you're looking
for something to create a "PKIpath". I've never heard of curl requiring
such, though. Chances are it will handle the PEM chain just fine.
What curl command line are you trying to use?
-Kyle H
On Thu, May 21, 2020,
Is there a way to have OpenSSL's command line generate OCSP responses
for every entry in index.txt, without having to go through the process
of generating a blank (no-nonce, unsigned) request and then generating
a response to each one for each serial number therein?
-Kyle H
On a tangent, this file format (and order) was actually finally
standardized as "application/pem-certificate-chain" by RFC 8555
section 9.1 (the Automatic Certificate Management Environment
protocol, or ACME).
On Wed, May 6, 2020 at 2:59 PM Michael Wojcik
wrote:
> Get rid of the call to
Note: This is better asked on the CentOS support forums, since it asks
about changes that CentOS made to OpenSSL.
This is an unsupported configuration, and will be overwritten if you audit
or reinstall the crypto-policies package. Also, I haven't looked to see
where
32 bytes means you're signing using RSA-WITH-SHA-256, yes?
tbs is the digest value you calculated, tbslen is the size in bytes of
the digest.
-Kyle H
On Tue, Apr 7, 2020 at 1:07 PM Jason Proctor wrote:
>
> Esteemed cryptologists,
>
> Question regarding the "tbslen" parameter to the sign and
ssl_prefer_server_ciphers on;
On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan
wrote:
>
>
> On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
> michael.woj...@microfocus.com> wrote:
>
>> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
>> SSL_CTX_get_options(*ctx*) |
Be aware that you just posted your certificate's private key, and thus you
should regenerate a new keypair/certificate to use. Otherwise, anyone who
can manipulate traffic to your machine can execute a man-in-the-middle
attack.
-Kyle H
On Fri, Feb 14, 2020, 07:40 Jason Schultz wrote:
>
>
A CSR is self-signed to provide what's called "proof of possession" -- that
is, proof that the requester possesses the private key to the claimed
public key. It doesn't act as a CA in that case, because the CSR is not an
actual Certificate structure.
-Kyle H
On Thu, Jan 30, 2020, 18:26 Douglas
No, it's not possible,to use a webserver certificate to issue other
certificates of any kind. (Oh, it is technically possible with openssl to
create certificates which might seem valid on the surface -- just use the
webserver key to generate a self-signed CA certificate with the same
Subject as
OpenSSL is a toolkit, not a full implementation. More importantly, it is a
library, so anyone who can link against it can perform all operations that
the library can support, and the library has no concept of role separation
built in.
As such, the 'openssl' commandline tool allows the use of any
You might be able to set this in the equivalent of /etc/ld.so.conf and
rerun ldconfig(8), but those specific operations rely on the GNU dynamic
linker. The only clue that suggests it may be GNU's dynamic linker is the
LD_LIBRARY_PATH environment variable name. If it's not, you'll have to
look up
If a CA signs a certificate without proof of possession of the private key,
the CA is enabling whoever does have that private key to look as though
they are the one who they sign the certificate for (i.e., impersonation).
The entire structure of PKI (the binding of the public half of a keypair to
Also, on question b: No. You need to build a compatible version of openssl
as specified in the User Guide, and link that version. FIPS_mode_set()
tells the library to always and only use the implementations in the FIPS
canister; the canister does not replace the library entirely.
-Kyle H
On
Step a. needs to verified the digest with an existing FIPS 140-2 validated
cryptography implementation. Otherwise, to my understanding, this is the
correct sequence of events.
Do note that after building the fipscanister.lib, you will want to digest
it and print it on a certification letter that
> Good luck.
>>
>> -Kyle H
>>
>> On Mon, Jun 10, 2019, 03:34 Giovanni Fontana <
>> giovanni.fontan...@gmail.com> wrote:
>>
>>> The unmodified version works. As I said, it's sure the issue is on what
>>> I added, but info from the bui
issing are the following files:
>
>- libssl.map
>- libcrypto.so
> - libssl.so
>
>
> Il giorno dom 9 giu 2019 alle ore 19:30 Kyle Hamilton
> ha scritto:
>
>> Can you try building an unmodified version of the tarball, and see if it
>> has a problem?
Can you try building an unmodified version of the tarball, and see if it
has a problem?
-Kyle
On Sun, Jun 9, 2019, 07:31 Giovanni Fontana
wrote:
> Hello Kurt,
>
>
>- it's perl 5, version 26, subversion 1 (v5.26.1) built for
>x86_64-linux-gnu-thread-multi
>- ldd (Ubuntu GLIBC
That's a configuration issue with the servers, not an issue with the
openssl command itself.
There's no information on what the back-end HTTP server software is
being used. If it were Apache, there would be a ServerName directive
that could change the server's idea of what name it should refer
It appears you could create() a socket, bind() it to the interface you
want to use, possibly connect() it, and then pass it to either
BIO_s_connect() or BIO_s_socket() depending on which meets your needs.
-Kyle H
On Sat, Feb 9, 2019 at 7:21 AM Rajinder Pal Singh wrote:
>
> Thanks Mark for the
I would expect that correct results would be provided for all valid
inputs (including those inputs that are not otherwise constrained).
As such, I would class this as a bug in OpenSSL.
-Kyle H
On Mon, Jan 7, 2019 at 7:44 PM Patrick Steuer wrote:
>
> Dear Bo-Yin Yang,
>
> I looked into your
such degenerate cases.
Merry Christmas (or happy holidays!),
-Kyle H
On Sun, Dec 23, 2018 at 5:33 PM Viktor Dukhovni
wrote:
>
>
>
> > On Dec 23, 2018, at 6:01 PM, Kyle Hamilton wrote:
> >
> > You're right, I typoed. SubjectDN is non-optional. But it can, as
>
wrote:
>
>
>
> > On Dec 23, 2018, at 4:29 PM, Kyle Hamilton wrote:
> >
> > SubjectCN is an operational requirement of X.509, I believe.
>
> You're confusing the DN and the CN.
>
> > It's not optional in the data structure, at any rate.
>
> The subject
SubjectCN is an operational requirement of X.509, I believe. It's not
optional in the data structure, at any rate.
-Kyle H
On Sun, Dec 23, 2018 at 9:22 AM Michael Richardson wrote:
>
>
> Salz, Rich via openssl-users wrote:
> > Putting the DNS name in the CN part of the subjectDN has been
Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?
-Kyle H
On Sun, Dec 23, 2018 at 3:25 AM Walter H. wrote:
>
> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
> > > >. New certificates should only use the subjectAltName extension.
> >
> >> Are
Getting the key for any given communication from OpenSSL is definitely
doable if you're not using an engine. If you are using an engine, it may
or may not be even possible.
In any case, maintaining that key once you have it is definitely out of
scope of OpenSSL. As an app developer subject to
Because only showing the O= is insufficient, you also need to show the
jurisdiction the O= is based in. (In the case of Amazon, it's a Delaware
corporation.)
The fact that browsers are getting tricked into thinking EV doesn't help is
only because their UX designers refuse to allow the information
CAs *do* verify the attributes they certify. That they're not presented as
such is not the fault of the CAs, but rather of the browsers who insist on
not changing or improving their UI.
The thing is, if I run a website with a forum that I don't ask for money on
and don't want any transactions
Wireshark and other packet capture tools can help you determine
exactly what's in the chain sent by the client. If the self-signed
root isn't being sent, then the "self-signed certificate in
certificate chain" error should never have been sent, and a bug report
on that issue would be appropriate.
The DER (Distinguished Encoding Rules of ASN.1, which can be found in ITU-T
recommendation X.680 and X.681) requirement is that if a particular number
is positive, the highest-order bit can never be set (since the
highest-order bit is always the negative sign indicator). The rules further
explain
I thibk those are all the .asm modules. If they are, you'll probably want
to Configure with no-asm and rebuild in order to get the C implementations.
-Kyle H
On Wed, Nov 28, 2018, 01:07 Vinay Kumar via openssl-users <
openssl-users@openssl.org wrote:
> Hi All,
>
> The 32bit OpenSSL 1.1.0i
Generally, you don't want to replace any system-provided version of OpenSSL
with a different version that has a different ABI. The way you've done so
(without deleting the libraries from the older version) is safe, but don't
remove the system package of openssl-1.0.2. Other packages may link to
If subjectAltName exists, CN= is not evaluated. All the given
examples should work. (The only exceptions are validators that
haven't been current for more than 20 years.) None of the examples is
correct. CN= should not even be included in the certificate. If it
is, (d) is the closest to
...and once again FIPS screws those who don't want to adhere to its
mandates (which everyone in the know has always stated simply reduces
security by requiring the use of less-secure ciphers and implementations,
without allowing patches or modifications to deal with newly-discovered
classes of
Probably because the definition of X25519 requires that bits 0, 1, and 2 of
the first byte of the private key are set to 0 before being used, and
OpenSSL counts the number of bits including the highest-order set bit.
(Really, there's an additional 2 bits that are also set to known values:
bit 6 of
Generally, you *really* do not want to replace the vendor-provided
version. Vendors often alter things to be more compatible with their
ABIs, which are the binary interfaces that other programs use to link
to the vendor-provided libraries.
If you find you actually do want to, it's best to figure
> #$ openssl s_server -key privkey.pem -cert server.pem -accept 8446 -verify
> ca.pem
Change the '-verify' to '-CAfile' and it might work.
-Kyle H
On Sun, Mar 4, 2018 at 9:58 PM, salil GK wrote:
>
> #$ openssl s_client -cert tomcat.pem -key tomcat_priv.pem -CAfile
>
gt; On Tue, Feb 13, 2018 at 9:33 AM, Emmanuel Deloget <log...@free.fr> wrote:
>>
>> Hello,
>>
>> On Tue, Feb 13, 2018 at 7:14 AM, Kyle Hamilton <aerow...@gmail.com> wrote:
>>
>> > The only thing that the server can know is whether the client has
The only thing that the server can know is whether the client has
terminated the connection with a fatal alert. If the client validates
presented cert chains, then its continuation with the connection means
that it passed validation. If the client does not, or ignores any
given error, then it
On the algorithmic side of things, the ECDSA algorithm cannot encrypt.
It is signing-only.
In order to use Elliptical Curves to encrypt, you would have to use
the "Elliptical Curve Diffie-Hellman" algorithm to perform a key
agreement. This requires that both the sender and the recipient have
EC
It's important to note that NSS-based applications (such as Firefox)
will actually categorically refuse to connect to a site with an
Issuer/serial collision with another certificate it has seen before.
So yes, it can cause some applications to fail their SSL connections.
-Kyle H
On Tue, Jan 16,
On Mon, Dec 18, 2017 at 9:59 AM, Colony.three via openssl-users
wrote:
>
> Hear about the HP keylogging case recently? Do you think a keylogger is
> actually used in testing of a keyboard driver, in practice?
Yes.
More specifically, it's used to ensure that the
On Sun, Dec 17, 2017 at 3:58 PM, Salz, Rich via openssl-users
wrote:
>> If you follow Schnieder, elliptic curve is not an option.
>
> That’s interesting, you have a reference for that?
I'm guessing OP's referring to "Applied Cryptography, 2nd Edition".
There was one
SSL alert number 48 is specified in the documents that define SSL/TLS.
It is the code for "unknown_ca", which means that verification failed
because it didn't get set up with the correct CA to verify against.
You might wish to look up SSL_CTX_load_verify_locations(3). There may
also be other API
4Q? 8X? 1Z?
Those are not octets that can show up in serial numbers.
-Kyle H
On Fri, Dec 1, 2017 at 2:21 PM, FOURES TOM wrote:
> Hello,
>
> When I see SSL certificates, their serial number is like this :
> 0A:8D:9A:4Q:8X:1A:0B:88:18:1Z
>
> So, how could I set my serial
The -servername [host] is what causes the SNI extension to be sent. I
don't think its sending is put into the debug output. Do you really need it
there?
I'm pretty certain that s_server outputs it in debug output.
-Kyle H
On Nov 26, 2017 18:59, "John Jiang" wrote:
>
Use a publicly-trusted certification authority, such as Let's Encrypt.
The problem is from the remote side (it's sending the alert that it
does not recognize your certificate issuer).
-Kyle H
On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
wrote:
> On Sun, Nov 12,
What kind of stateful packet inspection are the NATs doing?
Can you run packet captures on each network that's being translated?
-Kyle H
On Thu, Nov 2, 2017 at 4:23 PM, Paul Greene wrote:
> Yes. I've made captures on both - the production client that I manage and
>
Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519?
-Kyle H
On Mon, Oct 23, 2017 at 3:24 PM, Jakob Bohm wrote:
> On 21/10/2017 15:38, Codarren Velvindron wrote:
>>
>> https://tls13.crypto.mozilla.org is using : The connection to this site is
>>
Important caveat: SSL_read() and SSL_write() don't directly return
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. Those values are returned
by SSL_get_error().
I apologize for the misstatement.
-Kyle H
On Sun, Oct 8, 2017 at 5:58 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> Do
7 4:17 AM, Kyle Hamilton wrote:
>>
>> The way to handle this situation is simply to never enter SSL_read() if
>> there isn't anything to read on the socket. select() or pselect() are
>> your
>> friends, here, because they'll tell you if there's data to read from the
>
The way to handle this situation is simply to never enter SSL_read() if
there isn't anything to read on the socket. select() or pselect() are your
friends, here, because they'll tell you if there's data to read from the
underlying file descriptor.
I hope this helps!
-Kyle H
On Oct 5, 2017
openssl x509 -noout -text -in clientcertificate.pem
You may need to extract the client certificate from wireshark, but you
could also get it from openssl s_server.
Specifically, that error message is suggesting that there's a message
digest encoded into the certificate which is unknown to the
On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore wrote:
>
> It's also worth pointing out that CAs are banned from running OCSP servers
> over HTTPS anyway and it isn't needed since the responses are already signed
> - http is fine.
That argument fails when you consider
Certificate serial numbers must be unique. They need not be sequential or
increasing. (Mozilla's NSS will complain and refuse to work if there are
duplicate serial numbers.)
I tend not to re-use keys, so I've found that putting 20 bytes (while
clearing the high bit) of a digest of the
The short answer is "no".
The long answer is, OpenSSL is not in the business of vetting trust roots.
Its business is ensuring that TLS-secured communications happen correctly
when it is used. If you want an 'endorsed' set of roots, you can find such
from other projects (that have no relation to
Every new version of TLS requires code to be written. Sometimes it can be
implemented in a binary compatible manner, and in those situations you can
get the implementation of a new TLS version by simply replacing a DLL or
equivalent dynamic library. However, it's much more likely that the
Enhancement request:
make 'pkcs12' support -inform and -outform.
On Mon, Mar 13, 2017 at 9:26 AM, Gary L Peskin wrote:
> Thanks VERY much Michael. That did the trick. This was a homegrown CA
> cert and I needed it to sign a certificate request for testing purposes.
>
>
>
You cannot keep the certificate from OpenSSL, as that's the piece that you
share with the remote side. This contains the public key, and the
information bound to that public key by the CA.
However, you can keep the private key from being seen by OpenSSL. There
exists what is called an ENGINE
disable O_NAGLE on the socket?
-Kyle H
On Sat, Dec 10, 2016 at 8:04 AM, Salz, Rich wrote:
> Heartbeats? Yuk, why.
>
>
>
> Most likely, TCP is buffering things until you get a big enough data
> packet. I don’t know how to address that.
>
> --
> openssl-users mailing list
>
On Thu, Sep 1, 2016 at 3:43 PM, Salz, Rich wrote:
> > The existence of the NSA agreement is a partial answer to the first
> question,
> > though it seems unclear if this license is recursively sublicensed
> through 3rd
> > parties or not.
>
> They knew they were licensing an
This is compiler-dependent, and because you didn't specify what platform
you're targeting or what compiler you're using, there's no way for us to
provide an answer. Check your compiler's documentation. GCC, for example,
provides software-emulated floating point for platforms without hardware
On 2/12/2016 2:03 PM, Steve Marquess wrote:
> On 02/12/2016 04:26 PM, Kyle Hamilton wrote:
>> I'm not seeing anything about openssl-fips-2.0.11 in
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
>> , so I'm not quite certain what its validati
I'm not seeing anything about openssl-fips-2.0.11 in
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
, so I'm not quite certain what its validation/certificate status is?
Also, is a new Security Policy in the works integrating the new HMAC
digests for the new versions of
My understanding is, you must follow the steps given in the Security
Guide *exactly*, with no deviation, in order to produce a validated
binary of the FIPS canister. In other words, you *must not* try to use
Configure when attempting to build the FIPS canister because it does not
match the steps
quot;./config tips" before run the Configure script, or should I just run
> "Configure fips" instead?
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <aerow...@gmail.com
> <mailto:aerow...@gmail.com>> wrote:
>
> My u
t;
> Thanks,
> Rich
>
>
> On Wed, Feb 10, 2016 at 12:57 PM, Kyle Hamilton <aerow...@gmail.com
> <mailto:aerow...@gmail.com>> wrote:
>
> ./config autodetects the platform and such, passing various
> parameters to Configure. So, after you've built the
On 2/10/2016 12:47 PM, Steve Marquess wrote:
> Since you're required to start with the official tarball, and aren't
> allowed to change the contents of the tarball, not even a teeny tiny
> little bit, there is no point in dumping the tarball contents into
> your local source code
On 2/9/2016 12:29 PM, Steve Marquess wrote:
> On 02/09/2016 03:19 PM, cloud force wrote:
>> Hello everyone,
>>
>> Would the FIPS Object Module v2.0 supposed to only work with the vanilla
>> openssl library? If I apply the security patches to the openssl library,
>> should the FIPS Object Module
I think you would probably do better to contact support for wanguard
than for openssl. Possible issues could involve ABI incompatibility or
library selection incompatibility; since there's no way for us to know
how wanguard is structured (we can't track every product that uses
openssl), they're
SSL_OP_* are bitmasks.
SSL_CTX_set_options(conn-ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
-Kyle H
On 11/14/2014 12:37 AM, Vaghasiya, Nimesh wrote:
Hi,
Thanks for the info.
(a typo in previous mail).
Could you please confirm whether following will ensure my SSLv23
methods will no
There's a fair amount of grumbling that I see on Twitter about how
SSLv23_method is confusing -- what it does is the autonegotiation
capability.
So, could it perhaps get a new name (or alias) of something like
SSLnegotiate_method?
What would be the pros and cons of such an aliasing?
-Kyle h
OpenSSL doesn't really have a lot to do with ssh-keygen (though
ssh-keygen might link against libcrypto, SSH is not SSL). You should
probably send to the OpenSSH mailing lists to get help there.
-Kyle H
On 10/12/2014 11:38 PM, Angelos Ching wrote:
Hi,
Can I always expect the following
Generally, a client doesn't bother checking a certificate that's in its local
trust store. The idea is, if it's in its trusted store, there's no need to
verify its integrity, because the administrator already performed that
verification.
Where this might have an impact is if your new
Check the digests used for signing. Windows (after updates) may refuse MD5
signatures on certificates; I would recommend regenerating new certs with at
least SHA256.
-Kyle H
On September 22, 2014 9:34:59 AM PST, Vellore-Arumugam, Jagdish (Svr
Automation) jagdish.arumu...@hp.com wrote:
Hi,
I
This may sound basic, but have you verified that the firewall on the server is
set up to allow communication from the client? I think Ubuntu's firewall
rejects all traffic to ports that don't match what its installed and configured
packages claim they run on, without external configuration.
I don't think this is the right place to ask on. This list is for OpenSSL
itself, not the python binding to it.
The PyOpenSSL folks may be watching this list, but this list is probably not
the official list to discuss it.
-Kyle H
On September 8, 2014 8:56:35 AM PST, Eric Chazan
At least 3DES is *some* encryption. The issue is that peoples' computers are
usually infested with malware; it's better to assume (for a software
distribution) that the disk is compromised, and always encrypt it before
writing.
Perhaps there should be a cipher option for the req -newkey
http://msdn.microsoft.com/en-us/windows/hardware/gg463180.aspx is the spec for
the Authenticode PE signature format.
http://msdn.microsoft.com/en-us/gg463119 is the Microsoft PE and COFF
Specification.
Better download them now before they disappear, they appear to be deprecated in
favor of
to submit a patch.
Michael Wojcik
Technology Specialist, Micro Focus
From: Kyle Hamilton [mailto:aerow...@gmail.com]
Sent: Tuesday, 09 September, 2014 13:43
To: openssl-users@openssl.org; Michael Wojcik
Subject: RE: Certificate pass phrase brute force...
At least 3DES is *some* encryption
like this.
And I am an old C fan programmer...
Pierre Delaage
Le 08/09/2014 00:04, Kyle Hamilton a écrit :
The reason is legacy. Eric Young was not conscious of namespace
pollution when he implemented SSLeay; since then, even after the
migration to the OpenSSL name and team, the focus has
The allocated buffer needs to be sizeof(char *). What's happening is the
address of the buffer (buffer[0]) gets written to the
pointer-to-pointer-to-char, data. If data == NULL, you're asking to write the
address of the buffer to unallocated memory.
It's done this way because the return value
The reason is legacy. Eric Young was not conscious of namespace pollution
when he implemented SSLeay; since then, even after the migration to the OpenSSL
name and team, the focus has been more on maintaining source compatibility than
in creating new interoperability opportunities.
To meet the
If someone has the encrypted key data, they can feed that data anywhere they
wish. In that case, they can feed it into processing systems that do not
enforce rate-limiting. Thus, there is no way to do what Dave Paxton suggests
in any case.
-Kyle H
On September 5, 2014 12:51:04 PM PST,
1 - 100 of 829 matches
Mail list logo