does a good job of covering both design and
implementation details. And he knows his stuff - he's one of the authors of the
TLS RFCs.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
. It has different semantics
for void* pointers. It has different rules for numeric-parameter promotions.
And so on.
People who think C++ is a superset of C are sadly mistaken, and programmers who
act on that assumption are dangerous.
Michael Wojcik
Technology Specialist, Micro Focus
actually
understand the C language.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
chance that an OpenSSL-based application
using the default suite list will encounter a peer that only supports RC4.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
one.
You can also do what you describe below, but not encrypt the private key the
first time, by using the -nodes option with openssl req; that saves decrypting
it before encrypting it with your preferred cipher.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Iñaki Baz Castillo
Sent: Tuesday, 09 September, 2014 09:10
To: openssl-users@openssl.org
Subject: Re: Why does OpenSSL own all the prefixes in the world?
2014-09-09 13:14 GMT+02:00 Michael Wojcik
,
which are NOT standards.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http://www.openssl.org
User
by
openssl_c_hdrs.h will preempt their inclusion within the namespace by the
OpenSSL headers.
Of course, for C++ code you normally wouldn't include the C standard headers;
you'd use their C++ versions (cstdlib, etc). But this sort of thing is a
special case.
--
Michael Wojcik
Technology Specialist
to submit a patch.
Michael Wojcik
Technology Specialist, Micro Focus
From: Kyle Hamilton [mailto:aerow...@gmail.com]
Sent: Tuesday, 09 September, 2014 13:43
To: openssl-users@openssl.org; Michael Wojcik
Subject: RE: Certificate pass phrase brute force...
At least 3DES is *some* encryption
, of OpenSSL's public functionality directly anyway.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Kyle Hamilton
Sent: Sunday, 07 September, 2014 18:04
To: openssl-users@openssl.org; Iñaki Baz Castillo
Subject
any of those figures.
Does that help?
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Friday, 05 September, 2014 16:32
To: Salz, Rich
Subject: Re: Certificate pass phrase brute force
declaration.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
, or an application developer did something wrong, or a
system administrator did something wrong.
I'm not in the business of issuing certificates and keys myself, so I don't
have any policies to share, I'm afraid.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org
password-rest
requests and the like).
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of dave paxton
Sent: Friday, 05 September, 2014 15:34
To: openssl-users@openssl.org
Subject: Re: Certificate pass
Reading the OpenSSL source code in an effort to learn how the SSL and TLS
protocols work is not a good idea. OpenSSL is an implementation, not a tutorial.
I suggest you get an actual description of how SSL/TLS works, such as Eric
Rescorla's book SSL and TLS.
(I believe Rich already suggested
;
if (l2 l1) return 1;
us1++, us2++;
}
return 0;
}
(Untested, but copied with some modifications from an existing implementation.)
That said, I agree that case-insensitive comparison would be a good idea here.
--
Michael Wojcik
Technology Specialist, Micro Focus
, but I'd say yes, it's probably
good to drain the error queue each time a thread picks up a new piece of work.
This hadn't occurred to me before your note - I'll have to investigate whether
any of my code needs to do this as well.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner
with the
Reset. When we receive the Reset, we clean up the connection
without any further communication.
--
Donald J.
dona...@4email.net
On Sat, Aug 9, 2014, at 09:44 AM, Michael Wojcik wrote:
Well, it sounds like someone needs to modify the client, then, if you
want to use SSL/TLS
to my last command. I don't remember off
the top of my head whether there's a straightforward FTP API on zOS.
--
Michael Wojcik
Technology Specialist, Micro Focus
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Donald J
] This assumes the application, if it's running in a POSIX environment, has
set the disposition of the SIGPIPE signal to ignore. SIGPIPE is a kluge for
applications that don't check the result of the write/send family of system
calls. Any well-written application should ignore it.
--
Michael
server certificate signed directly by the root, if you don't need an
intermediate for some reason.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Marco Bambini
Sent: Saturday, 26 July, 2014 04:26
is SSL_CTX_load_client_CA_file:
SSL_CTX_set_client_CA_list(CTX,
SSL_CTX_load_client_CA_file(/path/to/CAcerts.pem));
(or with, you know, error handling, if you want to be fancy). See
http://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html.
Michael Wojcik
Technology Specialist
infrequently
enough that we're unlikely to forget it - it's part of our documented process
for updating to a new release.
We've found that to be simpler than trying to override aspects of the existing
configurations when none of them match our build settings.
--
Michael Wojcik
Technology
others. It is not an unalloyed Good Thing.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
with sub-allocators.
In this case, the first two are probably the most likely.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project
(conn, get_index(), my_data_ptr);
...
/* In the verify callback, or wherever */
my_data_ptr = SSL_get_ex_data(conn, get_index());
But if all you need in the callback is the SSL object, you needn't worry about
all that.
--
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Jens Maus
Sent: Wednesday, 25 June, 2014 14:07
Am 25.06.2014 um 18:22 schrieb Michael Wojcik
michael.woj...@microfocus.com:
[...]
Now, if you need additional application-specific information
to your technical question is use cipher suites
that support anonymous key exchange. This is quite likely the Wrong Thing for
most real-world applications that have some perceived need for communications
security.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us
the reserved names
elsewhere in the source.
I suppose it's a bit quixotic to talk about the proper use of C in an OpenSSL
forum, but trying to follow the rules (even in code that's not part of the
library itself) would be a step in the right direction.
--
Michael Wojcik
Technology Specialist, Micro
. So do what
you like.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http://www.openssl.org
User
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Tilman Sauerbeck
Sent: Friday, 09 May, 2014 18:57
Michael Wojcik [2014-05-09 21:12]:
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Tilman
and hairstyles that aren't identical to my hairstyle...
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http
any later than the indicated date.
So yes, you can issue a new CRL before the date in the Next Update field.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
certificate - why isn't it v3?
I admit I don't understand the problem description from the original note, but
it doesn't seem to match what we have with these three certificates.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense
. Are you using a
client certificate in the browser? Is it configured to send the certificate
automatically, or to prompt you? Where did the client certificate come from?
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense
, a better approach would probably be a
generic SSL/TLS tunnel utility like STunnel, or a VPN.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
:��IϮ��r�m
(Z+�K�+1���x��h[�z�(Z+���f�y���f���h
of the other proposals.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Tim Hudson
Sent: Tuesday, 29 April, 2014 16:32
To: openssl-users@openssl.org
Subject: Re: Increment certificate serial numbers randomly
, incrementing serials. Whether that's a risk depends on your
threat model.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
and does not carry hidden data around) thus cannot
know about any sockets?
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project
. On Linux, UNIX, and iOS, use uuidgen (you
may have to grab the source and build it). uuidgen is also available for
Windows, e.g. as part of Cygwin.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
it, under your threat model. SSL/TLS raises that cost over unencrypted
communications. But it doesn't raise it nearly as much as it ought to, thanks
to broken protocols, broken implementations, broken PKI, mismanagement, and
user error.
--
Michael Wojcik
Technology Specialist, Micro Focus
implementation, and the OpenSSL developers have, so that's hardly a compelling
critique. They do the work; they get to make the decisions.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
declared:
// string certificate (pp, length);
BIO_free (memoryBio);
(Untested.)
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
:��IϮ��r�m
(Z+�K�+1���x��h[�z�(Z+���f�y���f���h
compiler options list.
Michael Wojcik
Technology Specialist
Micro Focus
michael.woj...@microfocus.commailto:michael.woj...@microfocus.com
519 West Ash Street
Mason, MI 48854-1553
Direct:+1 517 639 0892
Mobile : +1 517 862 9464
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us
two quite different languages
apart.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
everyone has good intentions.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http
, but it appears to be
what you're looking for.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http
in certificate signature algorithms.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
:��IϮ��r�m
(Z+�K�+1���x��h[�z�(Z+���f�y���f���h��)z{,���
.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
://wiki.wireshark.org/SSL to
start; the wireshark.org search function finds a lot more information about
SSL/TLS dissection.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
-ctx
http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_store.html
This may also be useful:
http://stackoverflow.com/questions/16291809/openssl-programatically-verify-certificate-chain-in-c-in-memory-certs
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned
build.
--
Michael Wojcik
Technology Specialist, Micro Focus
This message has been scanned for malware by Websense. www.websense.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing
standard, unfortunately) and
it's too much effort.
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
-Original Message-
From: Andrew T. Finnell [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 7:51 AM
To: [EMAIL PROTECTED
/ #endif is unnecessary and clutters the source.
As of at least C90 #undef with a name that is not currently defined is
ignored. See ISO 9899-1990 6.8.3.5.
[And wouldn't openssl-dev be the more appropriate forum?]
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department
?
Michael Wojcik402 438-7842
Software Systems DeveloperMicro Focus
From: Mohan Atreya [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 30, 2002 8:03 AM
I am having trouble sending Base64 data over HTTPS POST. Does
anybody have
any sample code that can encode the Base64
to me whether Scott was looking for HTTP protocol
information, though, or OpenSSL API help. Scott?
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
-Original Message-
From: Neff Robert A [mailto:[EMAIL PROTECTED]]
Sent: Thursday
.
However, typically ld's -L option appends the specified directory to the search path, which means .. is the *last* directory to be searched for libcrypto.a.
Does your system have another libcrypto.a, or shared object equivalent, that ld might be finding?
Michael Wojcik
Principal Software Systems
import/export files.)
Try
dump -nv *.a | awk '/ EXP / {print $NF}'
to see a list of symbols exported by shared objects in your archives.
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
-Original Message-
From: Jason Jesso
information one way or another.
(By the way, first and second are already adverbs. No need to suffix them with ly.)
Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
-Original Message-
From: Jason Jesso [mailto:[EMAIL PROTECTED
. The Unix
Programming FAQ from comp.unix.programmer documents using O_RDWR with no
special cautions.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project
secure session from any
Java-equipped browser, SSH, and Kermit, and the infrastructure necessary to
support public authentication. Give the users some options and gradually
transition them away from the unsafe ones.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of Engli
that lack it.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL
But note in general that small signatures aren't going to be very secure.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.op
ontrol whether slow system calls restart (rather than
failing with EINTR) when particular signals are raised, using flags to
sigaction. I don't recall offhand whether UW is one.
Personally, I prefer the EINTR loop, since it's more portable than relying
on slow call restart.
Michael Wojcik
submit arbitrary SQL queries against web front-ended databases. That's a
hell of a lot easier than breaking an SSL session by trying to predict the
PRNG.)
Gather ye entropy while ye may, but don't make it an obsession. You may
overlook something else.
Michael Wojcik [EMAIL PROTEC
arget* is a DLL.)
I believe people have reported running into this in the past on
openssl-users.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project
DLL hygiene, like the grown-up operating systems do.)
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl.org
User Support
(or by me to someone else).
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
amespace. It's probably too
late to fix OpenSSL now, though.)
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://w
o vet
your application.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
se if the client did not include a valid Keep-alive header
requesting a persistent connection. (The server MAY close the connection
after returning the response even if the client did request a persistent
connection; it's not bound by the client's request.)
This isn't a OpenSSL problem.
Mic
SHOULD use "HTTP/1.1" as its HTTP-Version, and MUST use "HTTP/1.1" if it
uses any features not compatible with HTTP/1.0 - such as persistent
connections.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
ompression functions used to reduce bias in seed material, etc. Should be
easy to find from one of the online RFC sources.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Proj
oader work.)
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL
not a significant risk under my
threat model.)
A CA oversight or governing body might marginally increase safety, but there
are much bigger risks that ought to be addressed first.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
t be taken from the output of a cryptographically strong PRNG, for
example.)
(By the way, DES doesn't have a 24-byte key. It has a nominal 64-bit key
with 56 effective bits. 3DES with three distinct keys has a nominal key
length of 192 bits or 24 bytes, but its effective key length is 168 bits.
candidate - but on-line businesses typically aren't interested in
taking that chance. If you are, fine.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenS
ed attacker in the right
place.
With crypto PRNGs, you have two choices: use a complete implementation (from
seeding on up) designed for the purpose from a source you trust, or study
the subject in some depth before putting any trust in it whatsoever.
Michael Wojcik [EMAIL PROTECTED]
MERAN
pto is Schneier's _Applied
Cryptography_.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl.org
User Support Mailing
lementation
sufficient to pass all the BN tests? I don't know.
Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl
of course, a good HTTP/1.1 application should be paying attention to
the Content-length header if present, or the Transfer Encoding, or
whatever's applicable to that particular flow. (Content-length isn't
present if the "chunked" Transfer Encoding is being used. See RFC 26
501 - 581 of 581 matches
Mail list logo