Hi Eric,
Perhaps you should have a look at the 'X509V3 Extension code:
programmers guide' section in \doc\openssl.txt file.
I found also this link helpful :
http://kahdev.wordpress.com/2008/11/29/stack_of-subject-alternate-name-and-extended-key-usage-extensions/
Hope this helps.
Michel
Le
Hi Carolin,
It is just about half the length of the ...
[very] Quick response : Hex value is twice the length of binary data :
Have you checked the value of 'size' arg ?
Not sure this helps ...
On 24/08/2012 16:38, Carolin Latze wrote:
(sorry if this mail arrives twice. I send it first
Hi Thomas,
I don't know if it makes a real difference concerning memory leaks,
but I would have freed the TLS session *BEFORE* freeing the context :
SSL_free(ssl);
...
SSL_CTX_free(ssl_ctx);
Does your app setup and free a context each time a client is connecting ?
Le 12/09/2012 16:58,
' during all your app 'run', even in
multi-threaded programs.
It would allow you to access some activity information like the ones
documented in :
http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html
Hope this helps,
Regards
On 13/09/2012 10:39, Thomas wrote:
Hi Michel,
Thanks for trying
Hello,
I am using the OpenSSL enc command to encrypt and decrypt a test file.
When using AES-GCM mode, I can encrypt but cannot decrypt the result.
Even though I succeed with all other modes.
Example is as follows :
openssl enc -e -a -aes-128-gcm -nosalt -p -K
I am guessing that 'special handling' is linked to the 'no additional
authentication data' issue discussed in :
http://incog-izick.blogspot.fr/2011_08_01_archive.html
On 11/10/2012 22:33, Erik Tkal wrote:
I think Steve posted a while back that those ciphers require special handling
and do
Thanks for the explanation Mr. Henson.
I do not wish to take up too much of your time, but as I am still trying
to understand OpenSSL, I would be grateful if you can add a few words on
how you cope with this in TLS, and point me to the corresponding source
code.
Thanks again,
Michel.
Le
Thanks,
Also it can be useful to go back to the book 'Network Security with
OpenSSL', pages 128 to 138.
Michel.
On 27/10/2012 17:00, Alban D. wrote:
Hi everyone,
iSEC Partners just released a paper that provides detailed guidelines
and sample code on how to properly do certificate
I found in doc/ssleay.txt :
[...]
The PEM_write_SSL_SESSION(fp,x) and PEM_read_SSL_SESSION(fp,x,cb) will
write to a file pointer in base64 encoding.
What you can do with this, is pass session information between separate
processes.
[...]
On 06/11/2012 12:11, Eisenacher, Patrick wrote
Once
Hi,
Perhaps I misunderstand you, but wouldn't it be easier to just choose
eNULL cipher when no encryption is needed ?
On 09/11/2012 06:08, Derek Cole wrote:
Hello,
I have a server running that I am accepting both SSL and non SSL traffic.
Currently I check the traffic first and if the
? My client that sends
the unencrypted traffic knows nothing of SSL at all, and I can't modify it,
so it is just coming in a normal TCP stream.
On Fri, Nov 9, 2012 at 6:44 AM, Michel msa...@paybox.com wrote:
Hi,
Perhaps I misunderstand you, but wouldn't it be easier to just choose
eNULL cipher
Before trying to use it, I was misled by the documentation (and the
example) of the EVP_PKEY_sign() call at :
http://www.openssl.org/docs/crypto/EVP_PKEY_sign.html
I believed it was [quite] the same behavior as with
EVP_DigestSignFinal() before understanding that the input has to be a
Thank you very much for the answer.
On 30/11/2012 12:54, Dr. Stephen Henson wrote:
On Fri, Nov 30, 2012, Michel wrote:
Before trying to use it, I was misled by the documentation (and
the example) of the EVP_PKEY_sign() call at :
http://www.openssl.org/docs/crypto/EVP_PKEY_sign.html
On 12/12/2012 20:12, Alex Chen wrote:
Another question is how to enforce the 'server' side preference of the
cipher suite selection? Is it also part of the SSL_CTX_set_options()
Isn't this what you are looking for ? :
SSL_OP_CIPHER_SERVER_PREFERENCE
in
Found interesting related article from Wikipedia :
http://en.wikipedia.org/wiki/Name_mangling
Note that the 64-bit convention on Windows (Microsoft C) is no leading
underscore.
This difference may in some rare cases lead to unresolved externals when
porting such code to 64 bits.
Le
Hope this helps : http://www.keylength.com/en/3/
On 22/02/2013 08:38, Ashok C wrote:
Hi,
What is the current industry standard for private key lengths?
As of now, my application supports 2048 bit-wide keys.
I'm planning to support higher key lengths now, and want your
suggestions on how
PKCS5_PBKDF2_HMAC implementation : [openssl-src-dir]\crypto\evp\p5_crpt2.c
in [openssl-src-dir]\crypto\evp\evp.h : PKCS5_SALT_LEN is defined as 8
On 13/06/2013 08:39, Rengith M. wrote:
Hi,
This is to know further about implementation of PBKDF2,
PKCS5_PBKDF2_HMAC.
1.Would like to know
Hi Rengith,
Sorry but I was referring to 1.0.1e source distribution.
I am not able to answer about FIPS ones.
On 14/06/2013 11:06, Rengith M. wrote:
Hi Michel,
I could not find the p5_crpt2.c under \crypto\evp after I unzipped the
openssl-fips-ecp-2.0.4.tar, could you please provide
Hi Yamini,
I would suggest looking at the 'EVP Envelope' API :
https://www.openssl.org/docs/crypto/EVP_SealInit.html
On 17/06/2013 19:26, yamini wrote:
Hello,
I am implementing the DES algorithm between my client and server systems for
encryption. The DES key is transmitted in encrypted
question was often discussed in the past on this list.
Search about the OpenSSL 'internal state machine'.
Michel
On 11/09/2013 16:39, Jason Schultz wrote:
I have a server that implements secure communication using OpenSSL.
The server does a listen() on a port and keeps track of what listens
Could it be because of a misuse of X509_dup() or CRYPTO_add( ..., 1,
CRYPTO_LOCK_X509 )
in a copy constructor or an assignment operator ?
#10 0x08052673 in CertificateRemote::cleanup_x509 (this=0x9bb55f0) at
syfer/crypto/Certificate.cpp:309
What could be possible reason for the above crash ?
If the negotiated cipher suite for an RSA encrypted client-server
session does not involve using the RSA public keys, then when is RSA
used in that session ?
Not sure to fully understand your question, but the answer may be :
'Just for [server] authentication'
Hope this helps.
Did you see EVP_MD_size()
at http://www.openssl.org/docs/crypto/EVP_DigestInit.html
On 12/12/2013 09:29, Dereck Hurtubise wrote:
Hello,
Is there an easy way in OpenSSL to call some function which returns
the length of the digest/hash it returns? Like SHA256 would return 32
(maximum
Hi,
I also experienced going into an infinite loop using
BN_generate_prime_ex() function.
In my case it was because I didn't fully understand how to use 'add' and
'rem' parameters.
I am now assuming they should be used as in dh_builtin_genparams(), in
dh_gen.c.
I am not qualified to discuss
to return immediately with an error code and that it may be
possible to code the underlying logic with clear end/exit loop condition(s).
I was also hoping to draw attention to more qualified people on this matter.
On 21/01/2014 10:45, Nischal wrote:
Hi Michel,
In my case, 'add' and 'rem
I didn't see it before, but in fact, it is stated in the 'bugs' section :
RSA_generate_key() goes into an infinite loop for illegal input values.
Did you read :
http://www.openssl.org/docs/crypto/RSA_generate_key.html
On 21/01/2014 17:50, Michel wrote:
Hi Nischal,
As previously
Hi,
My build failed when compiling openssl 1.0.2 beta 1 with no-nextprotoneg
defined :
.\ssl\s3_clnt.c(413) : error C2065: 'SSL3_ST_CW_SUPPLEMENTAL_DATA_A'
I solved this just by moving line 636 of ssl3.h 3 lines above.
Diff file is attached.
Regards,
--- D:/openssl-1.0.2-beta1/ssl/ssl3.h
Perhaps you should rather look at the XMLSec project :
http://www.aleksey.com/xmlsec/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
the source code available here was also useful for me :
http://www.opensslbook.com/
excerpt from the book can be found online with google preview
On 06/01/2011 00:00, Bhola Ray wrote:
Hello,
Can anyone provide me with a working client-server code with SSL.
If there is a pointer to a
Hi Jijo,
I believe interesting information can be found here :
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
Regards
On 13/01/2011 17:16, Jijo wrote:
Thanks for the response..
You have to get the IC to the client somehow. The usual method is to
have the server send it.
security. I mean when I will retire, around OpenSSL version
n° 9.487.12 or year 2039, whichever comes first.
But you'll need hundreds of people fixing my typos and poor English
sentences...
Hi Michel,
many thanks for this very quick reply !
If I saved you some time, great ! It was my pleasure.
Michel
Hi Dan,
You should look at :
http://www.rsa.com/rsalabs/node.asp?id=2127
http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
and a better OpenSSL implementation using PKCS5_PBKDF2_HMAC()
in crypto\evp\p5_crpt2.c
On 01/07/2011 14:58, Daniel Wambold wrote:
Hello list.
I started poring
Hi Mayur
Hope the links below help answer your question :
http://www.openssl.org/docs/crypto/pem.html
http://www.umich.edu/~x509/ssleay/x509_store.html
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#
Best regards
Michel
On 18/07/2011 05:38, Mayur Premi wrote:
[Mayur
you.
Michel
On 03/11/2011 05:57, Mr.Rout wrote:
Thanks Dave.
Probably i have not understood the things properly.
After surfing through Google i got confused.
Actually I am doing TLS Client Testing which authenticate the
Server(www.https.com in my example).
Steps I followed to achieve
If I don't misunderstand you, perhaps this little windows software could
help you :
http://sectools.free.fr/img/CryptoSym-EN.png
http://sectools.free.fr/CryptoSym-EN.txt
http://sectools.free.fr/CryptoSym-EN.zip
Hope this help...
On 20/03/2012 05:35, pkumarn wrote:
Now coming to the
Hello Mr. RIHAN,
You should find some clues searching around OBJ_NAME_do_all_sorted()
or looking at apps/enc.c, crypto/evp/names.c, crypto/objects/o_names.c.
Good luck.
On 03/06/2012 09:00, Adnan RIHAN wrote:
Hello again!
Nobody knows ?
--
Le jeudi 31 mai 2012 à 17:03, Adnan RIHAN a
,
Michel
On 12/06/2012 11:32, Joshua Bowman wrote:
On 6/10/2012 11:18 PM, vinayak.T.K wrote:
presently i m working on the project which includes the generation of
symmetric key from the public key i m just a beginner so can u please
help me out.
Victor Duchovni wrote:
On Wed, Nov 21, 2007
Hi,
Here is a related previous discussion with some more details :
http://openssl.6102.n7.nabble.com/FW-Negotiating-TLS-1-0-from-1-2-td39516.html
On 13/05/2014 12:45, Gayathri Manoj wrote:
Hi All,
I am planning to upgrade my tls connection from 1.0 to 1.2. I have
made changes from the
Hi,
It is PKCS5_PBKDF2_HMAC(), in crypto/evp/p5_crpt2.c
On 16/05/2014 10:14, Hooman Fazaeli wrote:
Which openssl function does key derivation based on PKCS#5v2?
Hi,
When configure'd with no-engine and no-hw options, build of OpenSSL
1.0.1h on Windows 7 failed.
Although it might not be the best solution, the attached patch solved
this (for static linking) by adding or moving up some related
preprocessor directives.
But still leaves a problem when
Hi all,
I was surprised that decryption succeeded in GCM mode although the tag
was shorter than the one produced when encrypting,
as it is not the case in CCM. Is it the intended behaviour ?
In order to rule out a possible bug in my program, I finally used the
example code at :
Thanks for your answer.
But isn't this strategy very hazardous ?
And why just for GCM and not CCM ?
On 18/06/2014 14:37, Thulasi Goriparthi wrote:
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof(gcm_tag), gcm_tag);
When you change tag length with the above statement, you are
I tried all of 2, 4, 6, 8, 10, 12, 14, 16 values, and always got a
Plaintext not available: tag verify failed.
Even when tag length of decryption was equal to tag length of encryption.
:-(
It just works for : tag length of decryption = tag length of encryption
= 16.
Thanks again for your
within the IV(nonce).
On Wed, Jun 18, 2014 at 8:12 PM, Michel msa...@paybox.com wrote:
I tried all of 2, 4, 6, 8, 10, 12, 14, 16 values, and always got a
Plaintext not available: tag verify failed.
Even when tag length of decryption was equal to tag length
Hey, thanks Jeff !
I also inadvertently found an interesting article of a certain M. J. W. ...
;-)
I should have read more carefully :
http://www.codeproject.com/Articles/34380/Authenticated-Encryption
particularly when it states : It is up to the receiver to determine
whether to accept a tag
Excerpt from the book : Network Security with OpenSSL :
An SSL_CTX object will be a factory for producing SSL connection objects.
This context allows us to set connection configuration parameters before
the connection is made, such as protocol version, certificate
information, and verification
Hi again Phil,
Maybe I read your mail too quickly.
so we don't have the correct encrypted length value to pass to
the decryption routine.
How is it possible ?
If you stored the encrypted data, you should at least know the size of what
is in the file or the database column, don't you ?
...@openssl.org] On behalf of
Michel
Sent: Friday 27 March 2015 18:27
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Encryption length, OpenSSL_add_all_algorithm,
and OpenSSL_add_all_ciphers questions
Hi again Phil,
Maybe I read your mail too quickly.
so we don't have the correct
hope I did not misunderstand you,
And hope this helps,
Regards,
Michel
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Philip Bellino
Sent: Friday 27 March 2015 13:48
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Encryption length
OpenSSL_add_all_algorithms() initially and
EVP_cleanup() before exiting.
https://www.openssl.org/docs/crypto/OpenSSL_add_all_algorithms.html
Also :
https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption
Hope this helps,
Regards,
Michel.
From: openssl-users
Thanks Viktor for your answer, and Jakob for clarifying my thought.
My english isn't good enough to argue with both of you, but obviously, I do
agree with what you have proposed.
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Jakob
Hi,
I believe it might be useful to remind in the documentation that the
-cipher argument for openssl pkey command line tool is silently ignored when
combined with -outform DER.
Maybe it is worth adding a warning too ?
___
openssl-users mailing list
/X509_VERIFY_PARAM_set_flags.html
Hope this helps,
Regards,
Michel.
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Karl Denninger
Sent: Monday 11 January 2016 04:08
To: openssl-users@openssl.org
Subject: Re: [openssl-users] (Probably) Silly Application Programming
Hi Sugumar,
I might misunderstand your need but 'Hex' (as 'Base64') is just an encoding
method to ease use of characters that are not printable.
Your example hex string IV : "12345678901234567890123456789012" should be
converted to :
unsigned char IV[16] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0x12,
Hi Jeff,
The test I just ran was done with NO custom callback :
SSL_CTX_set_verify( pCtx, AUTH_REQUIRE, NULL );
with AUTH_REQUIRE defined as ( SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT )
-Original Message-
From: Jeffrey Walton [mailto:noloa...@gmail.com]
Sent: Saturday 27
Really ?
As your post alarmed me, I tried my test programs again and didn't notice
anything wrong.
I have a server code whose context is configured with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which does not call
SSL_CTX_set_client_CA_list().
In this case, handshake is failing as
As Rich already answered : "The IV, key, and ciphertext are all binary
arrays of bytes."
This is not specific to AES.
Converting from or to hex (or Base64) strings is needed only to read from or
print to outside your C program.
Values passed to EVP_*() calls are expected to be raw (binary) data :
io_SSL_SESSION( pBIO, NULL, 0, NULL );
PEM_write_bio_SSL_SESSION( pBIO, SSL_get_session( pSSL ) );
They finally call :
PEM_ASN1_write_bio()
PEM_ASN1_read_bio()
about which more info can be found on
http://www.umich.edu/~x509/ssleay/pem_io.html
Hope this helps,
Michel
e password (but are NOT prompted for).
In the hope it will save some time to others,
Michel.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi,
IMHO, whether SSL2 is completely removed or disabled, I would have expected
opensslconf.h to reflect the situation to applications.
But now, it just contains :
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
Was it really intended ?
Regards,
Michel.
ent release 1.1.0 (pre 4)
> The "OPENSSL_NO_..." macros specify disabled features, not deleted code.
Yes I understand this point, but I was thinking it was also used more
generally to inform about [un]available functionalities.
Anyway,
Thanks for your answer Viktor.
Michel.
Thank you again and again Matt,
Regards,
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Matt Caswell
Sent: Friday 18 March 2016 13:08
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Questions about OCB and Wrap
Hi Alphonso,
Did you see that :
https://wiki.openssl.org/index.php/EVP_Asymmetric_Encryption_and_Decryption_of_an_Envelope
Hope this helps,
Regards,
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Alfonso Coscione
Sent
Hi,
Just a suggestion : did you see XCA : http://xca.sourceforge.net/ ?
Regards,
Michel
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
thirumalkumarkanakur...@bel.co.in
Sent: Wednesday 2 March 2016 09:37
To: openssl-users@openssl.org
Subject: [openssl
Hi,
> But i saw some online websites giving the original data by reversing the
hash data.
If they can, this is NOT by reversing the hash data.
You will find lots of articles on the web to explain how it can be
'cracked',
for example :
https://crackstation.net/hashing-security.htm
--
Hi steve,
Isn't it conceivable to ask one of the European payment service provider to
sponsor you by offering a free account / access to their platform ?
I know some which are secured only with the help of your product.
They should be proud to help in return.
:-)
-Original Message-
Hi,
Quick answer : as you probably noticed, IV, ciphertext and tag are expected
to be distinct buffers.
Consequently, ciphertext is just ciphertext (without IV or Tag).
Regards,
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
,
Michel.
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Warron French
Sent: Thursday 7 July 2016 22:37
To: openssl-users@openssl.org
Subject: [openssl-users] When to use a key or password
Is there any good rule of thumb for when to use:
-k versus
-K
Also, what
docs/manmaster/man3/EVP_PKEY_CTX_set_rsa_padding.html
and :
https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying
(OpenSSL version >= 1.0)
Hope it helps,
Michel.
> You guys are both important contributors to the project.
+1
Personally I have learned a lot from your contributions.
Thanks Jakob and Michael.
Hi,
As nmake is not in your current path, it looks like you didn't launch the
Developer Command Prompt for Visual Studio.
Regards,
Michel.
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Peissert, Roland (ext)
Sent: Thursday 3 November 2016 12:59
To
>> Another requirement is that a TLS server certificate shall have its identity
>> (FQDN) in the SAN extension. Use of the commonName attribute has been
>> deprecated long ago.
> Where is this documented ?
Might be of interest :
?
Regards,
Michel.
,
Michel
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Thomas J. Hruska
Sent: Sunday 8 October 2017 22:56
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Graceful shutdown of TLS connection for blocking
sockets
On 10/8
? ;-).
Anyway, thanks to have shared your opinion and advices with me.
Regards,
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Thomas J. Hruska
Sent: Monday 9 October 2017 15:32
To: openssl-users@openssl.org
Subject: Re: [openssl-u
[...]
> From that point, the only logical conclusion that can be drawn is that
> select() is for non-blocking I/O only.
[...]
Ouahhh, it looks to me as an over-simplistic conclusion !
select() was not designed and written with future TLS state machine
implementation in mind.
But maybe I
> With blocking sockets, you just loop back around and repeat the same call
if either of those messages are returned by SSL_get_error(). No select()
required.
Yes, you have to repeat the same call, but select() is still useful,
especially with blocking sockets.
Regards,
Michel.
Thanks Matt for the reminder about the use of PSK in TLS 1.3.
This leads me to this other question :
Can someone please clarify what is the future of SRP starting with TLS 1.3 ?
And I am one of those who appreciates very much your
explanations/clarifications for a long time.
Thank you again Michael.
> [...]
> And here on the openssl-users list there are people with widely varying
> experience with and understanding of these matters;
> [...]
> So it's useful to try to
st() and the like as mentioned in
X509_STORE_add_cert man page or something else ?
Regards,
Michel
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Viktor Dukhovni
Sent: Monday 30 March 2020 23:19
To: openssl-users@openssl.org
Subject: Re: Peer certificate v
session (RSA, PSK, ...) ?
Or do we need to rely on a [/PSK like] callback ?
Regards,
Michel.
-Original Message-
[...]
A TLSv1.2 ciphersuite combines the symmetric cipher,
with the key exchange algorithm, the authentication algorithm and the hash.
In TLSv1.3 we just have the symmetric
nd PSK
on the same context and I don't recall having encountered any problem.
I believe it was OpenSSL 1.1.1f using TLS 1.2 under Windows 32bits.
Hope it helps,
Michel.
Hi Mariano,
My quick answer : your key file looks like an (old ?) custom *OpenSSH* format
that *OpenSSL* cannot read natively.
You should easily find an OpenSSH command or other free tools to convert
between formats.
Hope it helps,
Michel.
-Original Message-
From: openssl-users
> Is EVP_PKEY_CTX_set_cb API replacement for the deprecated BN_GENCB_set_old
No, BN_GENCB_set[...] is a similar mechanism but for Big Number / Prime (not
*Key*) generation.
(https://www.openssl.org/docs/man3.0/man3/BN_GENCB_set_old.html)
Hope it helps,
Regards,
Michel.
Hi Hal,
Might be simpler to use the 'X509_VERIFY_PARAM...' interface.
Did you see :
https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set1_host.html
Hope it helps,
Regards,
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf
Hope it helps, it is very late in the night here.
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Hal Murray
Sent: Sunday 17 April 2022 00:02
To: openssl-users@openssl.org
Subject: Re: How does a client get the server's SAN/DNS s
Really impressed.
I have a lot to learn from that.
:-)
Thanks again for the link.
Much appreciated.
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Viktor Dukhovni
Sent: Sunday 17 April 2022 18:17
To: openssl-users@openssl.org
Waouh, waouh, waouh !!!
What a beautiful source code !
If only all software could be written like this !
Thanks for the example Viktor.
>
https://github.com/vdukhovni/postfix/blob/postfix-3.5/postfix/src/tls/tls_client.c#L756-L794
--
Viktor.
We currently have a Solaris server running apache that serves as a proxy in
front of our glassfish server which we use for web services. We are replacing
both the proxy and glassfish servers so are setting the new servers up in
parallel. The new proxy server already had apache and openssl
- Certificate Verification:
Error (20) when setting up replacement server
From: owner-openssl-us...@openssl.org On Behalf Of Michel, Audrey
Sent: Thursday, 18 July, 2013 15:24
Subject: SSL_connect:error in SSLv3 flush data - Certificate
Verification: Error (20) when setting up replacement server
user to the
group securing the directory with the ca it was able to find the ca and the
error was resolved. I appreciate the assistance as it has added to my
understanding and given me ideas for improvements (and documented a lesson
learned for sure).
Audrey Michel
+1 972.605.8085 / Tel
+1
I believe this [freely available] book should interest you :
Handbook of Applied Cryptography
http://www.cacr.math.uwaterloo.ca/hac/
On 21/04/2011 00:03, Patrick Rutkowski wrote:
I'm pretty new to this PKI stuff, but I'm very confused about why pkcs12 files
are encrypted.
As I understand
/node.asp?id=2124
or other web sites.
Michel
On 21/04/2011 16:09, Patrick Rutkowski wrote:
Wow, awesome. I just read the foreword and the preface before getting to work.
They're very well written, and now I'm excited for the coming chapters for sure
:-)
I'll probably read it over the coming week
Hi Albrecht,
I might be wrong, but I think you should use instead
SSL_CTX_get_cert_store() and then *X509_STORE_add_cert*
to add the certificate to the list of trusted ones that will be used for
verification.
Certificates added using SSL_CTX_add_extra_chain_cert() are not trusted.
bits of their private key.
I still don't understand why 2) is the weakest step, nor how could I use
just client SSL certificates.
Once again, thanks,
Michel
- Original Message -
From: Vadim Fedukovich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 6:53 PM
Subject
Hi there,
I've removed OpenSSL 0.9.6.b ( which was installed during the RH72 installation ) and
I installed OpenSSL 0.9.6.c.
Now I have the problem that certain applications ( sendmail as an example ) is complaining
that it can not find the library libssl.so.2
Now this library will
Needing public key encryption for an application, i took a look at
libcrypto.
The problem is coping with it...
I'm trying to use the rsa-algorithm.
How do I separate the public and the private key? If I generate my key with
RSA_generate_key i'm getting a RSA* struct with both keys(a key pair).
();
sk_SSL_COMP_free( SSL_COMP_get_compression_methods());
_CrtDumpMemoryLeaks();
return 0;
}
Hope it helps,
Michel
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Avery A. Tarasov
Sent: Saturday 24 January 2015 22:34
To: openssl-users@openssl.org
Subject: Re
in this case.
I am not sure to fully understand what your are doing now, but with the
modified version I've sent to you, _CrtDumpMemoryLeaks() doesn't report any
problem on my Windows 7 64 bits machine.
Just another quick idea : why not try _beginthread() instead of
CreateThread() ?
Michel
( SSL_COMP_get_compression_methods());
RAND_cleanup();
Hope it helps,
Michel.
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of
Avery A. Tarasov
Sent: Thursday 22 January 2015 06:36
To: openssl-users@openssl.org
Subject: [openssl-users] Proper cleanup functions being called