DES-CBC3-MD5
I know that there have been some problems in the past with DES-CBC3-MD5. I am having problems connecting to a server I am writing with browsers when using this cipher. All the fixes I have seen have been on the client side. I also have a client which is similar to s_client. This has the same problem when connecting to the server using this cipher. The error the client reports is:

14396:error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter:s23_clnt.c:445:

Is there something I am doing wrong in my server code that would make this specific cipher not work? Most others work. Generally RC4-MD5 is selected. DES-CBC3-SHA works fine.

Thanks in advance.

Tim

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: AbouT Expiration Time
Stefan Kelm wrote:
>
> Moin,
>
> > > However, at least the current browsers will not check a
> > > certificate's
> > > validity based on hours and minutes but based on days.
> >
> > M$ IE definitely checks hours and minutes.
>
> IE version? Service Pack version?

IE 4 something. I did not check that myself. The problem was reported to me.

The problem was that I created a self-signed CA cert which issued several sub CA certs. Unfortunately the certs of the sub CA had a notAfter attribute five minutes(!) later than the root cert. IE refused to accept the cert chain.

Ciao, Michael.
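A pre-issuance check for the situation described in the message above, as an added example that is not part of the original thread: it compares each certificate's validity window with its issuer's to the second, so a notAfter that runs five minutes past the root's is caught before a client rejects the chain. The sample text is constructed in the shape of `openssl x509 -noout -subject -dates` output, and the subject names and dates are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of `openssl x509 -noout -subject -dates`
# output, root first. The sub CA's notAfter is five minutes past the root's.
SAMPLE = """\
subject=CN=Example Root CA
notBefore=Sep 17 10:00:00 1999 GMT
notAfter=Sep 16 10:00:00 2004 GMT
subject=CN=Example Sub CA
notBefore=Sep 17 10:30:00 1999 GMT
notAfter=Sep 16 10:05:00 2004 GMT
"""

def parse_time(text):
    """Parse an OpenSSL-style timestamp such as 'Sep  7 10:00:00 1999 GMT'."""
    # Single-digit days are padded with an extra space; collapse runs first.
    text = " ".join(text.split())
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def parse_chain(dump):
    """Return [(subject, not_before, not_after), ...] in the order given."""
    certs, cur = [], {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        cur[key.strip()] = value.strip()
        if key.strip() == "notAfter":  # last field of each certificate
            certs.append((cur.get("subject", "?"),
                          parse_time(cur["notBefore"]),
                          parse_time(cur["notAfter"])))
            cur = {}
    return certs

def nesting_violations(certs):
    """List (subject, field, overshoot) where a cert's window leaves its issuer's.

    Assumes certs[0] is the root and each later entry was issued by the
    entry before it.
    """
    problems = []
    for (_, i_nb, i_na), (subj, nb, na) in zip(certs, certs[1:]):
        if nb < i_nb:
            problems.append((subj, "notBefore", i_nb - nb))
        if na > i_na:
            problems.append((subj, "notAfter", na - i_na))
    return problems

if __name__ == "__main__":
    for subj, field, delta in nesting_violations(parse_chain(SAMPLE)):
        print(f"{subj}: {field} is outside the issuer's validity by {delta}")
```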
Re: What US companies need to know about RSA
Well if you want to be illegal why bother downloading RSARef? Also you can't legally download it anymore because RSA doesn't offer it for download anymore. I asked them about it and they said that I have to buy BSAFE or any other toolkits available from them. (I can't even afford to buy books, how the hell am I supposed to be able to afford a 100K piece of software?)

Me, I'm just waiting till Aug 20th 2000.

When does the RC5 patent expire (if it does expire at all)?

> I could just be illegal and download the RSAref[2] library and link
> that with OpenSSL/Stunnel. And on Aug. 20th, 2000, when the RSA
> patent expires, I'd be legal. (Though potentially liable for past
> unlicensed use.)
Net::SSLeay, mod_perl and mod_ssl
Hi,

Is it possible to use these things together? Net::SSLeay works when I start Apache without mod_ssl. With mod_ssl Apache gives

[notice] caught SIGTERM, shutting down

just after startup.

What I need is to retrieve a page from a remote https host. I probably can play with ProxyPass, but maybe there is some more straight way?

Thanks,
--
Ričardas Čepas
Re: variable problem: OpenSSL 0.9.4 09 Aug 1999
Didn't finish my thought:

Is it possible that you've accidentally included a trailing slash in the path when configuring, like:

$ ./config --prefix=/var/ssl/ --openssldir=/var/ssl/openssl/

Try without the trailing slash, and then recompile.

Good luck.
-Mike

"Matthew R. Ocasek" wrote:
> I know this is a dumb question, but when trying to create a test
> certificate using: openssl req I get the following error: Using
> configuration from /var/ssl//etc/openssl.cnf
> Unable to load config info
> Where can I change that path? I have tried re-compiling with the
> prefix and the openssldir specified, but it does not alter it... Any
> help would be GREATLY appreciated since I am pulling my hair out on
> this one and I do not have much left ;) Thanks...
Re: variable problem: OpenSSL 0.9.4 09 Aug 1999
> Matthew R. Ocasek wrote:
>
> I know this is a dumb question, but when trying to create a test
> certificate using:
>
> openssl req
>
> I get the following error:
>
> Using configuration from /var/ssl//etc/openssl.cnf
> Unable to load config info
>
> Where can I change that path? I have tried re-compiling with the
> prefix and the openssldir specified, but it does not alter it...
>
> Any help would be GREATLY appreciated since I am pulling my hair out
> on this one and I do not have much left ;)

You can use the OPENSSL_CONF environment variable to directly point to openssl.cnf.

You should be able to use the --openssldir option to Configure: check that the correct value appears in opensslconf.h

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: What US companies need to know about RSA
I'll just add a few more bits of info to this...

Aaron D. Turner wrote:
>
> This RSA library license that you receive with Stronghold, etc, can
> not be legally transferred to another piece of software, because the
> license requires you to use the RSA approved implementation of the RSA
> algorithm.
>

I believe RSA has also on occasion just gone ahead and approved a piece of software with SSLeay's RSA implementation when asked nicely. Asking nicely generally involves a ***huge*** amount of money. I don't know the precise details of individual cases.

> I could just be illegal and download the RSAref[2] library and link
> that with OpenSSL/Stunnel. And on Aug. 20th, 2000, when the RSA
> patent expires, I'd be legal. (Though potentially liable for past
> unlicensed use.)
>

Well if someone decides to be illegal I obviously can't condone such activity. However you might as well just use OpenSSL's RSA implementation which is quite a bit faster than RSAref.

I believe after the patent expiry you'll be able to use any implementation anyway: though I'm no expert on that.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: U.S. To Allow Export Of Encryption Products
At 02:29 AM 9/17/99, Mark J Cox wrote:
> > I read that as saying every program using strong encryption must
> > still go through the approval process
>
> Right; it doesn't help us allow US people to get involved in the
> development. It also means that browser manufacturers won't be able to
> make full-strength versions their default download (because they have a
> limit on countries allowed). Even within the US right now there is a
> large percentage of browsers being used that are export-crippled.

Another issue is that MOST people are behind a firewall and cannot even download 128-bit encryption products!

Lee

Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist
Omnitec Corporation
Network/Internet Consultants
www.omnitec.net
Re: variable problem: OpenSSL 0.9.4 09 Aug 1999
Hey,

1) It looks like you have an extra slash in your path between ssl and etc.
2) A really sleazy fix would be to put a sym link in the directory where it's looking that points to your actual openssl.cnf

-Mike

"Matthew R. Ocasek" wrote:
> I know this is a dumb question, but when trying to create a test
> certificate using: openssl req I get the following error: Using
> configuration from /var/ssl//etc/openssl.cnf
> Unable to load config info
> Where can I change that path? I have tried re-compiling with the
> prefix and the openssldir specified, but it does not alter it... Any
> help would be GREATLY appreciated since I am pulling my hair out on
> this one and I do not have much left ;) Thanks...
What US companies need to know about RSA
After a lot of research and talking with people from the Stunnel and OpenSSL lists, and 3 phone calls to RSA itself, I've learned far more than I ever wanted to know about RSA's patent and licensing. [Contrary to the last person who posted on this list, I found both Stunnel and OpenSSL lists very informative.] I figured there were a lot of people out there who would benefit from this info. Of course if you see any errors, feel free to let me know. Maybe I can get this added to some FAQ?

Basically, all I wanted to do is run a generic SSL reverse proxy for a number of services/hosts. I also wanted Client Certificates for added security. All this was for internal use only type stuff like IMAP and secure access to internal web servers for my employees. None of this is stuff that I make any money off of directly- ie. I'm not trying to sell anything with SSL or RSA in it.

Anyways, I found out that:

SSLv3 supports numerous public-key encryption algorithms. However, most SSL clients only support RSA for public-key. So basically, unless you use RSA, you can't talk SSL to 99% of the world.

If you are a U.S. company, you must somehow purchase a license for RSA[3].

If you purchase a piece of software (like Stronghold) that includes the RSA library, it will include an applicable license for RSA. Basically C2Net (the "author" of Stronghold) purchases a RSA license and then is allowed to distribute the RSA library with their product.

This RSA library license that you receive with Stronghold, etc, can not be legally transferred to another piece of software, because the license requires you to use the RSA approved implementation of the RSA algorithm.

The other option is to license the RSA library directly from RSA and link your software to that.

To license RSA for use with OpenSSL/Stunnel for my "internal use only" purposes would cost me *at least* ONE HUNDRED THOUSAND DOLLARS. Basically they wanted .075% of my company's revenue, and that this $100K was just the DOWN PAYMENT. Your pricing may vary, but the sales rep indicated that this was what they charged everyone.

Or- I could go out and buy one of the commercial[1] Stunnel-like implementations for about $1,000 per SSL proxy server.

Or- I could just be illegal and download the RSAref[2] library and link that with OpenSSL/Stunnel. And on Aug. 20th, 2000, when the RSA patent expires, I'd be legal. (Though potentially liable for past unlicensed use.)

So my options were:

1) Pay nothing, use RSAref with OpenSSL and be illegal.
2) Pay about $3,000 for some closed-source software that didn't have all the features of the Open Source equivalent.
3) Pay at least $100,000 to use OpenSSL.

Patents suck.

[1] C2 Net's SafePassage Secure Tunnel http://www.c2net.com/
    Celocom's SSR Server http://www.celocom.com/
[2] RSAref is an implementation of the RSA algorithm for non-commercial use in the U.S. http://www.rsa.com/
[3] The RC5 algorithm is also patented and illegal to use in the US without the RSA license.

--
Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
Security Engineer
Vicinity Corp.
Cell: 408-314-9874 Pager: 650-317-1821
http://www.vicinity.com