AW: n-cipher does not work with openssl-engine-0.9.6a
Hello, after I grep the whole include/ssl directory in the source-tree I had found it. Thankyou Use chil instead of ncipher. The reason for this is that the interface used is called CHIL (C{something} Hardware Interface Library, IIRC, but nCipher folks will most probably have to correct me), which nCipher has tried to deploy as a standard interface for hadware access. -- -- Ralf Schwiete Dresdner Global IT Services Tel.: +49 69 263 52224 e-Mail: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: Hanging in SSL_connect !
Hi Marc, thanks for your help ! The problem for me was to find a function which switches the socket to nonblocking mode. Found function ioctlsocket(m_hSocket, FIONBIO, ulArg); with ulArg 0. :-) Thank you !!! -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Im Auftrag von Marc Sherman Gesendet: Donnerstag, 3. Mai 2001 18:32 An: '[EMAIL PROTECTED]' Betreff: RE: Hanging in SSL_connect ! How about setting m_hSocket to non-blocking mode. I think SSL_connect() will return SSL_ERROR_WANT_READ in the case you describe. Marc -Original Message- From: Rainer Kaufmann [mailto:[EMAIL PROTECTED]] Sent: Thursday, May 03, 2001 11:12 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Hanging in SSL_connect ! Hi, has somebody an idea to avoid the SSL library to hang in SSL_connect when the other side does not respond ? Starting a timer and calling SSL_shutdown and closesocket on timeout, causes the SSL library to crash :-( I think the problem is the library waiting in socket::recv after ssl3_get_server_hello when there is nothing to read. A simple socket::select would solve this... Any ideas ? Thanks, Rainer -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Im Auftrag von Rainer Kaufmann Gesendet: Mittwoch, 2. Mai 2001 17:34 An: [EMAIL PROTECTED] Betreff: Ttimeout when trying to connect to an non-SSL port ? Hi, me again :-) I'm running into serious problems when trying to connect to a server which does know nothing about SSL. Connecting to a telnet server with the following code snippet runs into an infinite loop. --- SSL_METHOD* pSSLMeth; X509* pcrtCertificate; // Should timeout by itself if(connect(m_hSocket, psa, sizeof(SOCKADDR)) == SOCKET_ERROR) { throw CSSLSocket::Connect; } pSSLMeth = SSLv3_client_method(); m_psscContext = SSL_CTX_new (pSSLMeth); // Create context and connect file descriptor(handle) m_pSSL = SSL_new (m_psscContext); ASSERT(m_pSSL != NULL); SSL_set_fd(m_pSSL, m_hSocket); SSL_connect(m_pSSL); Thanks, Rainer __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: Compiling on Solaris 2.6 gcc-2.95.2
Hmmm... I've compiled it with the same solaris-version and the same compiler. I also have not the sys/bitypes.h and sys/cdefs.h. What development-packages from SUN do you have installed? Do you use any flags with ./compile? Ralf Schwiete -- Ralf Schwiete Dresdner Global IT Services Tel.: +49 69 263 52224 e-Mail: [EMAIL PROTECTED] Compiling on Solaris 2.6 with gcc-2.95.2 from ftp.sunfreeware.com ./congif says: solaris-sparcv9-gcc I got the following errors: gcc -I.. -I../../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c bss_fd.c -o bss_fd.o In file included from ../../include/openssl/e_os.h:354, from ../cryptlib.h:65, from bss_sock.c:64, from bss_fd.c:60: /usr/local/include/netdb.h:66: sys/bitypes.h: No such file or directory /usr/local/include/netdb.h:68: sys/cdefs.h: No such file or directory anywhere in my filesystem I found these two files. Maybe this is more a gcc libraries question, buy I was wondering why these sys files were not included. Thanks for your help! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Client not sending CA's certificate
Hi all, Can anyone help me where to find sample code for "client certificate verification" regards, Siva K
how to create CRL with openssl?
How do you generate a CRL with the openssl tool? Thanks, George __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL in an embedded environment
My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5). I will also use it for certificate generation. I'm going to do some code and makefile editing to get rid of everything else I can, which I think includes bf, dh, dsa, hmac, idea, md2, md4, mdc2, pkcs7, rc2, rc4, rc5, and ripemd. Does that sound reasonable? From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 28 Apr 2001 13:45:09 -0700 You may well have some 'fiddling' to substantially reduce the size of OpenSSL. It all depends on what you want to use it for and what support you need. For example if you don't need PKCS#12 support you can delete everything in crypto/pkcs12. Then the fiddling starts because it probably wont compile any more and you'll have to edit makefiles and source files that reference PKCS#12 code. If you're just doing crypto without SSL or any ASN1 support you can probably delete almost everything. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ - Original Message - From: Gregg Gibson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 30, 2001 8:59 AM Subject: Resending: OpenSSL in an embedded environment I apoligize for sending this question again. The email account I was using has proved to be too unreliable, so I have switched to a different account. Has anyone had any experience with OpenSSL in an embedded environment? I'm trying to trim libcrypto.a and libssl.a down to a reasonable size for an embedded project. I've turned off all but the few ciphers that I need, and that only trimmed off about 200kB. (The ciphers that I kept are des, rsa, md5, and sha.) I'd like to get both of those libraries to be much smaller. Any suggestions? _ Get your FREE download of MSN Explorer at http://explorer.msn.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: how to create CRL with openssl?
On Fri, 4 May 2001 08:32:26 -0400 George Lind [EMAIL PROTECTED] wrote: How do you generate a CRL with the openssl tool? Thanks, George __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] $BO@CL!!!&!!#R#O#N#D#A#N(B $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp $BEE;R%a!<%k!'([EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL in an embedded environment
On Fri, 04 May 2001 08:52:13 -0400 "Gregg Gibson" [EMAIL PROTECTED] wrote: My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5). I will also use it for certificate generation. I'm going to do some code and makefile editing to get rid of everything else I can, which I think includes bf, dh, dsa, hmac, idea, md2, md4, mdc2, pkcs7, rc2, rc4, rc5, and ripemd. Does that sound reasonable? From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 28 Apr 2001 13:45:09 -0700 You may well have some 'fiddling' to substantially reduce the size of OpenSSL. It all depends on what you want to use it for and what support you need. For example if you don't need PKCS#12 support you can delete everything in crypto/pkcs12. Then the fiddling starts because it probably wont compile any more and you'll have to edit makefiles and source files that reference PKCS#12 code. If you're just doing crypto without SSL or any ASN1 support you can probably delete almost everything. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ - Original Message - From: "Gregg Gibson" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 30, 2001 8:59 AM Subject: Resending: OpenSSL in an embedded environment I apoligize for sending this question again. The email account I was using has proved to be too unreliable, so I have switched to a different account. Has anyone had any experience with OpenSSL in an embedded environment? I'm trying to trim libcrypto.a and libssl.a down to a reasonable size for an embedded project. I've turned off all but the few ciphers that I need, and that only trimmed off about 200kB. (The ciphers that I kept are des, rsa, md5, and sha.) I'd like to get both of those libraries to be much smaller. Any suggestions? _ Get your FREE download of MSN Explorer at http://explorer.msn.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] $BO@CL!!!&!!#R#O#N#D#A#N(B $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp $BEE;R%a!<%k!'([EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: how to create CRL with openssl?
On Fri, 04 May 2001 21:55:21 +0900 RONDAN [EMAIL PROTECTED] wrote: On Fri, 4 May 2001 08:32:26 -0400 George Lind [EMAIL PROTECTED] wrote: How do you generate a CRL with the openssl tool? Thanks, George __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] $BO@CL!!!&!!#R#O#N#D#A#N(B $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp $BEE;R%a!<%k!'([EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] $BO@CL!!!&!!#R#O#N#D#A#N(B $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp $BEE;R%a!<%k!'([EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question : Verification callback (SSL_CTX_set_verify, SSL_set_verify)
On Fri, 4 May 2001 14:56:33 +0200 "Robin Gorris" [EMAIL PROTECTED] wrote: Hi, I have some questions on the verification callback function. By the way, I'm using the SSL_VERIFY_PEER mode. 1. Is it best practice to put all the certificate checks in this callback function? 2. Is it so that the number of times this function is called is equal to the verification depth used? 3. If so, how do I get to know the verification depth at runtime? I'll be more specific on this : if I wanted to add an extra check only for the last certificate in the chain (that of the client), how would I do this? Hope my questions make sense. Anyways, much thanx in advance, Robin __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] $BO@CL!!!&!!#R#O#N#D#A#N(B $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp $BEE;R%a!<%k!'([EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: how to create CRL with openssl?
Title: RE: how to create CRL with openssl? Hi, Very simply : openssl ca -gencrl -config config_file -out out_file Then if You want to change format to DER openssl crl -in in_file -outform DER -out out_file To first command You can add information about next update if You don't want to use information from OpenSSL config file. Regards, Pawel -Original Message- From: George Lind [mailto:[EMAIL PROTECTED]] Sent: Friday, May 04, 2001 1:32 PM To: '[EMAIL PROTECTED]' Subject: how to create CRL with openssl? How do you generate a CRL with the openssl tool? Thanks, George __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL in an embedded environment
I am also thinking about to port openssl to an embedded system and noticed the the discussion. What sizes have you come down to ? and does your embeded system have filestorage ? fopen() or is the certificates stored in char []? The core question is what i takes to port it to an embeded system. Best Regards Andreas Bäck [EMAIL PROTECTED] 05/04/01 03:58PM On Fri, 04 May 2001 08:52:13 -0400 Gregg Gibson [EMAIL PROTECTED] wrote: My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5). I will also use it for certificate generation. I'm going to do some code and makefile editing to get rid of everything else I can, which I think includes bf, dh, dsa, hmac, idea, md2, md4, mdc2, pkcs7, rc2, rc4, rc5, and ripemd. Does that sound reasonable? From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 28 Apr 2001 13:45:09 -0700 You may well have some 'fiddling' to substantially reduce the size of OpenSSL. It all depends on what you want to use it for and what support you need. For example if you don't need PKCS#12 support you can delete everything in crypto/pkcs12. Then the fiddling starts because it probably wont compile any more and you'll have to edit makefiles and source files that reference PKCS#12 code. If you're just doing crypto without SSL or any ASN1 support you can probably delete almost everything. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ - Original Message - From: Gregg Gibson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 30, 2001 8:59 AM Subject: Resending: OpenSSL in an embedded environment I apoligize for sending this question again. The email account I was using has proved to be too unreliable, so I have switched to a different account. Has anyone had any experience with OpenSSL in an embedded environment? I'm trying to trim libcrypto.a and libssl.a down to a reasonable size for an embedded project. I've turned off all but the few ciphers that I need, and that only trimmed off about 200kB. (The ciphers that I kept are des, rsa, md5, and sha.) I'd like to get both of those libraries to be much smaller. Any suggestions? _ Get your FREE download of MSN Explorer at http://explorer.msn.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] http://www.rondan.co.jp [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL in an embedded environment
On Fri, 04 May 2001 21:58:44 +0900 RONDAN [EMAIL PROTECTED] wrote: On Fri, 04 May 2001 08:52:13 -0400 "Gregg Gibson" [EMAIL PROTECTED] wrote: My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5). I will also use it for certificate generation. I'm going to do some code and makefile editing to get rid of everything else I can, which I think includes bf, dh, dsa, hmac, idea, md2, md4, mdc2, pkcs7, rc2, rc4, rc5, and ripemd. Does that sound reasonable? From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 28 Apr 2001 13:45:09 -0700 You may well have some 'fiddling' to substantially reduce the size of OpenSSL. It all depends on what you want to use it for and what support you need. For example if you don't need PKCS#12 support you can delete everything in crypto/pkcs12. Then the fiddling starts because it probably wont compile any more and you'll have to edit makefiles and source files that reference PKCS#12 code. If you're just doing crypto without SSL or any ASN1 support you can probably delete almost everything. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ - Original Message - From: "Gregg Gibson" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 30, 2001 8:59 AM Subject: Resending: OpenSSL in an embedded environment I apoligize for sending this question again. The email account I was using has proved to be too unreliable, so I have switched to a different account. Has anyone had any experience with OpenSSL in an embedded environment? I'm trying to trim libcrypto.a and libssl.a down to a reasonable size for an embedded project. I've turned off all but the few ciphers that I need, and that only trimmed off about 200kB. (The ciphers that I kept are des, rsa, md5, and sha.) I'd like to get both of those libraries to be much smaller. Any suggestions? _ Get your FREE download of MSN Explorer at http://explorer.msn.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] $BO@CL!!!&!!#R#O#N#D#A#N(B $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp $BEE;R%a!<%k!'([EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] $BO@CL!!!&!!#R#O#N#D#A#N(B $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp $BEE;R%a!<%k!'([EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
How I can create a Cert STORE
Hello! Like I say in the subject How I can create a Cert Store? Thanks in advance, Regards, Antonio. -- -- Antonio Ruiz Martínez Facultad de Informática-Universidad de Murcia 30001 Murcia - España (Spain) Telf: +34-968-364644 e-mail: [EMAIL PROTECTED] -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL in an embedded environment
I have (possibly) a similar problem. But just for the sake of completeness, is anyone aware of a port to VxWorks? If I could hook up with the poor sod that's been through this before that would probably save my hair at least. -lee __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
test vectors
Hello, Could someone tell me where I could find some test vectors for a DES in CBC mode? Thank you.
Info on keyEncipherment, dataEncipherment, keyUsage, keyAgreement
Hi, I am newbie to this group. I want to know more about keyEncipherment, dataEncipherment, keyUsage, keyAgreement. Can you please point to any documents or proper link to know the exact definitions and usage. Thanks in Advance. Ravi -- A man without a woman is like a statue without pigeons. begin:vcard n:Venkata Ravi Prakash;Burlagadda tel;home:08644 26681 tel;work:040 7814515/17/19 extn:387 x-mozilla-html:FALSE org:Tata Consultancy Services;Advanced Technology Centre version:2.1 email;internet:[EMAIL PROTECTED] title:ASE adr;quoted-printable:;;1-2-10, Coramandel House,=0D=0ASardar Patel Road;Secunderabad;AP;53;India x-mozilla-cpt:;20384 fn:Burlagadda Venkata Ravi Prakash end:vcard
Re: newbie question : Verification callback (SSL_CTX_set_verify, SSL_set_verify)
On Fri, May 04, 2001 at 02:56:33PM +0200, Robin Gorris wrote: I have some questions on the verification callback function. By the way, I'm using the SSL_VERIFY_PEER mode. 1. Is it best practice to put all the certificate checks in this callback function? Yes, I would recommend doing so, as by the return value of the verification callback you can decide whether you want to continue the handshake or stop with a corresponding alert. 2. Is it so that the number of times this function is called is equal to the verification depth used? Yes and no. Yes: If no error is encountered, the callback is called once for each level with preverify_ok = 1, so that the callback has the last word for each level. No: If errors are encounterd, the verify callback is called for each error found. 3. If so, how do I get to know the verification depth at runtime? I'll be more specific on this : if I wanted to add an extra check only for the last certificate in the chain (that of the client), how would I do this? The check is performed starting with the root CA, which has the highest level count. The check is finished for the server (or client) certificate at level 0. My email server's certificate (serv01) was issued by our universities CA (BTU CA), which was issued by the german research network's root CA (DFN-PCA). The extended logs of a connection from Postfix/TLS look like this: ... May 4 15:51:15 ws01 postfix/smtp[22785]: Peer cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED] May 4 15:51:15 ws01 postfix/smtp[22785]: verify return:1 May 4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=1 /C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED] May 4 15:51:16 ws01 postfix/smtp[22785]: verify return:1 May 4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=0 /C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet Cottbus/OU=Allgemeine Elektrotechnik und Numerische [EMAIL PROTECTED] May 4 15:51:16 ws01 postfix/smtp[22785]: verify return:1 ... Therefore you have to make the last check, when level 0 is reached (and preverify_ok = 1). Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
3DES implementation in openssl
Hi I have got a doubt regarding the 3DES-CBC implementation in openssl. Is it implementing OUTER CBC or INNER CBC mode. Thanks and Regards Ivan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Embedded SSL and randomness
At 04:10 PM 5/4/01 +0300, Andreas Bäck wrote: The core question is what [it] takes to port it to an embeded system. FWIW: my number one worry about porting SSL to an embedded system is where I get my entropy. Because my company sells embedded OS's to end developers, I need a general solution if possible. So where does the randomness come from on startup? No users, no mouse or keyboard input, no unpredictable thread activity... I can get a little randomness from clock skew, if I'm willing to wait forever to gather it. I can get some more from arrival of network packets -- except that by the time network packets start arriving I'd better already be seeded. That leaves two possibilities, external sources (including unused sound cards) and the Intel 81x chipset. Both of these have the drawback that no one solution is always available. Finally, I can start the system out insecure, have it train up to sufficient entropy, and then store the entropy for future use. The above is all I've been able to find on the Internet. Have I missed anything? ** This email, and any files transmitted with it, are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please advise [EMAIL PROTECTED] ** __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Embedded SSL and randomness
Lee, unpredictable random numbers required for ssl client to set pre-master secret, client key exchange message, rsa mode. One can run a reverse solution with SSL client on a web server. Unfortunately this breaks HTTPS. However, you still have a secure solution and a CA in business :) would this fit your environment? gather initial entropy step? please be cautious and think twice before actually going this route. -vf On Fri, 4 May 2001, Lee Webber wrote: At 04:10 PM 5/4/01 +0300, Andreas Bäck wrote: The core question is what [it] takes to port it to an embeded system. FWIW: my number one worry about porting SSL to an embedded system is where I get my entropy. Because my company sells embedded OS's to end developers, I need a general solution if possible. So where does the randomness come from on startup? No users, no mouse or keyboard input, no unpredictable thread activity... I can get a little randomness from clock skew, if I'm willing to wait forever to gather it. I can get some more from arrival of network packets -- except that by the time network packets start arriving I'd better already be seeded. That leaves two possibilities, external sources (including unused sound cards) and the Intel 81x chipset. Both of these have the drawback that no one solution is always available. Finally, I can start the system out insecure, have it train up to sufficient entropy, and then store the entropy for future use. The above is all I've been able to find on the Internet. Have I missed anything? ** This email, and any files transmitted with it, are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please advise [EMAIL PROTECTED] ** __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: test vectors
On Fri, 4 May 2001, Frédéric Viollet wrote: Hello, Could someone tell me where I could find some test vectors for a DES in CBC mode? You could have looked for DES test vectors in a good web search engine, such as Google. The second result gives you the URL: http://csrc/nist.gov/cryptval/#46-2 The last one on the first page is also interesting: http://grifter.hektik.org/Crypto/DESCRYPT.TXT It was posted 11 years ago. -- Erwann ABALEA [EMAIL PROTECTED] RSA PGP Key ID: 0x2D0EABD5 - Time never started at all. Chaos never died. The Empire was never founded. We are not now never have been slaves to the past or hostages to the future. -Hakim Bey, /T.A.Z./ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Embedded SSL and randomness
It is critical to get the initial seed with as much entropy as possible and because you are the OS vendor I don't believe you can do it yourself. I think it's up to the end users to provide the seed. In the case of small embedded systems, it's a design issue, to provide the required level of security it may be necessary for the manufacturer to provide an initial random number in NV storage to each device. If the manufacture wants to provide rng h/w, all the better for a seed. -another lee -Original Message- From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]] Sent: Friday, May 04, 2001 10:55 AM To: [EMAIL PROTECTED] Subject: Re: Embedded SSL and randomness Lee, unpredictable random numbers required for ssl client to set pre-master secret, client key exchange message, rsa mode. One can run a reverse solution with SSL client on a web server. Unfortunately this breaks HTTPS. However, you still have a secure solution and a CA in business :) would this fit your environment? gather initial entropy step? please be cautious and think twice before actually going this route. -vf On Fri, 4 May 2001, Lee Webber wrote: At 04:10 PM 5/4/01 +0300, Andreas Bäck wrote: The core question is what [it] takes to port it to an embeded system. FWIW: my number one worry about porting SSL to an embedded system is where I get my entropy. Because my company sells embedded OS's to end developers, I need a general solution if possible. So where does the randomness come from on startup? No users, no mouse or keyboard input, no unpredictable thread activity... I can get a little randomness from clock skew, if I'm willing to wait forever to gather it. I can get some more from arrival of network packets -- except that by the time network packets start arriving I'd better already be seeded. That leaves two possibilities, external sources (including unused sound cards) and the Intel 81x chipset. Both of these have the drawback that no one solution is always available. Finally, I can start the system out insecure, have it train up to sufficient entropy, and then store the entropy for future use. The above is all I've been able to find on the Internet. Have I missed anything? ** This email, and any files transmitted with it, are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please advise [EMAIL PROTECTED] ** __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: test vectors
- Original Message - From: Erwann ABALEA [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 04, 2001 5:10 PM Subject: Re: test vectors Could someone tell me where I could find some test vectors for a DES in CBC mode? The last one on the first page is also interesting: http://grifter.hektik.org/Crypto/DESCRYPT.TXT It was posted 11 years ago. They don't talk about any initial vector. Does this mean that the IV is set to 00h ? Thanks [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Embedded SSL and randomness
On Fri, 4 May 2001, Dilkie, Lee wrote: It is critical to get the initial seed with as much entropy as possible yes, it's traditional way to keep openssl' PRNG happy. However, a random inside server hello is sent in clear and it may be appropriate to use low-quality clock-based source here. One can outsource SSL client role out of embedded system to let the other party generate premaster secret. -vf __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How I can create a Cert STORE
Antonio Ruiz Martínez wrote: Hello! Like I say in the subject How I can create a Cert Store? Thanks in advance, Regards, Antonio. Are you thinking about the Java Keystore (and certs... also)? -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How I can create a Cert STORE
Rabellino Sergio wrote: Antonio Ruiz Martínez wrote: Hello! Like I say in the subject How I can create a Cert Store? Thanks in advance, Regards, Antonio. Are you thinking about the Java Keystore (and certs... also)? No, I'm thinking about the X509_STORE_CTX of OpenSSL -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Antonio Ruiz Martínez Facultad de Informática-Universidad de Murcia 30001 Murcia - España (Spain) Telf: +34-968-364644 e-mail: [EMAIL PROTECTED] -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: newbie question : Verification callback (SSL_CTX_set_verify, SSL_set_verify)
Thanx for your reply. But about question 3. : which API returns Peer cert verify depth=2? Which function returns the depth or where can I find it? Once more TIA, Robin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lutz Jaenicke Sent: vrijdag 4 mei 2001 15:59 To: [EMAIL PROTECTED] Subject: Re: newbie question : Verification callback (SSL_CTX_set_verify, SSL_set_verify) On Fri, May 04, 2001 at 02:56:33PM +0200, Robin Gorris wrote: I have some questions on the verification callback function. By the way, I'm using the SSL_VERIFY_PEER mode. 1. Is it best practice to put all the certificate checks in this callback function? Yes, I would recommend doing so, as by the return value of the verification callback you can decide whether you want to continue the handshake or stop with a corresponding alert. 2. Is it so that the number of times this function is called is equal to the verification depth used? Yes and no. Yes: If no error is encountered, the callback is called once for each level with preverify_ok = 1, so that the callback has the last word for each level. No: If errors are encounterd, the verify callback is called for each error found. 3. If so, how do I get to know the verification depth at runtime? I'll be more specific on this : if I wanted to add an extra check only for the last certificate in the chain (that of the client), how would I do this? The check is performed starting with the root CA, which has the highest level count. The check is finished for the server (or client) certificate at level 0. My email server's certificate (serv01) was issued by our universities CA (BTU CA), which was issued by the german research network's root CA (DFN-PCA). The extended logs of a connection from Postfix/TLS look like this: ... May 4 15:51:15 ws01 postfix/smtp[22785]: Peer cert verify depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED] May 4 15:51:15 ws01 postfix/smtp[22785]: verify return:1 May 4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=1 /C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED] May 4 15:51:16 ws01 postfix/smtp[22785]: verify return:1 May 4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=0 /C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet Cottbus/OU=Allgemeine Elektrotechnik und Numerische [EMAIL PROTECTED] e May 4 15:51:16 ws01 postfix/smtp[22785]: verify return:1 ... Therefore you have to make the last check, when level 0 is reached (and preverify_ok = 1). Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How I can create a Cert STORE
Antonio Ruiz Martínez wrote: Rabellino Sergio wrote: Antonio Ruiz Martínez wrote: Hello! Like I say in the subject How I can create a Cert Store? Thanks in advance, Regards, Antonio. Are you thinking about the Java Keystore (and certs... also)? No, I'm thinking about the X509_STORE_CTX of OpenSSL I use the X509_STORE_CTX __only__ in the verify_callback function (merely copied from the apps dir of openssl...) Maybe others in the list are more skilled about it. -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
session manager
Hi, Iam a newbie to openssl, trying to implement a single threaded server and client. Does openssl come with a default session manager? if not is there any known implementation of session manager? My requirement is to re use the session id's up to a configurable time limit, ex: 10minutes. Thanks, Rob __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]