What is pempass in case of an encrypted private key??
Hi,

Is an encrypted private key in PEM format the same as a PKCS8 encrypted private key??

Thanks
Aslam

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Cipher suites
On Tue, Aug 14, 2001 at 02:09:09PM -0400, Aslam wrote:
> How can I set or add specific TLS cipher suite in SSL_CTX. Cause what I found is in get_client_hello() there is some default string for cipher suite and accordingly all the default cipher suites are added. Isn't there any API which takes a cipher string and correspondingly loads the cipher suite.

man SSL_CTX_set_cipher_list!?
man ciphers

Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
pem password ??
Hi..

What exactly is the use of pempass (PEM password string) when any private key is written on disk??

Thanks
Aslam
RE: Cipher suites
Hi..

> man SSL_CTX_set_cipher_list

but what should be the string format for the last parameter of above function call..

Thanks
Aslam

-----Original Message-----
From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 3:27 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Cipher suites

On Tue, Aug 14, 2001 at 02:09:09PM -0400, Aslam wrote:
> How can I set or add specific TLS cipher suite in SSL_CTX. Cause what I found is in get_client_hello() there is some default string for cipher suite and accordingly all the default cipher suites are added. Isn't there any API which takes a cipher string and correspondingly loads the cipher suite.

man SSL_CTX_set_cipher_list!?
man ciphers

Lutz
Re: Cipher suites
Aslam [EMAIL PROTECTED] writes:
> Hi..
> man SSL_CTX_set_cipher_list

Yeah, read the man page. Check out the documents on www.openssl.org

> but what should be the string format for the last parameter of above function call..

This is described in the ciphers man page.

-Ekr
Re: pem password ??
Aslam [EMAIL PROTECTED] writes:
> What exactly is the use of pempass (PEM password string) when any private key is written on disk??

That's the point. Since it's written on disk any idiot who can read the disk can read the private key file. You encrypt it with the password so that it's useless to such an attacker.

There's quite a bit more information about this in Chapter 5 of SSL and TLS.

-Ekr

[Eric Rescorla [EMAIL PROTECTED]]
Author of SSL and TLS: Designing and Building Secure Systems
http://www.rtfm.com/
RE: pem password ??
Are PEM password encrypted private keys different from the PKCS8 password encrypted private keys???

-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 3:55 PM
To: [EMAIL PROTECTED]
Subject: Re: pem password ??

Aslam [EMAIL PROTECTED] writes:
> What exactly is the use of pempass (PEM password string) when any private key is written on disk??

That's the point. Since it's written on disk any idiot who can read the disk can read the private key file. You encrypt it with the password so that it's useless to such an attacker.

There's quite a bit more information about this in Chapter 5 of SSL and TLS.

-Ekr
installing openssh
i'm trying to install openssh and it says i need openssl and zlib. i'm unsure on how i'm supposed to install these packages. can someone show me some documentation on how i can do this.

thanks
RE: Using DSA to sign a PKCS7 message
Steve:

Excuse me to be so meticulous, but you mean demos/sign.c, right? I couldn't find a sign.c in crypto. Anyway, it is a good notice, as I wanted to use the demos/sign.c for building a tool to sign and verify files.

Thks,
Mauricio Salinas

-----Original Message-----
From: Dr S N Henson [SMTP:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 12:46
To: [EMAIL PROTECTED]
Subject: Re: Using DSA to sign a PKCS7 message

Frank Geck wrote:
> I have been looking at the crypto/sign.c. I see how you can specify the hash to use but not the signature algorithm. How do you do that or what one does it use, does any one know?

Don't rely on crypto/sign.c it's obsolete. If you use the S/MIME API (example in apps/smime.c) it's all automatic when a DSA key is specified.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: pem password ??
Aslam [EMAIL PROTECTED] writes:
> Are PEM password encrypted private keys different from the PKCS8 password encrypted private keys???

Yes, it's a slightly different key derivation function and different formatting.

-Ekr
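The formatting difference mentioned in the reply above can be seen in the key file itself. The following C function is an added example (not code from the thread or from OpenSSL) that tells the two formats apart from the armor line and headers. It assumes general knowledge of the formats rather than anything stated in the post: traditional PEM encryption carries `Proc-Type` and `DEK-Info` text headers, while PKCS#8 uses the `ENCRYPTED PRIVATE KEY` armor and keeps its parameters inside the DER body; `classify_pem_key` and the sample strings are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>
#define STARTS_WITH(s, lit) (strncmp((s), (lit), sizeof(lit) - 1) == 0)

enum key_format { KEY_UNKNOWN, KEY_TRADITIONAL_PLAIN, KEY_TRADITIONAL_ENC,
                  KEY_PKCS8_PLAIN, KEY_PKCS8_ENC };

/* Constructed samples: armor and headers are realistic, "AAAA" is a placeholder body. */
static const char SAMPLE_TRADITIONAL_ENC[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_PKCS8_ENC[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n";

/* Classify a PEM private key by its armor line and text headers (LF line endings
 * assumed). For KEY_TRADITIONAL_ENC the DEK-Info cipher name is copied to cipher. */
enum key_format classify_pem_key(const char *pem, char *cipher, size_t cap)
{
    if (cap) cipher[0] = '\0';
    const char *begin = strstr(pem, "-----BEGIN ");
    if (!begin) return KEY_UNKNOWN;
    begin += sizeof("-----BEGIN ") - 1;
    /* PKCS#8: the armor names the format; cipher and KDF parameters are in the DER body. */
    if (STARTS_WITH(begin, "ENCRYPTED PRIVATE KEY-----")) return KEY_PKCS8_ENC;
    if (STARTS_WITH(begin, "PRIVATE KEY-----")) return KEY_PKCS8_PLAIN;
    /* Traditional: "<ALG> PRIVATE KEY-----" must close the BEGIN line. */
    const char *eol = strchr(begin, '\n');
    const char *tag = strstr(begin, " PRIVATE KEY-----");
    if (!eol || !tag || tag + sizeof(" PRIVATE KEY-----") - 1 != eol) return KEY_UNKNOWN;
    if (!STARTS_WITH(eol + 1, "Proc-Type: 4,ENCRYPTED\n")) return KEY_TRADITIONAL_PLAIN;
    /* Encryption parameters are plain-text headers that end at the first blank line. */
    const char *dek = strstr(eol, "\nDEK-Info: ");
    const char *blank = strstr(eol, "\n\n");
    if (!dek || !blank || dek > blank) return KEY_UNKNOWN;
    dek += sizeof("\nDEK-Info: ") - 1;
    size_t n = strcspn(dek, ",\n");
    if (dek[n] != ',' || n >= cap) return KEY_UNKNOWN;  /* malformed or buffer too small */
    memcpy(cipher, dek, n);
    cipher[n] = '\0';
    return KEY_TRADITIONAL_ENC;
}

int main(void)
{
    char c1[32], c2[32];
    printf("traditional=%d cipher=%s pkcs8=%d\n",
           (int)classify_pem_key(SAMPLE_TRADITIONAL_ENC, c1, sizeof c1), c1,
           (int)classify_pem_key(SAMPLE_PKCS8_ENC, c2, sizeof c2));
    return 0;
}
```

A key reported as `KEY_TRADITIONAL_ENC` exposes its cipher choice in clear text, whereas for `KEY_PKCS8_ENC` the equivalent information has to be read from the decoded ASN.1 structure.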
Re: Using DSA to sign a PKCS7 message
Sorry, I meant crypto/pkcs7/sign.c

Mauricio Salinas wrote:
> Steve:
> Excuse me to be so meticulous, but you mean demos/sign.c, right? I couldn't find a sign.c in crypto. Anyway, it is a good notice, as I wanted to use the demos/sign.c for building a tool to sign and verify files.
> Thks,
> Mauricio Salinas
>
> -----Original Message-----
> From: Dr S N Henson [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, August 13, 2001 12:46
> To: [EMAIL PROTECTED]
> Subject: Re: Using DSA to sign a PKCS7 message
>
> Frank Geck wrote:
> > I have been looking at the crypto/sign.c. I see how you can specify the hash to use but not the signature algorithm. How do you do that or what one does it use, does any one know?
>
> Don't rely on crypto/sign.c it's obsolete. If you use the S/MIME API (example in apps/smime.c) it's all automatic when a DSA key is specified.
>
> Steve.
ssl read time out
Hi,

I am currently using openssl 0.9.6 with my web server. My web server is kind of proprietary one. There is a problem I have with this server. When a https request comes in, the server spawns a thread to handle the request. At the end, client sends a FIN or RST packet to close the connection. If that packet gets lost, then the thread keeps hanging with open socket. So how can I setup the ssl connection to timeout on read after n seconds? Any advice appreciated.

Thanks in advance,
-Wei-Hsin
Creating / verifying certificates
Hi!

I would like to know how to create a 128bit server certificate or how to verify it is 128bit...

Thank you!

Uroš Gaber
PowerCom Gaber Globočnik d.n.o.
http://www.powercom-si.com
eMail: [EMAIL PROTECTED]
GSM: 040/848-001 Fax: 040/848-026
Tel: 01/724-84-26 Fax: 01/724-84-27
SSL_get_app_data/SSL_set_app_data
hai,

i am looking out for information on SSL_get_app_data and SSL_set_app_data. i could not find any documentation on the openssl website (http://www.openssl.org/docs/ssl/ssl.html). i had gone through the code of ssl.h to see how the functions are handled. they look pretty simple, but i am facing the following problem.

i am storing some data in the ssl structure using
ssl_set_app_data(ssl,data_structure);
and retrieving using
stored_data = (data_structure *) ssl_get_app_data(ssl);

it is giving me no compilation error. but is causing broken pipe error at run-time. can any one tell me what is the use of these functions??

Thanks in advance
ganesh
session caching
hai,

i am writing a minimal concurrent ssl server, i am planning to use external session caching for this. i am using the following hooks.

SSL_CTX_sess_set_remove_cb(ctx, cb)
void call_back(SSL_CTX,SSL_SESSION)

i am calling the callback functions before opening the connection. i am getting the following

* Warning: assignment from incompatible pointer type *

i looked for information in docs on openssl website, and also on ssleay.txt (comes with source though obsolete) but i could not find information. can anyone tell me if the arguments for the callback function are right or not. i want to test if the hook is called perfectly or not. can anyone tell me a way to delete the session information from openssl internal cache?

Thanks in advance
ganesh
Client certificate verify...
Hi all,

I'm using self-signed certificates and when my client connects to the SSL server, he gets the CA, but the result of the verify function is: That CA is not in the list of trusted CAs... How can I add or modify the list of trusted CAs?

Thx all
Carlo Medas
Re: Creating / verifying certificates
> I would like to know how to create a 128bit server certificate or how to verify it is 128bit...

You are confusing the session key (typically RC4) with the certificate (typically RSA 1024 bit). You can limit what crypto suites are used. See the ciphers manpage.

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
OpenSSL IO_ERROR
Hi,

I am noticing this strange behaviour of apache running on openssl and mod_ssl. Session establishment works just fine but when I start browsing I get error messages on my browser. IE5 says that data area passed to a system call is too small and Netscape Navigator says Security library has experienced an error. You will probably be unable to connect to this site securely.

When I look at ssl log file of apache, I get following entries:

[14/Aug/2001 19:39:45 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#041F61E8 [mem: 04294500]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#00812C38 [mem: 0424FED0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#041F61E8 [mem: 04294500]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#041F3828 [mem: 042734B0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [info] Connection to child 3 closed with standard shutdown (server IMRAN_PC:443, client 192.168.1.100)
[14/Aug/2001 19:39:48 01504] [info] Connection to child 7 closed with standard shutdown (server IMRAN_PC:443, client 192.168.1.100)
[14/Aug/2001 19:39:48 01504] [info] Connection to child 8 closed with standard shutdown (server IMRAN_PC:443, client 192.168.1.100)

Can anyone please help?

Thanks,
Imran.
Function Definition?
Hi,

Where does the actual function definition for SHA exist in openssl lib? I found only function declaration. I could not find function definition for SHAInit(), SHAUpdate(), SHAFinal() in openssl lib. Do we have to implement them? Can anybody help me?

Thanks in advance.
Prasanna
PKCS7 verification between CryptoAPI OpenSSL
Hi,

I've encountered the following problem: I generate PKCS#7 detached signed data using CryptSignMessage() in CryptoAPI and try to verify it using OpenSSL but I get an OpenSSL Error: {error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest}.

I tried using PKCS7_dataVerify() and PKCS7_signatureVerify() invoked for each signer certificate in the PKCS#7 object. PKCS7_DataVerify() finds the certificate status valid before invoking PKCS7_signatureVerify() and failing as stated above...

CryptoAPI manages to verify its own PKCS#7 data however, is this due to the byte ordering of signatures which some other people have been referring to over the past or did I miss something fundamental?

Thanks for any help