Re: public and private keys

2002-03-15 Thread Kevin J. Schmidt

That's more or less what I thought, but I wanted to make sure that there
wasn't a better/easier/whatever way of doing it before I have a working
CA implementation.

Thanks!

-Kevin

On Fri, 2002-03-15 at 12:31, Eric Rescorla wrote:
> "Kevin J. Schmidt" <[EMAIL PROTECTED]> writes:
> > On this list, I've seen how to create private and public keys
> > using the openssl command. I'm new to all of this, so I apologize if my
> > question doesn't make sense. Let's say I have a bunch of clients that
> > will be connecting to a server using SSL (OpenSSL). I want to generate a
> > private key on the server, then create a public key from the private.
> > This public key will be copied to the clients. When the clients connect
> > to the server, via SSL, they will presumably use this public key during
> > the handshake. Is this how this is normally handled?
> Kevin,
> 
> SSL really doesn't know how to work with raw private keys.
> Your best bet is to use self-signed certificates, which
> have the same security properties but fit the SSL operations
> model better.
> 
> -Ekr
> 
> -- 
> [Eric Rescorla   [EMAIL PROTECTED]]
> http://www.rtfm.com/


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: public and private keys

2002-03-15 Thread Eric Rescorla

"Kevin J. Schmidt" <[EMAIL PROTECTED]> writes:
> On this list, I've seen how to create private and public keys
> using the openssl command. I'm new to all of this, so I apologize if my
> question doesn't make sense. Let's say I have a bunch of clients that
> will be connecting to a server using SSL (OpenSSL). I want to generate a
> private key on the server, then create a public key from the private.
> This public key will be copied to the clients. When the clients connect
> to the server, via SSL, they will presumably use this public key during
> the handshake. Is this how this is normally handled?
Kevin,

SSL really doesn't know how to work with raw private keys.
Your best bet is to use self-signed certificates, which
have the same security properties but fit the SSL operations
model better.

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/



Commercial support for OpenSSL

2002-03-15 Thread Kevin J. Schmidt

Are there any companies out there that provide commercial support for
OpenSSL?

Thanks,

-Kevin







Re: Self-signed certs

2002-03-15 Thread Aditya Roy



Yeah, IE will complain. And how would people know you are who you say you are?

thanks !

Aditya Roy

  - Original Message -
  From: Darren Smith
  To: [EMAIL PROTECTED]
  Sent: Friday, March 15, 2002 06:44 PM
  Subject: Self-signed certs

  Hello All,
    Are there any inherent dangers in using self-signed certificates over
  those available from Thawte, VeriSign, etc?

  Thanks.


public and private keys

2002-03-15 Thread Kevin J. Schmidt

Hi,

On this list, I've seen how to create private and public keys
using the openssl command. I'm new to all of this, so I apologize if my
question doesn't make sense. Let's say I have a bunch of clients that
will be connecting to a server using SSL (OpenSSL). I want to generate a
private key on the server, then create a public key from the private.
This public key will be copied to the clients. When the clients connect
to the server, via SSL, they will presumably use this public key during
the handshake. Is this how this is normally handled?

Are there any HOW-TOs on how to use OpenSSL to load the public and
private keys, do the handshake, and so on? I have a good book that has
OpenSSL code in it, but the examples all use CAs, which I assume is
different from generating and using public/private keys.

Any help would be greatly appreciated.

Thanks,
-Kevin



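What Eric Rescorla's advice above (and the HOW-TO Kevin asked for) looks like with the openssl command line, as an added example that is not part of the thread: the server gets a self-signed certificate and each client is provisioned with exactly that certificate as its only trust anchor. The working directory, the file names and the name example.internal are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): Eric Rescorla's suggestion in
# practice. Instead of copying a raw public key to each client, the server
# gets a self-signed certificate and every client is provisioned with that one
# certificate as its only trust anchor. Paths and the CN are made up here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Server side: a private key and a self-signed certificate for it, in one step.
# The SAN is what modern clients match the host name against.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example.internal" \
        -addext "subjectAltName=DNS:example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Client side: the copied server.crt is the whole trust store (the system
# store is deliberately not consulted), so only that exact certificate, or
# something it signed, is accepted. Returns 0 when $1 verifies.
client_verifies() {
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/server.crt" "$1" \
        >/dev/null 2>&1
}

# The "how would people know you are who you say you are" worry from the
# Self-signed certs thread: a different self-signed certificate carrying the
# same name must fail, because it is not the one the client was given.
make_unrelated_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example.internal" \
        -addext "subjectAltName=DNS:example.internal" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# Returns 0 when pinning behaves as intended: own cert accepted, other rejected.
check_pinning() {
    make_server_cert
    make_unrelated_cert
    client_verifies "$WORK/server.crt" || return 1
    if client_verifies "$WORK/other.crt"; then return 1; fi
    return 0
}
```

On the wire the client-side check is the same trust store handed to the handshake, e.g. `openssl s_client -connect host:port -CAfile server.crt -verify_return_error`, while the server loads server.key and server.crt as any certificate-based server would.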



LOAD_DATA define

2002-03-15 Thread jeff roberts



Can someone tell me what the E0 and E1 values of the LOAD_DATA #define are?


Self-signed certs

2002-03-15 Thread Darren Smith



Hello All,
  Are there any inherent dangers in using self-signed certificates over
those available from Thawte, VeriSign, etc?

Thanks.


Re: Net::SSLeay .. https-proxy-sniff.pl .. How can I snoop an MSIE browser session.

2002-03-15 Thread POP account for superquote.co.uk

thanks, looks like it might help.

- Original Message -
From: GOLDING,CHARLTON (Non-HP-Corvallis,ex1) <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 15, 2002 12:45 AM
Subject: RE: Net::SSLeay .. https-proxy-sniff.pl .. How can I snoop an MSIE browser session.


> WinPcap came in handy for me at one stage, you might find some tools here:
>
>
> http://security.oreilly.com/news/securingnt2_1200.html
>
>
> Chet
>
> -Original Message-
> From: Martin Witzel [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 13, 2002 2:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Net::SSLeay .. https-proxy-sniff.pl .. How can I snoop an MSIE browser session.
>
>
> Check out ettercap ( ettercap.sourceforge.net  )
> No personal experience, though.
>
> Regards, Martin
>



Information sought on Error Nos.

2002-03-15 Thread Surendra Babu Ande

Hi,

While creating the self-signed certificate I got the following error:
0x2006E079. And the test failed. Could you please guide me on how to look at
these error messages? And how to proceed further?

For the certificate request, I got the following error: 0x2206506f.

Please clarify the same. Thanks a ton,
-Surendra


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bodo Moeller
Sent: Friday, March 15, 2002 3:59 PM
To: John Hughes
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: SSL_pending() and SSL_ERROR_WANT_READ


On Thu, Mar 14, 2002 at 01:00:46PM -0800, John Hughes wrote:

> Since s->rstate is set to SSL_ST_READ_HEADER prior to record
> decryption and decompression, wouldn't SSL_pending() still
> incorrectly indicate that there is data ready to be read in cases
> where either of these fail?

I guess so, but applications should not continue to use the SSL object
after such fatal errors.  I'm not sure what happens if you use
SSL_read() in this case -- wouldn't it return some (garbage) data
anyway even though decryption or decompression has failed?

Probably ssl3_get_record() should reset the record after such errors
to make the library more robust.  I think there may be more cases
where the library behaves strangely if an application uses an SSL
object after a failure for this object.


--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
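Surendra's two numbers can be split into their fields without knowing the exact build that produced them, which is the first step in reading such a code; this is an added example, not from the thread. It assumes the ERR_PACK layout of OpenSSL 0.9.x through 1.1.x (8-bit library, 12-bit function, 12-bit reason) and a short library-number table from err.h; the function and reason names themselves come from the installed build via `openssl errstr`.

```shell
#!/bin/sh
# Added example, not from the thread: split an OpenSSL error number such as
# 0x2006E079 into its library / function / reason fields. This is the packing
# used by ERR_PACK in OpenSSL 0.9.x through 1.1.x. OpenSSL 3.x moved the
# library field to bit 23 and dropped the function field, so for a 3.x error
# rely on `openssl errstr` instead of this arithmetic.

# Library numbers from err.h that are stable across those versions.
lib_name() {
    case "$1" in
        2)  echo SYS ;;    4)  echo RSA ;;   6)  echo EVP ;;
        9)  echo PEM ;;    11) echo X509 ;;  13) echo ASN1 ;;
        20) echo SSL ;;    32) echo BIO ;;   34) echo X509V3 ;;
        36) echo RAND ;;   *)  echo "lib$1" ;;
    esac
}

# Print "lib=<n> (<name>) func=<n> reason=<n>" for a hex code given as 0x....
decode_err() {
    code=$(( $1 ))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    echo "lib=$lib ($(lib_name "$lib")) func=$func reason=$reason"
}

# The authoritative text for the function and reason fields comes from the
# build that produced the error, e.g.:  openssl errstr 2006E079
decode_err 0x2006E079   # -> lib=32 (BIO) func=110 reason=121
decode_err 0x2206506f   # -> lib=34 (X509V3) func=101 reason=111
```

The two codes in the mail point at the BIO and X509V3 libraries respectively, which already narrows a failing self-signed certificate run to file handling and extension processing before the exact reason string is looked up.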



Re: SSL_pending() and SSL_ERROR_WANT_READ

2002-03-15 Thread Bodo Moeller

On Thu, Mar 14, 2002 at 01:00:46PM -0800, John Hughes wrote:

> Since s->rstate is set to SSL_ST_READ_HEADER prior to record
> decryption and decompression, wouldn't SSL_pending() still
> incorrectly indicate that there is data ready to be read in cases
> where either of these fail?

I guess so, but applications should not continue to use the SSL object
after such fatal errors.  I'm not sure what happens if you use
SSL_read() in this case -- wouldn't it return some (garbage) data
anyway even though decryption or decompression has failed?

Probably ssl3_get_record() should reset the record after such errors
to make the library more robust.  I think there may be more cases
where the library behaves strangely if an application uses an SSL
object after a failure for this object.


-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036