RE: RSA key sizes

2005-08-17 Thread Steven Reddie
I believe it's a matter of efficiency.  There are optimisations that can be
performed on the math of integers of length power-of-2.  It's possible that
there are implementations out there that won't work with non-standard sizes.

I have seen 4096 bit keys in the wild.  In fact, the Microsoft Root
Certificate Authority key in the Microsoft Certificate Store is 4096 bits in
length.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Wednesday, 17 August 2005 4:45 PM
To: openssl-users@openssl.org
Subject: Re: RSA key sizes

On Wed, Aug 17, 2005 at 02:21:30PM +0800, Tan Eng Ten wrote:

>   This is a general crypto question and I hope someone could help me 
>   out.
> 
>   Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are 
>   other sizes such as 520/1045 bit "valid"? Mathematically, it should 
> work, but are there reasons why odd sizes are not to be used?

Well RSA 512 is not (or should not be) used. As for the others, 768 is in
fact used, then 1024 and 2048, I've not seen 4096 in real applications, one
is likely better off with a different algorithm at that point.

Non-standard sizes add no value, each incremental "standard" key size
supports a particular expected security range. Stick to the standard sizes.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]



What size is this key?

2005-08-17 Thread Tan Eng Ten
A local certification authority has issued a cert and the public is as 
below (parsed with openssl) :


-
Modulus (1023 bit):
5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
f7:16:79:a8:35:3d:f2:ad
Exponent: 3 (0x3)
-

The key pair was generated by the CA (smart-card based) and it was 
supposed to be a 1024-bit RSA key. I retrieved the certificate from the 
smart card and parsed it with openssl.


I am just wondering why did openssl report it as 1023-bit?


RE: What size is this key?

2005-08-17 Thread Steven Reddie
It probably is 1023 bit, but you can think of that as being 1024 bit with
the top bit zero.  Since the modulus is effectively random (the product of
two randomly chosen large primes) then it makes sense that some of the
generated moduli will not completely fill the 1024 bits, just as choosing a
number randomly between 0 and 100 won't always have the top decimal place
filled.  If the top bit was always set it would reduce the search space when
attacking the key, thereby weakening it.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
Sent: Wednesday, 17 August 2005 5:17 PM
To: openssl-users@openssl.org
Subject: What size is this key?

A local certification authority has issued a cert and the public is as below
(parsed with openssl) :

-
Modulus (1023 bit):
 5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
 6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
 fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
 b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
 38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
 d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
 90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
 be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
 f7:16:79:a8:35:3d:f2:ad
Exponent: 3 (0x3)
-

The key pair was generated by the CA (smart-card based) and it was supposed
to be a 1024-bit RSA key. I retrieved the certificate from the smart card
and parsed it with openssl.

I am just wondering why did openssl report it as 1023-bit?


AW: RSA key sizes

2005-08-17 Thread thomas . beckmann
The main reason why we take 512, 768, 1024, 2048, 4096,... bit is, that
these numbers are multiples of 8 and thus can be fractioned into bytes
(1024 bit = 128 byte).
With the increase of calculation power the key size was increased, in the
end by doubling the number of bits.

To answer our second question: A real 1024-bit-key must have at least 1017
bit, so it consists of 128 byte (= 1024 bit) with 7 leading zeros.

Regards

Thomas Beckmann

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
> Sent: Wednesday, 17 August 2005 08:22
> To: openssl-users@openssl.org
> Subject: RSA key sizes
> 
> 
> Hi all,
> 
>   This is a general crypto question and I hope someone 
> could help me out.
> 
>   Often we use RSA of 512, 1024, 2048, 4096, etc. bit 
> lengths. Are other 
> sizes such as 520/1045 bit "valid"? Mathematically, it should 
> work, but 
> are there reasons why odd sizes are not to be used?


RE: What size is this key?

2005-08-17 Thread David Schwartz

> A local certification authority has issued a cert and the public is as
> below (parsed with openssl) :
>
> -
> Modulus (1023 bit):
>  5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
>  6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
>  fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
>  b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
>  38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
>  d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
>  90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
>  be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
>  f7:16:79:a8:35:3d:f2:ad
> Exponent: 3 (0x3)
> -
>
> The key pair was generated by the CA (smart-card based) and it was
> supposed to be a 1024-bit RSA key. I retrieved the certificate from the
> smart card and parsed it with openssl.
>
> I am just wondering why did openssl report it as 1023-bit?

Suppose I ask you to pick a random number between 1 and 1000. You tell me.
I then ask someone "do you think he picked a random number between 1 and
1000 or between 1 and 500?". Half the time, the other person will say
"probably between 1 and 500". So half of the 1,024 bit random numbers fit in
1,023 bits.

DS




Re: AW: RSA key sizes

2005-08-17 Thread Tan Eng Ten
Cool.. but the key below has 128 bytes in total, but reported as being 
1023-bit


-
Modulus (1023 bit):
 5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
 6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
 fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
 b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
 38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
 d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
 90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
 be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
 f7:16:79:a8:35:3d:f2:ad
Exponent: 3 (0x3)
-

I notice that for 1024-bit RSA key generated by openssl, the modulus has 
129 bytes but having the first byte = 0. Why is this?, for example:


-
Modulus (1024 bit):
00:d8:6e:77:67:5e:29:bb:4e:83:52:fe:fa:fc:58:
04:d8:07:3e:43:11:92:10:45:dc:f2:f7:7a:77:49:
91:cf:cc:0d:5e:ec:d9:44:15:2d:61:19:cd:9d:79:
9e:27:80:61:6c:a3:db:34:21:cf:87:60:7a:e4:d9:
a5:02:59:57:fb:4e:8c:e4:32:fb:5e:cb:1a:99:7b:
76:b2:79:ae:2f:1f:62:1d:f6:fc:9e:32:e5:bd:46:
8f:c7:05:63:aa:10:2c:be:60:46:4a:44:c5:63:94:
b1:ab:d5:c5:33:cd:d7:69:f0:2b:36:54:dd:82:92:
66:6c:0d:50:81:a1:23:79:67
Exponent: 65537 (0x10001)
-


[EMAIL PROTECTED] wrote:

> The main reason why we take 512, 768, 1024, 2048, 4096,... bit is, that
> these numbers are multiples of 8 and thus can be fractioned into bytes
> (1024 bit = 128 byte).
> With the increase of calculation power the key size was increased, in the
> end by doubling the number of bits.
>
> To answer our second question: A real 1024-bit-key must have at least 1017
> bit, so it consists of 128 byte (= 1024 bit) with 7 leading zeros.
>
> Regards
>
> Thomas Beckmann
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
>> Sent: Wednesday, 17 August 2005 08:22
>> To: openssl-users@openssl.org
>> Subject: RSA key sizes
>>
>> Hi all,
>>
>> This is a general crypto question and I hope someone could help me out.
>>
>> Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are other
>> sizes such as 520/1045 bit "valid"? Mathematically, it should work, but
>> are there reasons why odd sizes are not to be used?



RE: AW: RSA key sizes

2005-08-17 Thread David Schwartz

> Cool.. but the key below has 128 bytes in total, but reported as being
> 1023-bit
>
> -
> Modulus (1023 bit):
>   5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
>   6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
>   fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
>   b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
>   38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
>   d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
>   90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
>   be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
>   f7:16:79:a8:35:3d:f2:ad
> Exponent: 3 (0x3)
> -

Half of the 128-byte numbers can be expressed in 1,023 bits. This one can,
since its high nibble is '5' or '0100'. The leading zero can be omitted,
resulting in 1,023 bits.

> I notice that for 1024-bit RSA key generated by openssl, the modulus has
> 129 bytes but having the first byte = 0. Why is this?, for example:
>
> -
> Modulus (1024 bit):
>  00:d8:6e:77:67:5e:29:bb:4e:83:52:fe:fa:fc:58:
>  04:d8:07:3e:43:11:92:10:45:dc:f2:f7:7a:77:49:
>  91:cf:cc:0d:5e:ec:d9:44:15:2d:61:19:cd:9d:79:
>  9e:27:80:61:6c:a3:db:34:21:cf:87:60:7a:e4:d9:
>  a5:02:59:57:fb:4e:8c:e4:32:fb:5e:cb:1a:99:7b:
>  76:b2:79:ae:2f:1f:62:1d:f6:fc:9e:32:e5:bd:46:
>  8f:c7:05:63:aa:10:2c:be:60:46:4a:44:c5:63:94:
>  b1:ab:d5:c5:33:cd:d7:69:f0:2b:36:54:dd:82:92:
>  66:6c:0d:50:81:a1:23:79:67
> Exponent: 65537 (0x10001)
> -

Why is what? This number requires 1,024 bits to express it. The lead nibble
is 'd' in hex, which is '1101', so there's no leading zero in the nibble
that can be dropped.

DS




AW: AW: RSA key sizes

2005-08-17 Thread thomas . beckmann
see below

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
> Sent: Wednesday, 17 August 2005 11:28
> To: openssl-users@openssl.org
> Subject: Re: AW: RSA key sizes
> 
> 
> Cool.. but the key below has 128 bytes in total, but reported 
> as being 
> 1023-bit

Because it only consists of 1023 bit and a leading zero... which is not
counted.

> 
> -
> Modulus (1023 bit):
>   5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
>   6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
>   fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
>   b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
>   38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
>   d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
>   90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
>   be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
>   f7:16:79:a8:35:3d:f2:ad
> Exponent: 3 (0x3)
> -
> 
> I notice that for 1024-bit RSA key generated by openssl, the 
> modulus has 
> 129 bytes but having the first byte = 0. Why is this?, for example:

This is correct because in BER a leading "1" tells you, that this is a
negative integer. But while we are working with positive integer we have to
add at least one leading "0"... so we have to add one byte.

> 
> -
> Modulus (1024 bit):
>  00:d8:6e:77:67:5e:29:bb:4e:83:52:fe:fa:fc:58:
>  04:d8:07:3e:43:11:92:10:45:dc:f2:f7:7a:77:49:
>  91:cf:cc:0d:5e:ec:d9:44:15:2d:61:19:cd:9d:79:
>  9e:27:80:61:6c:a3:db:34:21:cf:87:60:7a:e4:d9:
>  a5:02:59:57:fb:4e:8c:e4:32:fb:5e:cb:1a:99:7b:
>  76:b2:79:ae:2f:1f:62:1d:f6:fc:9e:32:e5:bd:46:
>  8f:c7:05:63:aa:10:2c:be:60:46:4a:44:c5:63:94:
>  b1:ab:d5:c5:33:cd:d7:69:f0:2b:36:54:dd:82:92:
>  66:6c:0d:50:81:a1:23:79:67
> Exponent: 65537 (0x10001)
> -
> 
> 
> [EMAIL PROTECTED] wrote:
> > The main reason why we take 512, 768, 1024, 2048, 4096,... bit is, that
> > these numbers are multiples of 8 and thus can be fractioned into bytes
> > (1024 bit = 128 byte).
> > With the increase of calculation power the key size was increased, in the
> > end by doubling the number of bits.
> > 
> > To answer our second question: A real 1024-bit-key must have at least 1017
> > bit, so it consists of 128 byte (= 1024 bit) with 7 leading zeros.
> > 
> > Regards
> > 
> > Thomas Beckmann
> > 
> > 
> >>-Original Message-
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
> >>Sent: Wednesday, 17 August 2005 08:22
> >>To: openssl-users@openssl.org
> >>Subject: RSA key sizes
> >>
> >>
> >>Hi all,
> >>
> >>This is a general crypto question and I hope someone 
> >>could help me out.
> >>
> >>Often we use RSA of 512, 1024, 2048, 4096, etc. bit 
> >>lengths. Are other 
> >>sizes such as 520/1045 bit "valid"? Mathematically, it should 
> >>work, but 
> >>are there reasons why odd sizes are not to be used?
> >>
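
The bit counts and the extra 00 byte discussed in the replies above, worked through as an added example (it is not part of any poster's message): it parses the two `Modulus` dumps quoted in this thread, counts the significant bits, and builds the DER INTEGER content to show where the leading zero byte comes from. The function names are this example's own.

```python
# Added example: significant bits of an RSA modulus vs. its DER INTEGER bytes.
# The two dumps below are the "Modulus" blocks quoted earlier in this thread.

SMARTCARD_DUMP = """
    5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
    6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
    fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
    b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
    38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
    d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
    90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
    be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
    f7:16:79:a8:35:3d:f2:ad
"""

OPENSSL_DUMP = """
    00:d8:6e:77:67:5e:29:bb:4e:83:52:fe:fa:fc:58:
    04:d8:07:3e:43:11:92:10:45:dc:f2:f7:7a:77:49:
    91:cf:cc:0d:5e:ec:d9:44:15:2d:61:19:cd:9d:79:
    9e:27:80:61:6c:a3:db:34:21:cf:87:60:7a:e4:d9:
    a5:02:59:57:fb:4e:8c:e4:32:fb:5e:cb:1a:99:7b:
    76:b2:79:ae:2f:1f:62:1d:f6:fc:9e:32:e5:bd:46:
    8f:c7:05:63:aa:10:2c:be:60:46:4a:44:c5:63:94:
    b1:ab:d5:c5:33:cd:d7:69:f0:2b:36:54:dd:82:92:
    66:6c:0d:50:81:a1:23:79:67
"""


def parse_dump(text):
    """Turn openssl's colon-separated hex dump into the raw bytes it shows."""
    return bytes.fromhex("".join(text.split()).replace(":", ""))


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def integer_content(value):
    """Content octets of a non-negative DER INTEGER.

    The content is two's complement, so when the top bit of the magnitude
    is set a 0x00 byte is prepended to keep the value positive.
    """
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def der_integer(value):
    """Full DER encoding: tag 0x02, length, content."""
    body = integer_content(value)
    return b"\x02" + der_length(len(body)) + body


def describe(dump):
    """Summarise one modulus dump: printed bytes, bit count, DER content."""
    raw = parse_dump(dump)
    value = int.from_bytes(raw, "big")  # leading 00 bytes do not change the value
    content = integer_content(value)
    return {
        "printed_bytes": len(raw),
        "bits": value.bit_length(),
        "der_content_bytes": len(content),
        "sign_padding": len(content) > 1 and content[0] == 0,
        "der_header": der_integer(value)[:3].hex(),
    }


if __name__ == "__main__":
    for label, dump in (("smart card", SMARTCARD_DUMP), ("openssl", OPENSSL_DUMP)):
        print(label, describe(dump))
```

Both moduli occupy a 1024-bit field; only the second has its top bit set, which is what forces the extra sign byte in the encoding and the 129-byte printout.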


strange error when trying to sign CSR

2005-08-17 Thread Gerd Schering

Hi,

when trying to sign a CSR I get the following error:

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName:ASN.1 12:'xxx'
organizationName  :ASN.1 12:'xxx'
organizationalUnitName:ASN.1 12:'XXX'
countryName   :ASN.1 12:'DE'
stateOrProvinceName   :ASN.1 12:'Berlin'
localityName  :ASN.1 12:'Berlin'
The countryName field needed to be the same in the
CA certificate (DE) and the request (DE)

Well, the countryName field is definitely the same.
I'm using OpenSSL 0.9.8-dev XX xxx .
Is this a version issue?

Gerd

--
--
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
-- TU Berlin, Zentraleinrichtung Rechenzentrum  --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin  --
-- phone: +49 30 314 24383, fax: +49 30 314 21060   --
--




Re: strange error when trying to sign CSR

2005-08-17 Thread Arsen Hayrapetyan
Gerd Schering wrote:

> Hi,
>
> when trying to sign a CSR I get the following error:
>
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> commonName:ASN.1 12:'xxx'
> organizationName  :ASN.1 12:'xxx'
> organizationalUnitName:ASN.1 12:'XXX'
> countryName   :ASN.1 12:'DE'
> stateOrProvinceName   :ASN.1 12:'Berlin'
> localityName  :ASN.1 12:'Berlin'
> The countryName field needed to be the same in the
> CA certificate (DE) and the request (DE)
>
> Well, the countryName field is definitely the same.
> I'm using OpenSSL 0.9.8-dev XX xxx .
> Is this a version issue?
>
> Gerd
>
What is in your config file [policy_match] section?

-- 
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1  BF6F 95C4 2E77 BBE3 DFD8





Setup Help

2005-08-17 Thread Paull Dodemaide



Hi All,

I am having no end of trouble trying to get this OpenVpn to work. Here is
what I have done so far. I am all out of ideas.

I am trying to create a bridged connection (for gaming with a few mates). I
have setup the server side exactly as per instructions however it just does
not want to work.

I have created a bridge, between the Onboard Ethernet Card and the
Tap-bridge connection. Set its IP to 10.8.0.4/255.255.255.0. as per the
instructions.

I start up the server, and get my friends to connect, however they never get
an IP address from me.

What I don't understand is, in the setup you need to forward packets from
1194 to the IP of the server, however on my router that's set to
192.168.0.5, so how do the packets ever get to 10.8.0.4 ??

very very confused, hope someone can spare 5 minutes to give me a hand. I
sure would appreciate it.

thanks

Paull


AW: Setup Help

2005-08-17 Thread thomas . beckmann



Are you sure this is the right community to ask?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paull Dodemaide
  Sent: Wednesday, 17 August 2005 13:38
  To: openssl-users@openssl.org
  Subject: Setup Help
  Hi All,
   
  I am having no end of trouble trying to get this 
  OpenVpn to work. Here is what I have done so far. I am all out of 
  ideas.
   
  I am trying to create a bridged connection (for 
  gaming with a few mates). I have setup the server side exactly as per 
  instructions however it just does not want to work.
   
  I have created a bridge, between the Onboard 
  Ethernet Card and the Tap-bridge connection. Set its IP to 
  10.8.0.4/255.255.255.0. as per the instructions.
   
  I start up the server, and get my friends to 
  connect, however they never get an IP address from me.
   
  What I dont understand is, in the setup you need 
  to forward packets from 1194 to the IP of the server, however on my router 
  thats set to 192.168.0.5, so how do the packets ever get to 10.8.0.4 
  ??
   
  very very confused, hope someone can spare 5 
  minutes to give me a hand. I sure would appreciate it.
   
  thanks
   
  Paull


Re: Setup Help

2005-08-17 Thread Paull Dodemaide



sorry, I thought I had copied the openvpn email
address... please accept my apologies

  - Original Message -
  From: [EMAIL PROTECTED]
  To: openssl-users@openssl.org
  Sent: Wednesday, August 17, 2005 9:45 PM
  Subject: AW: Setup Help

  Are you sure this is the right community to ask?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paull Dodemaide
Sent: Wednesday, 17 August 2005 13:38
To: openssl-users@openssl.org
Subject: Setup Help
Hi All,
 
I am having no end of trouble trying to get 
this OpenVpn to work. Here is what I have done so far. I am all out of 
ideas.
 
I am trying to create a bridged connection (for 
gaming with a few mates). I have setup the server side exactly as per 
instructions however it just does not want to work.
 
I have created a bridge, between the Onboard 
Ethernet Card and the Tap-bridge connection. Set its IP to 
10.8.0.4/255.255.255.0. as per the instructions.
 
I start up the server, and get my friends to 
connect, however they never get an IP address from me.
 
What I dont understand is, in the setup you 
need to forward packets from 1194 to the IP of the server, however on my 
router thats set to 192.168.0.5, so how do the packets ever get to 10.8.0.4 
??
 
very very confused, hope someone can spare 5 
minutes to give me a hand. I sure would appreciate it.
 
thanks
 
Paull


Re: strange error when trying to sign CSR

2005-08-17 Thread Gerd Schering

Arsen Hayrapetyan wrote:


> What is in your config file [policy_match] section?


[ policy_match ]
countryName = supplied
stateOrProvinceName = optional
organizationName= supplied
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional


B.t.w. I tried to sign the CSR with a test-ca which uses openssl-0.9.7e.
It worked just fine, so it seems to be a version issue.
Unfortunately openssl-0.9.7e does not support multiple certs for the
same DN, which is a feature I need.


Gerd
--
--
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
--




[TSA] i2d TS_RESP problem

2005-08-17 Thread meat2

Hi,

I have already written an OCSP server, now I want to write TSA server. I thought I would reuse some code, but it is not so easy. I have problem with converting TS_RESP structure into DER format. In OCSP server I used the following function:

i2d_OCSP_RESPONSE_bio(_cbio, _resp);

where _cbio is BIO (socket) and _resp is OCSP_RESPONSE structure. So, I wanted to send my TS_RESP structure in the same way, but the function is not the same as for the OCSP structure.

i2d_TS_RESP_bio(_cbio, _resp);   // resp is TS_RESP structure

However, _resp structure seems to be filled correctly, function:

TS_RESP_print_bio(out, _resp);

gives the following output:

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 1.3.9
Hash Algorithm: sha1
Message data:
 - 09 17 ff 9e b0 53 47 44-39 5e 2e 7a c1 8f 64 c2   .SGD9^.z..d.
0010 - b9 8f 97 06   
Serial number: 0x14
Time stamp: Aug 17 13:39:43 2005 GMT
Accuracy: unspecified
Ordering: yes
Nonce: 0x08B6
TSA: unspecified
Extensions:

The function  i2d_TS_RESP(_resp, NULL)  always returns 7, no matter _resp structure has status Granted with TST info included or status Rejected without the TST info included.
I discovered that there is another function i2d_TS_TST_INFO_bio(out, tst_info) that converts only the TS_TST_INFO structure.
So now is my question (finally) - how can I store TS_RESP structure, containing TST info, that will be possible to read and show with:

openssl ts -reply -in response.re -text  

I suppose I have to write status info with i2d_TS_RESP_bio and after that TST info with  i2d_TS_TST_INFO_bio, but the file created causes segmentation fault when I am trying to open it with 'openssl ts'.
It only works, when I use i2d_TS_RESP_bio with Rejected status without TST info.

--
Jack



Re: strange error when trying to sign CSR

2005-08-17 Thread Dr. Stephen Henson
On Wed, Aug 17, 2005, Gerd Schering wrote:

> Hi,
> 
> when trying to sign a CSR I get the following error:
> 
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> commonName:ASN.1 12:'xxx'
> organizationName  :ASN.1 12:'xxx'
> organizationalUnitName:ASN.1 12:'XXX'
> countryName   :ASN.1 12:'DE'
> stateOrProvinceName   :ASN.1 12:'Berlin'
> localityName  :ASN.1 12:'Berlin'
> The countryName field needed to be the same in the
> CA certificate (DE) and the request (DE)
> 
> Well, the countryName field is definitely the same.
> I'm using OpenSSL 0.9.8-dev XX xxx .
> Is this a version issue?
> 

Are you using an old openssl.cnf format? The ASN.1 12 stuff is indicating a
UTF8String. If you use the new format (the name_opt, cert_opt options in
CA_default both set to ca_default) you should get this displayed correctly.

However back to the original query. The countryName in the two certificates is
a different character type, in one it is PrintableString the other UTF8String.
The 'ca' utility currently regards those as different.

However in countryName only PrintableString is allowed so if you have a
certificate request with UTF8String in there it is broken anyway. So that's
the main problem: an invalid certificate request.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
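
The mismatch described in the reply above, as an added example (not code from the poster or from OpenSSL): a small DER walker that reports which ASN.1 string type a Name uses for countryName, run over two constructed sample names that both read `DE`. The helper names and the sample names are assumptions of this example.

```python
# Added example: which ASN.1 string type does countryName use in a DER Name?
# Both sample names are constructed here; neither is the poster's real data.

OID_COUNTRY = bytes.fromhex("550406")      # 2.5.4.6 countryName
OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3 commonName
UTF8STRING, PRINTABLESTRING = 12, 19       # universal tag numbers
TAG_NAMES = {UTF8STRING: "UTF8String", PRINTABLESTRING: "PrintableString"}


def tlv(tag, content):
    """Build one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Parse the element at buf[pos]; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(content, expected_tag=None):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        if expected_tag is not None and tag != expected_tag:
            raise ValueError(f"expected tag {expected_tag:#x}, got {tag:#x}")
        out.append((tag, body))
    return out


def name_attributes(der_name):
    """List (oid, string_tag, value_bytes) for every attribute in a Name."""
    tag, rdns, end = read_tlv(der_name, 0)
    if tag != 0x30 or end != len(der_name):
        raise ValueError("Name must be exactly one SEQUENCE")
    attrs = []
    for _, rdn in children(rdns, 0x31):        # SET OF
        for _, atv in children(rdn, 0x30):     # SEQUENCE { type, value }
            parts = children(atv)
            if len(parts) != 2 or parts[0][0] != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            attrs.append((parts[0][1], parts[1][0], parts[1][1]))
    return attrs


def country(der_name):
    """Return (type_name, text) of the first countryName, or None."""
    for oid, tag, value in name_attributes(der_name):
        if oid == OID_COUNTRY:
            return TAG_NAMES.get(tag, f"tag {tag}"), value.decode("utf-8", "replace")
    return None


def compare_country(ca_name, req_name):
    """Compare countryName by text and by encoded type, and check the
    request against the PrintableString-only rule stated in the reply."""
    ca_type, ca_text = country(ca_name)
    req_type, req_text = country(req_name)
    return {
        "same_text": ca_text == req_text,
        "same_type": ca_type == req_type,
        "request_type_allowed": req_type == "PrintableString",
    }


def build_name(country_tag):
    """Constructed sample Name: C=DE in the given string type, CN=example."""
    def attr(oid, tag, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode("ascii"))))
    return tlv(0x30, attr(OID_COUNTRY, country_tag, "DE")
               + attr(OID_COMMON_NAME, UTF8STRING, "example"))


CA_NAME = build_name(PRINTABLESTRING)  # CA side, PrintableString
REQ_NAME = build_name(UTF8STRING)      # request side, shown as "ASN.1 12"

if __name__ == "__main__":
    print(country(CA_NAME), country(REQ_NAME))
    print(compare_country(CA_NAME, REQ_NAME))
```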


Re: RSA key sizes

2005-08-17 Thread Dr. Stephen Henson
On Wed, Aug 17, 2005, Tan Eng Ten wrote:

> Hi all,
> 
>   This is a general crypto question and I hope someone could help me 
>   out.
> 
>   Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are 
>   other sizes such as 520/1045 bit "valid"? Mathematically, it should 
> work, 
> but are there reasons why odd sizes are not to be used?

One reason is interoperability. Some software (notably MS stuff based on
CryptoAPI including MSIE) places restrictions on the key sizes and parameters.

For public keys the only restriction is that the public exponent (e) can't
exceed 32 bits.

For private keys the key size must also be a multiple of 64 bits and every
CRT parameter must be either the key size or half the key size, this means that
the two primes p and q must have the same size for example.

The main reason for this is that the internal format (PRIVATEKEYBLOB) has
problems representing parameters which don't fit these criteria.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: please help me on OCSP

2005-08-17 Thread Dr. Stephen Henson
On Tue, Aug 16, 2005, varma d wrote:

> 
> But, In this command what is the purpose of OCSPServer.pem, i still don't 
> understand the purpose of OCSPServer.pem as we need to just send our request 
> and expect a response from OCSP responder irrespective of OCSPServer.pem file.
> 

This is an issue of how you trust the response from the OCSP responder. There
are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In case #1 and #2 the trust can be determined automatically from the
certificate being validated.

In case #3 the relevant key needs to be determined by some other means.

So it's a case of how the responder is configured. In some cases the responder
is misconfigured and you have to use option #3.

> 2) I tested by giving latest user certificates other than
> openvalidation.org certificates, but i am
> getting this error
> 
> user.pem:WARNING: Status times invalid.
> 3220:error:2707307D:OCSP
> routines:OCSP_check_validity:status
> expired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
> This Update: Oct 24 06:00:11 2004 GMT
> Next Update: Oct 25 06:00:11 2004 GMT
> 

The responder is saying that its response is valid between those dates: so it
is sending out of date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: RSA key sizes

2005-08-17 Thread Uri
Please note that the importance of RSA is going to decline in favor of 
Elliptic Curve Crypto over GF(p). In particular, by 2010 ECC will be 
mandated. I suspect there are cryptographic reasons for it.



AW: RSA key sizes

2005-08-17 Thread thomas . beckmann
Who will mandate ECC by 2010???

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Uri
> Sent: Wednesday, 17 August 2005 14:54
> To: openssl-users@openssl.org
> Subject: Re: RSA key sizes
> 
> 
> Please note that the importance of RSA is going to decline in 
> favor of 
> Elliptic Curve Crypto over GF(p). In particular, by 2010 ECC will be 
> mandated. I suspect there are cryptographic reasons for it.


Documentation on Sendmail TLS

2005-08-17 Thread Stephen T Albright

Hello to all.

First let me apologize for this message if it is not
the correct list, but I need to start somewhere.

Now my question.
I have recently been tasked with recompiling Sendmail
on a Sunfire 120 to include TLS support.  I understand
I need OpenSSL, and I have found some sites with
information, but not enough to answer all of my
questions.  Does anyone know of a site, or recommend a
book about OpenSSL configuration for this.  Thanks to
all for your time.

Stephen Albright
Enterprise Information Solutions
MeadWestvaco
10 West Second Street
Dayton, OH 45463
Office:  937.495.1260
Cell:     937.344.9907
[EMAIL PROTECTED]






Re: strange error when trying to sign CSR

2005-08-17 Thread Gerd Schering

Dr. Stephen Henson wrote:



> However in countryName only PrintableString is allowed so if you have a
> certificate request with UTF8String in there it is broken anyway. So that's
> the main problem: an invalid certificate request.


Thanks a lot for your help.
B.t.w. is there an rfc or something else where the allowed string types 
are defined?


Gerd
--
--
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
-- TU Berlin, Zentraleinrichtung Rechenzentrum  --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin  --
-- phone: +49 30 314 24383, fax: +49 30 314 21060   --
--




Re: Documentation on Sendmail TLS

2005-08-17 Thread Rabellino Sergio

Stephen T Albright wrote:


> Hello to all.
>
> First let me apologize for this message if it is not
> the correct list, but I need to start somewhere.
>
> Now my question.
> I have recently been tasked with recompiling Sendmail
> on a Sunfire 120 to include TLS support.  I understand
> I need OpenSSL, and I have found some sites with
> information, but not enough to answer all of my
> questions.  Does anyone know of a site, or recommend a
> book about OpenSSL configuration for this.  Thanks to
> all for your time.



I'm running sendmail with TLS enabled since Y2K, but no particular openssl 
configuration is requested.
You must compile it and configure sendmail to use openssl API to achieve TLS 
channels for your MTA/MSA.

If you have any question, send to me in private mail, this is not the right 
list.
--
Dott. Mag. Sergio Rabellino

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603


RE: OpenSSL on VxWorks

2005-08-17 Thread Fell, Anthony
I don't have an answer, but I can commiserate.  We have built OpenSSL
for VxWorks and are having trouble during the certificate verification
process; in our case, a server certificate that is valid and is verified
correctly by an SSL client on Windows XP (using the CA's certificate),
is declared expired by the OpenSSL client running on VxWorks.  I will
post again if we resolve the issue.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 5:37 PM
To: openssl-users@openssl.org
Subject: Re: OpenSSL on VxWorks

One more try... anyone? :-)


K

- Original Message -
From: [EMAIL PROTECTED]
To: openssl-users@openssl.org
Subject: Re: OpenSSL on VxWorks
Date: Sat, 13 Aug 2005 13:01:55 -0500

> 
>  From what I've read about it, this error seems to indicate that the 
> server certificate could not be verified by the client opening the 
> connection. Is this correct?
> 
> If so, that would indicate a problem with the certificates I've 
> generated, but I've followed the OpenSSL book to do so, and the same 
> certificate files are used with this code on other OSes with no 
> difficulty.
> 
> What could the problem be?
> 
> Thanks in advance for any ideas.
> 
> 
> K
> 
> - Original Message -
> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: OpenSSL on VxWorks
> Date: Wed, 10 Aug 2005 15:19:04 -0500
> 
> >
> > Hello,
> >
> > This is a follow up to an earlier post I made with regard to some 
> > problems I'm facing in running some code that uses OpenSSL on 
> > VxWorks. The same code, with the same certificate files runs on 
> > Solaris, Linux and Windows. On VxWorks, however, I get:
> >
> > 30209:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
> > certificate:s3_pkt.c:1054:SSL alert number 42
> >
> > This happens when I try to initiate a TLS client connection to a 
> > previously opened TLS server.
> >
> > What is this error usually caused by, and where should I begin to 
> > look for a solution?
> >
> > Thanks much for any ideas.
> >
> >
> > K
> >
> >


Re: strange error when trying to sign CSR

2005-08-17 Thread Gerd Schering

Gerd Schering wrote:

> B.t.w. is there an rfc or something else where the allowed string types
> are defined?

Sorry for this question, of course we have rfc2459.

Gerd


--
--
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
-- TU Berlin, Zentraleinrichtung Rechenzentrum  --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin  --
-- phone: +49 30 314 24383, fax: +49 30 314 21060   --
--




Re: strange error when trying to sign CSR

2005-08-17 Thread Gerd Schering

Dr. Stephen Henson wrote:

> However back to the original query. The countryName in the two certificates is
> a different character type, in one it is PrintableString the other UTF8String.
> The 'ca' utility currently regards those as different.
>
> However in countryName only PrintableString is allowed so if you have a
> certificate request with UTF8String in there it is broken anyway. So that's
> the main problem: an invalid certificate request.

Thanks for your help.
But how could it work on our test-ca using openssl-0.9.7e?
I'm sure the countryName of the CA cert is a PrintableString.

Gerd

--
--
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
-- TU Berlin, Zentraleinrichtung Rechenzentrum  --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin  --
-- phone: +49 30 314 24383, fax: +49 30 314 21060   --
--




Re: strange error when trying to sign CSR

2005-08-17 Thread Richard Levitte
Gerd Schering writes:

> Sorry for this question, of course we have rfc2459.

*ahem* 3280


Cheers,
Richard 


-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details. 


--
Richard Levitte [EMAIL PROTECTED]
  http://richard.levitte.org/ 


"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
  -- C.S. Lewis 


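The string-type problem discussed in this thread can be checked directly on the DER bytes of a subject name. The following is an added example, not code from the thread or from OpenSSL: it walks a DER-encoded Name, finds the countryName attribute (OID 2.5.4.6) and reports whether its value is a two-letter PrintableString, as RFC 3280 requires. The function names, result codes and the sample byte arrays are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { TAG_OID = 0x06, TAG_UTF8STRING = 0x0C, TAG_PRINTABLESTRING = 0x13,
       TAG_SEQUENCE = 0x30, TAG_SET = 0x31 };
enum { CN_OK, CN_ABSENT, CN_WRONG_TYPE, CN_BAD_VALUE, CN_MALFORMED };
#define IS_LETTER(c) (((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z'))

/* Constructed sample: Name { C=DE, O=TU Berlin }, both PrintableString. */
static const unsigned char NAME_PRINTABLE[] = {
    0x30, 0x21,
    0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 'D', 'E',
    0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x09,
    'T', 'U', ' ', 'B', 'e', 'r', 'l', 'i', 'n' };
/* Constructed sample: Name { C=DE } with the value tagged UTF8String. */
static const unsigned char NAME_UTF8[] = {
    0x30, 0x0D,
    0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x0C, 0x02, 'D', 'E' };

/* Parse one DER tag/length header; returns its size, or 0 if malformed.
 * Lengths up to 0xFFFF are enough for a distinguished name. */
static size_t der_header(const unsigned char *p, size_t n,
                         unsigned *tag, size_t *len)
{
    size_t hdr = 2;
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) *len = p[1];
    else if (p[1] == 0x81 && n >= 3) { *len = p[2]; hdr = 3; }
    else if (p[1] == 0x82 && n >= 4) { *len = ((size_t)p[2] << 8) | p[3]; hdr = 4; }
    else return 0;
    return (*len <= n - hdr) ? hdr : 0;   /* content must fit in the buffer */
}

/* Walk Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY } and
 * check that countryName (2.5.4.6) is a two-letter PrintableString. */
int check_country_name(const unsigned char *name, size_t n)
{
    static const unsigned char OID_C[] = { 0x55, 0x04, 0x06 };
    const unsigned char *p, *end;
    unsigned tag;
    size_t len, hdr = der_header(name, n, &tag, &len);

    if (!hdr || tag != TAG_SEQUENCE) return CN_MALFORMED;
    p = name + hdr; end = p + len;
    while (p < end) {                          /* one RDN (SET) */
        const unsigned char *set_end;
        hdr = der_header(p, (size_t)(end - p), &tag, &len);
        if (!hdr || tag != TAG_SET) return CN_MALFORMED;
        p += hdr; set_end = p + len;
        while (p < set_end) {                  /* one AttributeTypeAndValue */
            const unsigned char *q, *atv_end;
            int is_country;
            hdr = der_header(p, (size_t)(set_end - p), &tag, &len);
            if (!hdr || tag != TAG_SEQUENCE) return CN_MALFORMED;
            q = p + hdr; atv_end = p = q + len;
            hdr = der_header(q, (size_t)(atv_end - q), &tag, &len);
            if (!hdr || tag != TAG_OID) return CN_MALFORMED;
            is_country = len == sizeof OID_C && !memcmp(q + hdr, OID_C, len);
            q += hdr + len;
            hdr = der_header(q, (size_t)(atv_end - q), &tag, &len);
            if (!hdr) return CN_MALFORMED;
            if (!is_country) continue;         /* some other attribute */
            if (tag != TAG_PRINTABLESTRING) return CN_WRONG_TYPE;
            if (len != 2 || !IS_LETTER(q[hdr]) || !IS_LETTER(q[hdr + 1]))
                return CN_BAD_VALUE;
            return CN_OK;
        }
    }
    return CN_ABSENT;
}

int main(void)
{
    printf("PrintableString: %d\n", check_country_name(NAME_PRINTABLE, sizeof NAME_PRINTABLE));
    printf("UTF8String:      %d\n", check_country_name(NAME_UTF8, sizeof NAME_UTF8));
    return 0;
}
```
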


Re: COMP_zlibd don't return a valid method

2005-08-17 Thread prakash babu
Hi Ignacio ,
 
I think that the problem is that you are not linking the appropriate libraries.
Try the following steps

 # ./config zlib
 # gmake
 # gcc test.c -L -I -lssl -lcrypto -lz -ldl
 # ./a.out
 compression name: zlib compression

Your Method

 # gcc test.c -lssl -lcrypto
 // this will use the crypto and ssl libraries that come with the OS, which are
 // present in the /usr/lib directory, and these may not be built with zlib support
 # ./a.out
 compression name: (null)

Thanks,
Prakash

Ignacio Butler <[EMAIL PROTECTED]> wrote:

> hi,
>
> well, i'm using Linux, with a 2.4.xx kernel and the 0.9.8 version of
> the ssl library,
>
> to compile it i do: gcc -o master master.c -lssl -lcrypto -lpthread
> (same as you do it)
>
> i've compiled the library configuring using "./config zlib" the
> library is compiled with this parameter...
>
> thanks prakash,
> ignacio
>
> On 8/16/05, prakash babu <[EMAIL PROTECTED]> wrote:
> > Hello Ignacio,
> >
> > I tried the program you attached and it seems to work fine.
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <openssl/ssl.h>
> >
> > int main()
> > {
> >     COMP_METHOD *comp_method;
> >
> >     comp_method = COMP_zlib();
> >     if (comp_method != NULL)
> >     {
> >         printf("compression name: %s\n",
> >                (comp_method->name != NULL ? comp_method->name : ""));
> >         if (comp_method->type != NID_undef)
> >             SSL_COMP_add_compression_method(1, comp_method);
> >         else
> >             printf("Compression not suported");
> >         exit(1);
> >     }
> > }
> >
> > # cc test2.c -lcrypto -lssl
> > # ./a.out
> > compression name: zlib compression
> >
> > Can you give me more details such as the platform, compilation steps etc ?
> >
> > Thanks,
> > Prakash
> >
> > Ignacio Butler <[EMAIL PROTECTED]> wrote:
> > > Hello,
> > >
> > > first of all, sorry for my english...
> > >
> > > The problem is,
> > > i have started to develop a simple application that uses SSL with
> > > compression, but when i try to add the zlib compression method to my
> > > server it is impossible
> > >
> > > the code that i use is:
> > >
> > > comp_method = COMP_zlib();
> > >
> > > if(comp_method != NULL)
> > > {
> > >     printf("compression name: %s\n",
> > >            (comp_method->name != NULL ? comp_method->name : ""));
> > >     if (comp_method->type != NID_undef)
> > >         SSL_COMP_add_compression_method(COMP_ZLIB, comp_method);
> > >     else
> > >         warning2("Compression not suported");
> > >
> > >     exit(1);
> > > }
> > >
> > > obviously, the output is "Compression not suported"...
> > >
> > > i recompiled my openSSL library with zlib support and nothing...
> > > my openssl version is 0.9.8
> > >
> > > thank all!
> > > ignacio
> > > --
> > >  -o)
> > >  / \\
> > > _\_V
> > > when you have no walls, you don't need windows
>
> --
>  -o)
>  / \\
> _\_V
> when you have no walls, you don't need windows

How to validate UTF-8 in a file

2005-08-17 Thread Silvia Gisela Pavon Velasco




Hello,

I would like some advice about how can I validate that a file is in utf-8
format. I have set the proper unix environment variables to work with the
utf-8 format; but however, I have the need to validate if a file is in that
format.

Regards,

Silvia Pavón


Re: OpenSSL on VxWorks

2005-08-17 Thread Dr. Stephen Henson
On Wed, Aug 17, 2005, Fell, Anthony wrote:

> I don't have an answer, but I can commiserate.  We have built OpenSSL
> for VxWorks and are having trouble during the certificate verification
> process; in our case, a server certificate that is valid and is verified
> correctly by an SSL client on Windows XP (using the CA's certificate),
> is declared expired by the OpenSSL client running on VxWorks.  I will
> post again if we resolve the issue.
> 

Haven't seen that one reported before. The usual check is that the system time
is set correctly and that OpenSSL can correctly generate appropriate
certificate time fields. The way OpenSSL checks certificate validity is
closely related to generation of time fields (UTCTime usually but
occasionally GeneralizedTime).

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: How to validate UTF-8 in a file

2005-08-17 Thread Peter BENKO,VSE IT Sluzby,+421-55-610-2045,+421-903-855532
On Wed, Aug 17, 2005 at 10:01:26AM -0500, Silvia Gisela Pavon Velasco wrote:
> 
> 
> 
> 
> Hello,
> 
> I would like some advice about how can I validate that a file is in utf-8
> format. I have set the proper unix environment variables to work with the
> utf-8 format; but however, I have the need to validate if a file is in that
> format.
Using the 'file' command under Linux you can determine whether a file is
UTF-8.

Example:
file aaa.txt
aaa.txt: UTF-8 Unicode English text

> 
> Regards,
> 
> Silvia Pavón


RE: How to validate UTF-8 in a file

2005-08-17 Thread mclellan, dave
Probably the file command recognizes the UTF-8 Byte Order Mark as it does
other magic numbers.

UTF-8 BOM is 0xEFBBBF, a signature that indicates the encoding of the file
is UTF-8.  If you have an application that is reading the file and needs to
know, read the first six bytes of the file and act accordingly

FWIW:  Here's a useful URL: http://www.unicode.org/faq/utf_bom.html#22

Dave McLellan --Consulting Software Engineer - SPEA Engineering
EMC Corporation
228 South St. Mail Stop: 228 LL/AA-24
Hopkinton, MA 01748  USA
+1-508-249-1257 F: +1-508-497-8030  [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter BENKO,VSE IT
Sluzby,+421-55-610-2045,+421-903-855532
Sent: Wednesday, August 17, 2005 1:11 PM
To: openssl-users@openssl.org
Subject: Re: How to validate UTF-8 in a file

On Wed, Aug 17, 2005 at 10:01:26AM -0500, Silvia Gisela Pavon Velasco wrote:
> 
> 
> 
> 
> Hello,
> 
> I would like some advice about how can I validate that a file is in utf-8
> format. I have set the proper unix environment variables to work with the
> utf-8 format; but however, I have the need to validate if a file is in
that
> format.
Using the 'file' command under the linux you can realize if file is
UTF8.

Example:
file aaa.txt
aaa.txt: UTF-8 Unicode English text

> 
> Regards,
> 
> Silvia Pavón
>

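For an application that has to decide for itself whether a file is UTF-8, the content has to be checked byte sequence by byte sequence: the UTF-8 signature is the three bytes EF BB BF and is optional, so its presence or absence does not settle whether the rest of the file is well formed. The following is an added example, not code from this thread: a strict RFC 3629 validator in C that rejects overlong forms, surrogates, values above U+10FFFF and truncated sequences. Function names and the sample byte strings are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed samples. */
static const unsigned char S_VALID[]     = { 'P', 'a', 'v', 0xC3, 0xB3, 'n' };  /* "Pavón", UTF-8 */
static const unsigned char S_BOM[]       = { 0xEF, 0xBB, 0xBF, 'a', 'b', 'c' }; /* signature + ASCII */
static const unsigned char S_LATIN1[]    = { 'P', 'a', 'v', 0xF3, 'n' };        /* "Pavón", ISO-8859-1 */
static const unsigned char S_OVERLONG[]  = { 'a', 0xC0, 0xAF };                 /* overlong '/' */
static const unsigned char S_SURROGATE[] = { 0xED, 0xA0, 0x80 };                /* U+D800 */
static const unsigned char S_TRUNCATED[] = { 'a', 'b', 0xE2, 0x82 };            /* cut-off U+20AC */

/* 1 if the buffer starts with the 3-byte UTF-8 signature EF BB BF. */
int utf8_has_bom(const unsigned char *s, size_t n)
{
    return n >= 3 && s[0] == 0xEF && s[1] == 0xBB && s[2] == 0xBF;
}

/* Returns -1 if s[0..n) is well-formed UTF-8 (RFC 3629), otherwise the
 * offset of the first byte of the first ill-formed sequence. */
long utf8_first_invalid(const unsigned char *s, size_t n)
{
    size_t i = 0, k, need;
    unsigned long cp, min;

    while (i < n) {
        unsigned char c = s[i];
        if (c < 0x80) { i++; continue; }                      /* ASCII */
        if (c >= 0xC2 && c <= 0xDF)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0)     { need = 2; cp = c & 0x0F; min = 0x800; }
        else if (c >= 0xF0 && c <= 0xF4) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return (long)i;      /* stray continuation, C0/C1, or F5..FF */
        if (need > n - i - 1) return (long)i;                 /* truncated */
        for (k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return (long)i;    /* not 10xxxxxx */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return (long)i;       /* overlong, out of range, or surrogate */
        i += need + 1;
    }
    return -1;
}

/* Validate a whole file: `prog file`; exit status 0 only if it is valid. */
int main(int argc, char **argv)
{
    unsigned char *buf = NULL;
    size_t len = 0, cap = 0, got;
    long bad;
    FILE *f;

    if (argc != 2 || (f = fopen(argv[1], "rb")) == NULL) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    do {                                    /* read the file into memory */
        if (cap - len < 4096) {
            unsigned char *nb = realloc(buf, cap += 65536);
            if (!nb) { free(buf); fclose(f); return 2; }
            buf = nb;
        }
        got = fread(buf + len, 1, cap - len, f);
        len += got;
    } while (got > 0);
    fclose(f);
    bad = utf8_first_invalid(buf, len);
    if (bad < 0)
        printf("valid UTF-8%s\n", utf8_has_bom(buf, len) ? " (with signature)" : "");
    else
        printf("invalid UTF-8 at byte offset %ld\n", bad);
    free(buf);
    return bad < 0 ? 0 : 1;
}
```
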


RE: How to validate UTF-8 in a file

2005-08-17 Thread Silvia Gisela Pavon Velasco




Thanks for the advice.

Silvia Pavón


From: "mclellan, dave" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: "'openssl-users@openssl.org'"
Date: 17/08/2005 12:44 p.m.
Subject: RE: How to validate UTF-8 in a file
Please respond to: [EMAIL PROTECTED]
   




Probably the file command recognizes the UTF-8 Byte Order Mark as it does
other magic numbers.

UTF-8 BOM is 0xEFBBBF, a signature that indicates the encoding of the file
is UTF-8.  If you have an application that is reading the file and needs to
know, read the first six bytes of the file and act accordingly

FWIW:  Here's a useful URL: http://www.unicode.org/faq/utf_bom.html#22

Dave McLellan --Consulting Software Engineer - SPEA Engineering
EMC Corporation
228 South St. Mail Stop: 228 LL/AA-24
Hopkinton, MA 01748  USA
+1-508-249-1257 F: +1-508-497-8030  [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter BENKO,VSE IT
Sluzby,+421-55-610-2045,+421-903-855532
Sent: Wednesday, August 17, 2005 1:11 PM
To: openssl-users@openssl.org
Subject: Re: How to validate UTF-8 in a file

On Wed, Aug 17, 2005 at 10:01:26AM -0500, Silvia Gisela Pavon Velasco wrote:
>
>
>
>
> Hello,
>
> I would like some advice about how can I validate that a file is in utf-8
> format. I have set the proper unix environment variables to work with the
> utf-8 format; but however, I have the need to validate if a file is in
that
> format.
Using the 'file' command under the linux you can realize if file is
UTF8.

Example:
file aaa.txt
aaa.txt: UTF-8 Unicode English text

>
> Regards,
>
> Silvia Pavón
>



Re: please help me on OCSP

2005-08-17 Thread varma d
Hi,
 Is the following command for requesting OCSP status using openSSL correct?

1) "ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem".

If I change the above command BY REMOVING the OCSPServer.pem file, I am getting status as good but with a message stating "unable to get local issuer certificate".

But when I change my OCSP responder to verisign like
"ocsp -url http://ocsp.verisign.com -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem"{1}.

I am getting "Responder Error: Unauthorized<6>" which means unauthorized request.
So for getting an OCSP response from verisign, what should we do to overcome this error?

Also you said "The responder is saying that its response is valid between those dates: so it is sending out of date information.". So what should we do to get the latest status information from the OCSP responder? Something without this:

> user.pem:WARNING: Status times invalid.
> 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> unknown
> This Update: Oct 24 06:00:11 2004 GMT
> Next Update: Oct 25 06:00:11 2004 GMT

I would be grateful to you if you would answer my questions.

Thanks

On 8/17/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Tue, Aug 16, 2005, varma d wrote:
>
> > But, In this command what is the purpose of OCSPServer.pem, i still dont
> > understand the purpose of OCSPServer.pem as we need to just send our request
> > and expect a response from OCSP responder irrespective of OCSPServer.pem file.
> >
>
> This is an issue of how you trust the response from the OCSP responder. There
> are three cases:
>
> 1. Response signed by the same key as the CA that issued the certificate.
> 2. Response signed by a key in a certificate delegated by the issuing CA.
> 3. A key locally configured as trusted.
>
> In case #1 and #2 the trust can be determined automatically from the
> certificate being validated.
>
> In case #3 the relevant key needs to be determined by some other means.
>
> So it's a case of how the responder is configured. In some cases the responder
> is misconfigured and you have to use option #3.
>
> > 2)I tested by giving latest user certificates other than
> > openvalidation.org certificates, but i am
> > getting this error
> >
> > user.pem:WARNING: Status times invalid.
> > 3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> > unknown
> > This Update: Oct 24 06:00:11 2004 GMT
> > Next Update: Oct 25 06:00:11 2004 GMT
> >
>
> The responder is saying that its response is valid between those dates: so it
> is sending out of date information.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
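The "status expired" error quoted in this message comes from comparing the response's thisUpdate and nextUpdate fields with the verifier's clock. The following is an added example, not OpenSSL source: a stand-alone C model of that freshness check, applied to the two timestamps from the message. The function names are hypothetical, the "now" value is constructed, and nsec and maxsec play the role of the ocsp utility's -validity_period and -status_age options.

```c
#include <stdio.h>
#include <string.h>

enum { ST_OK, ST_NOT_YET_VALID, ST_TOO_OLD, ST_EXPIRED, ST_NEXT_BEFORE_THIS };

/* Days since 1970-01-01 for a Gregorian calendar date (UTC). */
static long long days_from_civil(int y, int m, int d)
{
    long long era;
    int yoe, doy, doe;

    y -= (m <= 2);                       /* count the year from 1 March */
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = (int)(y - era * 400);
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse the "Oct 24 06:00:11 2004 GMT" form shown in the message.
 * Returns seconds since the epoch, or -1 on a parse error. */
long long parse_ocsp_time(const char *s)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4];
    const char *hit;
    int d, h, mi, sec, y;

    if (sscanf(s, "%3s %d %d:%d:%d %d GMT", mon, &d, &h, &mi, &sec, &y) != 6)
        return -1;
    hit = strstr(months, mon);
    if (strlen(mon) != 3 || hit == NULL || (hit - months) % 3 != 0)
        return -1;
    return days_from_civil(y, (int)(hit - months) / 3 + 1, d) * 86400LL
           + h * 3600 + mi * 60 + sec;
}

/* Freshness rules: nsec is the tolerated clock skew in seconds, maxsec the
 * maximum age of thisUpdate (negative = no age limit), and next_upd < 0
 * means the response carried no nextUpdate. */
int ocsp_window_status(long long this_upd, long long next_upd,
                       long long now, long nsec, long maxsec)
{
    if (this_upd > now + nsec) return ST_NOT_YET_VALID;
    if (maxsec >= 0 && this_upd < now - maxsec) return ST_TOO_OLD;
    if (next_upd < 0) return ST_OK;
    if (next_upd < now - nsec) return ST_EXPIRED;
    if (next_upd < this_upd) return ST_NEXT_BEFORE_THIS;
    return ST_OK;
}

int main(void)
{
    /* thisUpdate/nextUpdate are the values from the message; "now" is a
     * constructed time on the day the message was posted. */
    long long tu = parse_ocsp_time("Oct 24 06:00:11 2004 GMT");
    long long nu = parse_ocsp_time("Oct 25 06:00:11 2004 GMT");
    long long now = parse_ocsp_time("Aug 17 12:00:00 2005 GMT");

    printf("checked on 2005-08-17: %d\n", ocsp_window_status(tu, nu, now, 300, -1));
    printf("checked inside window: %d\n", ocsp_window_status(tu, nu, tu + 3600, 300, -1));
    return 0;
}
```
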



Re: AW: RSA key sizes

2005-08-17 Thread Uri

[EMAIL PROTECTED] wrote:

> Who will mandate ECC by 2010???

NIST. Most likely Europe will follow.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Uri
> Sent: Wednesday, 17 August 2005 14:54
> To: openssl-users@openssl.org
> Subject: Re: RSA key sizes
>
> Please note that the importance of RSA is going to decline in favor of
> Elliptic Curve Crypto over GF(p). In particular, by 2010 ECC will be
> mandated. I suspect there are cryptographic reasons for it.


RE: Can SSL work with IP Address instead of FQDN?

2005-08-17 Thread Pj

Hi all,

How can a self signed certificate in X509 format be distinguished from a
bought one?
 
