query reg disabling handshake and key exchange mechanism openssl
Hi, I am a network security researcher. We have designed and developed a multifactor authentication and secure key exchange protocol that can counter man-in-the-middle attacks. I want to integrate my protocol with SSL on Apache. I have written my own protocol for authentication and key exchange. My protocol will be hosted on some port X. The user app on the client will call our protocol for two-way one-time-password authentication and key exchange. Once the user is authenticated and the session key is generated, I will write that key to the key store of Apache. Now I will forward the traffic to port 443 for use of SSL. I don't want to use SSL's handshake and key exchange protocols since this part is already done by my protocol. Can you please help me regarding how to configure OpenSSL in Apache to stop the use of the handshake layer, which takes care of authentication and key exchange? I still want SSL to change cipher suite and do the rest of the normal stuff. I will appreciate your help.

regards,
Sid
Re: TLS 1.0 cracked...
On Fri, Sep 23, 2011 at 4:54 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Sep 23, 2011, Jakob Bohm wrote:
> > Is openssl running out of bit values for SSL_OP_ constants?
>
> Well more ran out of constants. When a new flag was needed for TLS v1.2 all 32 bits were used but fortunately two ancient ones were never used by anything AFAIK so could be reassigned. There is one left now. It will need redoing at some point so more flags are available. Splitting it up into separate fields for bug workaround and protocol selection options is one possibility.

Sounds like that last bit needs to be reserved for enable all future SSL_OP_ALL options.

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
certificate problems http://www.rtfm.com/openssl-examples/
In regards to the examples given at http://www.rtfm.com/openssl-examples/ I have been trying to set up PEM files so that the connection will work with self-signed certificates. I can get wclient to connect only with the -i option; as I understand it, the example PEM files expired long ago. I have been looking for instructions on how to set up these files, however none of them have worked. If someone could please help me out with the short list of commands to generate these files, that would be great.

Matt.
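As an added example (not code from Matt's post or from the rtfm.com examples), one way to produce a private root CA plus CA-signed server and client PEM files, so the client can verify the peer instead of skipping the check with -i; the output directory, subject names and 365-day validity are placeholders.

```shell
#!/bin/sh
# Added example, not code from the post or from rtfm.com: build a private
# root CA and sign one server and one client certificate with it, so a
# client can verify the peer instead of skipping the check with -i.
# Assumptions: directory, subject names and 365-day validity are placeholders.
set -eu

# make_pki DIR HOSTNAME -> writes root.pem, server.pem, client.pem into DIR
make_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. self-signed root CA: the trust anchor both peers load
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # 2. one leaf certificate per peer, signed by the CA (not self-signed,
    #    otherwise the other side has nothing to chain it to)
    for peer in server client; do
        if [ "$peer" = server ]; then cn=$host; else cn="Example Client"; fi
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$peer.key" -out "$dir/$peer.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$peer.csr" \
            -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
            -out "$dir/$peer.crt" 2>/dev/null
        # assumed: the example programs read cert and key from one PEM file
        cat "$dir/$peer.crt" "$dir/$peer.key" > "$dir/$peer.pem"
        rm -f "$dir/$peer.csr" "$dir/$peer.crt" "$dir/$peer.key"
    done
    chmod 600 "$dir/root.key" "$dir/server.pem" "$dir/client.pem"
}

# verify_chain DIR -> 0 only if both leaf certs chain to root.pem
verify_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1
}

# cert_cn FILE -> prints the subject CN of the first certificate in FILE
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Run `make_pki ./pki localhost`, then point server and client at root.pem, server.pem and client.pem; which file names and which CN the example programs actually check should be confirmed against their source.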
Re: Unable to enable GOST ciphers support
Your config file is incorrect. It should look something like this:

==
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section
==

On 19 September 2011 12:31, Peter Volkov <p...@gentoo.org> wrote:
> Hi! I'm trying to enable GOST ciphers in openssl-1.0.0e and so far I have failed. What I've done so far:
> 1. built openssl with ./config shared zlib enable-rfc3779 --prefix=/tmp/gost-ssl-new
> 2. updated the config file as described in README.gost.
> I've straced the openssl run and I'm sure it reads my configuration file (attached to this mail) and I'm sure there is /tmp/gost-ssl-new/lib/engines/libgost.so. But nevertheless openssl does not open this binary (conclusions from strace) and no GOST ciphers are available. I've tried to do exactly the same steps installing openssl system-wide (prefix=/usr) but still no luck. Could you help me to understand what I am doing wrong? Is there any way to debug what openssl loads from the configuration file and how it parses it?
> Thank you in advance for any pointers,
> --
> Peter.
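As an added example (not from Peter's mail or the reply), a complete configuration in the shape README.gost describes, written out by a shell function, together with a check that openssl_conf sits in the default section and a check that the engine actually loaded; the engine .so path and the config file location are placeholders.

```shell
#!/bin/sh
# Added example, not from either mail: a complete openssl.cnf that auto-loads
# the GOST engine, plus checks that show whether openssl really picked it up.
# Assumptions: the engine .so path and the config file location are
# placeholders for your own build.
set -eu

# write_gost_conf FILE ENGINE_SO -> writes a config that loads libgost.so
write_gost_conf() {
    cat > "$1" <<EOF
# openssl_conf must be in the default (unnamed) section, i.e. before the
# first [section] header, or OPENSSL_config() never sees it
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
dynamic_path = $2
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
EOF
}

# conf_names_engine_first CONF -> 0 if openssl_conf precedes every [section]
# (a config whose openssl_conf line lands inside a section silently does nothing)
conf_names_engine_first() {
    first=$(grep -E '^\[|^openssl_conf' "$1" | head -n 1)
    case $first in openssl_conf*) return 0 ;; *) return 1 ;; esac
}

# gost_loaded CONF -> 0 if the engine reports available and md_gost94 works
gost_loaded() {
    OPENSSL_CONF=$1 openssl engine -t gost 2>/dev/null | grep -q '\[ available \]' &&
    printf 'probe' | OPENSSL_CONF=$1 openssl dgst -md_gost94 >/dev/null 2>&1
}
```

Run `write_gost_conf ./gost.cnf /tmp/gost-ssl-new/lib/engines/libgost.so` and then `gost_loaded ./gost.cnf`; strace shows the file being read either way, so the placement check is the one that catches the section mistake.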
Re: c/c++ and GOST is Russian ciphers.
You need to initialize the engine first:

    #include <stdio.h>
    #include <openssl/engine.h>
    #include <openssl/evp.h>
    #include <openssl/ssl.h>

    static ENGINE *e = NULL;

    /* returns 0 on success, 1 if the GOST engine could not be loaded */
    static int load_gost_engine(void)
    {
        /* registers the built-in "dynamic" engine, which is what lets
         * ENGINE_by_id() locate a shared-object engine such as libgost.so */
        ENGINE_load_builtin_engines();
        e = ENGINE_by_id("gost");
        if (!e) {
            printf("Can't find engine\n");
            return 1;
        }
        if (!ENGINE_init(e)) {
            printf("Engine initialization failed!\n");
            ENGINE_free(e);
            return 1;
        }
        /* ENGINE_init() returned a functional reference, so free the structural
         * reference from ENGINE_by_id(). */
        ENGINE_free(e);
        if (ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
            printf("Engine %s(%s): Activated.\n", ENGINE_get_name(e), ENGINE_get_id(e));
        } else {
            printf("Engine %s(%s): Initialized but not usable.\n", ENGINE_get_name(e), ENGINE_get_id(e));
            ENGINE_finish(e);
            return 1;
        }
        // Optional?
        OpenSSL_add_all_algorithms();
        OpenSSL_add_ssl_algorithms();
        return 0; /* call ENGINE_finish(e) once you are done with the engine */
    }

Then do whatever you want.

On 19 September 2011 15:30, Dmitrij K <kdi...@live.ru> wrote:
> Hi guys! I need help, please. I don't know how to do it. Maybe someone has experience with signing/verifying docs/strings with GOST and will help me with... I have a little piece of code which can't load `md_gost94'... And I don't know how to use the API for GOST... :(
> My code is:
> [CODE=cpp]
> #include <openssl/conf.h>
> #include <openssl/err.h>
> #include <openssl/rsa.h>
> #include <openssl/sha.h>
> #include <openssl/md5.h>
> #include <openssl/pem.h>
> #include <openssl/x509.h>
> #include <openssl/x509v3.h>
> #include <openssl/crypto.h>
> #include <openssl/ssl.h>
> #include <openssl/ssl2.h>
> #include <openssl/ssl3.h>
> #include <openssl/ssl23.h>
> #include <openssl/evp.h>
> #include <openssl/engine.h>
> #include <stdio.h>
> // g++ gost.cxx -o gost -lssl -lcrypto
> int main(){
>     int ret = -1;
>     SSL_library_init();
>     const EVP_MD *md = NULL;
>     // fails as posted: no engine has been loaded, so the GOST digest is unknown
>     if((md = EVP_get_digestbyname("md_gost94")) == NULL){
>         printf("cannot load the `md_gost94'!\n");
>         goto ENDFUNC;
>     } else {
>         printf("Ok!\n");
>     }
>     ret = 0;
> ENDFUNC:
>     md = NULL;
>     return ret;
> }
> [/CODE]
> PS: Platform: Linux
> Version of OpenSSL: 1.0.0e
> --
> Regards.

--
Regards.