Re: Passing TLS sessions between programs

2013-12-13 Thread hirenshah05
Did you have any luck with moving the connection (SSL object)?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Passing-TLS-sessions-between-programs-tp10087p47679.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


use openssl function in own application

2013-12-13 Thread andreas
Hello,

in our public hospital we have an application that has to encrypt data
with a certificate.
At the moment we call a batch files that does

openssl.exe rsautl -encrypt -in %1 -out %1.enc -inkey SanitelCF.cer
-certin -pkcs

Is it possible to implement this in our application using the OpenSSL
libraries?

Can anyone please tell me if there are sample files that implement that
encryption?

Thanks
Andreas
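What the batch file's rsautl line does, end to end, as an added example written for this page (it is not code from the post or from the hospital's application). A throwaway self-signed certificate stands in for SanitelCF.cer, `openssl pkeyutl` is the current spelling of `rsautl`, and `-certin` plus PKCS#1 v1.5 padding (`-pkcs`) mean the same thing in both. The file and subject names are made up; only the openssl binary is needed:

```shell
#!/bin/sh
# Added example: the rsautl -encrypt -certin -pkcs step, plus the one-block size
# limit it inherits from raw RSA. recipient.cer / recipient.key are generated here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway recipient: certificate (public half) and the private key the recipient keeps.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout recipient.key \
        -out recipient.cer -subj "/CN=Demo recipient" -days 1 2>/dev/null
}

# What the batch file does: encrypt $1 to the public key inside certificate $2 -> $1.enc
encrypt_to_cert() {
    openssl pkeyutl -encrypt -certin -inkey "$2" -in "$1" -out "$1.enc" \
        -pkeyopt rsa_padding_mode:pkcs1 2>/dev/null
}

# The recipient's side: $1 = ciphertext, $2 = private key, $3 = output file
decrypt_with_key() {
    openssl pkeyutl -decrypt -inkey "$2" -in "$1" -out "$3" \
        -pkeyopt rsa_padding_mode:pkcs1 2>/dev/null
}

# Raw RSA encrypts exactly one block. With PKCS#1 v1.5 padding that is the modulus
# size in bytes minus 11, so a 2048-bit key carries at most 245 bytes of plaintext.
max_plaintext_bytes() {
    bits=$(openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    echo $((bits / 8 - 11))
}

make_recipient
printf 'constructed sample record, not real patient data\n' > record.txt
encrypt_to_cert record.txt recipient.cer
decrypt_with_key record.txt.enc recipient.key record.dec
cmp -s record.txt record.dec
echo "round trip ok, ciphertext is $(wc -c < record.txt.enc | tr -d ' ') bytes (= modulus size)"

# Failure mode the batch file hits on any input larger than one block:
max=$(max_plaintext_bytes recipient.cer)
head -c "$max" /dev/zero > fits.bin
head -c "$((max + 1))" /dev/zero > toobig.bin
encrypt_to_cert fits.bin recipient.cer && echo "$max bytes: ok"
if encrypt_to_cert toobig.bin recipient.cer; then
    echo "unexpected: $((max + 1)) bytes were accepted"; exit 1
else
    echo "$((max + 1)) bytes: rejected, raw RSA takes one block only"
fi
```

The library calls behind the same operation are reading the certificate (PEM_read_X509 or d2i_X509), X509_get_pubkey, and EVP_PKEY_encrypt with RSA_PKCS1_PADDING; they hit the same 245-byte ceiling. For files of arbitrary size the usual route is `openssl cms -encrypt` (CMS_encrypt in the library), which generates a random symmetric key for the data and wraps only that key under the certificate. PKCS#1 v1.5 is what `-pkcs` selects; where the decrypting side can take it, `-pkeyopt rsa_padding_mode:oaep` is the better padding.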


Validate Two Way SSL Certificates

2013-12-13 Thread Kaushal Shriyan
Hi,

Is there a way to validate two-way SSL certificates using the openssl tool?

Regards,

Kaushal


RE: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Walter H.

> The server is capable of ciphers DHE-* and others;
> the list is quite longer than the available ciphers of the client ...,
>   so I think this is quite strange ...
> 
> openssl ciphers -V
> 
> shows e.g.  ECDHE-ECDSA-DES-CBC3-SHA
> the site https://cc.dcsec.uni-hannover.de/ shows this:
> ECDHE-ECDSA-3DES-EDE-SHA
> 
> are these the same cipher suites but two confusing names?
> 
Yes. 3DES, 3DES*EDE, DES*EDE, DES*EDE*3, DES*3 and TDES are all 
the same algorithm (whose rarely-used official name is TDEA).

'EDE' is superfluous now; back in the nineties when (what is 
now) TDES was being developed there was some discussion 
whether to use all 'forward' primitives (EEE) or a mix (EDE).
EDE was selected and has long been the only one used.

The TLS RFCs use _3DES_EDE_CBC_, originally named during 
the time it was worthwhile to say EDE, and since retained for 
compatibility and consistency. I believe SSL 3 spec did also.
OpenSSL for some reason, way back when, used -DES-CBC3-, 
and now needs to keep that for compatibility, except on the 
(much newer and disjoint) PSK and SRP suites.

Leaving out 'CBC' for block ciphers, as that website does 
(for all not just TDES), seemed reasonable before TLSv1.2. 
Now it's inconsistent and could be confusing.





Convert .pem to .crt and .key files

2013-12-13 Thread Kaushal Shriyan
Hi,

I have a .pem file. Is there a way to get it converted into .crt and .key
files using the openssl tool?

Please suggest.

Regards,

Kaushal


Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Dr. Stephen Henson
On Fri, Dec 13, 2013, Walter H. wrote:

> On 13.12.2013 21:16, andrew cooke wrote:
> >well, i realised i couldn't answer the question seriously...  what is
> >ECDHE-ECDSA-3DES-EDE-SHA ?  the only reference i can find on the web is to
> >google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
> >it).  does any server actually provide it?  if so, what mode does it use (EDE
> >is saying something about DES - how to build 3DES from DES - rather than
> >giving a mode, isn't it?)?
> >
> >andrew
> >
> Exactly this is my problem - I need a ciphersuite from the OpenSSL
> list, that matches one of the FF list and doesn't make use of RSA
> for key exchange ...
> 

How are you disabling RSA key exchange? If you disable RSA for authentication
too you'll hit problems if you don't have a non-RSA certificate. So for
example: ECDHE-ECDSA-3DES-EDE-SHA needs an ECDSA certificate (that's the same
as ECDHE-ECDSA-DES-CBC3-SHA).

You can disable RSA key exchange by appending the string !kRSA to the cipher
string, for example: "DEFAULT:!kRSA". Also if you want to support EDH
ciphersuites you need to set some DH parameters and for ECDH a suitable curve.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke

well, not really, because in practice the name has to match, so you are stuck
(as the earlier answer says). 

i guess the answer is somewhere in the nss code...

andrew


On Fri, Dec 13, 2013 at 10:04:52PM +0100, Walter H. wrote:
> On 13.12.2013 21:16, andrew cooke wrote:
> >well, i realised i couldn't answer the question seriously...  what is
> >ECDHE-ECDSA-3DES-EDE-SHA ?  the only reference i can find on the web is to
> >google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
> >it).  does any server actually provide it?  if so, what mode does it use (EDE
> >is saying something about DES - how to build 3DES from DES - rather than
> >giving a mode, isn't it?)?
> >
> >andrew
> >
> Exactly this is my problem - I need a ciphersuite from the OpenSSL
> list, that matches one of the FF list and doesn't make use of RSA
> for key exchange ...
> 
> Thanks,
> Walter
> 




Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Walter H.

On 13.12.2013 21:16, andrew cooke wrote:

well, i realised i couldn't answer the question seriously...  what is
ECDHE-ECDSA-3DES-EDE-SHA ?  the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it).  does any server actually provide it?  if so, what mode does it use (EDE
is saying something about DES - how to build 3DES from DES - rather than
giving a mode, isn't it?)?

andrew

Exactly this is my problem - I need a ciphersuite from the OpenSSL list, 
that matches one of the FF list and doesn't make use of RSA for key 
exchange ...


Thanks,
Walter





Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke

well, i realised i couldn't answer the question seriously...  what is
ECDHE-ECDSA-3DES-EDE-SHA ?  the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it).  does any server actually provide it?  if so, what mode does it use (EDE
is saying something about DES - how to build 3DES from DES - rather than
giving a mode, isn't it?)?

andrew



On Fri, Dec 13, 2013 at 08:51:44PM +0100, Erwann Abalea wrote:
> Don't regret it, it wasn't that bad ;)
> 
> -- 
> Erwann ABALEA
> 
> Le 13/12/2013 20:39, andrew cooke a écrit :
> >sorry, that was a bad joke i now regret sending.  andrew
> >
> >On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
> >>it depends how many characters differ when sorted.
> >>
> >>in this case:
> >>
> >>ECDHE-ECDSA-DES-CBC3-SHA -> 3AABDDDHHSSS
> >>* *** **
> >>ECDHE-ECDSA-3DES-EDE-SHA -> 3AACCEEHHSSS
> >>
> >>you can see (marked by *) that 6 characters don't match.
> >>
> >>now 6 is a triangular number, but the length of the entire cipher suite is 24,
> >>which isn't triangular (the closest is 21).
> >>
> >>so they're only going to inter-operate on tuesdays.
> >>
> >>andrew
> >>
> >>
> >>On Fri, Dec 13, 2013 at 07:30:02PM +0100, Walter H. wrote:
> >>>On 12.12.2013 14:16, Erwann Abalea wrote:
> It's not strange.
> You removed the RSA-* from client side, the result is that the
> server can't match anything in common between what the client
> proposed and what the server accepts. The error you get has been
> sent by the server.
> 
> >>>The server is capable of ciphers DHE-* and others;
> >>>the list is quite longer than the available ciphers of the client ...,
> >>>  so I think this is quite strange ...
> >>>
> >>>openssl ciphers -V
> >>>
> >>>shows e.g.  ECDHE-ECDSA-DES-CBC3-SHA
> >>>the site https://cc.dcsec.uni-hannover.de/ shows this:
> >>>ECDHE-ECDSA-3DES-EDE-SHA
> >>>
> >>>are these the same cipher suites but two confusing names?
> >>>
> >>>Walter
> >>>
> >>>
> >>>
> >>


Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea

Don't regret it, it wasn't that bad ;)

--
Erwann ABALEA

Le 13/12/2013 20:39, andrew cooke a écrit :

sorry, that was a bad joke i now regret sending.  andrew

On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:

it depends how many characters differ when sorted.

in this case:

ECDHE-ECDSA-DES-CBC3-SHA -> 3AABDDDHHSSS
* *** **
ECDHE-ECDSA-3DES-EDE-SHA -> 3AACCEEHHSSS

you can see (marked by *) that 6 characters don't match.

now 6 is a triangular number, but the length of the entire cipher suite is 24,
which isn't triangular (the closest is 21).

so they're only going to inter-operate on tuesdays.

andrew


On Fri, Dec 13, 2013 at 07:30:02PM +0100, Walter H. wrote:

On 12.12.2013 14:16, Erwann Abalea wrote:

It's not strange.
You removed the RSA-* from client side, the result is that the
server can't match anything in common between what the client
proposed and what the server accepts. The error you get has been
sent by the server.


The server is capable of ciphers DHE-* and others;
the list is quite longer than the available ciphers of the client ...,
  so I think this is quite strange ...

openssl ciphers -V

shows e.g.  ECDHE-ECDSA-DES-CBC3-SHA
the site https://cc.dcsec.uni-hannover.de/ shows this:
ECDHE-ECDSA-3DES-EDE-SHA

are these the same cipher suites but two confusing names?

Walter








Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke

sorry, that was a bad joke i now regret sending.  andrew

On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
> 
> it depends how many characters differ when sorted.
> 
> in this case:
> 
> ECDHE-ECDSA-DES-CBC3-SHA -> 3AABDDDHHSSS
>* *** ** 
> ECDHE-ECDSA-3DES-EDE-SHA -> 3AACCEEHHSSS
> 
> you can see (marked by *) that 6 characters don't match.
> 
> now 6 is a triangular number, but the length of the entire cipher suite is 24,
> which isn't triangular (the closest is 21).
> 
> so they're only going to inter-operate on tuesdays.
> 
> andrew
> 
> 
> On Fri, Dec 13, 2013 at 07:30:02PM +0100, Walter H. wrote:
> > On 12.12.2013 14:16, Erwann Abalea wrote:
> > >It's not strange.
> > >You removed the RSA-* from client side, the result is that the
> > >server can't match anything in common between what the client
> > >proposed and what the server accepts. The error you get has been
> > >sent by the server.
> > >
> > The server is capable of ciphers DHE-* and others;
> > the list is quite longer than the available ciphers of the client ...,
> >  so I think this is quite strange ...
> > 
> > openssl ciphers -V
> > 
> > shows e.g.  ECDHE-ECDSA-DES-CBC3-SHA
> > the site https://cc.dcsec.uni-hannover.de/ shows this:
> > ECDHE-ECDSA-3DES-EDE-SHA
> > 
> > are these the same cipher suites but two confusing names?
> > 
> > Walter
> > 
> > 
> > 
> 
> 


Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke

it depends how many characters differ when sorted.

in this case:

ECDHE-ECDSA-DES-CBC3-SHA -> 3AABDDDHHSSS
   * *** ** 
ECDHE-ECDSA-3DES-EDE-SHA -> 3AACCEEHHSSS

you can see (marked by *) that 6 characters don't match.

now 6 is a triangular number, but the length of the entire cipher suite is 24,
which isn't triangular (the closest is 21).

so they're only going to inter-operate on tuesdays.

andrew


On Fri, Dec 13, 2013 at 07:30:02PM +0100, Walter H. wrote:
> On 12.12.2013 14:16, Erwann Abalea wrote:
> >It's not strange.
> >You removed the RSA-* from client side, the result is that the
> >server can't match anything in common between what the client
> >proposed and what the server accepts. The error you get has been
> >sent by the server.
> >
> The server is capable of ciphers DHE-* and others;
> the list is quite longer than the available ciphers of the client ...,
>  so I think this is quite strange ...
> 
> openssl ciphers -V
> 
> shows e.g.  ECDHE-ECDSA-DES-CBC3-SHA
> the site https://cc.dcsec.uni-hannover.de/ shows this:
> ECDHE-ECDSA-3DES-EDE-SHA
> 
> are these the same cipher suites but two confusing names?
> 
> Walter
> 
> 
> 




Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea

Le 13/12/2013 19:30, Walter H. a écrit :

On 12.12.2013 14:16, Erwann Abalea wrote:

It's not strange.
You removed the RSA-* from client side, the result is that the server 
can't match anything in common between what the client proposed and 
what the server accepts. The error you get has been sent by the server.



The server is capable of ciphers DHE-* and others;
the list is quite longer than the available ciphers of the client ...,
 so I think this is quite strange ...


The ClientHello message will show what ciphersuite is proposed by the 
client.

You'll have to match it with what the server is willing to accept.


openssl ciphers -V

shows e.g.  ECDHE-ECDSA-DES-CBC3-SHA
the site https://cc.dcsec.uni-hannover.de/ shows this: 
ECDHE-ECDSA-3DES-EDE-SHA


are these the same cipher suites but two confusing names?


I'd say yes, but what is really exchanged is a list of 16-bit numbers, 
not names.


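Three replies in this thread make the same practical point from different angles: Dave Thompson's (DES-CBC3 and 3DES-EDE are two spellings of one algorithm), Erwann Abalea's (what goes on the wire is a 16-bit code point, not a name) and Steve Henson's (`DEFAULT:!kRSA` drops static-RSA key exchange, and Au=ECDSA suites need an ECDSA certificate). The script below is an added example written for this page, not code from any of the posters; it uses only `openssl ciphers -V` and maps names to code points and to the Kx/Au columns so that two lists can be compared on what they actually negotiate. Whether the 3DES lookup succeeds depends on the build: newer default OpenSSL builds leave the 3DES suites out unless configured with enable-weak-ssl-ciphers.

```shell
#!/bin/sh
# Added example: compare cipher suites by code point and Kx/Au, not by spelling.
set -eu

# Code point of one OpenSSL suite name, e.g. "0xC0,0x2B"; exit 1 if this build lacks it.
codepoint_of() {
    openssl ciphers -V "$1" 2>/dev/null |
        awk -v n="$1" '$3 == n { print $1; found = 1 } END { exit !found }'
}

# Key-exchange and authentication columns of one suite, e.g. "Kx=ECDH Au=ECDSA".
kx_au_of() {
    openssl ciphers -V "$1" 2>/dev/null |
        awk -v n="$1" '$3 == n { print $5, $6; found = 1 } END { exit !found }'
}

# How many suites in a cipher string still use static RSA key exchange (Kx=RSA).
# "!kRSA" is the cipher-string element that removes exactly these.
count_krsa() {
    openssl ciphers -V "$1" 2>/dev/null |
        awk '$5 == "Kx=RSA" { c++ } END { print c + 0 }'
}

# How many suites in a cipher string authenticate with a certificate of type $2
# ("RSA" or "ECDSA"). A server holding only an ECDSA certificate can use none of
# the Au=RSA suites, however many of them the string contains.
count_au() {
    openssl ciphers -V "$1" 2>/dev/null |
        awk -v au="Au=$2" '$6 == au { c++ } END { print c + 0 }'
}

# Walter's name (OpenSSL spelling) next to a suite every build since 1.0.1 has.
for name in ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-AES128-GCM-SHA256; do
    if cp=$(codepoint_of "$name"); then
        printf '%-32s %s  %s\n' "$name" "$cp" "$(kx_au_of "$name")"
    else
        printf '%-32s not in this OpenSSL build\n' "$name"
    fi
done

# Server-side string from Steve's reply: DEFAULT minus static-RSA key exchange.
printf 'Kx=RSA suites left in DEFAULT:!kRSA: %s\n' "$(count_krsa 'DEFAULT:!kRSA')"
printf 'Au=ECDSA suites in DEFAULT:!kRSA:   %s (usable only with an ECDSA certificate)\n' \
    "$(count_au 'DEFAULT:!kRSA' ECDSA)"
printf 'Au=RSA suites in DEFAULT:!kRSA:     %s (usable only with an RSA certificate)\n' \
    "$(count_au 'DEFAULT:!kRSA' RSA)"
```

To try the server side of Steve's reply against a browser, the same constraints map onto s_server flags: `openssl s_server -cert ecdsa.crt -key ecdsa.key -cipher 'DEFAULT:!kRSA' -named_curve prime256v1 -dhparam dh2048.pem`, where the ECDSA certificate serves the Au=ECDSA suites, `-named_curve` serves the ECDHE ones and `-dhparam` the EDH ones; without the DH parameters the DHE-* suites are listed but never selected.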


Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Walter H.

On 12.12.2013 14:16, Erwann Abalea wrote:

It's not strange.
You removed the RSA-* from client side, the result is that the server 
can't match anything in common between what the client proposed and 
what the server accepts. The error you get has been sent by the server.



The server is capable of ciphers DHE-* and others;
the list is quite longer than the available ciphers of the client ...,
 so I think this is quite strange ...

openssl ciphers -V

shows e.g.  ECDHE-ECDSA-DES-CBC3-SHA
the site https://cc.dcsec.uni-hannover.de/ shows this: 
ECDHE-ECDSA-3DES-EDE-SHA


are these the same cipher suites but two confusing names?

Walter







Default compression in openssl 1.0.1e

2013-12-13 Thread Sameer Stephen
Hi,

I want to know what the default compression algorithm used in openssl 
1.0.1e is. I am using openssl 1.0.1e built against the libz library. I searched 
on the web and didn't get any clue.

Any help would be really appreciated.

Thanks,
Sam
