Re: Symmetric key renegotiation
That depends on the traffic between the points that are using the symmetric encryption; you can set a limit by time, or by bytes... Are you doing unidirectional or bidirectional encryption? (Maybe VPN, or only SSL, or TTL?)

Regards...
Adriano.

On Tue, 19-11-2002 at 20:13, Vishal Mittal wrote:

Hi,

Where can I find some documentation regarding how often (based on time or amount of traffic) a symmetric key (AES-128) should be renegotiated when using TLS?

Thanks
-VM

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Symmetric key renegotiation
There is a standard for the AES algorithm; there should be statistical information of the kind you are asking about...

Regards
Adriano..

On Wed, 20-11-2002 at 14:19, Vishal Mittal wrote:

I am looking for some statistical figures as to what is considered safe, i.e. how often should you renegotiate the key if you are using AES 128 bit encryption (bidirectional).

Thanks
-VM
Re: to secure a directory
The data you're talking about is some configuration file or something? The application that uses this data... can it decrypt the data? Or could you add this functionality to those applications... I think you're using symmetric cryptography... that's easy... you have to use the EVP library... if not... your loss... that's the meaning of security... confidentiality and message integrity (and authentication sometimes...)

Regards
AD

On Thu, 31-10-2002 at 15:40, Karim wrote:

Hello!

Here is my problem: I wrote 2 codes: a server under Linux and a client for Linux (and Windows). The server sends data to a client (which is on another computer denoted by C) and the connection is secured using openssl. The client stores this data in a directory of C, but I would like that nobody could access this directory, but the administrator of C (the root) can :( . So I thought that I could encrypt the files which are in this directory using functions of openssl. But the data which is in the directory has to be used by a code which is in this directory, and I want the data to still remain encrypted. So is it possible to do all that?

Thanks a lot for your help!
Karim
Re: Problem creating signed certs
Mike...

The log you sent shows:

    The countryName field needed to be the same in the
    CA certificate (AU) and the request (US)

That means that you have in your configuration file (openssl.cnf) a statement that doesn't allow the CA to be from a different country than the country of the client. That's why your certificate is left blank...

Regards,
Adriano

On Wed, 30-10-2002 at 01:01, MikeCC wrote:

Hello,

I am trying to create a signed client certificate, but when I execute the command

    openssl ca -in req.pem -out newcert.pem

the newcert.pem file is created, but it is created as an empty file. Here is what I see on the display:

    /openssl-engine-0.9.6g/apps openssl ca -in req.pem -out newcert.pem
    Using configuration from /usr/local/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'MA'
    localityName          :PRINTABLE:'Arlington'
    organizationName      :PRINTABLE:'Brandywine mills'
    organizationalUnitName:PRINTABLE:'Hobbiton'
    commonName            :PRINTABLE:'Frodo'
    emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
    The countryName field needed to be the same in the
    CA certificate (AU) and the request (US)
    /openssl-engine-0.9.6g/apps ls -l newcert.pem
    -rw-r--r--    1 root     root            0 Oct 29 22:29 newcert.pem

Can anyone help me understand what I'm missing or doing incorrectly?

==
Mike Cerone, CISSP, CCNA
Ad Astra!
==
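
The policy check behind the error in the log above, as an added example (not part of the original thread and not OpenSSL's own code): it applies the `match` / `supplied` / `optional` rules of an openssl.cnf policy section to the request's DN. The two policy sections follow the stock openssl.cnf; the CA subject is constructed apart from countryName=AU, which comes from the log, and the e-mail address is a placeholder.

```python
import configparser

# Policy sections as in the stock openssl.cnf; check the one your "policy =" line names.
OPENSSL_CNF = """
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""
# Request DN from the log in the thread (e-mail value is a placeholder).
REQUEST_DN = {"countryName": "US", "stateOrProvinceName": "MA",
              "localityName": "Arlington", "organizationName": "Brandywine mills",
              "organizationalUnitName": "Hobbiton", "commonName": "Frodo",
              "emailAddress": "user@example.invalid"}
# Constructed CA subject: only countryName=AU is known from the log.
CA_DN = {"countryName": "AU", "stateOrProvinceName": "Some-State",
         "organizationName": "Example CA"}

def load_policy(text, section):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep field names case-sensitive
    cp.read_string(text)
    return dict(cp[section])

def check_policy(policy, ca_dn, req_dn):
    """Return the policy violations; an empty list means the request passes."""
    problems = []
    for field, rule in policy.items():
        value = req_dn.get(field)
        if rule != "optional" and value is None:
            problems.append(f"{field}: required by policy but absent")
        elif rule == "match" and value != ca_dn.get(field):
            problems.append(f"{field}: request {value!r} != CA {ca_dn.get(field)!r}")
    return problems

def dropped_fields(policy, req_dn):
    """Fields not named in the policy are left out of the issued certificate."""
    return [f for f in req_dn if f not in policy]
```

With this constructed CA subject the request fails `policy_match` on three fields, not only countryName, so correcting the country alone would surface the next mismatch. `openssl ca -policy policy_anything` selects the looser section at signing time, which means the CA no longer enforces any of those fields.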
Re: Remove passphrase
What is your problem..? Perhaps you can't open the PEM file? Even if you purchase the correct passphrase?

Regards,
Adriano

On Fri, 25-10-2002 at 10:45, Rabellino Sergio wrote:

Robbert Hardin wrote:

Hello Bruno

I tried, but it doesn't work:

    # openssl rsa -in cakey.pem -out canokey.pem
    read RSA key
    Enter PEM pass phrase:
    unable to load key
    15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp_enc.c:277:
    15251:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:452:
    #

I forgot to tell you I lost the pass phrase, which is why I wanted to change it. Sorry. Let me rephrase my question: Is it possible to remove or change a PEM pass phrase on keypair.pem generated with openssl if you don't have the PEM pass phrase?

Cheers,
Robbert

Only by brute force, I suppose, or everything we do is not security

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
Re: installation openssl urgent!
Hi Jose...

First of all.. don't uninstall the openssl RPMs that come with the Red Hat distribution, because many packages use libraries and headers that are not supplied with other distributions...

Second... when you run the configure script, make sure you run it with the shared parameter, like ./Configure shared. That's the only way that openssl creates the libraries that you are talking about...

Regards
Adriano Devillaine...

On Wed, 23-10-2002 at 21:05, José Alberto Patiño Limón wrote:

On Tue, 2002-10-22 at 19:32, Ivone Uribe wrote:

Hi all!

I have problems with openssl in an installation of a WAP gateway. I'm using Red Hat 7.2. When I was trying to install the gateway rpm I got these messages:

    libcrypto.so.0.9.6 required
    libssl.so.0.9.6 required.

To solve it I removed the openssl0.9.6 rpm (is it right?) and I just downloaded the openssl source code (openssl-0.9.6g) and compiled it to usr/local/ssl:

    ./config
    make
    make test
    make install

After that I wrote the path /usr/local/ssl/lib/usr/local/ssl/lib in the ld.so.config and ran the command ldconfig.

Did I forget some important step in the installation of openssl?

Are you sure that the libcrypto.so* and libssl.so* are installed under /usr/local/ssl/lib? Chances are that you have just got the static version of the OpenSSL libraries.

...

After that I tried to install the gateway rpm again, but I got the same reply:

    libcrypto.so.0.9.6 required
    libssl.so.0.9.6 required.

Could anybody explain to me how I can solve it? Please!

Looking for another solution, I tried to install the gateway source (tar.gz). But when I configure the gateway with

    ./configure --prefix=/usr/local/kannel_test --with-ssl=/usr/local/ssl --with-wtls=openssl --enable-start-stop-daemon --enable-ssl --disable-docs

I get this:

    ...
    Configuring OpenSSL support ...
    checking whether to compile with SSL support... trying /usr/local/ssl/lib /usr/local/ssl/include
    checking for openssl... /usr/local/ssl/bin/openssl
    checking for CRYPTO_lock in -lcrypto... yes
    checking for SSL_library_init in -lssl... yes
    checking for SSL_connect in -lssl... yes
    checking for openssl/x509.h... no
    checking for openssl/rsa.h... no
    checking for openssl/crypto.h... no
    checking for openssl/pem.h... no
    checking for openssl/ssl.h... no
    checking for openssl/err.h... no
    checking whether the OpenSSL library is multithread-enabled... yes
    checking whether to compile with SSL support... yes
    Configuring MySQL support ...
    checking whether to compile with MySQL support... disabled
    Configuring WTLS support ...
    checking for WTLS library... openssl
    checking for RSA_new in -lcrypto... yes
    checking for openssl/objects.h... no
    configure: warning: OpenSSL installation seems to lack RC5 algorithm!
    checking for openssl/rc5.h... no
    configure: warning: OpenSSL installation seems to lack RC5 algorithm!

But my openssl has the RC5 algorithm! And openssl/x509.h, openssl/rsa.h, openssl/crypto.h, openssl/pem.h, openssl/ssl.h, openssl/err.h, openssl/objects.h and openssl/rc5 are in the directory usr/local/ssl/include/openssl, so I don't know why the kannel gateway doesn't recognize it.

Please, could anybody help me with this problem? Any idea? Am I installing the openssl tar.gz correctly?

Thanks in advance,
Ivone