Re: Wasn't someone joking about the virus being posted by an autoresponder
On Thu, 23 Aug 2001 10:03:10 -0500 (EST), "Mark H. Wood" <[EMAIL PROTECTED]> wrote:

>On Wed, 22 Aug 2001, Caliban Tiresias Darklock wrote:
>> Just out of curiosity, why are attachments allowed on the list in the
>> first place? Is there any legitimate reason for it?
>
>Well, why not? Is there any legitimate reason *not* to?

Well, there exist common mail clients with buggy scriptable interfaces that allow malicious programs to send other malicious programs to everyone in the address book and/or everyone the user emails. That seems like a pretty legitimate reason not to allow attachments on a list.

The submission of patches is a good point, but to date I have not seen a single patch submitted on the list as an attachment -- and I've been here several months. It seems to me that any patch large enough to need an attachment would be more properly placed on an FTP site somewhere, anyway.

Just a thought. I'm not really bothered by any of the message-bouncing and virus-detection spam, myself, and tend to think it's funny instead of getting mad over it.

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       [EMAIL PROTECTED]
Automated List Manager          [EMAIL PROTECTED]

Re: Wasn't someone joking about the virus being posted by an autoresponder
On Wed, 22 Aug 2001 08:05:24 -0600, Nathan Bell <[EMAIL PROTECTED]> wrote:

>I still think this would all stop if the openssl mail server rejected (and
>deleted) the virus before sending the message to everyone on the list.

Just out of curiosity, why are attachments allowed on the list in the first place? Is there any legitimate reason for it?

Re: Please reconfigure majordomo to not set Reply-To (was: Failed to clean virus file Emanuel.exe)
On Mon, 20 Aug 2001 13:33:18 +0200, Michael Ströder <[EMAIL PROTECTED]> wrote:

>Because the mailing list processor is configured to set the Reply-To
>address to the list address. IMHO this should be changed to reduce
>such problems with automatic replies (vacation e-mails, virus-scans
>etc.).

But that would make *regular* replies a pain in the ass for list members.

Re: Memory leaks!
On Thu, 2 Aug 2001 20:17:52 +0100, "Mike Scriven" <[EMAIL PROTECTED]> wrote:

>I've written a Windows app. using OpenSSL and I'm getting memory
>leaks when I close it, even if I haven't connected a socket.

I'm no expert, but I've been reading the man pages a lot... so here are my thoughts.

>At startup I do the following:
>
>SSLeay_add_ssl_algorithms();

I think you should be using OpenSSL_add_all_algorithms() here.

>SSL_load_error_strings();
>m_pSSLctx = SSL_CTX_new(SSLv23_client_method());
>
>and at shutdown I do this:
>
>SSL_CTX_free(m_pSSLctx);
>ERR_free_strings();

Looks like you missed EVP_cleanup(). From the OpenSSL_add_all_algorithms(3) man page:

-
OpenSSL keeps an internal table of digest algorithms and ciphers. It uses this table to lookup ciphers via functions such as EVP_get_cipher_byname().

OpenSSL_add_all_digests() adds all digest algorithms to the table.

OpenSSL_add_all_algorithms() adds all algorithms to the table (digests and ciphers).

OpenSSL_add_all_ciphers() adds all encryption algorithms to the table including password based encryption algorithms.

EVP_cleanup() removes all ciphers and digests from the table.
-

This may solve your problem.

Re: DH and key space question
On 31 Jul 2001 02:43:12 -0400, Haig C Didizian <[EMAIL PROTECTED]> wrote:

>I was just wondering if using DH for key negotiation (say, to generate a
>128 bit blowfish key) reduces the number of potential keys in a way that
>significantly affects security.

Okay, this is a VERY BRIEF explanation of DH negotiation.

The system has two public values A and B. Value A is prime. Value B is a little more complex. Specifically, B < A, and for every positive integer N such that N < A, there exists some number C such that B to the power of C modulo A = N.

So, provided value A is sufficiently large, DH does *not* reduce the number of potential keys. If the bit length of A exceeds the desired encryption key's bit length, the number of potential encryption keys by definition exceeds the number of potential *acceptable* encryption keys because value B will provide at least A-1 keys.

Now, Bob and Joe want to talk. Bob selects a positive integer W such that W < (A - 1). He holds onto W, and computes B to the power of W modulo A to result in a number X. He sends X to Joe.

Joe also selects a positive integer Y such that Y < (A - 1). He holds onto Y, and computes B to the power of Y modulo A to result in a number Z. He sends Z to Bob.

Bob raises Z to the power of W, and Joe raises X to the power of Y. These two values are identical. (Do the math if you feel so inclined.) Bob and Joe now have the same value K, and can use it as a symmetric encryption key.

However, anyone *eavesdropping* can only see parameters X and Z. In order to obtain K, he must solve for both W and Y -- and this is computationally infeasible. Even if he knows what A and B are, this is of no help in solving the problem.

>How much less safe is using a DH key as
>a blowfish key than using a random string, for example?

How do you get that random string from one person to the other? Anyone eavesdropping will see it and be able to use it for decryption of traffic. That's the problem DH solves, and it doesn't sacrifice any existing security to do so. It would, of course, be more secure (and not subject to man-in-the-middle attacks) to use an asymmetric public-key algorithm on both ends -- but it would also be significantly slower.

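The exchange described in the message above, carried through with its own letters (A, B, W, X, Y, Z, K) on toy numbers; this is an added example and not part of the original post. The values A=23, B=5, W=6, Y=15, the helper names and the SHA-256 step that turns K into a 128-bit key are assumptions chosen for illustration, and the block also contrasts a base B that reaches every residue with one that does not.

```python
import hashlib

def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy-sized n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(b, a):
    """True if B reaches every N in 1..A-1 as B**C mod A (A must be prime)."""
    return all(pow(b, (a - 1) // q, a) != 1 for q in prime_factors(a - 1))

def reachable(b, a):
    """All values B**C mod A can take: the pool the shared value K is drawn from."""
    return {pow(b, c, a) for c in range(1, a)}

def public_value(b, secret, a):
    return pow(b, secret, a)            # X = B**W mod A, or Z = B**Y mod A

def shared_secret(peer_public, secret, a):
    return pow(peer_public, secret, a)  # K = Z**W mod A = X**Y mod A

def derive_key(k, a, bits=128):
    """Assumed step, not in the post: hash K down to a fixed-length key."""
    raw = k.to_bytes((a.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[: bits // 8]

# Constructed toy parameters; real deployments use primes thousands of bits long.
A, B = 23, 5
W, Y = 6, 15                            # Bob's and Joe's private values

def run_exchange():
    x = public_value(B, W, A)           # Bob -> Joe
    z = public_value(B, Y, A)           # Joe -> Bob
    return x, z, shared_secret(z, W, A), shared_secret(x, Y, A)

if __name__ == "__main__":
    x, z, k_bob, k_joe = run_exchange()
    print("X =", x, "Z =", z, "K (Bob) =", k_bob, "K (Joe) =", k_joe)
    print("B=5 reaches", len(reachable(5, A)), "values; B=2 reaches",
          len(reachable(2, A)))
    print("128-bit key:", derive_key(k_bob, A).hex())
```

With B = 2 only 11 of the 22 nonzero residues modulo 23 are reachable, which is the kind of key-space reduction the question asks about; a base that passes `is_generator` avoids it.
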
Re: problem with certificates
On 30 Jul 2001 19:38:04 -, "ganesh kumar godavari" <[EMAIL PROTECTED]> wrote:

>*** on the server *
>1906:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:769:
>Error: error in SSL_accept()
>***
>and on the client the connection is being disconnected
>(as there are no common ciphers)

It appears that you have forgotten to call OpenSSL_add_all_algorithms() before attempting to make the connection. Don't forget to call EVP_cleanup() to remove them before exiting.

Re: TCP/IP with SSL: close TCP/IP socket first?
On Mon, 30 Jul 2001 18:15:04 -0400, Joseph Su <[EMAIL PROTECTED]> wrote:

>Please excuse me for a simple question. For all intents and purposes, please
>refer to the sample server program included in the OpenSSL package. My
>question is: why do we need to *CLOSE* the TCP/IP listening socket, i.e.,
>closesocket (listen_sd), before initiating a SSL handshaking process

You don't. Normally, you would keep the listening socket around and continue listening on it. But the server provided accepts one and only one connection during the run, so rather than hold onto the listening socket for no good purpose, it closes it.

That's the *conclusion* of the "accepting connections" phase, and should not be considered part of the SSL initiation process. The server's one and only reason for accepting connections is to get a single socket it can do the SSL connection over.

Re:
On Mon, 30 Jul 2001 12:40:37 +0100, "O'SULLIVAN JOHN" <[EMAIL PROTECTED]> wrote:

>
>Hi everyone,
>I am running Red-Hat Linux Release 7.1 and I am trying to
>learn how to use OpenSSL from scratch (I have version .9.6.b installed).
>Could anyone please direct me to some simple, working code to get me
>started.

The distribution archive contains a sample client and server in the demos/ssl directory. It's reasonably straightforward. The process of generating certificates is a little convoluted, but there's a HOWTO on it at http://www.openssl.org/docs/HOWTO/certificates.txt which can be helpful.