Re: [openssl-users] [openssl-dev] dates, times, durations in next release (commands)

2016-09-06 Thread Dongsheng Song
On Wed, Sep 7, 2016 at 3:14 AM, Salz, Rich  wrote:

>
> > It's not a huge step to support full blown ISO 8601 (which has a few more
> > alternatives to specify time intervals *).  I like the idea.
>
> No, it *is* a huge step.  There's a reason why W3C XML schema language
> (XSD), not known for being lightweight, profiled the ISO standard.
>
>
Supporting RFC 3339 [1] is relatively easy.

[1] https://tools.ietf.org/html/rfc3339
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] [openssl-announce] OpenSSL version 1.0.1k released

2015-01-08 Thread Dongsheng Song
test failure on custom build:

perl Configure ^
no-comp no-dso no-idea no-ssl2 no-ssl3 no-psk no-srp ^
--prefix=D:/var/pool/openssl-win32 ^
VC-WIN32
...

D:\var\tmp\openssl-1.0.1k>nmake -f ms\ntdll.mak
...

D:\var\tmp\openssl-1.0.1k>nmake -f ms\nt.mak test

Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
Copyright (C) Microsoft Corporation.  All rights reserved.

cd out32
..\ms\test
rsa_test
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
destest
Doing cbcm
Doing ecb
Doing ede ecb
Doing cbc
Doing desx cbc
Doing ede cbc
Doing pcbc
Doing cfb8 cfb16 cfb32 cfb48 cfb64 cfb64() ede_cfb64() done
Doing ofb
Doing ofb64
Doing ede_ofb64
Doing cbc_cksum
Doing quad_cksum
input word alignment test 0 1 2 3
output word alignment test 0 1 2 3
fast crypt test
ideatest
'ideatest' is not recognized as an internal or external command,
operable program or batch file.
problems.

On Thu, Jan 8, 2015 at 11:39 PM, OpenSSL open...@openssl.org wrote:

> OpenSSL version 1.0.1k released
> ===============================
>
> OpenSSL - The Open Source toolkit for SSL/TLS
> http://www.openssl.org/
>
> The OpenSSL project team is pleased to announce the release of
> version 1.0.1k of our open source toolkit for SSL/TLS. For details
> of changes and known issues see the release notes at:
>
>  http://www.openssl.org/news/openssl-1.0.1-notes.html
>
> OpenSSL 1.0.1k is available for download via HTTP and FTP from the
> following master locations (you can find the various FTP mirrors under
> http://www.openssl.org/source/mirror.html):
>
>   * http://www.openssl.org/source/
>   * ftp://ftp.openssl.org/source/
>
> The distribution file name is:
>
>  o openssl-1.0.1k.tar.gz
>    Size: 4434910
>    MD5 checksum: d4f002bd22a56881340105028842ae1f
>    SHA1 checksum: 19d818e202558c212a9583fcdaf876995a633ddf
>
> The checksums were calculated using the following commands:
>
>  openssl md5 openssl-1.0.1k.tar.gz
>  openssl sha1 openssl-1.0.1k.tar.gz
>
> Yours,
>
> The OpenSSL Project Team.

 ___
 openssl-announce mailing list
 openssl-annou...@openssl.org
 https://mta.openssl.org/mailman/listinfo/openssl-announce


How to check the client use which protocol or extensions to connect the server ?

2014-01-17 Thread Dongsheng Song
Hi,

I wrote an SSL server with zlib and TLS 1.0/1.1/1.2 enabled. Can I check
which TLS protocol the client uses, or whether the client uses zlib
compression?

Thanks,
Dongsheng
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: A small note on Windows 8 GetVersion() depreciation

2014-01-08 Thread Dongsheng Song
[1] GetVersionEx may be altered or unavailable for releases after
Windows 8.1. Instead, use the Version Helper APIs.

I think using the 'Version Information Functions' [2] is the better choice.

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms724451%28v=vs.85%29.aspx
[2] http://msdn.microsoft.com/en-us/library/windows/desktop/ff468915%28v=vs.85%29.aspx

--
Dongsheng

On Thu, Jan 9, 2014 at 3:11 AM, Jakob Bohm jb-open...@wisemo.com wrote:
> While I have not specifically checked the Windows 8 SDK, my extensive
> experience with the version detection APIs in Windows tells me the
> following:
>
> 1. GetVersion() is the only version-detection API available on older
>    platform versions.  Later platform versions added variants of
>    GetVersionEx(), with each newer variant being available on less
>    platforms.
>
> 2. The order of the bit fields returned by GetVersion() has
>    historically confused many developers, therefore Microsoft has long
>    told people to avoid it if they don't know what they are doing.
>    At one point, even the editor of the GetVersion() documentation
>    got confused!
>
> 3. Starting a few years ago, Microsoft began a trend of using the
>    compiler __declspec(deprecate) mechanism to scare developers
>    away from functions that are not really deprecated, just not
>    recommended for some other reason.  Those deprecations can
>    usually be ignored safely by those with good reason to use those
>    more portable APIs.
>
> So, if this is just another political compiler warning, there is
> little reason to heed it.
>
> Otherwise, the GetVersionEx() function can be used as a replacement,
> but only by dropping support for Windows NT 3.10 and maybe Win32s
> (NT 3.50 and all the Win9x and WinCE variants include the basic
> form of GetVersionEx()).
>
> P.S.
>
> If there is still code in there to support 16 bit Windows 3.x, then
> that API includes only GetVersion(), and with a different
> specification than its 32/64 bit namesake.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: overflow when calling X509_gmtime_adj() on 32-bit systems

2013-02-03 Thread Dongsheng Song
On Sun, Feb 3, 2013 at 7:01 PM, Dr. Stephen Henson st...@openssl.org wrote:
> In that above code example if you do:
>
> X509_gmtime_adj_ex(X509_get_notAfter(x), days, 0, NULL);
>
> that should resolve your problem.


Maybe this would be better:

X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
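The arithmetic behind the subject line, as an added example that is not code from the thread or from OpenSSL. `X509_gmtime_adj()` takes a single `long` offset in seconds, while `X509_time_adj_ex()` takes days and seconds separately; the block models a 32-bit `long`/`time_t` with `int32_t` (an assumption about the affected platform) and uses a constructed "now" of 2013-02-03 to show where a seconds-only offset stops fitting.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400

/* 1 if `days`, converted to seconds, fits a 32-bit signed long. */
int secs_fit_long32(int days) {
    int64_t secs = (int64_t)days * SECS_PER_DAY;
    return secs >= INT32_MIN && secs <= INT32_MAX;
}

/* 1 if now + days still fits a 32-bit signed time_t. */
int expiry_fits_time32(int32_t now, int days) {
    int64_t t = (int64_t)now + (int64_t)days * SECS_PER_DAY;
    return t >= INT32_MIN && t <= INT32_MAX;
}

/* Value that 32-bit two's-complement arithmetic actually produces. */
int32_t wrapped_expiry32(int32_t now, int days) {
    uint32_t t = (uint32_t)now + (uint32_t)days * (uint32_t)SECS_PER_DAY;
    return (int32_t)t; /* wraps negative once past 2^31 - 1 */
}

/* Largest day count for which now + days * 86400 stays in range. */
int max_safe_days32(int32_t now) {
    return (int)(((int64_t)INT32_MAX - now) / SECS_PER_DAY);
}

int main(void) {
    const int32_t now = 1359849600; /* constructed: 2013-02-03 00:00:00 UTC */
    const int periods[] = {3650, 7300, 10950}; /* roughly 10, 20, 30 years */

    for (size_t i = 0; i < sizeof periods / sizeof periods[0]; i++) {
        int d = periods[i];
        printf("%5d days: offset fits long32=%d, expiry fits time32=%d, "
               "32-bit result=%ld\n", d, secs_fit_long32(d),
               expiry_fits_time32(now, d), (long)wrapped_expiry32(now, d));
    }
    printf("max safe days from now: %d\n", max_safe_days32(now));
    /* With the day-based call from the thread the caller passes `days`
       unchanged: X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); */
    return 0;
}
```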


Re: openssl EC PEM to Java Keystore (JKS)

2013-02-02 Thread Dongsheng Song
On Sat, Feb 2, 2013 at 10:01 PM, redpath redp...@us.ibm.com wrote:

> *I get this ERROR*
> keytool error: java.security.NoSuchAlgorithmException: SHA1withECDSA
> Signature not available

It's very clear your JDK does not support SHA1withECDSA. You can use the
Bouncy Castle Crypto API, or upgrade to Java 7.


Re: [FWD] Apache 2.2.17 and OpenSSL 1.0.0c - Crash with SSLVirtualHost ServerName set.

2011-02-04 Thread Dongsheng Song
On Fri, Feb 4, 2011 at 19:08, Ryan Wehrle ryaner...@gmail.com wrote:
> I forgot to add, I am using client certificate authentication.
> httpd.conf
> <Directory Z:/Apache/_MilesMilitusCallidus.com_SSL>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLRequireSSL
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} = 128
> Options FollowSymLinks ExecCGI
> Order allow,deny
> Allow from all
> </Directory>
>
> Configuration changed with no set servername in the SSL config.
> Logs when using Opera to connect to https://milesmilituscallidus.com. Opera
> has a VALID user cert that works in every other browser, but Opera never
> loads the page. It stays as a white page, reloading every so often.
> Logs:
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1993): [client
> 67.167.32.58] No matching SSL virtual host for servername
> milesmilituscallidus.com found (using default/first virtual host)
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL:
> Write: SSLv3 read client hello C
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
> SSLv3 read client hello A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
> SSLv3 write server hello A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
> SSLv3 write certificate A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1274): [client
> 67.167.32.58] handing out temporary 1024 bit DH key
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
> SSLv3 write key exchange A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
> SSLv3 write certificate request A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
> SSLv3 flush data
> [Fri Feb 04 04:53:58 2011] [debug] ssl_engine_io.c(1900): OpenSSL: I/O
> error, 5 bytes expected to read on BIO#290def0 [mem: 27ea44b]
> [Fri Feb 04 04:53:58 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit:
> error in SSLv3 read client certificate A
> [Fri Feb 04 04:53:58 2011] [error] [client 67.167.32.58] Re-negotiation
> handshake failed: Not accepted by client!?

Please comment out the following line:
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} = 128

Maybe your SSL_CIPHER_USEKEYSIZE is too restrictive.

--
Dongsheng song


Re: SHA1 Message Digest Getting Generated less than 160 Bits i.e. 152 bits.

2010-09-27 Thread Dongsheng Song
On Sat, Sep 25, 2010 at 21:09, Kedar Sabnis kedar.sab...@tcs.com wrote:


> HI,
>
> I am an openSSL User. We implemented SHA1 algorithm.
>
> Here in some specific case SHA1 digest is coming as 152 bits long instead
> of 160 bits long.
>
> Please suggest if any bug fix is there for this issue.
>
> Thanking you in anticipation.


According to *FIPS 180-1*, SHA1 is fixed at 160 bits long:
http://www.itl.nist.gov/fipspubs/fip180-1.htm

But you can truncate the 160-bit result to 152 bits if you like.
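Added example, not part of the thread and not OpenSSL code: the reported 152 bits is exactly one byte short of 160, and the block shows two common handling mistakes that each lose one byte of a correct 20-byte digest. Whether either applied to the poster's code is not stated on the page; the two sample digests are constructed byte strings, not the SHA-1 of any input.

```c
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20 /* SHA-1 output is always 20 bytes (160 bits) */

/* Constructed sample digests: one starts with 0x00, one ends with 0x00. */
static const unsigned char MD_LEADING_ZERO[SHA1_LEN] = {
    0x00, 0x9c, 0x41, 0x7e, 0x12, 0xb3, 0x58, 0xd4, 0x6a, 0x2f,
    0x81, 0xc5, 0x39, 0xe7, 0x1d, 0xa6, 0x4b, 0xf2, 0x73, 0x0e};
static const unsigned char MD_TRAILING_ZERO[SHA1_LEN] = {
    0x5a, 0x9c, 0x41, 0x7e, 0x12, 0xb3, 0x58, 0xd4, 0x6a, 0x2f,
    0x81, 0xc5, 0x39, 0xe7, 0x1d, 0xa6, 0x4b, 0xf2, 0x73, 0x00};

/* Correct handling: fixed-width hex, two digits per byte, 40 characters. */
size_t hex_fixed(const unsigned char md[SHA1_LEN], char out[2 * SHA1_LEN + 1]) {
    for (size_t i = 0; i < SHA1_LEN; i++)
        sprintf(out + 2 * i, "%02x", (unsigned)md[i]);
    return strlen(out);
}

/* Pitfall 1: a binary digest measured like a C string ends at the first
   0x00 byte (memchr models what strlen would report). */
size_t len_as_c_string(const unsigned char md[SHA1_LEN]) {
    const unsigned char *nul = memchr(md, 0, SHA1_LEN);
    return nul ? (size_t)(nul - md) : SHA1_LEN;
}

/* Pitfall 2: a digest converted to a big integer and back in minimal
   form loses its leading zero bytes. */
size_t len_as_integer(const unsigned char md[SHA1_LEN]) {
    size_t i = 0;
    while (i < SHA1_LEN && md[i] == 0)
        i++;
    return SHA1_LEN - i;
}

int main(void) {
    char hex[2 * SHA1_LEN + 1];
    printf("fixed-width hex: %zu chars (%s)\n",
           hex_fixed(MD_LEADING_ZERO, hex), hex);
    printf("as integer:      %zu bits\n", 8 * len_as_integer(MD_LEADING_ZERO));
    printf("as C string:     %zu bits\n", 8 * len_as_c_string(MD_TRAILING_ZERO));
    return 0;
}
```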


Windows Certificate Store with OpenSSL Certificate

2010-09-07 Thread Dongsheng Song
Hi,

When I install my self-signed certificate into the 'Certificate Store' of
Windows 2008, if I select 'Automatically select the certificate store based
on the type of certificate', then the self-signed certificate will be in
'Intermediate Certification Authorities', not 'Trusted Root Certification
Authorities'.

How can I create a self-signed certificate with the correct certificate TYPE?

Regards,
Dongsheng


Re: Windows Certificate Store with OpenSSL Certificate

2010-09-07 Thread Dongsheng Song
Did you test with 2008/Win7?

My self-signed certificate can automatically go to 'Trusted Root
Certification Authorities' on an XP/2k3 box, but not on a 2008 box.

If the answer is 'YES', could you share the configuration?

I ask because I compared my self-signed certificate with the Microsoft 2010
ROOT CA and found no significant difference.

Thanks,
Dongsheng

On Wed, Sep 8, 2010 at 01:59, Jakob Bohm jb-open...@wisemo.com wrote:

> On 07-09-2010 09:59, Dongsheng Song wrote:
>
> > Hi,
> >
> > When I install my self-signed certificate to 'Certificate Store' of
> > Windows 2008,
> > if I select 'Automatically select the certificate store based on the
> > type of certificate',
> > then the self-signed certificate will be in the 'Intermediate
> > Certification Authorities',
> > not 'Trusted Root Certification Authorities'.
> >
> > How can I create self-signed certificate with correct certificate TYPE ?
> >
> > Regards,
> > Dongsheng
>
>
> Note that this did NOT happen with the self-signed CA root cert that I
> created with openssl (via a GUI front end) for our internal network CA.
> (Used for such boring tasks as SSL certificates for domain controllers
> etc.).
>
> It has the following attributes (anonymised here):
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             f8:dd:1a:38:49:01:61:a4
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
>         Validity
>             Not Before: Apr 19 18:41:02 2010 GMT
>             Not After : Apr 16 18:41:02 2020 GMT
>         Subject: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (4096 bit)
>                 Modulus (4096 bit):
>                     (Omitted)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
>             X509v3 Authority Key Identifier:
>                 keyid:9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
>                 DirName:/C=XX/L=Somecity/O=OurComapany/CN=OurCompany Inc.
>                 serial:F8:DD:1A:38:49:01:61:A4
>
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             Netscape Cert Type:
>                 SSL CA, S/MIME CA, Object Signing CA
>             X509v3 Issuer Alternative Name:
>                 <EMPTY>
>
>             Netscape Comment:
>                 WiseMo Internal CA
>             Netscape CA Revocation Url:
>                 https://SomeInternalServer/somename.crl
>             Netscape Revocation Url:
>                 https://SomeInternalServer/somename.crl
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>     Signature Algorithm: sha1WithRSAEncryption
>         (omitted)





How to generate private key format accept by microsoft signcode ?

2004-03-05 Thread Dongsheng Song

Hello,

How do I generate a private key in a format accepted by the Microsoft signcode tool?

Thanks in advance


How to setup cert server using openssl ?(No Content)

2001-12-12 Thread Dongsheng Song


