Re: [openssl-users] [openssl-dev] dates, times, durations in next release (commands)
On Wed, Sep 7, 2016 at 3:14 AM, Salz, Rich wrote:
> > It's not a huge step to support full blown ISO 8601 (which has a few more
> > alternatives to specify time intervals *). I like the idea.
>
> No, it *is* a huge step. There's a reason why W3C XML schema language
> (XSD), not known for being lightweight, profiled the ISO standard.

Supporting RFC3339[1] is relatively easy.

[1] https://tools.ietf.org/html/rfc3339

Re: [openssl-users] [openssl-announce] OpenSSL version 1.0.1k released
test failure on custom build:

perl Configure ^
  no-comp no-dso no-idea no-ssl2 no-ssl3 no-psk no-srp ^
  --prefix=D:/var/pool/openssl-win32 ^
  VC-WIN32
...
D:\var\tmp\openssl-1.0.1k>nmake -f ms\ntdll.mak
...
D:\var\tmp\openssl-1.0.1k>nmake -f ms\nt.mak test

Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
Copyright (C) Microsoft Corporation. All rights reserved.

cd out32
..\ms\test
rsa_test
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
PKCS #1 v1.5 encryption/decryption ok
OAEP encryption/decryption ok
destest
Doing cbcm
Doing ecb
Doing ede ecb
Doing cbc
Doing desx cbc
Doing ede cbc
Doing pcbc
Doing cfb8 cfb16 cfb32 cfb48 cfb64 cfb64() ede_cfb64() done
Doing ofb
Doing ofb64
Doing ede_ofb64
Doing cbc_cksum
Doing quad_cksum
input word alignment test 0 1 2 3
output word alignment test 0 1 2 3
fast crypt test
ideatest
'ideatest' is not recognized as an internal or external command,
operable program or batch file.
problems.

On Thu, Jan 8, 2015 at 11:39 PM, OpenSSL open...@openssl.org wrote:
> OpenSSL version 1.0.1k released
> ===============================
>
> OpenSSL - The Open Source toolkit for SSL/TLS
> http://www.openssl.org/
>
> The OpenSSL project team is pleased to announce the release of
> version 1.0.1k of our open source toolkit for SSL/TLS.
> For details of changes and known issues see the release notes at:
>
> http://www.openssl.org/news/openssl-1.0.1-notes.html
>
> OpenSSL 1.0.1k is available for download via HTTP and FTP from the
> following master locations (you can find the various FTP mirrors under
> http://www.openssl.org/source/mirror.html):
>
> * http://www.openssl.org/source/
> * ftp://ftp.openssl.org/source/
>
> The distribution file name is:
>
> o openssl-1.0.1k.tar.gz
>   Size: 4434910
>   MD5 checksum: d4f002bd22a56881340105028842ae1f
>   SHA1 checksum: 19d818e202558c212a9583fcdaf876995a633ddf
>
> The checksums were calculated using the following commands:
>
> openssl md5 openssl-1.0.1k.tar.gz
> openssl sha1 openssl-1.0.1k.tar.gz
>
> Yours,
>
> The OpenSSL Project Team.

How to check the client use which protocol or extensions to connect the server ?
Hi,

I wrote an SSL server with zlib and TLS 1.0/1.1/1.2 enabled. Can I check which TLS protocol the client uses, or whether the client uses zlib compression?

Thanks,
Dongsheng

Re: A small note on Windows 8 GetVersion() depreciation
[1] GetVersionEx may be altered or unavailable for releases after Windows 8.1. Instead, use the Version Helper APIs.

I think using the 'Version Information Functions'[2] is the better choice.

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/ms724451%28v=vs.85%29.aspx
[2] http://msdn.microsoft.com/en-us/library/windows/desktop/ff468915%28v=vs.85%29.aspx

--
Dongsheng

On Thu, Jan 9, 2014 at 3:11 AM, Jakob Bohm jb-open...@wisemo.com wrote:
> While I have not specifically checked the Windows 8 SDK, my extensive
> experience with the version detection APIs in Windows tells me the
> following:
>
> 1. GetVersion() is the only version-detection API available on older
> platform versions. Later platform versions added variants of
> GetVersionEx(), with each newer variant being available on fewer
> platforms.
>
> 2. The order of the bit fields returned by GetVersion() has
> historically confused many developers, therefore Microsoft has long
> told people to avoid it if they don't know what they are doing. At one
> point, even the editor of the GetVersion() documentation got confused!
>
> 3. Starting a few years ago, Microsoft began a trend of using the
> compiler __declspec(deprecate) mechanism to scare developers away from
> functions that are not really deprecated, just not recommended for some
> other reason. Those deprecations can usually be ignored safely by those
> with good reason to use those more portable APIs.
>
> So, if this is just another political compiler warning, there is little
> reason to heed it. Otherwise, the GetVersionEx() function can be used
> as a replacement, but only by dropping support for Windows NT 3.10 and
> maybe Win32s (NT 3.50 and all the Win9x and WinCE variants include the
> basic form of GetVersionEx()).
>
> P.S.
>
> If there is still code in there to support 16 bit Windows 3.x, then
> that API includes only GetVersion(), and with a different specification
> than its 32/64 bit namesake.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: overflow when calling X509_gmtime_adj() on 32-bit systems
On Sun, Feb 3, 2013 at 7:01 PM, Dr. Stephen Henson st...@openssl.org wrote:
> In that above code example if you do:
>
> X509_gmtime_adj_ex(X509_get_notAfter(x), days, 0, NULL);
>
> that should resolve your problem.

Maybe this would be better:

X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);

Re: openssl EC PEM to Java Keystore (JKS)
On Sat, Feb 2, 2013 at 10:01 PM, redpath redp...@us.ibm.com wrote:
> *I get this ERROR*
> keytool error: java.security.NoSuchAlgorithmException: SHA1withECDSA Signature not available

It's very clear your JDK does not support SHA1withECDSA. You can use the Bouncy Castle Crypto API, or upgrade to Java 7.

Re: [FWD] Apache 2.2.17 and OpenSSL 1.0.0c - Crash with SSLVirtualHost ServerName set.
On Fri, Feb 4, 2011 at 19:08, Ryan Wehrle ryaner...@gmail.com wrote:
> I forgot to add, I am using client certificate authentication.
>
> httpd.conf
> <Directory Z:/Apache/_MilesMilitusCallidus.com_SSL>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLRequireSSL
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} = 128
> Options FollowSymLinks ExecCGI
> Order allow,deny
> Allow from all
> </Directory>
>
> Configuration changed with no set servername in the SSL config.
>
> Logs when using Opera to connect to https://milesmilituscallidus.com.
> Opera has a VALID user cert that works in every other browser, but Opera
> never loads the page. It stays as a white page, reloading every so often.
>
> Logs:
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1993): [client 67.167.32.58] No matching SSL virtual host for servername milesmilituscallidus.com found (using default/first virtual host)
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client hello C
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read client hello A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write server hello A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write certificate A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1274): [client 67.167.32.58] handing out temporary 1024 bit DH key
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write key exchange A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write certificate request A
> [Fri Feb 04 04:48:58 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 flush data
> [Fri Feb 04 04:53:58 2011] [debug] ssl_engine_io.c(1900): OpenSSL: I/O error, 5 bytes expected to read on BIO#290def0 [mem: 27ea44b]
> [Fri Feb 04 04:53:58 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
> [Fri Feb 04 04:53:58 2011] [error] [client 67.167.32.58] Re-negotiation handshake failed: Not accepted by client!?

Please comment out the following line:

# SSLRequire %{SSL_CIPHER_USEKEYSIZE} = 128

Maybe your SSL_CIPHER_USEKEYSIZE is too restrictive.

--
Dongsheng song

Re: SHA1 Message Digest Getting Generated less than 160 Bits i.e. 152 bits.
On Sat, Sep 25, 2010 at 21:09, Kedar Sabnis kedar.sab...@tcs.com wrote:
> Hi,
>
> I am an openSSL User. We implemented SHA1 algorithm. Here in some
> specific case SHA1 digest is coming as 152 bits long instead of 160 bits
> long. Please suggest if any bug fix is there for this issue.
>
> Thanking you in anticipation.

According to *FIPS 180-1*, a SHA1 digest is a fixed 160 bits long:

http://www.itl.nist.gov/fipspubs/fip180-1.htm

But you can truncate the 160-bit result to 152 bits if you like.

Windows Certificate Store with OpenSSL Certificate
Hi,

When I install my self-signed certificate to the 'Certificate Store' of Windows 2008, if I select 'Automatically select the certificate store based on the type of certificate', then the self-signed certificate will be in the 'Intermediate Certification Authorities', not 'Trusted Root Certification Authorities'.

How can I create a self-signed certificate with the correct certificate TYPE?

Regards,
Dongsheng

Re: Windows Certificate Store with OpenSSL Certificate
Did you test with 2008/Win7?

My self-signed certificate can automatically go to 'Trusted Root Certification Authorities' on an XP/2k3 box, but not on a 2008 box.

If the answer is 'YES', could you share the configuration? Because I compared my self-signed certificate with the Microsoft 2010 ROOT CA, and found no valuable difference.

Thanks,
Dongsheng

On Wed, Sep 8, 2010 at 01:59, Jakob Bohm jb-open...@wisemo.com wrote:
> On 07-09-2010 09:59, Dongsheng Song wrote:
> > Hi,
> >
> > When I install my self-signed certificate to 'Certificate Store' of
> > Windows 2008, if I select 'Automatically select the certificate store
> > based on the type of certificate', then the self-signed certificate
> > will be in the 'Intermediate Certification Authorities', not 'Trusted
> > Root Certification Authorities'.
> >
> > How can I create self-signed certificate with correct certificate TYPE ?
> >
> > Regards,
> > Dongsheng
>
> Note that this did NOT happen with the self-signed CA root cert that I
> created with openssl (via a GUI front end) for our internal network CA.
> (Used for such boring tasks as SSL certificates for domain controllers
> etc.).
>
> It has the following attributes (anonymised here):
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: f8:dd:1a:38:49:01:61:a4
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
>         Validity
>             Not Before: Apr 19 18:41:02 2010 GMT
>             Not After : Apr 16 18:41:02 2020 GMT
>         Subject: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (4096 bit)
>                 Modulus (4096 bit): (Omitted)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
>             X509v3 Authority Key Identifier:
>                 keyid:9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
>                 DirName:/C=XX/L=Somecity/O=OurComapany/CN=OurCompany Inc.
>                 serial:F8:DD:1A:38:49:01:61:A4
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             Netscape Cert Type:
>                 SSL CA, S/MIME CA, Object Signing CA
>             X509v3 Issuer Alternative Name:
>                 EMPTY
>             Netscape Comment:
>                 WiseMo Internal CA
>             Netscape CA Revocation Url:
>                 https://SomeInternalServer/somename.crl
>             Netscape Revocation Url:
>                 https://SomeInternalServer/somename.crl
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>     Signature Algorithm: sha1WithRSAEncryption
>         (omitted)

How to generate private key format accept by microsoft signcode ?
Hello,

How can I generate a private key in a format accepted by the Microsoft signcode tool?

Thanks in advance

How to setup cert server using openssl ?(No Content)