HMAC-128
Hi Everyone,

I know that OpenSSL has the following, HMAC(EVP_sha1(), ...), which supports 160 bits. But does OpenSSL support HMAC-128 as well? If yes, could you please tell me where/how I can get information about it. If no, could you point me to a place where I can get it.

The OpenSSL version that I am using is openssl-0.9.7d.

Thanks,
Elie

Elie Lalo
Senior Software Engineer
Desktop Technologies Group
1414 Mass Avenue
Boxborough, MA 01719
Cisco Systems, Inc.
Tel : (978)936-1160
Fax: (978)936-2212
Url : www.cisco.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
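An added example, not part of the thread, showing what "HMAC-128" usually denotes in practice: either the 160-bit HMAC-SHA1 tag (the HMAC(EVP_sha1(), ...) call from the question) truncated to its leftmost 128 bits as RFC 2104 section 5 allows, or HMAC-MD5, whose native output is 128 bits. It uses Python's hmac/hashlib modules rather than libcrypto; the key and message are the RFC 2202 test case 1 vector, and the verify helper shows the constant-time comparison a receiver should use on a truncated tag.

```python
"""Added example (not from the thread): HMAC-SHA1 truncated to 128 bits,
HMAC-MD5 (natively 128 bits), and constant-time verification of a
truncated tag. Python's hmac module computes the same function as
OpenSSL's HMAC(EVP_sha1(), ...) / HMAC(EVP_md5(), ...)."""
import hashlib
import hmac

HMAC_SHA1_BYTES = 20   # full HMAC-SHA1 output (160 bits)
HMAC_128_BYTES = 16    # 128-bit tag


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """Full 20-byte HMAC-SHA1 tag."""
    return hmac.new(key, message, hashlib.sha1).digest()


def hmac_sha1_128(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1-128: the full tag truncated to its leftmost 128 bits.
    RFC 2104 section 5 permits truncation to t bits when t >= 80 and
    t >= L/2; the receiver recomputes the full tag and compares the
    first 16 bytes only."""
    return hmac_sha1(key, message)[:HMAC_128_BYTES]


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 is natively 128 bits (OpenSSL: HMAC(EVP_md5(), ...)).
    Shown because it is the other thing 'HMAC-128' sometimes means;
    a truncated SHA-family HMAC is the better choice for new designs."""
    return hmac.new(key, message, hashlib.md5).digest()


def verify_hmac_sha1_128(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a truncated tag. compare_digest avoids the
    early-exit timing leak of a plain bytes comparison; the length check
    rejects tags that are not exactly 128 bits."""
    if len(tag) != HMAC_128_BYTES:
        return False
    return hmac.compare_digest(hmac_sha1_128(key, message), tag)


if __name__ == "__main__":
    # Constructed input: RFC 2202 test case 1 key and data.
    key = b"\x0b" * 20
    msg = b"Hi There"
    print("HMAC-SHA1     :", hmac_sha1(key, msg).hex())
    print("HMAC-SHA1-128 :", hmac_sha1_128(key, msg).hex())
    print("HMAC-MD5      :", hmac_md5(b"\x0b" * 16, msg).hex())
```

Truncation does not change the key or the computation, only how many bytes of the tag are transmitted and compared, so the same HMAC() call used for the 160-bit tag serves for the 128-bit one.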
Question about extension of a certificate
Hi All,

Is it necessary to name a certificate with the extension .0? For example, if we have a certificate of type PEM, is it OK to name it certificate.pem, or do we have to name it certificatepem.0?

I am using openssl-0.9.7d.

Thanks in advance for the help.

Elie
Re: Question about extension of a certificate
Hi,

Thx for the reply. The software doesn't expect .0, but I read it somewhere and I wanted to make sure that it is not the case.

Elie

At 02:27 PM 10/20/2004 -0400, you wrote:
> No, you can use whatever extension you want. .pem and .cer are often used. Is there some piece of software expecting .0?
>
> > Hi All,
> >
> > Is it necessary to name a certificate with the extension .0? For example, if we have a certificate of type PEM, is it OK to name it certificate.pem, or do we have to name it certificatepem.0?
> >
> > I am using openssl-0.9.7d.
> >
> > Thanks in advance for the help.
> >
> > Elie
RE: TLS and TOS
You are right. We updated the keys in the registry to make TOS work.

Thanks,
Elie

At 01:12 PM 6/17/2004 -0400, Lee Dilkie wrote:
> Are you sure it *actually* worked? The function call will appear to succeed, but Win2K and above don't allow programs to set TOS anymore, unless you fiddle with the registry to override the default behaviour.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elie Lalo
> Sent: Thursday, June 17, 2004 11:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: TLS and TOS
>
> > Mike,
> >
> > I just wanted to let you know that I tried it on W2K Pro and it works.
> >
> > Thanks,
> > Elie
> >
> > At 08:46 AM 6/17/2004 -0600, Mike Sontum wrote:
> > > This code is for UNIX. I don't have an answer for Windows, but we are compiling the same code from www.openssl.org and I have to believe the TCP and SSL layers are separate and your socket is going to behave exactly like it used to.
> > >
> > > Thanks,
> > > Mike
> > >
> > > >>> [EMAIL PROTECTED] 6/16/2004 5:00:28 PM >>>
> > > > Hi Mike,
> > > >
> > > > Does this work for Windows (I am writing my program on the Windows platform, and Windows presents a socket as a HANDLE)? It seems that this code is for Unix.
> > > >
> > > > Thanks,
> > > > Elie
> > > >
> > > > At 04:31 PM 6/16/2004 -0600, Mike Sontum wrote:
> > > > > You can set any option you want for the socket. I set the linger option. The SSL layer is above the TCP layer and really does not affect the layer below it. After you get your socket's accept or connect you can then do the
> > > > >
> > > > >     ssl = SSL_new(ctx);
> > > > >     /* sd is the socket */
> > > > >     SSL_set_fd(ssl, sd);
> > > > >     /* handshake ... */
> > > > >
> > > > > You can then do a select on the socket and do a read with SSL_read(ssl, buffer, sizeof(buffer)). The point is the socket behaves exactly like it used to. You can set some TCP options with setsockopt.
> > > > >
> > > > > Thanks,
> > > > > Mike
> > > > >
> > > > > >>> [EMAIL PROTECTED] 6/16/2004 4:09:33 PM >>>
> > > > > > Hi,
> > > > > >
> > > > > > Could you please tell me how I enable IP_TOS using OpenSSL (if it can be done)? I know how to do it using a regular/non-secure socket. For example:
> > > > > >
> > > > > >     int result = setsockopt(m_hSocket, IPPROTO_IP, IP_TOS, (const char *)&ucTOS, sizeof(ucTOS));
> > > > > >     if (SOCKET_ERROR == result) {
> > > > > >         error();
> > > > > >     } else
> > > > > >         ...
> > > > > >
> > > > > > Thanks,
> > > > > > Elie
Re: TLS and TOS
Mike,

I just wanted to let you know that I tried it on W2K Pro and it works.

Thanks,
Elie

At 08:46 AM 6/17/2004 -0600, Mike Sontum wrote:
> This code is for UNIX. I don't have an answer for Windows, but we are compiling the same code from www.openssl.org and I have to believe the TCP and SSL layers are separate and your socket is going to behave exactly like it used to.
>
> Thanks,
> Mike
>
> >>> [EMAIL PROTECTED] 6/16/2004 5:00:28 PM >>>
> > Hi Mike,
> >
> > Does this work for Windows (I am writing my program on the Windows platform, and Windows presents a socket as a HANDLE)? It seems that this code is for Unix.
> >
> > Thanks,
> > Elie
> >
> > At 04:31 PM 6/16/2004 -0600, Mike Sontum wrote:
> > > You can set any option you want for the socket. I set the linger option. The SSL layer is above the TCP layer and really does not affect the layer below it. After you get your socket's accept or connect you can then do the
> > >
> > >     ssl = SSL_new(ctx);
> > >     /* sd is the socket */
> > >     SSL_set_fd(ssl, sd);
> > >     /* handshake ... */
> > >
> > > You can then do a select on the socket and do a read with SSL_read(ssl, buffer, sizeof(buffer)). The point is the socket behaves exactly like it used to. You can set some TCP options with setsockopt.
> > >
> > > Thanks,
> > > Mike
> > >
> > > >>> [EMAIL PROTECTED] 6/16/2004 4:09:33 PM >>>
> > > > Hi,
> > > >
> > > > Could you please tell me how I enable IP_TOS using OpenSSL (if it can be done)? I know how to do it using a regular/non-secure socket. For example:
> > > >
> > > >     int result = setsockopt(m_hSocket, IPPROTO_IP, IP_TOS, (const char *)&ucTOS, sizeof(ucTOS));
> > > >     if (SOCKET_ERROR == result) {
> > > >         error();
> > > >     } else
> > > >         ...
> > > >
> > > > Thanks,
> > > > Elie
TLS and firewall
Hi,

I know that the TLS protocol doesn't work with proxy servers (i.e., firewalls) because a proxy is a man-in-the-middle, and these protocols are designed to provide security between a client and a server. Is there a workaround for this problem/limitation?

Thank you in advance for your help.

Elie
TLS and TOS
Hi,

Could you please tell me how I enable IP_TOS using OpenSSL (if it can be done)? I know how to do it using a regular/non-secure socket. For example:

    int result = setsockopt(m_hSocket, IPPROTO_IP, IP_TOS, (const char *)&ucTOS, sizeof(ucTOS));
    if (SOCKET_ERROR == result) {
        error();
    } else
        ...

Thanks,
Elie
Re: TLS and TOS
Hi Mike,

Does this work for Windows (I am writing my program on the Windows platform, and Windows presents a socket as a HANDLE)? It seems that this code is for Unix.

Thanks,
Elie

At 04:31 PM 6/16/2004 -0600, Mike Sontum wrote:
> You can set any option you want for the socket. I set the linger option. The SSL layer is above the TCP layer and really does not affect the layer below it. After you get your socket's accept or connect you can then do the
>
>     ssl = SSL_new(ctx);
>     /* sd is the socket */
>     SSL_set_fd(ssl, sd);
>     /* handshake ... */
>
> You can then do a select on the socket and do a read with SSL_read(ssl, buffer, sizeof(buffer)). The point is the socket behaves exactly like it used to. You can set some TCP options with setsockopt.
>
> Thanks,
> Mike
>
> >>> [EMAIL PROTECTED] 6/16/2004 4:09:33 PM >>>
> > Hi,
> >
> > Could you please tell me how I enable IP_TOS using OpenSSL (if it can be done)? I know how to do it using a regular/non-secure socket. For example:
> >
> >     int result = setsockopt(m_hSocket, IPPROTO_IP, IP_TOS, (const char *)&ucTOS, sizeof(ucTOS));
> >     if (SOCKET_ERROR == result) {
> >         error();
> >     } else
> >         ...
> >
> > Thanks,
> > Elie
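An added example for the TLS and TOS thread, not code from any of its participants: it shows the ordering Mike describes (set the socket option on the TCP socket first, then hand that socket to the TLS layer, the analogue of SSL_new/SSL_set_fd) and verifies that the option is still in place when read back through the TLS-wrapped socket. It uses Python's socket and ssl modules on a POSIX host (Linux, where socket.IP_TOS exists) instead of the Winsock/OpenSSL C calls in the thread; the TOS value and the hostname "tls.example" are constructed placeholders, nothing is connected, and the Windows registry caveat Lee raises is not modelled.

```python
"""Added example (not from the thread): IP_TOS is a property of the TCP
socket, so it is set before the socket is wrapped for TLS and is untouched
by the TLS layer above it. POSIX socket/ssl modules; no network I/O."""
import socket
import ssl
from typing import Tuple

# DSCP EF (46) shifted into the top six bits of the TOS byte; constructed value.
TOS_EF = 0xB8


def set_tos(sock: socket.socket, tos: int) -> int:
    """setsockopt(IPPROTO_IP, IP_TOS, ...) on the plain socket, then read the
    value back so the caller sees what the kernel actually stored (Linux
    clears the two ECN bits on stream sockets; 0xB8 has them clear)."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


def wrap_with_tls(sock: socket.socket, hostname: str) -> ssl.SSLSocket:
    """Hand the socket to the TLS layer; the analogue of SSL_new + SSL_set_fd.
    Certificate and hostname verification stay at their defaults (on); the
    socket is not connected, so no handshake happens here."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=hostname)


def tos_survives_tls_wrap(tos: int = TOS_EF) -> Tuple[int, int]:
    """Return (TOS read back on the raw socket, TOS read back through the
    TLS-wrapped socket). Both are equal: the option belongs to the TCP
    socket, which the TLS layer sits on top of without touching it."""
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    before = set_tos(raw, tos)
    # "tls.example" is a placeholder hostname; nothing is resolved or connected.
    tls = wrap_with_tls(raw, "tls.example")   # raw is now owned by tls
    after = tls.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)
    tls.close()
    return before, after


if __name__ == "__main__":
    print(tos_survives_tls_wrap())
```

Reading the option back is the check worth keeping in real code: as Lee points out, a setsockopt call can return success on platforms that then ignore the value, so the only evidence that marking is applied is what the stack reports or what a capture shows on the wire.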
parsing SSL/TLS packet
Hi All,

I'm currently implementing a server using overlapped I/O completion ports (async socket), and I am using 2 BIOs (network/internal) to take care of encrypted/decrypted data. In my server, I need to know when the packet begins and ends so that I can execute accordingly. Is there a way to find out the length of a packet (for example reading a header first and then reading the rest of the packet), or am I way off?

Thank you in advance for your help.

Elie
RE: parsing SSL/TLS packet
Hi David,

I think I need to explain my problem a little bit more. I am going to break the problem into 2 parts.

Part 1: handshake

How do we know how many bytes the I/O completion port needs to read without waiting forever (note that I can solve this problem by reading one byte at a time from the I/O completion port, but this is not a feasible solution)? Hence I would like to read the header first to get the length of the packet and then read the whole packet before sending it to the (BIO -- SSL_READ) for more processing.

Part 2: My own protocol/messages

When we write a packet, the first two bytes of our packet indicate the length of the entire packet. From that, we know how many additional bytes to read to get a complete message. The problem that we face now is that
1) The initial 2 bytes may no longer be 2 bytes after encryption.
2) Assuming that we could decrypt those two bytes and find out the length, the length will not match the actual number of bytes sent on the network due to the encryption (i.e. after the packet is encrypted it is larger than the original message size).

We are trying to understand how to read the packet using WSARecv since we don't know the actual size of our packet because of the encryption.

Thanks,
Elie

At 09:20 AM 6/7/2004 -0700, David Schwartz wrote:
> > I'm currently implementing a server using overlapped I/O completion ports (async socket), and I am using 2 BIOs (network/internal) to take care of encrypted/decrypted data. In my server, I need to know when the packet begins and ends so that I can execute accordingly. Is there a way to find out the length of a packet (for example reading a header first and then reading the rest of the packet), or am I way off? Thank you in advance for your help.
>
> You should not care. If you find that you care, you are most likely doing something wrong. SSL operates over TCP. It provides a TCP-compatible interface for the encrypted side and a nearly-TCP-compatible interface for the unencrypted side. TCP has no notion of record boundaries and therefore SSL's input and output sides don't either. Look at the BIO-pair example code.
>
> DS
RE: parsing SSL/TLS packet
Hi David,

Thanks for your help. I think that I misunderstood how I/O completion ports work. I believe that I/O doesn't wait for all specified bytes.

Thanks again.
Elie

At 10:44 AM 6/7/2004 -0700, David Schwartz wrote:
> For some reason, my email client didn't want to indent your message. So I'll put your text on the left and mine indented. Sorry about that.
>
> I think I need to explain my problem a little bit more. I am going to break the problem into 2 parts.
>
> Part 1: handshake
>
> How do we know how many bytes the I/O completion port needs to read without waiting forever (note that I can solve this problem by reading one byte at a time from the I/O completion port, but this is not a feasible solution)? Hence I would like to read the header first to get the length of the packet and then read the whole packet before sending it to the (BIO -- SSL_READ) for more processing.
>
>     Just post a reasonably-sized buffer, say 2Kb to 8Kb. Give whatever you get to OpenSSL and ask it if the handshake is finished.
>
> Part 2: My own protocol/messages
>
> When we write a packet, the first two bytes of our packet indicate the length of the entire packet. From that, we know how many additional bytes to read to get a complete message. The problem that we face now is that
> 1) The initial 2 bytes may no longer be 2 bytes after encryption.
> 2) Assuming that we could decrypt those two bytes and find out the length, the length will not match the actual number of bytes sent on the network due to the encryption (i.e. after the packet is encrypted it is larger than the original message size).
>
> We are trying to understand how to read the packet using WSARecv since we don't know the actual size of our packet because of the encryption.
>
>     Pass it a reasonably-sized buffer, say 2Kb to 8Kb. Give whatever you get to OpenSSL and ask it if it has any data for you.
>
>     You are still missing the big picture -- as far as the encrypted side of the data goes, your job is to be *invisible* and make it look to OpenSSL like it's seeing a normal TCP connection.
>
> DS
OpenSSL with Java?
Hi,

I know that OpenSSL supports both Windows and Unix, and it is used from C and C++ programs. My question is the following: can we use OpenSSL from Java programs as well (I am a new OpenSSL user)? I am planning on using OpenSSL on Linux and Windows OS, C++ and Java programs.

Thanks,
Elie