FW: Netscape International step-up
Hi,

Somehow it didn't appear in the mailing list. I am submitting it again.

Does Netscape international step-up work with openssl s_server? My initial thought was that one just needed the global_id certificate with s_server and hit it with an old Netscape browser like Communicator 4.7 International version.

I have Netscape Communicator 4.7 installed on my Windows machine. "about:" tells me: "This version supports International security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4". According to the Netscape documentation (http://developer.netscape.com/tech/security/stepup/overview.html#configure), this version of the browser should do the step-up handshake if the server presents a global_id certificate.

I am running OpenSSL (0.9.7) s_server on my Linux machine and use the global certificate from Verisign. Here is how I start the server:

    openssl s_server -accept 443 -cert cert-global-server-id-chained.cer -key verisign-global-server-1024key -state -debug -www

Now when I access this server using the Communicator, it doesn't step up. Rather it just completes the handshake using EXP-RC4-MD5, which is the export-mode 40-bit RC4-MD5 cipher. I was expecting to see it step up to the next strong cipher because the server presented the global_id cert.

I would really appreciate suggestions/comments.

Thanks,
Imran.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
RE: openssl for windows?
http://www.iconsinc.com/~agray/ossldev/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of park hk
Sent: Wednesday, October 31, 2001 5:51 PM
To: [EMAIL PROTECTED]
Subject: openssl for windows?

I'm poor at English. I'd like to know whether there is an openssl for windows. Thank you!!
RE: porting openssl to linux kernel
I think Eric Rescorla responded to a similar question some time ago that the RSA operation would be the limiting factor. But if you take that bottleneck away, then I think putting the SSL handshake and record processing layers in kernel space would be the next better thing to do, because we can see many new hardware accelerators out there in the near-future market which are 10-20 times better than what we have today. We can have certificate management in the user space for the sake of simplicity. Any comments???

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Imran Badr
Sent: Wednesday, October 31, 2001 12:15 PM
To: [EMAIL PROTECTED]
Subject: RE: porting openssl to linux kernel

The (un)encrypted data stream is already coming from the kernel (socket read/write) calls. So if everything is in kernel space then you again save yourself from the overhead of a context switch in reading/writing sockets ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Salz
Sent: Wednesday, October 31, 2001 5:53 AM
To: [EMAIL PROTECTED]
Subject: Re: porting openssl to linux kernel

> > The matter here is not to be more secure but definitely one can go faster.
> > The guys who use hardware acceleration normally use device drivers which
> > reside in kernel space. Now for every operation, the system has to take a
> > context switch which could be expensive. But if openssl resides in kernel
> > space then instead of calling a device driver it would be just another
> > function call. Does it make sense now??

If you put the hardware crypto into the kernel, then you replace the crypto context switch -- which only transfers a small amount of data, typically an RSA-encrypted RC4 session key -- with a new context switch that transfers a LARGE amount of data, the (un)encrypted data stream. Performance would probably be MUCH WORSE.

/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
RE: porting openssl to linux kernel
The (un)encrypted data stream is already coming from the kernel (socket read/write) calls. So if everything is in kernel space then you again save yourself from the overhead of a context switch in reading/writing sockets ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Salz
Sent: Wednesday, October 31, 2001 5:53 AM
To: [EMAIL PROTECTED]
Subject: Re: porting openssl to linux kernel

> > The matter here is not to be more secure but definitely one can go faster.
> > The guys who use hardware acceleration normally use device drivers which
> > reside in kernel space. Now for every operation, the system has to take a
> > context switch which could be expensive. But if openssl resides in kernel
> > space then instead of calling a device driver it would be just another
> > function call. Does it make sense now??

If you put the hardware crypto into the kernel, then you replace the crypto context switch -- which only transfers a small amount of data, typically an RSA-encrypted RC4 session key -- with a new context switch that transfers a LARGE amount of data, the (un)encrypted data stream. Performance would probably be MUCH WORSE.

/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
porting openssl to linux kernel
Hi,

Has anyone ported openssl (completely or partially) to the linux kernel 2.4 or earlier?

Thanks,
Imran.
RE: Client encrypt on SSL Web site
All http requests from client to server (in an ssl session) are encrypted.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Knight
Sent: Thursday, August 16, 2001 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: Client encrypt on SSL Web site

I have an Apache web server on Linux which is SSL-enabled. So far I have successfully created https pages which -- am I right? -- encrypt the page as it is downloaded to the client. Is there a simple example of having the client send something back to the server encrypted?

Thanks,
Patrick
RE: Regarding read & write buffer sizes : pls help
>> If I am not wrong, it takes (1000*48)k
>> memory ?? So can I avoid preallocating 16k for each
>> buffer, since it is believed that it is very rare for
>> a client to send the maximum allowable 16k data to
>> server.

Dynamic allocation would be expensive as you would have to realloc buffers each and every time it runs out of space. As far as the 16k length is concerned, yes, it is rarely possible that a client sends a buffer up to 16k in length, but only during the ssl handshake (unless it has a very long cert chain). But, believe me, application data could reach that level (server -> client). So be careful when you change those max sizes.

If you are planning to have 1000 or more simultaneous ssl connections then you might need to get some hardware accelerator. I haven't seen most of the software servers doing that other than if you have a very high end server.

-Imran.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rahul S
Sent: Thursday, August 16, 2001 11:35 AM
To: [EMAIL PROTECTED]
Subject: Regarding read & write buffer sizes : pls help

Hi All,

I am very new to SSL. My knowledge says, for each session the openssl by default sets the sizes of init_buf (for holding handshake data), rbuf (for reading data), wbuf (for writing data) to 16k each. Is there any way I can dynamically adjust the sizes of the buffers, as and when my server receives the data? My concern is that if 48k (3*16k) is used by a given connection in the session, what happens if suppose 1000 simultaneous connections are handled by the server. If anybody has any idea, please help me. I am not sure how correct this understanding of mine is.

Thanks in advance,
Rahul.
OpenSSL IO_ERROR
Hi,

I am noticing this strange behaviour of apache running on openssl and mod_ssl. Session establishment works just fine, but when I start browsing I get error messages on my browser. IE5 says that "data area passed to a system call is too small" and Netscape Navigator says "Security library has experienced an error. You will probably be unable to connect to this site securely".

When I look at the ssl log file of apache, I get the following entries:

[14/Aug/2001 19:39:45 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#041F61E8 [mem: 04294500]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#00812C38 [mem: 0424FED0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#00812C38 [mem: 042586E0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#041F61E8 [mem: 04294500]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F61E8 [mem: 0429CD10]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#041F3828 [mem: 042734B0]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [debug] OpenSSL: I/O error, 23 bytes expected to write on BIO#041F3828 [mem: 04289710]
[14/Aug/2001 19:39:48 01504] [info] Connection to child 3 closed with standard shutdown (server IMRAN_PC:443, client 192.168.1.100)
[14/Aug/2001 19:39:48 01504] [info] Connection to child 7 closed with standard shutdown (server IMRAN_PC:443, client 192.168.1.100)
[14/Aug/2001 19:39:48 01504] [info] Connection to child 8 closed with standard shutdown (server IMRAN_PC:443, client 192.168.1.100)

Can anyone please help?

Thanks,
Imran.
Where s->ctx->cert_store is getting created?
I was looking at the relevant openssl code where it verifies the client certificate. I figured out that it creates a STACK_OF x509 cert store and pushes the client certificate to it. It then passes this stack to a verify function which verifies the whole cert chain against s->ctx->cert_store. I was unable to find the place where this context cert_store is created. Can anyone help me?

Thanks,
Imran Badr.
Indirection in Digests
Hi,

I am new to openSSL. I am looking at the code in the md32_common.h file, which has a single method HASH_UPDATE(..) for MD5 and SHA-1 etc. I tried to figure out how the program knows which digest to use at run time, but failed. Any help would be highly appreciated.

Thanks,
Imran.
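The mechanism asked about above, as an added illustration in C (not OpenSSL's code and not the poster's): md32_common.h is included once per digest source file with the HASH_* macros bound to that digest's block routine, so the single HASH_UPDATE body becomes one compiled function per digest, and the run-time choice of digest is made through a table of function pointers (the role EVP_MD and EVP_get_digestbyname play). The toy block functions, the names "toyxor"/"toysum" and every toy_* identifier are invented here and are not hashes of any kind; only the two-level dispatch pattern is the point.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration, not OpenSSL's code.  md32_common.h is compiled once per
 * digest (md5_dgst.c, sha1dgst.c, ...) with HASH_BLOCK_DATA_ORDER etc. set to
 * that digest's compression function, so HASH_UPDATE becomes one function per
 * digest; run-time selection uses a table of function pointers (EVP_MD).
 * Toy 64-byte-block "digests" (hypothetical, not hashes) stand in for MD5/SHA-1. */
#define BLOCK 64
typedef struct { uint32_t h; unsigned char buf[BLOCK]; size_t num; } toy_ctx;
static void xor_block(toy_ctx *c, const unsigned char *p) {
    for (size_t i = 0; i < BLOCK; i++) c->h ^= (uint32_t)p[i] << (8 * (i % 4));
}
static void sum_block(toy_ctx *c, const unsigned char *p) {
    for (size_t i = 0; i < BLOCK; i++) c->h += p[i];
}
/* Shared template, instantiated per digest like md32_common.h's HASH_UPDATE:
 * buffers a partial block and hands whole blocks to BLOCK_FN. */
#define DEFINE_UPDATE(NAME, BLOCK_FN)                                        \
static void NAME(toy_ctx *c, const unsigned char *d, size_t len) {           \
    if (c->num) {                           /* top up the buffered tail */  \
        size_t n = BLOCK - c->num; if (n > len) n = len;                     \
        memcpy(c->buf + c->num, d, n); c->num += n; d += n; len -= n;        \
        if (c->num < BLOCK) return;                                          \
        BLOCK_FN(c, c->buf); c->num = 0;                                     \
    }                                                                        \
    for (; len >= BLOCK; d += BLOCK, len -= BLOCK) BLOCK_FN(c, d);           \
    memcpy(c->buf, d, len); c->num = len;   /* keep the new tail */         \
}
DEFINE_UPDATE(xor_update, xor_block)
DEFINE_UPDATE(sum_update, sum_block)
/* Run-time dispatch table: the role EVP_MD / EVP_get_digestbyname play. */
typedef struct { const char *name;
                 void (*update)(toy_ctx *, const unsigned char *, size_t); } toy_md;
static const toy_md mds[] = { {"toyxor", xor_update}, {"toysum", sum_update} };
const toy_md *toy_md_by_name(const char *name) {
    for (size_t i = 0; i < sizeof mds / sizeof *mds; i++)
        if (strcmp(mds[i].name, name) == 0) return &mds[i];
    return NULL;
}
/* Run data through the digest chosen by name; zero-pad the tail to a block
 * boundary and return the 32-bit toy state (0 for an unknown name). */
uint32_t toy_digest(const char *name, const unsigned char *d, size_t len) {
    static const unsigned char zeros[BLOCK];
    const toy_md *md = toy_md_by_name(name);
    toy_ctx c = {0};
    if (!md) return 0;
    md->update(&c, d, len);
    md->update(&c, zeros, (BLOCK - c.num) % BLOCK);
    return c.h;
}
```

Feeding 70 bytes exercises both paths of the template: the first call processes one whole block and buffers a 6-byte tail, and the padding call tops that tail up and processes it.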
AES support in crypto Library ..
I do not see AES support in the crypto library. Are we going to have that soon?

Thanks,
Imran Badr.