Re: I can't believe how much this sucks

2012-11-15 Thread terr
On Thu, Nov 15, 2012 at 09:52:49AM -0500, Sanford Staab(Gmail) wrote:
> In the case of openssl, a big gain would be to simply document the command 
> line interface better and create a doc centric forum for people to add their 
> lessons learned filed around the particular feature area of openssl. 
> WORKING EXAMPLES would be REAL cool.  Does anyone on this alias want to let 
> me or others know how we can update the docs somehow?


I concur.  Life is too short for each of us to have to plod the same ugly goat 
trail to make it work.




> 
> -Original Message- 
> From: Carlo Wood
> Sent: Thursday, November 15, 2012 8:31 AM
> To: openssl-users@openssl.org
> Subject: Re: I can't believe how much this sucks
> 
> On Tue, 13 Nov 2012 14:11:17 -0700
> t...@terralogic.net wrote:
> > This is just a NORMAL way for a programmer to work IMHO.  I HATE
> > coming into undocumented code years after it's been written and IMHO
> > it's a big booby trap because it's very easy to miss something and that
> > creates hard to find bugs.  Really cryptic error messages don't help
> > this.  I've looked in the OSS community and there are attempts to put
> > together systems and one I looked at was DOXYGEN.
> 
> I concur. When I was 12, I wrote compact code with only single
> character variables and no documentation. For some reason I was able to
> have thousands of code lines all in my head at once and I had no idea
> why I'd need to add documentation.
> 
> When I got older, I started to use more descriptive variable and
> function names, mostly for the purpose of being able to
> 'grep' (reg.exp) them in large code. At some point I completely did
> away with abbreviations and only used complete English words,
> discovering that code is incredibly better to understand when the
> variable names express exactly what they mean (to the point that it
> avoids bugs). I still didn't see the point in documentation however:
> the code explained itself as if it was English.
> 
> Only when my memory started to get worse and I couldn't remember
> Megabytes of code anymore, especially when my code became so complex
> that I had to use Object Orientation because it was impossible to keep
> an overview, I started to document code. The funny thing is: I did this
> mostly because I knew that a year later I wouldn't be able to
> understand it myself anymore if I didn't; not because I thought that
> anyone else might need it.
> 
> Now, after more than 30 years of coding experience I have reached the
> same conclusion as terra wrote: Code is only as useful as its
> documentation. Don't bother to write code without good COMPLETE
> documentation as it's worthless: only you, the developer (with a good
> memory on top of that) will think it's trivial and usable. Everyone
> else will not be able to use it.
> 
> >
> > http://www.stack.nl/~dimitri/doxygen/
> >
> >
> > I have no idea at this time how useful this would be.
> >
> >
> > Perhaps the best we might be able to do on the user side is a wiki
> > and perhaps one exists.
> >
> >
> > I did a google search on this.
> >
> > https://help.ubuntu.com/community/OpenSSL
> >
> > ^ I did find this and I did not look very hard.  Maybe there is
> > something better.  If there is then it doesn't come up in the 1st
> > hits google finds.
> >
> >
> > So I think we can do much better.
> >
> > Just my 2 cents.
> 
> -- 
> Carlo Wood 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List    openssl-users@openssl.org
> Automated List Manager   majord...@openssl.org 


Re: I can't believe how much this sucks

2012-11-13 Thread terr

I beg to differ and this is one reason I am not very active.

Several years ago I contributed a function to determine endianness.  I had done 
it years and years before so it was quite simple for me.  I took the time to 
put documentation in the function.  Also I am a professional consulting 
programmer and I know both what to document, how to document and how to write 
code.

Someone came in and removed the documentation.

At the time I volunteered to start putting some documentation together.  I saw 
no interest.

I agree with those who point out the dearth in OSS documentation and the fact 
that years after problems have been identified that the docs are still not 
upgraded and moreover I never found out HOW to do any documentation.  Besides 
which when I contributed a function someone went to the effort to remove the 
documentation.


I have ALWAYS written the documentation for a function before the code because 
it is much faster and one can design the interface in about 1/4 of the time 
that it takes to code it.  Then if I come back to the function years later I 
can read the documentation and I know how the function should work!  I keep the 
documentation and the code in the same source file.  Then I have utilities which 
will read the source file and split out the documentation and prepare a 
printable manual if I want.

I've had clients ask me how long to document a rather large system which I 
wrote and my comment was I can have the manual by noon - which I did and it was 
3 cm thick.


They were quite impressed.


This is just a NORMAL way for a programmer to work IMHO.  I HATE coming into 
undocumented code years after it's been written and IMHO it's a big booby trap 
because it's very easy to miss something and that creates hard to find bugs.  
Really cryptic error messages don't help this.  I've looked in the OSS 
community and there are attempts to put together systems and one I looked at 
was DOXYGEN.  

http://www.stack.nl/~dimitri/doxygen/


I have no idea at this time how useful this would be.  


Perhaps the best we might be able to do on the user side is a wiki and perhaps 
one exists.


I did a google search on this.  

https://help.ubuntu.com/community/OpenSSL

^ I did find this and I did not look very hard.  Maybe there is something 
better.  If there is then it doesn't come up in the 1st hits google finds.


So I think we can do much better.

Just my 2 cents.





On Tue, Nov 13, 2012 at 01:33:48PM -0600, John Hascall wrote:
> 
> > It's a GREAT product and I love it and am grateful but why after
> > years and years do the man pages still say "under construction"?
> 
> Because it is an open source project and the things that get done
> are the things people volunteer to do.  Most programmers would
> much rather create cool things than write about them.
> 
> That said, perhaps this is something that a Google Summer Of Code
> project could help get off the ground (money being a pretty decent
> motivator for poor students).
> 
> John
> 
> ---
> John Hascall, j...@iastate.edu
> Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
> IT Services, The Iowa State University of Science and Technology


Re: build openssl for android

2012-09-12 Thread terr

I don't at this point own an android and I am thinking of getting one.  I'd 
like to ask of the environment.  Will I need to root it?  I expect the answer 
is yes and I'll have to install all the development tools as well.  Is there a 
website which provides instructions?

Next what of cross compilers or a development environment which runs on say the 
desktop and provides the test bed that the phone uses.

Thanks.


On Thu, Sep 13, 2012 at 09:56:03AM +0530, Indtiny s wrote:
> Hi,
> My android for the TAB is HoneyComb and its API level is 12 so I have
> written it as
> TARGET_ABI:=android-12-armeabi
> 
> I put the above line in android-config.mk just below the first LOCAL_CFLAGS
> and executed the ndk-build but I got the following error.
> 
> linux-androideabi/bin/ld: warning: libz.so, needed by
> ./obj/local/armeabi/libcry
> ./obj/local/armeabi/libcrypto.so: undefined reference to `zError'
> ./obj/local/armeabi/libcrypto.so: undefined reference to `inflateEnd'
> ./obj/local/armeabi/libcrypto.so: undefined reference to `deflate'
> ./obj/local/armeabi/libcrypto.so: undefined reference to `deflateInit_'
> 
> Rgds
> Indu
> 
> 
> 
> 
> 
> On Thu, Sep 13, 2012 at 8:06 AM, farmdve data.bg  wrote:
> 
> > Oh, and I highly suggest specifying the TARGET_ABI so that the code is
> > optimized(considerable boost compared to without specifying it).
> >
> > So either add TARGET_ABI := android-APILEVEL-armeabi to android-config.mk OR
> > open Android.mk in the crypto and ssl folders, and add it just before
> > $(BUILD_SHARED_LIBRARY).
> > Be sure to replace APILEVEL with the API level you target. And if you want
> > static libraries, replace  $(BUILD_SHARED_LIBRARY)  where encountered to
> > $(BUILD_STATIC_LIBRARY)
> >
> >
> > On Thu, Sep 13, 2012 at 5:30 AM, farmdve data.bg  wrote:
> >
> >> Do not use that one, it's old. Use this one
> >> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
> >>
> >> Just calling ndk-build should work.
> >>
> >> On Wed, Sep 12, 2012 at 8:34 PM, Jason Goldberg wrote:
> >>
> >>>  For Android, check out this project as an example:
> >>>
> >>> https://github.com/eighthave/openssl-android
> >>>
> >>> They have the Android-specific Makefile configs for doing an NDK build.
> >>>  You could patch it with your changes and generate the .so libraries you
> >>> need.
> >>>
> >>>  On Sep 12, 2012, at 12:05 PM, Indtiny s  wrote:
> >>>
> >>>
> >>> Hi,
> >>>
> >>> I have to build the openssl 1.0.1c for the android, I have added new
> >>> ECC-CCM cipher key support at the openssl, hence I want to build the same
> >>> for android-ndk and use in my application as shared libraries. Is there
> >>> any guide to build the same?
> >>>
> >>> Rgds
> >>> Indu
> >>>
> >>>
> >>>
> >>
> >


Re: About compression in SSL.

2012-01-17 Thread terr
I would want to double check this.  The APACHE docs found here state the 
following:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

"How do I get SSL compression working?

Although SSL compression negotiation was defined in the specification of SSLv2 
and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as a negotiable 
standard compression method.

OpenSSL 0.9.8 started to support this by default when compiled with the zlib 
option. If both the client and the server support compression, it will be used. 
However, most clients still try to initially connect with an SSLv2 Hello. As 
SSLv2 did not include an array of preferred compression algorithms in its 
handshake, compression cannot be negotiated with these clients. If the client 
disables support for SSLv2, either an SSLv3 or TLS Hello may be sent, depending 
on which SSL library is used, and compression may be set up. You can verify 
whether clients make use of SSL compression by logging the 
%{SSL_COMPRESS_METHOD}x variable."




On Tue, Jan 17, 2012 at 11:43:55AM +0100, Jakob Bohm wrote:
> On 1/17/2012 11:27 AM, nilesh wrote:
> > Hi,
> >
> > As per the RFC2246, the data might be compressed and then encrypted.
> > And the decryption function does the reverse operations.
> >
> > But when I setup server to capture SSL3.0 and TLS1.0 traces, I have 
> > never observed any compression algorithm being used.
> > The record is just encrypted and sent.
> >
> > Could someone please explain if compression operation is configurable 
> > option on Server? Is it not always present?
> >
> 1. I think OpenSSL implements this feature, but I don't know
> how a server and client might request it from the OpenSSL code.
> 
> 2. Most protocols used with SSL/TLS already include their own
> means of compressing data before handing it to SSL, so for
> those protocols, enabling SSL/TLS compression would be of so
> little use that few implementations would enable it for those
> applications.  The most notable example is HTTP/1.x over SSL
> (https), where there are HTTP headers for requesting
> compression independently of the use of SSL.
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
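
To check a captured handshake for the compression negotiation discussed in this message (the traces nilesh describes, and the SSLv2 Hello case from the quoted Apache FAQ), the sketch below reads the compression fields out of ClientHello and ServerHello records. It is an added example, not part of the original thread; the handshake bytes are constructed and the function names are hypothetical.

```python
import struct

# TLS CompressionMethod values: 0 is "null"; 1 is DEFLATE, assigned by RFC 3749.
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE"}


def _record(msg_type, body):
    """Wrap a handshake body in a handshake header and a TLS 1.0 record header."""
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(compression_methods):
    """Constructed TLS 1.0 ClientHello: zero random, no session id, one cipher suite."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2) + b"\x00\x2f"
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    return _record(1, body)


def build_server_hello(compression_method):
    """Constructed TLS 1.0 ServerHello that selects one compression method."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + bytes([compression_method])
    return _record(2, body)


def build_sslv2_client_hello():
    """Constructed SSLv2-format CLIENT-HELLO: the format has no compression field."""
    cipher_specs = b"\x00\x00\x2f" + b"\x00\x00\x0a"
    challenge = bytes(16)
    msg = b"\x01\x03\x01" + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
    msg += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def compression_in_hello(record):
    """Return (description, [method names]) for the hello message in `record`.

    Handles one unfragmented record; a hello split across records is not reassembled.
    """
    try:
        # SSLv2 record header: high bit set on the length, then msg type 1.
        if record[0] & 0x80 and record[2] == 0x01:
            return "SSLv2-format ClientHello", []
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        handshake = record[5:5 + rec_len]
        msg_type = handshake[0]
        body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
        pos = 2 + 32                      # skip version and random
        pos += 1 + body[pos]              # skip session id
        if msg_type == 1:                 # ClientHello: list of offered methods
            pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            count = body[pos]
            methods = list(body[pos + 1:pos + 1 + count])
            if len(methods) != count:
                raise ValueError("truncated hello message")
            kind = "ClientHello offers"
        elif msg_type == 2:               # ServerHello: the single selected method
            pos += 2                      # skip the selected cipher suite
            methods = [body[pos]]
            kind = "ServerHello selects"
        else:
            raise ValueError("not a ClientHello or ServerHello")
    except (IndexError, struct.error):
        raise ValueError("truncated hello message")
    return kind, [COMPRESSION_NAMES.get(m, "unknown(%d)" % m) for m in methods]


if __name__ == "__main__":
    for sample in (build_sslv2_client_hello(),
                   build_client_hello([1, 0]),
                   build_server_hello(0),
                   build_server_hello(1)):
        kind, names = compression_in_hello(sample)
        print(kind, names if names else "(no compression field)")
```

A ServerHello that selects `null` means the records in that session are encrypted without compression, whatever the client offered.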


Re: MISC request - Job opportunity - contract - Redmond, WA - IMMEDIATE NEED

2011-12-06 Thread terr
I won't do windows.  When I get paid back then I might.  I have three (3) 
unopened copies of NT 4.0 and I take it personally since it personally came 
from my bank account.  Besides which you should not be soliciting in this 
channel.





On Tue, Dec 06, 2011 at 05:06:52PM -0800, barbara.purrington-e...@alstom.com 
wrote:
> Immediate need at a large power  transmission company located in Redmond, 
> WA USA:  we  are developing a product for a project for one of our 
> clients.  We have an immediate need for an openSSL resource experienced 
> with SSL/TLS protocol, openSSL, C/C++ and TCP/IP programming on Windows 
> and Linux for a contract position to implement SSL/TLS Proxy using open 
> SSL and integrate it with our proprietary software.  Must be able to work 
> independently and have good communication skills.
> The contract is expected to be for 2-3 months,  Please contact Barbara 
> Purrington at barbara.purring...@alstom.com, or call at 425.250.0216. 
> Thanks!
> 
> 
> Barbara Purrington
> Alstom Grid | Human Resources | Recruiter
> Phone: 00-1-425-250-0216 | Fax: 00-1-425-650-7022 | E-mail: 
> barbara.purrington-e...@alstom.com 
> 10865 Willows Road NE, Redmond, WA 98052 USA
> Site: www.alstom.com
> ** Please consider the environment before printing this e-mail **
> 


Re: My bank has an invalid cert

2011-08-25 Thread terr
Very good!

I can write a little code to do that!

Thanx


On Thu, Aug 25, 2011 at 05:24:14PM -0400, Crypto Sal wrote:
> You typically import certs through the Firefox certificate manager found 
> via "Edit -> Preferences -> Adv. -> Encryption -> View Certificates". It 
> should be self explanatory from here. The only other question that 
> remains is which Root CA. That can only be done by reading the 
> certificate hierarchy that is presented by the bank's server, which it 
> should provide you upon making an s_client connection.
> 
> 
> 
> On 08/25/2011 05:15 PM, t...@terralogic.net wrote:
> > I know the theory.  I'm also a programmer.  I just never bothered to 
> > install a root cert before.  But I do know how to make them.
> >
> > I'll dig around in FireFox and see where it is and how it's done.
> >
> > As for the bank.  We build it and they break it.  Not my fault.
> >
> >
> > On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:
> >> the answer lies with the people who wrote the software for the certificate 
> >> store since the whole point is trust.
> >>
> >> If users could manipulate the root certificate store, then it would be 
> >> impossible to trust anything.
> >>
> >> Generally, you can add certificates by double clicking them and choosing 
> >> the correct answer (where to store, how much to trust)
> >>
> >> You can open 'keychain access' on a Macintosh or use Windows MMC to delete 
> >> certificates.
> >>
> >> Banks are entirely sensitive to the issue of SSL and Certificates - they 
> >> have to be. If your computer doesn't automatically trust your bank's 
> >> certificates, then you either need to fix your computer or get a new bank.
> >>
> >> The real answer to your problem is this... If you can't trust the root 
> >> certificates that are part of your OS, then copy everything off the hard 
> >> drive and re-install a fresh copy of your OS. That is the only way you can 
> >> trust that your root certificates do what they are supposed to do.
> >>
> >> Craig
> >>
> >> On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:
> >>
> >>> I already know it's my certificate store.  I only asked how to load in 
> >>> their new root cert
> >>>
> >>> On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:
> >>>> Go to an entirely different computer and try accessing - you will know 
> >>>> if it's your computer or their certificates.
> >>>>
> >>>> If it's your computer, it's either your browser or your OS Certificate 
> >>>> store (Windows and Macintosh use entirely different methods to 
> >>>> accomplish).
> >>>>
> >>>> Firefox uses its own certificates... if it's Firefox on your 
> >>>> computer... uninstall it completely and re-install it.
> >>>>
> >>>> If it's Chrome, Safari or Internet Explorer, it uses the OS certificate 
> >>>> store and you will probably need to get the OS to update the Root 
> >>>> Certificates.
> >>>>
> >>>> This is all pretty much beyond what a user can manage but some users can 
> >>>> manage them, but this is the wrong list... it would be an OS problem.
> >>>>
> >>>> Craig
> >>>>
> >>>> On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:
> >>>>
> >>>>> TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to 
> >>>>> reboot my computer when their Apache servers in TO send me a 
> >>>>> misconfiguration message.  I told them yesterday we build it and you 
> >>>>> break it.  Something is desperately wrong.
> >>>>>
> >>>>>
> >>>>> On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> >>>>>> Firefox has its own certificate store. It doesn't share 
> >>>>>> '/etc/ssl/certs'.
> >>>>>>
> >>>>>> If we had the bank URL, we would be able to better help you to resolve
> >>>>>> this issue.
> >>>>>>
> >>>>>>
> >>>>>> On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> >>>>>>> I know you are trying to help.  But it doesn't help me to defer to a 
> >>>>>>> package manager because I'm trying to fix what the last package 
> >>>>>>> managers screwed up.
> >>>>>>>
> >>>>>>> On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> >>>>>>>> On Wed August 24 2011, t...@terralogic.net wrote:
> >>>>>>>> Top posting to a hijacked thread is not the way to get
> >>>>>>>> a quick and useful reply.
> >>>>>>>> Next time, start your own. Mailing list threads are cheap.
> >>>>>>>>
> >>>>>>>>> I see my bank has an invalid cert.  Likely I have an old cert 
> >>>>>>>>> chain.  I'm running Debian Linux and firefox.
> >>>>>>>>>
> >>>>>>>> Use anyone of the distribution provided package managers to download 
> >>>>>>>> and
> >>>>>>>> install the most recently released package of certificates.
> >>>>>>>>
> >>>>>>>>> Can anyone tell me where to install a valid root cert?  Like what 
> >>>>>>>>> directory?
> >>>>>>>>> I would think the bank should be able to provide the root of the 
> >>>>>>>>> chain.
> >>>>>>>>> I'll need to know SPECIFICALLY what to ask them for.
> >>>>>>>>>
> >>>>>>>> Asking the operator of the site you wish to authenticate for the 
> >>>>>>>> cer

Re: My bank has an invalid cert

2011-08-25 Thread terr
Web broker.

Also they seem to have broken their web site in other ways.  

I just hate it when they figure they should reprogram my browser so I can't 
right click on a link and open in a new window.  I do run multiple monitors and 
it's nice to put a press release on one monitor and another press release on 
another monitor while having the main window on yet a 3rd monitor.

Their mind set seems to be like if you want to use our service then switch your 
machine to windows... toss out the extra monitors and set the display to 
800x600.

Well not quite that bad but close.

If I have much more trouble with them I'm going to close my accounts.


On Thu, Aug 25, 2011 at 05:08:40PM -0400, Crypto Sal wrote:
> Do you log into 'Web Broker' or 'Easy Web'?
> 
> 
> On 08/25/2011 04:50 PM, t...@terralogic.net wrote:
> > Sorry
> >
> > http://www.tdwaterhouse.ca/
> >
> > It's my old cert chain which is broken.  I just want to go to them and ask 
> > them to supply the root cert so I can install it and get rid of the error 
> > message which Firefox generates because I can't find the root cert.
> >
> >
> > On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:
> >> Can you please *be* specific and provide us with an exact URL for those
> >> of us that don't live in Canada or use TDWaterhouse? I see TD has
> >> several sites and this is why we need you to be specific so we can tell
> >> you which root to get.
> >>
> >>
> >> On 08/25/2011 03:06 PM, t...@terralogic.net wrote:
> >>> TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to reboot 
> >>> my computer when their Apache servers in TO send me a misconfiguration 
> >>> message.  I told them yesterday we build it and you break it.  Something 
> >>> is desperately wrong.
> >>>
> >>>
> >>> On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> >>>> Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.
> >>>>
> >>>> If we had the bank URL, we would be able to better help you to resolve
> >>>> this issue.
> >>>>
> >>>>
> >>>> On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> >>>>> I know you are trying to help.  But it doesn't help me to defer to a 
> >>>>> package manager because I'm trying to fix what the last package 
> >>>>> managers screwed up.
> >>>>>
> >>>>> On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> >>>>>> On Wed August 24 2011, t...@terralogic.net wrote:
> >>>>>> Top posting to a hijacked thread is not the way to get
> >>>>>> a quick and useful reply.
> >>>>>> Next time, start your own. Mailing list threads are cheap.
> >>>>>>
> >>>>>>> I see my bank has an invalid cert.  Likely I have an old cert chain.  
> >>>>>>> I'm running Debian Linux and firefox.
> >>>>>>>
> >>>>>> Use anyone of the distribution provided package managers to download 
> >>>>>> and
> >>>>>> install the most recently released package of certificates.
> >>>>>>
> >>>>>>> Can anyone tell me where to install a valid root cert?  Like what 
> >>>>>>> directory?
> >>>>>>> I would think the bank should be able to provide the root of the 
> >>>>>>> chain.
> >>>>>>> I'll need to know SPECIFICALLY what to ask them for.
> >>>>>>>
> >>>>>> Asking the operator of the site you wish to authenticate for the 
> >>>>>> certificate
> >>>>>> is similar to asking the Fox to guard your Chicken House.
> >>>>>>
> >>>>>> Get the root certificate from an "independent", trusted, source.
> >>>>>> Using your distribution's package management will take care of that 
> >>>>>> concern.
> >>>>>>
> >>>>>>> I've created my own certs of course but just not recently.
> >>>>>>> Also I never tried to install the CA cert for firefox.
> >>>>>>>
> >>>>>> Your distribution's package manager already has that handled.
> >>>>>> All you have to do is use it.
> >>>>>>
> >>>>>> Mike

Re: My bank has an invalid cert

2011-08-25 Thread terr
Good idea.

Ya.  I know.  But what percentage of the computers the bank deals with are 
filled with malware?




On Thu, Aug 25, 2011 at 04:06:02PM -0500, Michael S. Zick wrote:
> On Thu August 25 2011, t...@terralogic.net wrote:
> > Sorry
> > 
> > http://www.tdwaterhouse.ca/
> > 
> > It's my old cert chain which is broken.  I just want to go to them and ask 
> > them to supply the root cert so I can install it and get rid of the error 
> > message which Firefox generates because I can't find the root cert.
> 
> They are the wrong people to ask.
> 
> Capture the certificate chain being sent by their server,
> examine it to find what "root cert" you need,
> then get that "root cert" from somewhere else, somewhere you can trust.
> 
> The entire concept of "third party trust" is broken when you by-pass
> the third party.  ;-)
> 
> Mike
> > 
> > 
> > On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:
> > > Can you please *be* specific and provide us with an exact URL for those 
> > > of us that don't live in Canada or use TDWaterhouse? I see TD has 
> > > several sites and this is why we need you to be specific so we can tell 
> > > you which root to get.
> > > 
> > > 
> > > On 08/25/2011 03:06 PM, t...@terralogic.net wrote:
> > > > TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to 
> > > > reboot my computer when their Apache servers in TO send me a 
> > > > misconfiguration message.  I told them yesterday we build it and you 
> > > > break it.  Something is desperately wrong.
> > > >
> > > >
> > > > On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> > > >> Firefox has its own certificate store. It doesn't share 
> > > >> '/etc/ssl/certs'.
> > > >>
> > > >> If we had the bank URL, we would be able to better help you to resolve
> > > >> this issue.
> > > >>
> > > >>
> > > >> On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> > > >>> I know you are trying to help.  But it doesn't help me to defer to a 
> > > >>> package manager because I'm trying to fix what the last package 
> > > >>> managers screwed up.
> > > >>>
> > > >>> On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> > > >>>> On Wed August 24 2011, t...@terralogic.net wrote:
> > > >>>> Top posting to a hijacked thread is not the way to get
> > > >>>> a quick and useful reply.
> > > >>>> Next time, start your own. Mailing list threads are cheap.
> > > >>>>
> > > >>>>> I see my bank has an invalid cert.  Likely I have an old cert 
> > > >>>>> chain.  I'm running Debian Linux and firefox.
> > > >>>>>
> > > >>>> Use anyone of the distribution provided package managers to download 
> > > >>>> and
> > > >>>> install the most recently released package of certificates.
> > > >>>>
> > > >>>>> Can anyone tell me where to install a valid root cert?  Like what 
> > > >>>>> directory?
> > > >>>>> I would think the bank should be able to provide the root of the 
> > > >>>>> chain.
> > > >>>>> I'll need to know SPECIFICALLY what to ask them for.
> > > >>>>>
> > > >>>> Asking the operator of the site you wish to authenticate for the 
> > > >>>> certificate
> > > >>>> is similar to asking the Fox to guard your Chicken House.
> > > >>>>
> > > >>>> Get the root certificate from an "independent", trusted, source.
> > > >>>> Using your distribution's package management will take care of that 
> > > >>>> concern.
> > > >>>>
> > > >>>>> I've created my own certs of course but just not recently.
> > > >>>>> Also I never tried to install the CA cert for firefox.
> > > >>>>>
> > > >>>> Your distribution's package manager already has that handled.
> > > >>>> All you have to do is use it.
> > > >>>>
> > > >>>> Mike
> > 
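
Michael S. Zick's advice quoted in this message (capture the chain the server sends, find which root it needs, then get that root from a source you trust) can be followed by reading the `Certificate chain` block that `openssl s_client -connect HOST:443 -showcerts` prints. The parser below is an added example, not part of the original thread; the sample output and every name in it are constructed, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample of `openssl s_client -connect HOST:443 -showcerts` output.
# All names are hypothetical and the PEM body is deliberately elided.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=CA/O=Example Bank/CN=www.bank.example
   i:/C=US/O=Example Trust/CN=Example Issuing CA G2
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Trust/CN=Example Issuing CA G2
   i:/C=US/O=Example Trust/CN=Example Root CA
---
Server certificate
subject=/C=CA/O=Example Bank/CN=www.bank.example
issuer=/C=US/O=Example Trust/CN=Example Issuing CA G2
---
"""

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:\s*(.+)$")
ISSUER_LINE = re.compile(r"^\s+i:\s*(.+)$")


def parse_chain(s_client_output):
    """Return [(position, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, in_block = [], False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.strip() == "---":
            break  # end of the block; PEM markers have five dashes and do not match
        elif in_block:
            subject = SUBJECT_LINE.match(line)
            issuer = ISSUER_LINE.match(line)
            if subject:
                chain.append([int(subject.group(1)), subject.group(2).strip(), None])
            elif issuer and chain:
                chain[-1][2] = issuer.group(1).strip()
    return [tuple(entry) for entry in chain]


def analyse_chain(chain):
    """Name the CA the local trust store must already hold, and list chain gaps."""
    if not chain:
        raise ValueError("no 'Certificate chain' block found")
    problems = []
    for (pos, _, issuer), (next_pos, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append("cert %d names issuer %r but cert %d is %r"
                            % (pos, issuer, next_pos, next_subject))
    _, top_subject, top_issuer = chain[-1]
    if top_issuer is None:
        raise ValueError("last chain entry has no issuer line")
    return {
        # Issuer of the last certificate sent: this name has to be found in the
        # browser or OS store (it may be a further intermediate if one was omitted).
        "trust_anchor_needed": top_issuer,
        # A self-signed last entry means the server sent the root itself. That copy
        # proves nothing; the same root must come from an independent source.
        "server_sent_root": top_subject == top_issuer,
        "problems": problems,
    }


if __name__ == "__main__":
    # Pipe real s_client output in, or run with no input to use the sample.
    text = SAMPLE_S_CLIENT_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = analyse_chain(parse_chain(text))
    print("Look for this CA in your trust store:", report["trust_anchor_needed"])
    print("Server sent a self-signed root:", report["server_sent_root"])
    for problem in report["problems"]:
        print("Chain problem:", problem)
```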

Re: My bank has an invalid cert

2011-08-25 Thread terr
I know the theory.  I'm also a programmer.  I just never bothered to install a 
root cert before.  But I do know how to make them.  

I'll dig around in FireFox and see where it is and how it's done.

As for the bank.  We build it and they break it.  Not my fault.


On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:
> the answer lies with the people who wrote the software for the certificate 
> store since the whole point is trust.
> 
> If users could manipulate the root certificate store, then it would be 
> impossible to trust anything.
> 
> Generally, you can add certificates by double clicking them and choosing the 
> correct answer (where to store, how much to trust)
> 
> You can open 'keychain access' on a Macintosh or use Windows MMC to delete 
> certificates.
> 
> Banks are entirely sensitive to the issue of SSL and Certificates - they have 
> to be. If your computer doesn't automatically trust your bank's certificates, 
> then you either need to fix your computer or get a new bank.
> 
> The real answer to your problem is this... If you can't trust the root 
> certificates that are part of your OS, then copy everything off the hard 
> drive and re-install a fresh copy of your OS. That is the only way you can 
> trust that your root certificates do what they are supposed to do.
> 
> Craig
> 
> On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:
> 
> > 
> > I already know it's my certificate store.  I only asked how to load in their 
> > new root cert
> > 
> > On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:
> >> Go to an entirely different computer and try accessing - you will know if 
> >> it's your computer or their certificates.
> >> 
> >> If it's your computer, it's either your browser or your OS Certificate 
> >> store (Windows and Macintosh use entirely different methods to accomplish).
> >> 
> >> Firefox uses its own certificates... if it's Firefox on your computer... 
> >> uninstall it completely and re-install it.
> >> 
> >> If it's Chrome, Safari or Internet Explorer, it uses the OS certificate 
> >> store and you will probably need to get the OS to update the Root 
> >> Certificates.
> >> 
> >> This is all pretty much beyond what a user can manage but some users can 
> >> manage them, but this is the wrong list... it would be an OS problem.
> >> 
> >> Craig
> >> 
> >> On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:
> >> 
> >>> TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to reboot 
> >>> my computer when their Apache servers in TO send me a misconfiguration 
> >>> message.  I told them yesterday we build it and you break it.  Something 
> >>> is desperately wrong.
> >>> 
> >>> 
> >>> On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> >>>> Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.
> >>>>
> >>>> If we had the bank URL, we would be able to better help you to resolve 
> >>>> this issue.
> >>>>
> >>>>
> >>>> On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> >>>>> I know you are trying to help.  But it doesn't help me to defer to a 
> >>>>> package manager because I'm trying to fix what the last package 
> >>>>> managers screwed up.
> >>>>>
> >>>>> On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> >>>>>> On Wed August 24 2011, t...@terralogic.net wrote:
> >>>>>> Top posting to a hijacked thread is not the way to get
> >>>>>> a quick and useful reply.
> >>>>>> Next time, start your own. Mailing list threads are cheap.
> >>>>>>
> >>>>>>> I see my bank has an invalid cert.  Likely I have an old cert chain.  
> >>>>>>> I'm running Debian Linux and firefox.
> >>>>>>>
> >>>>>> Use anyone of the distribution provided package managers to download 
> >>>>>> and
> >>>>>> install the most recently released package of certificates.
> >>>>>>
> >>>>>>> Can anyone tell me where to install a valid root cert?  Like what 
> >>>>>>> directory?
> >>>>>>> I would think the bank should be able to provide the root of the 
> >>>>>>> chain.
> >>>>>>> I'll need to know SPECIFICALLY what to ask them for.
> >>>>>>>
> >>>>>> Asking the operator of the site you wish to authenticate for the 
> >>>>>> certificate
> >>>>>> is similar to asking the Fox to guard your Chicken House.
> >>>>>>
> >>>>>> Get the root certificate from an "independent", trusted, source.
> >>>>>> Using your distribution's package management will take care of that 
> >>>>>> concern.
> >>>>>>
> >>>>>>> I've created my own certs of course but just not recently.
> >>>>>>> Also I never tried to install the CA cert for firefox.
> >>>>>>>
> >>>>>> Your distribution's package manager already has that handled.
> >>>>>> All you have to do is use it.
> >>>>>>
> >>>>>> Mike

Re: My bank has an invalid cert

2011-08-25 Thread terr
Sorry

http://www.tdwaterhouse.ca/

It's my old cert chain which is broken.  I just want to go to them and ask them 
to supply the root cert so I can install it and get rid of the error message 
which Firefox generates because I can't find the root cert.


On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:
> Can you please *be* specific and provide us with an exact URL for those 
> of us that don't live in Canada or use TDWaterhouse? I see TD has 
> several sites and this is why we need you to be specific so we can tell 
> you which root to get.
> 
> 
> On 08/25/2011 03:06 PM, t...@terralogic.net wrote:
> > TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to reboot 
> > my computer when their Apache servers in TO send me a misconfiguration 
> > message.  I told them yesterday we build it and you break it.  Something is 
> > desperately wrong.
> >
> >
> > On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> >> Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.
> >>
> >> If we had the bank URL, we would be able to better help you to resolve
> >> this issue.
> >>
> >>
> >> On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> >>> I know you are trying to help.  But it doesn't help me to defer to a 
> >>> package manager because I'm trying to fix what the last package managers 
> >>> screwed up.
> >>>
> >>> On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> >>>> On Wed August 24 2011, t...@terralogic.net wrote:
> >>>> Top posting to a hijacked thread is not the way to get
> >>>> a quick and useful reply.
> >>>> Next time, start your own. Mailing list threads are cheap.
> >>>> 
> >>>>> I see my bank has an invalid cert.  Likely I have an old cert chain.  
> >>>>> I'm running Debian Linux and firefox.
> >>>>>
> >>>> Use anyone of the distribution provided package managers to download and
> >>>> install the most recently released package of certificates.
> >>>> 
> >>>>> Can anyone tell me where to install a valid root cert?  Like what 
> >>>>> directory?
> >>>>> I would think the bank should be able to provide the root of the chain.
> >>>>> I'll need to know SPECIFICALLY what to ask them for.
> >>>>>
> >>>> Asking the operator of the site you wish to authenticate for the 
> >>>> certificate
> >>>> is similar to asking the Fox to guard your Chicken House.
> >>>> 
> >>>> Get the root certificate from an "independent", trusted, source.
> >>>> Using your distribution's package management will take care of that 
> >>>> concern.
> >>>> 
> >>>>> I've created my own certs of course but just not recently.
> >>>>> Also I never tried to install the CA cert for firefox.
> >>>>>
> >>>> Your distribution's package manager already has that handled.
> >>>> All you have to do is use it.
> >>>> 
> >>>> Mike
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: My bank has an invalid cert

2011-08-25 Thread terr

I already know it's my certificate store.  I only asked how to load in their 
new root cert

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:
> Go to an entirely different computer and try accessing - you will know if 
> it's your computer or their certificates.
> 
> If it's your computer, it's either your browser or your OS Certificate store 
> (Windows and Macintosh use entirely different methods to accomplish).
> 
> Firefox uses its own certificates... if it's Firefox on your computer... 
> uninstall it completely and re-install it.
> 
> If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store 
> and you will probably need to get the OS to update the Root Certificates.
> 
> This is all pretty much beyond what a user can manage but some users can 
> manage them, but this is the wrong list... it would be an OS problem.
> 
> Craig
> 
> On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:
> 
> > TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to reboot 
> > my computer when their Apache servers in TO send me a misconfiguration 
> > message.  I told them yesterday we build it and you break it.  Something is 
> > desperately wrong.
> > 
> > 
> > On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> >> Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.
> >> 
> >> If we had the bank URL, we would be able to better help you to resolve 
> >> this issue.
> >> 
> >> 
> >> On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> >>> I know you are trying to help.  But it doesn't help me to defer to a 
> >>> package manager because I'm trying to fix what the last package managers 
> >>> screwed up.
> >>> 
> >>> On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> >>>> On Wed August 24 2011, t...@terralogic.net wrote:
> >>>> Top posting to a hijacked thread is not the way to get
> >>>> a quick and useful reply.
> >>>> Next time, start your own. Mailing list threads are cheap.
> >>>> 
> >>>>> I see my bank has an invalid cert.  Likely I have an old cert chain.  
> >>>>> I'm running Debian Linux and firefox.
> >>>>> 
> >>>> Use anyone of the distribution provided package managers to download and
> >>>> install the most recently released package of certificates.
> >>>> 
> >>>>> Can anyone tell me where to install a valid root cert?  Like what 
> >>>>> directory?
> >>>>> I would think the bank should be able to provide the root of the chain.
> >>>>> I'll need to know SPECIFICALLY what to ask them for.
> >>>>> 
> >>>> Asking the operator of the site you wish to authenticate for the 
> >>>> certificate
> >>>> is similar to asking the Fox to guard your Chicken House.
> >>>> 
> >>>> Get the root certificate from an "independent", trusted, source.
> >>>> Using your distribution's package management will take care of that 
> >>>> concern.
> >>>> 
> >>>>> I've created my own certs of course but just not recently.
> >>>>> Also I never tried to install the CA cert for firefox.
> >>>>> 
> >>>> Your distribution's package manager already has that handled.
> >>>> All you have to do is use it.
> >>>> 
> >>>> Mike
> 
> -- 
> Craig White ~~  craig.wh...@ttiltd.com
> 1.800.869.6908 ~~~ www.ttiassessments.com 
> 
> Need help communicating between generations at work to achieve your desired 
> success? Let us help!
> 

Re: My bank has an invalid cert

2011-08-25 Thread terr
TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to reboot my 
computer when their Apache servers in TO send me a misconfiguration message.  I 
told them yesterday we build it and you break it.  Something is desperately 
wrong.


On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.
> 
> If we had the bank URL, we would be able to better help you to resolve 
> this issue.
> 
> 
> On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> > I know you are trying to help.  But it doesn't help me to defer to a 
> > package manager because I'm trying to fix what the last package managers 
> > screwed up.
> >
> > On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> >> On Wed August 24 2011, t...@terralogic.net wrote:
> >> Top posting to a hijacked thread is not the way to get
> >> a quick and useful reply.
> >> Next time, start your own. Mailing list threads are cheap.
> >>
> >>> I see my bank has an invalid cert.  Likely I have an old cert chain.  I'm 
> >>> running Debian Linux and firefox.
> >>>
> >> Use anyone of the distribution provided package managers to download and
> >> install the most recently released package of certificates.
> >>
> >>> Can anyone tell me where to install a valid root cert?  Like what 
> >>> directory?
> >>> I would think the bank should be able to provide the root of the chain.
> >>> I'll need to know SPECIFICALLY what to ask them for.
> >>>
> >> Asking the operator of the site you wish to authenticate for the 
> >> certificate
> >> is similar to asking the Fox to guard your Chicken House.
> >>
> >> Get the root certificate from an "independent", trusted, source.
> >> Using your distribution's package management will take care of that 
> >> concern.
> >>
> >>> I've created my own certs of course but just not recently.
> >>> Also I never tried to install the CA cert for firefox.
> >>>
> >> Your distribution's package manager already has that handled.
> >> All you have to do is use it.
> >>
> >> Mike


Re: My bank has an invalid cert

2011-08-25 Thread terr
I know you are trying to help.  But it doesn't help me to defer to a package 
manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> On Wed August 24 2011, t...@terralogic.net wrote:
> >
> 
> Top posting to a hijacked thread is not the way to get
> a quick and useful reply.
> Next time, start your own. Mailing list threads are cheap.
> 
> > I see my bank has an invalid cert.  Likely I have an old cert chain.  I'm 
> > running Debian Linux and firefox.
> > 
> 
> Use anyone of the distribution provided package managers to download and
> install the most recently released package of certificates.
> 
> > Can anyone tell me where to install a valid root cert?  Like what 
> > directory?  
> > I would think the bank should be able to provide the root of the chain.  
> > I'll need to know SPECIFICALLY what to ask them for.  
> >
> 
> Asking the operator of the site you wish to authenticate for the certificate
> is similar to asking the Fox to guard your Chicken House.
> 
> Get the root certificate from an "independent", trusted, source.
> Using your distribution's package management will take care of that concern.
>  
> > I've created my own certs of course but just not recently.  
> > Also I never tried to install the CA cert for firefox. 
> > 
> 
> Your distribution's package manager already has that handled.
> All you have to do is use it.
> 
> Mike


My bank has an invalid cert

2011-08-24 Thread terr
I see my bank has an invalid cert.  Likely I have an old cert chain.  I'm 
running Debian Linux and firefox.

Can anyone tell me where to install a valid root cert?  Like what directory?  I 
would think the bank should be able to provide the root of the chain.  I'll 
need to know SPECIFICALLY what to ask them for.

I've created my own certs of course but just not recently.  Also I never tried 
to install the CA cert for firefox.


On Wed, Aug 24, 2011 at 05:22:26PM -0400, Eduardo Navarro wrote:
> You need to have your Root CA certificate (the one used to issue the 
> intermediate CAs and the HTTP cert) to be added to the Trusted Root 
> Certificates store. Firefox manages this separately, same as Apple. Apple 
> needs to add the CA to the Keychain as a trusted root. Firefox, you need to 
> add it to the Security Settings (don't remember exact name of menu/tab)
> 
> -Eduardo
> 
> -Original Message- 
> From: Craig White
> Sent: Wednesday, August 24, 2011 4:54 PM
> To: openssl-users@openssl.org
> Subject: being my own ca
> 
> I've been at this for too many hours and too many web pages and I'm so 
> close... I think I could use a little help over the final obstacle.
> 
> I'm trying to be my own CA and what I want to accomplish is to be able to 
> sign web server certificates that are automatically accepted by our LAN 
> users if they have the CA certificate installed.
> 
> My CA certificate verifies fine...
> root@ubuntu:/etc/ssl# openssl verify cacert.pem
> cacert.pem: OK
> 
> My host web server certificate (generated with the key removed) verifies 
> fine...
> root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem
> ubuntu/http.pem: OK
> 
> I signed all the certificates that I generated with the CA key file that was 
> used for the CA certificate.
> 
> and If I load either the DER or the PEM version of my self-signed CA into 
> Firefox or Apple's Keychain access, I would expect that it should just be 
> accepted (but it's not). Of course users can choose to 'accept' but I'm 
> looking to get past that.
> 
> If someone can help me get over the hurdle, I would appreciate it.
> 
> The code I use to generate the web cert is...
> 
> openssl req -new -nodes \
> -out $CERTPATH/http.csr \
> -keyout $CERTPATH/http.key \
> -days 3650 \
> -config $CONFIG
> 
> openssl ca \
> -config $CONFIG \
> -policy policy_anything \
> -out $CERTPATH/http.pem \
> -infiles $CERTPATH/http.csr
> 
> TIA
> 
> -- 
> Craig White ~~  craig.wh...@ttiltd.com
> 1.800.869.6908 ~~~ www.ttiassessments.com
> 
> Need help communicating between generations at work to achieve your desired 
> success? Let us help!
> 


Re: Question regarding to memory leak

2011-06-24 Thread terr
Bob,

Just a little more explanation here.  Suppose we have a bunch of structures 
allocated into the pages of memory and a connection goes sour and is timing out.  
Suppose our server is under substantial memory pressure.  In a situation like 
this if _any_ structure on any active connection happens to live in a memory 
page otherwise or even largely used by the dead connection, then the machine 
CANNOT swap that page.  The way malloc() works this will be the normal 
situation because structures are allocated temporally (in the time domain) and by 
size.  It becomes a real problem when many small structs are malloc()ed.  

Next, in order to optimize allocation and freeing malloc() actually does quite 
a lot of work.  

When I wrote that poor boy code I looked for as simple a solution as possible.  
In OpenSSL I would make the assumption that the high water mark on pretty much 
any connection will be about as high as the high water mark on any other.  This 
is measured by the total amount of memory needed for all structures relevant to 
the given connection.  But if this is not so it's not really all that terrible 
because if the pool of pages is reused then it just grows back into the old 
page set as required.  Memory pages sitting in a swap file are something I 
consider free.  It might require more I/O to free them up than to just let them 
fester on disk.

Note that I didn't bother with a free space chain.  Depending on the nature of 
the code if something like the pfa_blah() functions are to be used then a free 
chain might be necessary and it might make sense to organise some sort of a 
stack as well.  Maybe they did this.  I never looked.  What I am thinking here 
is that whenever a function is called it gets a stack marker and automatic 
variables are allocated into the stack... but in a forked or threaded model I'm 
not sure if each fork() or thread() gets its own stack and how this might 
interact with a pfa_blah() scheme indexed by an fd.

Regardless if an fd is not known and is not relevant to a function then I 
suppose one could index via a pid?  This of course depends on the specific way 
the code is written and a lot of assumptions may not be valid.

To me however I think one observation has to be correct but this will have to 
be confirmed.  We should be able to collect all malloc()s into a pool of pages 
organised around an fd which is what the operating system uses to identify the 
connection.  If so then we should NOT need to care if that fd is alive or dead.  
Somehow the o/s and the code knows about this and hopefully will eventually 
close the file if the connection dies, regardless of how this might happen.  
If a connection dies then the O/S will collect all control blocks associated 
with the fd and somehow make the memory and the fd number available for another 
connection.


What this means is that in the code, select() will re-use a dead fd#.  If so 
then all one really needs to do is call pfa_init() at the time one calls 
fopen().  pfa_init() will reset the page pool for the fd or initialize one if 
there is none there.





Note the maximum number of file descriptors is FD_SETSIZE which is defined in 
.


So it should work and should be easy to layer in.




On Fri, Jun 24, 2011 at 04:35:57PM -0700, Yan, Bob wrote:
> Thank you and Eric for the inputs. I will look at them and see what I should 
> do with this.
> 
> Have a nice weekend.
> Bob
>  
> 
> -Original Message-
> From: owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of t...@terralogic.net
> Sent: Friday, June 24, 2011 4:52 PM
> To: openssl-users@openssl.org
> Subject: Re: Question regarding to memory leak
> 
> I have suggested this before.  Write your own memtools.
> 
> 
> http://www.terralogic.net/developer/developer.html
> 
> 
> I tossed up a couple poor boy examples.
> 
> Note the calls:
> 
> struct pfa_ControlBlock chain1 = { ipfa_ControlBlock }
>   , chain2 = { ipfa_ControlBlock };
> 
> pfa_Init( &chain1, 8172 );
> pfa_Init( &chain2, 8172 );
> 
> p = pfa_alloc( &chain1, 10, &ierr );   
> 
> 
> 
> 
> In OpenSSL for instance each connection is identified by an fd (for the 
> socket) and there are a fixed number of these.
> 
> One can set up an array of pointers and allocate a page of memory for each 
> connection at the time the connection is opened.  
> 
> One wants a 1:1 correspondence between the fd flags from select() and the 
> pfa_Control_Block pointer array.
> 
> Then when _ANY_ memory is needed simply use pfa_alloc() with the appropriate 
> control block of which the address can easily be looked up from the pointer 
> array.
> 
> At any time if the connection is lost... forget it.  Close the socket and the 
> next time the fd is used the old pages will be fetched from virtual memory as 
> required.  No leaks!  Also all memory for a connection will be in a small 
> group of pages which will be flushed to the swap file and they will stay 
> there b

Re: Question regarding to memory leak

2011-06-24 Thread terr
I have suggested this before.  Write your own memtools.


http://www.terralogic.net/developer/developer.html


I tossed up a couple poor boy examples.

Note the calls:

struct pfa_ControlBlock chain1 = { ipfa_ControlBlock }
  , chain2 = { ipfa_ControlBlock };

pfa_Init( &chain1, 8172 );
pfa_Init( &chain2, 8172 );

p = pfa_alloc( &chain1, 10, &ierr );   




In OpenSSL for instance each connection is identified by an fd (for the socket) 
and there are a fixed number of these.

One can set up an array of pointers and allocate a page of memory for each 
connection at the time the connection is opened.  

One wants a 1:1 correspondence between the fd flags from select() and the 
pfa_Control_Block pointer array.

Then when _ANY_ memory is needed simply use pfa_alloc() with the appropriate 
control block of which the address can easily be looked up from the pointer 
array.

At any time if the connection is lost... forget it.  Close the socket and the 
next time the fd is used the old pages will be fetched from virtual memory as 
required.  No leaks!  Also all memory for a connection will be in a small group 
of pages which will be flushed to the swap file and they will stay there 
because there will never be any competing connections using that pool of pages! 
 (malloc will shuffle memory for many connections into a given set of pages).


If we want to actually free the memory because we are closing the fd then it's 
simple... follow the linked list and free the pages.


-

Next it really doesn't matter if malloc and pfa_alloc() are both used.  Any 
structures which use pfa_blah will live in a world of their own which is totally 
compatible with anything malloc() might do.  We just wouldn't want a struct 
allocated with pfa_blah() pointed to by something allocated with malloc() 
because if we call pfa_init() then all those pointers in the malloc()ed structs 
are invalid.  However by definition if we call pfa_init() then that fd is dead 
so anything that points to anything allocated for that dead fd is likely 
invalid anyways.


The thing is this.  One can free and reallocate in a pfa_blah page pool.  I 
didn't need to do this so I never bothered.  But it can be done.  Anything 
which is not actually freed can be re-initialized at any time by calling 
pfa_init().  At that point all pages are wiped and ready for re-use.  One 
doesn't have to go through all sorts of linked structures and determine piece 
by piece what was and what was not allocated and whether something has been 
freed.  There is one master and simple linked list structure and that is found 
from the fd which identifies the socket.


-

As I said I offered this a few years ago.  I was told there is already some 
sort of memory management being used.  But I keep seeing comments on leaks so 
I'm not sure what is done because I think if one uses the fd one can sort of 
allocate a pool of pages for each connection and as long as all malloc() is 
done within that pool then we shouldn't have leaks.

Also if all malloc()s for an fd are in their own pool of pages then the machine 
can swap that connection out if required and if the connection times out and 
dies just re-initialize it when the fd is re-opened (on another connection).


On Fri, Jun 24, 2011 at 01:20:42PM -0700, Eric S. Eberhard wrote:
> As a general comment not all memory leaks reported by these tools are 
> a bad thing.  I often write code that has these type of leaks on 
> purpose for performance reasons.  For example a function that is 
> called often and malloc's memory ... rather than malloc and free each 
> time (causing context switching and generally slow) I just make the 
> pointer static and a size variable static.  I use the pointer until 
> it is too small, then I realloc to a larger size.  In modern systems 
> often the "leak" is worth the performance gain.  I run on IBM 
> AIX.  Having said that, I have not dug in to your specifics which may 
> just be bugs, an error with the tool, or deliberate.  Eric
> 
> 
> At 11:58 AM 6/24/2011, Yan, Bob wrote:
> >Hi,
> >
> >I have used IBM purify to check my test program which invokes 
> >openssl library. There are some memory leaks reported by Purify, 
> >please see below. Could somebody point to me from which function 
> >those leaks were generated, and how to avoid those leaks? Thanks, Bob
> >
> >
> >  MLK: 1104 bytes leaked in 46 blocks
> >  This memory was allocated from:
> >malloc [rtlib.o]
> >CRYPTO_malloc  [libcrypto.so.1.0.0]
> >ASN1_STRING_type_new [libcrypto.so.1.0.0]
> >ASN1_primitive_new [libcrypto.so.1.0.0]
> >asn1_item_ex_combine_new [libcrypto.so.1.0.0]
> >asn1_item_ex_combine_new [libcrypto.so.1.0.0]
> >ASN1_item_ex_d2i [libcrypto.so.1.0.0]
> >asn1_template_noexp_d2i [libcrypto.so.1.0.0]
> >  Block of 24 bytes (46 times); last

Openssl: bio/crypto orthoganalization

2009-01-30 Thread terr

I've not looked at the OpenSSL code for a few years now.  Last time I looked 
the only way to do things was via a "BIO" and the BIO functions did the crypto. 
 

This is totally inappropriate for many server designs.

I would like to ask if the crypto/bio functions have been factored apart so 
they are orthogonal.

To my way of thinking we should have a way to basically do this:

1) define a single structure which will carry all data for a connection.  This 
can be referenced from say an fd which is returned by fopen().

2) define a single function which might for instance use a state flag and plug 
it into a case statement in order to call the appropriate step in the crypto 
pipeline.  Thus the interface might work something like this:  A packet comes 
in via say fread().  This packet is then passed into OpenSSL as follows:  
ierr=OpenSSL(control_code, fd, p_fd->OpenSSL_connection_data, &packet_in, 
&packet_out);   In this case the control_code might be a constant which might 
have values like "initialize", "release", "abort", "establish_connection" (many 
steps), "encrypt", "decrypt" and whatever else is appropriate.

3) with something like this the bio() functions I looked at before are easy to 
implement... but if the application needs to do the I/O then it can.  

4) another thing that should be done if it is not already done is that all 
malloc()ing should be controlled such that malloc() takes place a page at a 
time and the needed space is allocated from the pages in a pool indexed by the 
fd number.  If this is done then the memory for a connection can be released 
easily and memory leaks cannot occur.  The point here is that if a connection 
is lost we simply blow away all the data held in OpenSSL_connection_data and 
blow away all pages associated with the page pool holding allocated memory and 
we are done.  The crypto functions don't even need to know it happened.

I'm not looking for details at this point.  I just want to know what the status 
 of the code is.

Thanx.

Terrell 
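
The per-connection page pool described in point 4 above and in the "Question regarding to memory leak" posts, as an added C example. It is not part of the thread and is not the pfa_* code referenced there; the conn_pool_* names, the 4096-byte page and the 64-entry fd table are assumptions made for the sketch.

```c
/* Added example: per-connection page pool keyed by socket fd (all names hypothetical). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_PAGE_SIZE 4096u                 /* assumed page size */
#define POOL_MAX_FD    64                    /* constructed limit; size from FD_SETSIZE in a server */
#define POOL_ALIGN     _Alignof(max_align_t)

struct pool_page {
    struct pool_page *next;
    size_t used;                             /* bytes handed out from data[] */
    _Alignas(max_align_t) unsigned char data[POOL_PAGE_SIZE];
};

struct conn_pool {
    struct pool_page *head;                  /* first page of the chain */
    struct pool_page *cur;                   /* page currently being filled */
    size_t pages;
};
static struct conn_pool pools[POOL_MAX_FD];  /* 1:1 with fd numbers */

/* Zero through a volatile pointer so the compiler cannot drop the wipe. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

static struct conn_pool *pool_for(int fd)
{
    return (fd >= 0 && fd < POOL_MAX_FD) ? &pools[fd] : NULL;
}

/* Call when an fd is (re)opened: wipe and keep old pages; earlier pointers go stale. */
int conn_pool_init(int fd)
{
    struct conn_pool *cp = pool_for(fd);
    if (!cp) return -1;
    for (struct pool_page *p = cp->head; p; p = p->next) {
        secure_wipe(p->data, p->used);
        p->used = 0;
    }
    cp->cur = cp->head;
    return 0;
}

/* Bump-allocate n bytes for fd. NULL on bad fd, n == 0, n > one page, or no memory. */
void *conn_pool_alloc(int fd, size_t n)
{
    struct conn_pool *cp = pool_for(fd);
    if (!cp || n == 0 || n > POOL_PAGE_SIZE) return NULL;
    n = (n + POOL_ALIGN - 1) & ~(POOL_ALIGN - 1);   /* n <= page size, cannot overflow */
    while (cp->cur && cp->cur->used + n > POOL_PAGE_SIZE && cp->cur->next)
        cp->cur = cp->cur->next;                    /* move on to a page kept from before */
    if (!cp->cur || cp->cur->used + n > POOL_PAGE_SIZE) {
        struct pool_page *pg = calloc(1, sizeof *pg);
        if (!pg) return NULL;
        if (cp->cur) cp->cur->next = pg; else cp->head = pg;
        cp->cur = pg;
        cp->pages++;
    }
    void *out = cp->cur->data + cp->cur->used;
    cp->cur->used += n;
    return out;
}

/* Call when the fd is closed for good: wipe and free the chain. Returns pages freed. */
size_t conn_pool_release(int fd)
{
    struct conn_pool *cp = pool_for(fd);
    size_t freed = 0;
    if (!cp) return 0;
    for (struct pool_page *p = cp->head, *nx; p; p = nx) {
        nx = p->next;
        secure_wipe(p->data, p->used);
        free(p);
        freed++;
    }
    memset(cp, 0, sizeof *cp);
    return freed;
}

size_t conn_pool_pages(int fd)
{
    return pool_for(fd) ? pool_for(fd)->pages : 0;
}

int main(void)
{
    char *state = conn_pool_alloc(5, 32);    /* first connection on fd 5 */
    if (!state) return 1;
    strcpy(state, "per-connection state");
    conn_pool_init(5);                       /* fd 5 reused by a new connection */
    char *fresh = conn_pool_alloc(5, 32);
    printf("reused: %d, wiped: %d\n", fresh == state, fresh[0] == 0);
    return conn_pool_release(5) == 1 ? 0 : 1;
}
```

The reset path wipes pages before handing them to the next connection on the same fd, so state left by a dead connection is not readable through a recycled descriptor.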


Re: man in the middle attack over https

2007-10-03 Thread terr

Right.  With server auth you eliminate the weakness I was thinking about a few 
years back.  As was pointed out I didn't check for html.


On Wed, Oct 03, 2007 at 03:55:21PM -0700, Michael Sierchio wrote:
> [EMAIL PROTECTED] wrote:
> > I'd like to ask the group about a possible man in the middle attack over 
> > https.
> 
> What you've described (though see Viktor's post about what you didn't
> really include in your message) is not MITM -- it's just a fake URL
> scheme.   SSL v3.0 and TLS with server auth are not subject to MITM.
> 
> Regards,
> 
> Michael


Re: man in the middle attack over https

2007-10-03 Thread terr
Thank you very much!

I never realised there was even an html attachment!  I use mutt and never 
looked for it.  Of course I know why I use mutt and this is one of the reasons 
why.

Since I never looked at the html I never saw the bogus address.  How cute eh!

These financial institutions have a major major problem.  Then they recommend to 
people to use insecure systems.  I expect within a few years we are going 
to see some MAJOR heists!

Also IMHO man in the middle is possible even over https.  The issue is that you 
need to create what looks to be a valid cert and this means you need to have 
what looks to be a valid root CA.  The weak link might be updating the 
Browser's recognised root CA's.

I did some work on this a few years back and it looked quite doable to me then 
but I never actually followed up and looked in detail or looked at the security 
a browser must implement in order for it to be non-hackable.  It's a bit of a 
catch-22 situation.  If you cannot confirm the validity of the browser's 
acceptable root CA's then I would think one can be chucked in that makes any old 
self generated cert trustworthy.

Again.  Thanks for the tip.  Again.  I never thought to check for html code.



On Wed, Oct 03, 2007 at 05:43:22PM -0400, Robert Butler wrote:
> That's right- 
> 
> nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
> since everything is encrypted using TLS or SSL.
> If you get extremely lucky and catch the browser at the wrong moment,
> you can sniff the server key and browser key,
> but apart from that, it really depends on the strength of the server's
> key.
> 
> What they do, is they spoof the certificate and point you to a hijacked
> webpage (us.etrade.com.mypaidhost.net), from 
> which they can easily collect your login information. They then access
> your E*Trade account and have lots of fun with it, 
> leaving you holding an empty bag.
> 
> 
> That's my take on all of this.
> - Robert
> 
> On Wed, 2007-10-03 at 15:39 -0400, Victor Duchovni wrote:
> 
> > On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:
> > 
> > > > Here is the URL they direct the victim to:
> > > 
> > > https://us.etrade.com/login/challange/2b593cba/logon.htm
> > > 
> > 
> > This is not the actual booby-trapped URL that users who click on the
> > phishing links would use. You are not looking at the HTML source of
> > the email.
> 
> 


Re: OpenSSL versus Verisign

2006-04-27 Thread terr
Go with OpenSSL

On Thu, Apr 27, 2006 at 03:39:47AM -0700, Wakatou (sent by Nabble.com) wrote:
> 
> Hello,
> 
> My commercial company needs to secure its databases and file transmissions.
> We need to reassure the client that our site and his data are secured on
> our application. Therefore, we need to make sure he knows the security
> standard we are using. We would like to use OpenSSL but we need to make sure
> it is fully secured and that an OpenSSL logo will make our clients
> confident.
> 
> What is your opinion on this ? Should we go for OpenSSL or pay for a
> Verisign licence and logo ?
> 
> Thanks for your help.
> 
> Wakatou.


Re: Crypted Message trasfer across OS

2005-11-14 Thread terr
Why don't you spin through the file in the two machines and determine if they 
are (1) the exact same length and (2) if their contents match.

While I have not been doing openssl programming for a while I am a programmer 
and that would be the 1st thing I'd check.  You should look for byte ordering as 
well.

You would not actually have to run a MD5 checksum but it would be ok to do so.

I can offer you a little C hexdump routine if you need one.  I think it might 
even be on my website.  However you could simply write a little C program to 
read them in and then use printf() and it might give you an idea what you are 
up against.

Endian issues are not likely to be the issue.  Whatever it is it will likely be 
a little more subtle.

Terrell


On Mon, Nov 14, 2005 at 05:15:47PM +0530, Dorairaj B - CTD, Chennai. wrote:
> > Hello,
> > 
> > I am transferring a AES encrypted buffer by writing to a file in Windows
> > and then trying to decrypt the buffer from the transferred file in Linux.
> > Though i use the same key both sides, the decryption does not work.
> > 
> > I use the following:
> > 
> > windows 2000 professional with openssl-0.9.8a
> > Linux 2.4.20 with openssl-0.9.8a
> > Used fgets, fputs for transferring contents from buffer to file.
> > 
> > I suspect doing the file operation would add '\0' at the end and might
> > cause problems. 
> > 
> > Is there a standard method of transferring the encrypted message from
> > Windows to Linux and viceversa?
> > Any help on this would be useful.
> > 
> > Thanks,
> > -Dorai
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
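
The length-and-contents check suggested in this thread, as an added example that is not code from any of the posters: a constructed 16-byte buffer stands in for the AES output, is stored once with fwrite and once with fputs (the call named in the question), and the two results are compared and hexdumped. The buffer contents and all function names are assumptions made for the illustration.

```c
#include <stdio.h>

/* Constructed sample standing in for ciphertext. It deliberately contains
 * 0x00, 0x0A and 0x0D 0x0A, the bytes that string I/O and text-mode files
 * treat specially. */
static const unsigned char SAMPLE[16] = {
    0x3c, 0xa1, 0x0a, 0x7f, 0x00, 0x5e, 0x0d, 0x0a,
    0x99, 0x00, 0xe2, 0x41, 0x1a, 0xb7, 0x08, 0xd4
};

/* Length of a stream in bytes; leaves the stream rewound. */
static long stream_length(FILE *fp)
{
    long n;
    fseek(fp, 0L, SEEK_END);
    n = ftell(fp);
    rewind(fp);
    return n;
}

/* Offset of the first differing byte, or -1 when both streams have the
 * same length and the same contents. A stream that ends early counts as
 * a difference at the offset where it ends. */
static long first_difference(FILE *a, FILE *b)
{
    long off = 0;
    rewind(a);
    rewind(b);
    for (;;) {
        int ca = fgetc(a), cb = fgetc(b);
        if (ca != cb) return off;
        if (ca == EOF) return -1;
        off++;
    }
}

/* Minimal hexdump, 8 bytes per row. */
static void hexdump(const char *label, FILE *fp)
{
    long off = 0;
    int c;
    printf("%s (%ld bytes)\n", label, stream_length(fp));
    while ((c = fgetc(fp)) != EOF) {
        if (off % 8 == 0) printf("%s%04lx:", off ? "\n" : "", off);
        printf(" %02x", c);
        off++;
    }
    printf("\n");
}

/* Correct for binary data: explicit length, binary-mode stream.
 * tmpfile() opens in "wb+"; with fopen() the "b" matters on Windows,
 * where a text-mode stream rewrites 0x0A as 0x0D 0x0A. */
static FILE *store_with_fwrite(void)
{
    FILE *fp = tmpfile();
    if (fp) fwrite(SAMPLE, 1, sizeof SAMPLE, fp);
    return fp;
}

/* What the question describes: fputs treats the buffer as a C string and
 * stops at the first 0x00, silently dropping the rest. */
static FILE *store_with_fputs(void)
{
    FILE *fp = tmpfile();
    if (fp) fputs((const char *)SAMPLE, fp);
    return fp;
}

/* Number of bytes that reach the file with each method (-2 on I/O error). */
long length_after(int use_fputs)
{
    FILE *fp = use_fputs ? store_with_fputs() : store_with_fwrite();
    long n;
    if (!fp) return -2;
    n = stream_length(fp);
    fclose(fp);
    return n;
}

/* First offset at which the stored file departs from a faithful copy. */
long first_diff_against_reference(int use_fputs)
{
    FILE *ref = store_with_fwrite();
    FILE *got = use_fputs ? store_with_fputs() : store_with_fwrite();
    long off = -2;
    if (ref && got) off = first_difference(ref, got);
    if (ref) fclose(ref);
    if (got) fclose(got);
    return off;
}

int main(void)
{
    FILE *ref = store_with_fwrite(), *bad = store_with_fputs();
    if (!ref || !bad) return 1;
    hexdump("fwrite, binary mode", ref);
    hexdump("fputs", bad);
    printf("first difference at offset %ld\n", first_difference(ref, bad));
    fclose(ref);
    fclose(bad);
    return 0;
}
```

Run against the real files on both machines, the same comparison shows whether the ciphertext changed in transit before any key or cipher setting is suspected.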


Re: need function to get cube root

2005-08-06 Thread terr
I'll toss in my 2 cents and perhaps say something either stupid or obvious.  
That is that if you have a number of say 1024 bits then you can compute the 
cube root in 1024/3 operations where each operation is z^3.  I do not know why 
you need the number and I do not know if this is an acceptable cost.  




On Sat, Aug 06, 2005 at 09:26:09PM -0400, Victor Duchovni wrote:
> On Sat, Aug 06, 2005 at 05:36:52PM -0700, Anirban Banerjee wrote:
> 
> >  Can someone please let me have a pointer to how I may obtain a cube root 
> > of 
> > a BIGNUM
> 
> Wrong question. BIGNUMs are for high precision *integer* arithmetic,
> often in a finite ring (e.g. Z/pqZ). In this context cube roots either
> don't exist for most inputs (Z) or are computationally infeasible (Z/nZ).
> 
> For numbers that do have cube roots in the integer case, you can use a
> half-interval search. In the discrete (Z/nZ) case you are on your own,
> there are no known effective algorithms.
> 
> What problem are you trying to solve?
> 
> -- 
>   Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
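
The two integer approaches mentioned in this thread, sketched on 64-bit values as an added example (not code from the posters, and not using the BIGNUM API): the half-interval search, and a bit-at-a-time construction in which each of roughly bits/3 steps costs one cubing. Function names are assumptions; with BIGNUMs the same loops would use the library's multiply and compare routines in place of the native operators.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest r whose cube still fits in 64 bits: 2642245^3 < 2^64 <= 2642246^3. */
#define ICBRT_MAX 2642245ULL

/* floor(cbrt(n)) by half-interval search over [0, ICBRT_MAX]. */
uint64_t icbrt_bisect(uint64_t n)
{
    uint64_t lo = 0, hi = ICBRT_MAX;        /* invariant: lo^3 <= n */
    while (lo < hi) {
        /* Round the midpoint up so that lo = mid always makes progress. */
        uint64_t mid = lo + (hi - lo + 1) / 2;
        if (mid * mid * mid <= n)
            lo = mid;
        else
            hi = mid - 1;
    }
    return lo;
}

/* floor(cbrt(n)) built one result bit at a time, from the top down.
 * A 64-bit input has at most 22 result bits, so at most 22 cubings are
 * needed; the count actually performed is returned through *cubings. */
uint64_t icbrt_bits(uint64_t n, unsigned *cubings)
{
    uint64_t r = 0;
    unsigned count = 0;
    int bit;
    for (bit = 21; bit >= 0; bit--) {
        uint64_t c = r | ((uint64_t)1 << bit);
        if (c > ICBRT_MAX)
            continue;                        /* c^3 would exceed any 64-bit n */
        count++;
        if (c * c * c <= n)
            r = c;                           /* keep the bit */
    }
    if (cubings)
        *cubings = count;
    return r;
}

/* Most integers have no integer cube root; report whether n does. */
int is_perfect_cube(uint64_t n, uint64_t *root)
{
    uint64_t r = icbrt_bits(n, NULL);
    if (root)
        *root = r;
    return r * r * r == n;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint64_t samples[] = { 0, 26, 27, 1000000, UINT64_MAX };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned steps = 0;
        uint64_t r = icbrt_bits(samples[i], &steps);
        printf("n=%llu floor_cbrt=%llu (bisect %llu) cubings=%u exact=%d\n",
               (unsigned long long)samples[i], (unsigned long long)r,
               (unsigned long long)icbrt_bisect(samples[i]), steps,
               is_perfect_cube(samples[i], NULL));
    }
    return 0;
}
```

Neither loop applies to the modular (Z/nZ) case, which the thread describes as having no known effective algorithm.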


Re: Signed data in CMS format

2005-06-14 Thread terr
Why is this message 38K?




On Tue, Jun 14, 2005 at 04:55:01PM +0530, Madhu Sudhan Reddy wrote:
> Hello All,
> 
> I have the requirement to sign the data in CMS format. I
> used PKCS7_sign function, which outputs data in PKCS#7 format.
> 
> After creating signed data, I am passing the data to the function
> "Verify_CMS()" (This function is not listed below, part of JAVA script)
> to verify. But this function is returning "Incorrect CMS" error.
> 
> Is there any mistake in the following piece of code in
> creating signed data in PKCS#7 format?
> 
> Any comment on this will help me greatly. Thanking you...
> 
> PBYTE PKI_SignData (PBYTE pbByteArraytoAuthenticate,
>                     unsigned int uiByteArraytoAuthenticate_len,
>                     int ioptions, char* pcCertName)
> {
>     unsigned char* pcTempAuthData = NULL;
>     unsigned short usDataLength = 0;
>     X509 *pSignerCert = NULL;
>     EVP_PKEY *pkey = NULL;
>     BIO *InputData = NULL;
> 
>     if (pbByteArraytoAuthenticate == NULL)
>         return 0;
> 
>     /* check options parameters and validate the platform support */
>     if ( (ioptions & 1) && (bSupportingOpaqueSignatures == false) )
>     {
>         g_pkiReasonCode = CMS_NO_OPAQUE_SIGNATURES;
>         return 0;
>     }
>     if ( (!(ioptions & 1)) && (bSupportingDitachedSignatures == false) )
>     {
>         g_pkiReasonCode = CMS_NO_DETACH_SIGNATURE;
>         return 0;
>     }
>     if ( (ioptions & 2) && (bStoringCertificate == false) )
>     {
>         g_pkiReasonCode = CMS_NO_CERTIFICATE;
>         return 0;
>     }
>     pSignerCert = GetCertifcateByCertName(pcCertName); // get certificate from Cert store
>     if(!pSignerCert)
>     {
>         g_pkiReasonCode = CMS_NO_CERTIFICATE;
>         return 0;
>     }
> 
>     pkey = GetRSAPrivateKeyByCertName(pcCertName);  // gets corresponding private key
>     if(!pkey)
>     {
>         g_pkiReasonCode = CMS_NO_CERTIFICATE;
>         return 0;
>     }
>     // converts array of data to bio, since PKCS7_sign takes data in bio format
>     InputData = GetBIOBydata((char*)pbByteArraytoAuthenticate,
>                              uiByteArraytoAuthenticate_len);
>     if(!InputData)
>     {
>         g_pkiReasonCode = CMS_FAILURE;
>         return 0;
>     }
> 
>     EVP_add_digest(EVP_sha1());
>     EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
>     EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
>     EVP_add_digest(EVP_dss1());
>     EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
>     EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
>     EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
> 
>     pkcs7 = PKCS7_sign (pSignerCert, pkey, NULL, InputData,
>                         options);  // here options = 0
> 
>     usDataLength = ASN1_item_i2d(pkcs7,
>                                  &pcTempAuthData,ASN1_ITEM_rptr(PKCS7));
> 
>     if (!usDataLength)
>     {
>         g_pkiReasonCode = CMS_FAILURE;
>         return 0;
>     }
> 
>     return pcTempAuthData;
> }
> 
> Thanks,
> 
> Madhu
> 


Re: CPU horsepower needed to run openssl

2005-04-26 Thread terr
It depends what you mean by small.  A good idea would be to see if a 200 mHz P1 
will do the job.

Next - if you can forward your results to me I'd be very interested.

Depending what you are serving a power power processor like this should be able 
to keep a T1 full.  But this will depend on the mix you have running.  Most 
things in a website do not have to be encrypted.

Also - please advise what manufacturer is building those ARM machines.  I've 
been looking for something like this.  Thanks.

Terrell Larson


On Tue, Apr 26, 2005 at 12:03:24PM -0500, Stuart Yoder wrote:
>  
> We are making a CPU selection for a system and are wondering how much in
> terms of CPU horsepower/MIPS it takes to run Openssl.
>  
> Specific question--  would a 180 Mhz ARM processor with 64MB of SDRAM be
> enough to run a small SSL enabled webserver with decent performance?
> Any experience out there with low end processors and OpenSSL?
>  
> Thanks much.
>  
> Stuart Yoder


Re: SSL on a hosted site

2005-01-12 Thread terr
Usually I lurk but I can offer some suggestions.

1) it will depend on the hosting company

2) certs are the same.  The issue is that windows knows about certs from 
companies like verisign and does not know about anything you generate yourself 
- however technically they are the same.

3) Technically it should be possible to install your own root cert in a client 
computer.  This would make sense if you are doing this in an intranet 
environment (IE say corporate or government).  This totally defeats the premise 
of having a certification authority.  However we all know there is no security 
in most client computers anyways.  (ha!)  Furthermore any felon in jail can 
have his lawyer register a company and then obtain a legit cert from pretty 
much any official certification authority.  



On Wed, Jan 12, 2005 at 02:14:52PM -0800, Michael Jackson wrote:
> Can I install this on a hosted site?  How does this ensure protection for my 
> customers?  Besides the cost, is there a difference between these SSL certs 
> and ones from Versign or another company?
>  
> Mike
> 
> 
> Life is that which you make of it!


Re: Stripping the OpenSSL library

2003-01-09 Thread terr
I would be interested in looking at what you did.  I and others in the past have run 
into issues with the way OpenSSL does server side I/O.  Perhaps this will be part of a 
solution.

Please advise how I can get the code.  [EMAIL PROTECTED]

Thanx 

On Thu, Jan 09, 2003 at 02:07:03PM -0500, Sidney Fortes wrote:
> Dear OpenSSL users,
> 
> I have successfully implemented a message system mechanism using the OpenSSL
> library as the foundation for all the cryptography operations. The system
> was deployed and now, the client asked me to
> do a dependency checking and find all the OpenSSL source files that are
> being used by my code and
> with this information to produce a makefile to compile only what I really
> need from OpenSSL.
> I have tried to find the dependencies using a map from all the linked
> functions from OpenSSL and
> it turns to be something around 1700 functions.
> My Question is, Is anybody out there that have done that successfully?
> If so, what is the best approach to get it done?
> Is that going to make easy for me to port my app to another "not yet ported
> OS" ?
> 
> PS.( I don't really agree with the client's idea (but they are "Client"
> anyway), So if anybody else has an good
> idea in how to convince them that we need to keep the OpenSSL library as a
> single unit, that would be
> very appreciated)
> 
> Thanks for any and all replies,
> 
> Sidney Fortes
> 



Re: Major problems with OpenSSL and Apache 1.3.x

2002-06-24 Thread terr

check ldconfig

On Mon, Jun 24, 2002 at 01:10:08PM -0700, Hendrick Chan wrote:
> Michael,
> 
> You missed the libexec that mentioned in the example of httpd.conf:
> 
> LoadModule foo_module libexec/mod_foo.so
> 
> Michael Piskol wrote:
> 
> > Hello,
> >
> > I'm currently working on installing OpenSSL 0.9.6 under my Apache 1.3.x
> > webserver. Unfortunately, major problems occurred during testing the new
> > configuration. In detail, the Apache constantly complains that he cannot
> > find the SSL-Module although I have got the following two lines in my
> > httpd.conf:
> >
> > LoadModule ssl_module modules/mod_ssl.so
> > AddModule mod_ssl.c
> >
> > What's my mistake?
> >
> > Help! ;-)
> >
> > Michael



Re: Errors

2002-06-04 Thread terr

I sort of agree with the sentiments expressed by Shalendra Chhabra.  The value added 
by M$ or verisign is questionable.  I would rather I could pop over to my local bank 
and get a cert.  They know me and I trust them.  I do not trust Verisign.

I have said this before in this group and I will repeat it.  I see nothing that would 
stop a felon in prison from incorporating a company and getting a cert.  The bottom 
line is that the theory is fine... but in practice I feel commercial CA's should be 
institutions that we already trust - like the local bank or law office.  Trusting 
verisign or Microsoft is questionable.  I also feel it is somewhat ludicrous that my 
local bank should be expected to shell out $1000's so they can get a cert that allows 
them to re-issue certs.  IMHO this is just a racket.

In practice I think "good" works like this.  Any cert that does not fire up a warning 
message from the windows machine running the browser would be considered good.  This 
means that one can use any of many ways to load a "good" cert into the machine.  
Windows has a LOT of exploits.  Security is only as strong as the weakest link.  This 
means the end user is probably the biggest security weakness in most cases.  Simply 
pop up a dialog that asks the user to download the cert you want as a prior step.  
Perhaps write a signed active-x control and use it to install your own cert.  If the 
machine is vulnerable to a virus then one can use that hole to install a cert.  

Am I wrong?


On Tue, Jun 04, 2002 at 10:27:34AM -0500, Mark H. Wood wrote:
> On 4 Jun 2002, Shalendra Chhabra wrote:
> > 1. I am able to generate Certificate and Private Key
> > using command line options in Openssl.
> > can someone tell me are they considered good? and if they are good
> > why do we need Certificates from companies like
> > Microsoft, Verisign???
> 
> Considered good by whom, and what does "good" mean?  Certificates produced
> using OpenSSL ought to be just as good in the mathematical sense as anyone
> else's.  What those certificates *mean* depends on just how hard the
> issuer works to prove that the entity requesting the certificate is
> providing a valid identity to be bound to the requested certificate.
> 
> Certificates from recognized commercial CAs have considerable value
> because we believe that those CAs do a reasonable job of verifying
> identity.  Certificates issued by the experimental OpenSSL-based CA I have
> on my office workstation have no particular value, and in fact my CPS says
> so.  Certificates issued by random CAs set up with Microsoft's cert.
> management tools have value in proportion to the trust you place in the
> person running the CA and the security of the CA host machine.
> 
> Commercial certificates for e.g. web servers have other value as well, in
> that most Web browsers will already be set up to trust those CAs.  If you
> mint your own cert.s using OpenSSL or the Windows gadget, nobody will have
> heard of your CA so you have to convince them that you're trustworthy
> before they'll add your CA's self-signed cert. to their store of trusted
> authorities.  (Of course, some people don't require much convincing.)  A
> private CA is probably best used for internal projects only, since it's a
> lot easier to develop the necessary trust within a small, closed
> community.
> 
> The MS gadget has one other thing going for it:  it's all wrapped up in a
> pretty package so that you can just push a few buttons and have a private
> CA ready for use.  OTOH OpenSSL lets you see what it is doing, and it's
> flexible enough to do a lot more than just issue magic numbers.
> 
> -- 
> Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
> MS Windows *is* user-friendly, but only for certain values of "user".
> 



Re: Can I be my own CA?

2002-02-04 Thread terr

You can do it on a linux box and the only drawback that I can think of is that people 
will simply need to accept your certificate.  If you check out equifax I think you 
will find that they also are a CA and you may want to check around for alternatives to 
Verisign.





On Mon, Feb 04, 2002 at 12:58:53PM -0500, bjw wrote:
> Hi again,
> 
> I have a second question...
> 
> Can I host my own CA. Say on a Linux box (I think I can do it on NT, but I'd
> rather not!)
> 
> What are the draw backs to being my own CA (if it can be done)  I am not
> currently providing e-commerce but I would like to have my web based data
> encrypted, but don't wish to shell out $250 (at this time) for a verisign
> approved CA.
> 
> Thanks again for any  (and all) responses!!!
> 
> Bert Woods
> [EMAIL PROTECTED]
> www.efotoboths.com www.fantasyent.com
> 



Re: Majestr Virus - Strange? MSG Body is gone but attachment looks ok.

2001-10-23 Thread terr

On Tue, Oct 23, 2001 at 04:37:53AM -0600, [EMAIL PROTECTED] wrote:

I did include a note and its gone so I'll resend it.  I figured out what happened.  I 
use Mutt so these viruses won't affect me... and as I was including the attachment I 
got the wrong file... so I postponed the message and got the right one and in the 
process of deleting the wrong one I deleted the note.  Sorry.

Here is the URL:

http://www.trendmicro.co.uk/frame2.asp?usURL=http://wtc.trendmicro.com/wtc/&returnURL=http://www.trendmicro.co.uk/

The attachment is for Magistr.A and not Magistr.B

This could be a "C" variant - I don't know.  But I do know the "A" cleans some of it 
up and if anyone's infected at least you know where to look (one source anyway) for 
help.


For those poor souls running Windows emailers.  IMHO you're asking for trouble.  There 
has been a steady demonstration of security problems and this is escalating.  At best 
- virus scanners are reactive and not proactive.  If this is variant "C" for instance 
then the "fix" code may still leave you vulnerable.

This virus is very tame I'd say.  In about a month it will erase the BIOS and EEPROMS. 
 It will overwrite the files in your HDD and go after some sectors on the 1st HDD.

There is a month to respond.  The ticker could have been set to 30 minutes.

The payload could have tweaked the CRTC registers and that can smoke monitors.  


To the openssl-users.  I addressed the note to the chap who's system was infected and 
CC'd the group.  I did this because I suspect that there may be others in the group 
who are now infected and facing this problem.

Here is what I suggested:

1) Look for more secure mailers.  Eudora is a possibility.  I know that Netscape has a 
more secure mailer in it.  I also know that Magistr will scan the Eudora and Netscape 
address lists.  But perhaps these mail clients still offer more protection.

2) I checked out Opera (www.opera.com) and it seems to have the features that a 
windows user would like - nice - simple - seemed to be clean and certainly seems fast. 
 We can ask them if the mail system is safe.


IMHO there is absolutely no excuse whatsoever for a mail client to be able to run code 
arriving from the wild.  Let the user save the file.  Then at least he has to do 
something out of the ordinary that he can be held accountable for.

--

Sorry I spammed the list folks.  If the note had been present you'd have known what 
was going on.  I included an attachment because I know that 
my associate who got Magistr yesterday was unable to access the WWW part of the web 
and EMAIL was her only hope.  I didn't know that the server filters were so non 
specific in this case that they bark at the solution more than the problem.  

onon.

 






off topic. re valloc

2001-03-08 Thread terr

www.gnu.org documents valloc as follows:  

Function: void * valloc (size_t size) 
 Using valloc is like using memalign and passing the page size as the value of the 
second argument. It is implemented like
 this: 

 void *
 valloc (size_t size)
 {
   return memalign (getpagesize (), size);
 }



I want to allocate exactly one page - not a byte more or less.  I have not found what 
to feed valloc().   If someone knows please advise.


Thanks.

Terrell



Reply-to: originator ??

2001-02-25 Thread terr

Maybe this will work - setting the reply to back to the originator.


Those boobs were bouncing mail to the "reply to" instead of return path - then they 
blame everyone but themselves.  At least if we set the reply to back to the originator 
their mail server could have flooded itself - haha.  

I don't think you should blame RSE.  For all we know he may be visiting friends.


On Sun, Feb 25, 2001 at 08:45:22PM -0800, Michael Sierchio wrote:
> Rich Salz wrote:
> 
> > They also said they are not going to be nice any longer.  After all,
> > they "explained," it is not their mailing list sending spam, but that
> > it is the fault of, I think they believe, the host of the openssl-users
> > mailing list. 
> 
> Have you ever tried getting action, or even a response from Ralf?
> He's pretty lame.  At the very least, it would be *trivial* to
> exclude non-subscribers from submitting messages.  Another change 
> would be to set the 'reply-to' header to the originator,



my posts for help getting DSO and mod_blah running

2001-02-07 Thread terr

Due to a malformed lib.so it didn't work.  in apache_1.3.14+openssl_1.42 it appears 
the apxs script gets broken.

I have it running now.  

I also have a sample script from a friend who helped me and I'll start going thru it 
tomorrow.

... still don't know why apxs broke.  I'll look into that too.




Re: Resources about setting up CA?

2001-02-07 Thread terr

Raymond.

We may be doing similar things and it may be useful to share knowledge.

On Wed, Feb 07, 2001 at 09:08:16AM +0100, Elisee NGAN TAMBA wrote:
> 
>   Go to http://www.openca.org
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of LI CHEUK FAI
> Sent: Wednesday, February 07, 2001 8:41 AM
> To: [EMAIL PROTECTED]
> Subject: Resources about setting up CA?
> 
> 
> Hello,
> 
> I have worked with Openssl to do various tasks like self cert signing by
> setting up simple CA with script sign.sh came with modssl.
> 
> 
> But if I am going to setup a formal CA for my company's internal use, I
> think I may need more preparation. For instance, I have to setup a LDAP
> server for CRL publishing. I have to setup a web server and related CGI so
> that cert application could be done through browser. And I have to plan
> the hierarchy of the CAs and RAs.
> 
> 
> All of these would be a big task. Are there any Internet resources about
> setting up a CA with open-source software? I think Openssl could do the
> core work. But I would still need more for the a full-function CA.
> 
> 
> Besides, it seems that Openssl is not GPL. Would there be any concerns in
> building a CA with it?
> 
> 
> Yours,
> 
> Raymond
> 
> 



problems resolved w/o openssl shared libs.

2001-02-05 Thread terr

This has me stumped.  Do libraries cache or something?  I went through this at least 
10 times and used a bash script to do it all - same session even - and suddenly it is 
running.  I was damn careful to try to reproduce EXACTLY what I did before.

Perhaps there is something in the make install that doesn't work properly in all cases 
but I can not see anything.

Clearly there does seem to be a repeatable problem with the installation of the shared 
libs.

But this is totally unrelated to what I was running in to.  The problem from the 
apache side is that gen_test_char found in src/main would not run and it complained 
about a missing library.  The one thing I did differently is go into /usr/local and 
remove both ssl and apache before this latest rebuild.  Perhaps there was something in 
the old ssl directory that triggered this but I doubt it and I can't see anything that 
should not be there.

Anyway, if anyone has encountered anything like this I'd like to know.

I'll be rebuilding on a regular basis I think and if I see anything I'll try to 
reproduce and track it down.  If anyone else has any ideas please advise.

Thanks





openssl-0.9.6 + apache-1.3.14 make errors

2001-02-05 Thread terr

There seems to be a problem with ./config shared in openssl-0.9.6 that occurs 
completely independently of apache.  Os=RH6.1

The problem I am running into seems to be an apache-ssl problem so I ask the pure 
openssl people to ignore that part of the email.


This is weird.  I _had_ it all working after following Ben Laurie's instructions.  
Then something funny seems to have happened.  I think this may have been triggered by 
something I did but I can not find it.  Enlightenment would be appreciated.

apache will no longer link.  It gives the error that the "shared library"  
libcrypto.so is not available.

So... after many attempts I blew everything away and started from scratch.

1)  tar -xzvf openssl-0_0_6_tar.gz

All looks fine.  No errors nor warnings.

2)  ./config

It does not build the shared libs.  Apache seems to need shared libs but I don't know 
why.  After several failed attempts I decide to try:

3)  ./config shared

This seems to work.  Final message is Configured for linux-elf

4) make

This appears to work properly.

5) make install


This does _attempt_ to install the shared libs however it gives an error message to 
the effect that there is an unknown file format.  The specific messages are:

installing libcrypto.so
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so: File format not recognized
installing libcrypto.so.0
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so.0: File format not recognized
installing libcrypto.so.0.9.6
/usr/bin/ranlib: /usr/local/ssl/lib/libcrypto.so.0.9.6: File format not recognized
installing libssl.so
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so: File format not recognized
installing libssl.so.0
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so.0: File format not recognized
installing libssl.so.0.9.6
/usr/bin/ranlib: /usr/local/ssl/lib/libssl.so.0.9.6: File format not recognized


I specifically remember reading Ben's step 0 and it seems to me there is _something_ 
that I needed to do to openssl 0.9.6 in the way of a patch.  But I can see no relevant 
patch.  There is a patch for 0.9.5a but this is not relevant to 0.9.6.

If anyone has tried compiling and linking apache 1.3.14 into openssl using the tar 
from apache-ssl.org - specifically apache_1_3_14+ssl_1.1.42_tar.gz

In any event it appears to me that the shared option is not working.  The system is 
redhat 6.1 and it is the server edition.



Now - there is something that I did which I don't think is related.  I was trying to 
figure out the ld commands for creating a DSO because I have not done this before.  So 
I cd'd to the openssl source tree and typed make libcrypto.so  This _should_ be pretty 
harmless.

After this nothing ran.  Even blowing everything away and starting fresh does not seem 
to work.

Anyway...  I do not remember building ssl for shared library support and I don't think 
it needs to be in a shared library.  I think there may be a link or something that is 
bad.  

If anyone has any ideas please let me know.  Thanx





Re: Netscape accepts cert from evil empire - found it!!

2001-02-04 Thread terr

Michael, thank you.  I did find it under "more info".  This sure is not obvious mind 
you... thanx for the clarification.


On Sun, Feb 04, 2001 at 06:08:20PM +0100, Michael Ströder wrote:
> [EMAIL PROTECTED] wrote:
> > 
> > I created a cert with the host name known as www.evilempire.com
> > and netscape was quite happy to accept it and never reported that
> > the URL I typed in does not match the name carried within the cert.
> 
> You're wrong. Even those old Netscape Navigator 4.0x certainly asks
> if the host name component of the URL does not match CN attribute of
> the server cert.
> 
> There was a bug in Netscape browser (4.72 and earlier version)
> related to session caching. Maybe this is what you're experiencing.
> (But I doubt it.)
> 
> Compare with:
> http://www.cert.org/advisories/CA-2000-05.html
> http://www.cert.org/advisories/CA-2000-08.html
> 
> Ciao, Michael.



Netscape accepts cert from evil empire

2001-02-04 Thread terr

First off - I am new to this and I'm learning.  I do not claim to know very much about 
it and asked the question in openssl-dev because it seemed to me that if the DNS is 
hijacked that the transaction can be masqueraded.

I did a test with Netscape 4.07.  This browser is not terribly old.

I created a cert with the host name known as www.evilempire.com and netscape was quite 
happy to accept it and never reported that the URL I typed in does not match the name 
carried within the cert.

However - it did warn me all over the place that I was accepting a cert from an known 
CA.  It properly displayed the identification information but NOT the recorded host 
name.

Perhaps this works differently in a proper cert issued by say Verisign.  I do know 
that they put the host name in the CommonName field of the cert.  It is just that in 
my test I was quite surprised that Netscape did not tell me that there is a mismatch.  
So I may well have come to an improper conclusion.





trying to understand handshake in s23_srvr.c apache 1.3.14 + openssl 0.9.6 solutions

2001-02-03 Thread terr

OK - I think I found it.

For anyone trying to configure this there are some pointers.

1)  The httpsd.conf file found in the apache directory, typically in 
/usr/local/apache_1.3.14/conf  is not used.  The server instead looks for
httpd.conf.  You can grab the one Ben Laurie created and modify it heavily.  Pay 
careful attention to the paths where things are found.

2)  Ben has set up heap as his virtual machine.  The server seems to key on the port 
number as follows:

  - standard http port is 80
  - secure https port is 443

  - you typically want the server to listen to both ports  (and you can use Ben's 8887 
and  for testing if you wish)

  - Apache is dumb as a brick and does NOT KNOW which protocol is running on which 
port.  You need to tell it like this.

Port 80
Listen 80
Listen 443

NameVirtualHost www.mydomain.com


ServerAdmin [EMAIL PROTECTED]
DocumentRoot /webroot/
ServerName www.mydomain.com
ServerPath /mydomain
ErrorLog logs/error-log-mydomin
TransferLog logs/access-log-mydomin
SSLDisable


When the http request comes in on port 80 it is directed to a virtual host which does 
NOT run https.  If you do not do this then apache will fire the handshake into the 
openSSL code and it will result in a trap in routine s23_srvr.c around line 285 or so. 
 Of course the error message will not clue you in to the fact that apache is trying to 
feed http protocol into https code.

3)  Debugging output is enabled in the code.  Before you put it into production you 
will probably want to disable it and recompile.

4)  There is a LOT of configuration that you need to do.  

5)  Note: the above example has some special directives that are designed for Name 
Based Virtual Hosting.  In particular the ServerPath directive allows you some support 
for brain dead old browsers such as the one shipped in OS/2.  Read all about it in the 
apache docs.  It really does not belong in here but there's a tip anyway.

6)  You do not seem to have to do any patching to openSSL 0.9.6 (0.9.5a does require 
the patch)

If people want I'll document all this and put it up on my website.  Just let me know.



Re: trying to understand handshake in s23_srvr.c

2001-02-03 Thread terr

 I'm having a problem getting apache and openssl 0.9.6 running.  I'm getting the 
following message.
 
 [Sat Feb  3 18:40:27 2001] [notice] Apache/1.3.14 Ben-SSL/1.42 (Unix) configured -- resuming normal operations
 [Sat Feb  3 18:40:27 2001] [info] Server built: Feb  3 2001 18:40:04
 [Sat Feb  3 18:40:57 2001] [debug] apache_ssl.c(369): Random input /dev/urandom(1024) -> 1024
 [Sat Feb  3 18:40:58 2001] [error] SSL_accept failed
 [Sat Feb  3 18:40:58 2001] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
 
 
 So I put some debugging code in and found out that the server is receiving the 
 following request:
 
 GET / HTTP/
 
 This is in the buffer (char *)p
 
 I am under the impression that this is correct.  
 
 
 Can someone enlighten me?
 
 thanx
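
The "http request" error in the log above comes from cleartext HTTP arriving on a port where the server expects an SSL handshake. As an added example (not code from the original posts and not OpenSSL's own source), the C below sketches that kind of first-bytes check using the standard SSLv2 and SSLv3/TLS wire layouts; the enum, the function names and the sample byte strings are this example's own constructions.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Outcome labels are this example's own, not OpenSSL identifiers. */
enum first_bytes {
    FB_TOO_SHORT,     /* not enough data to decide */
    FB_SSL2_HELLO,    /* SSLv2-format ClientHello */
    FB_TLS_HELLO,     /* SSLv3/TLS handshake record carrying a ClientHello */
    FB_HTTP_REQUEST,  /* cleartext HTTP sent to an SSL port */
    FB_PROXY_CONNECT, /* cleartext proxy CONNECT sent to an SSL port */
    FB_UNKNOWN
};

static int starts_with(const unsigned char *p, size_t n, const char *s)
{
    size_t len = strlen(s);
    return n >= len && memcmp(p, s, len) == 0;
}

enum first_bytes classify_first_bytes(const unsigned char *p, size_t n)
{
    /* Cleartext method tokens: the client never started a handshake. */
    if (starts_with(p, n, "GET ") || starts_with(p, n, "POST ") ||
        starts_with(p, n, "HEAD ") || starts_with(p, n, "PUT "))
        return FB_HTTP_REQUEST;
    if (starts_with(p, n, "CONNECT"))
        return FB_PROXY_CONNECT;
    if (n < 6)
        return FB_TOO_SHORT;
    /* SSLv2: 2-byte length with the high bit set, then msg type 1. */
    if ((p[0] & 0x80) && p[2] == 0x01)
        return FB_SSL2_HELLO;
    /* SSLv3/TLS: content type 22 (handshake), major version 3,
       5-byte record header, then handshake type 1 (ClientHello). */
    if (p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01)
        return FB_TLS_HELLO;
    return FB_UNKNOWN;
}

const char *describe(enum first_bytes r)
{
    switch (r) {
    case FB_HTTP_REQUEST:  return "plain HTTP on an SSL port: check Listen/VirtualHost/SSLDisable";
    case FB_PROXY_CONNECT: return "plain proxy CONNECT on an SSL port";
    case FB_SSL2_HELLO:    return "SSLv2-format ClientHello";
    case FB_TLS_HELLO:     return "SSLv3/TLS ClientHello";
    case FB_TOO_SHORT:     return "too few bytes to classify";
    default:               return "unrecognised first bytes";
    }
}

/* Constructed sample inputs (not captured traffic). */
static const unsigned char SAMPLE_HTTP[] = "GET / HTTP/1.0\r\n\r\n";
static const unsigned char SAMPLE_TLS[]  = {0x16, 0x03, 0x01, 0x00, 0x2f,
                                            0x01, 0x00, 0x00, 0x2b, 0x03, 0x01};
static const unsigned char SAMPLE_SSL2[] = {0x80, 0x2e, 0x01, 0x03, 0x01,
                                            0x00, 0x15, 0x00, 0x00, 0x00, 0x10};

int main(void)
{
    printf("http: %s\n", describe(classify_first_bytes(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1)));
    printf("tls:  %s\n", describe(classify_first_bytes(SAMPLE_TLS, sizeof SAMPLE_TLS)));
    printf("ssl2: %s\n", describe(classify_first_bytes(SAMPLE_SSL2, sizeof SAMPLE_SSL2)));
    return 0;
}
```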



Call them ask for accts payable and bill them Re: Message status - undeliverable

2001-01-11 Thread terr

Yes - send them a bill.  I think there were about 200 messages and they impacted over 
100 people so that is about 20,000 messages.  Management will not even HEAR about it 
unless you call accounts payable.  SO call accounts payable and ask for the billing 
address...  then you can be sure that management will hear the message. 


On Wed, Jan 10, 2001 at 04:01:57PM -0700, Varga, Jack wrote:
> Call and complain.  They're aware their server is spamming
> but didn't want to shut it down because it's their main 
> outbound mail queue... 
> 
> Novell, Inc. (NOVELL-DOM)
>122 East 1700 South
>Provo, UT 84606  US
> 
>Domain Name: NOVELL.COM
> 
>   Technical Contact:
>   Johnson, David N.  (DNJ4)  [EMAIL PROTECTED]
>   122 East 1700 South
>   Provo, UT 84606
>   801-861-2561 (FAX) (801) 861-5556
> 
> > -Original Message-
> > From: Jeff Magnusson [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 10, 2001 3:18 PM
> > To: CVS-devel List; [EMAIL PROTECTED]
> > Subject: RE: Message status - undeliverable
> > 
> > 
> > I'm getting a whole shitload of these.
> > 
> > -
> > Jeff Magnusson ([EMAIL PROTECTED])
> > River Styx Internet  
> >  
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: January 10, 2001 1:14 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Message status - undeliverable
> > > 
> > > 
> > > The message that you sent was undeliverable to the following:
> > >   RShyamsundar
> > > 



Re: your mail

2000-11-10 Thread terr

IMHO you should tell your 3rd party to use SSH and you need to do a little "educating" 
in your organisation.

On Wed, Nov 08, 2000 at 02:56:05PM +, Ian Diddams wrote:
> 
> I've been tasked into investigating a link a 3rd party may be making to our
> servers shortly over SSL.
> 
> I've downloaded OpenSSL and installed it etc... but frankly I don't know
> what I'm supposed to do with it!
> 
> The 3rd party mentioned will basically be telneting in over an SSL link I
> am told (but nobody knows any more :-( ) ... so how exactly would such an
> arrangement normally occur? Any ideas?
> Apologies for the ignorance, but I have to start somewhere (the 3rd party
> is not available for questioning AFAIUI).
> Ian
> 



RE: (HotStocks Spam) Solutions

2000-09-29 Thread terr

IMHO this is quite relevant.  If you don't want people to comment on the
spam then how about you show leadership here.

There probably is a way - perhaps a direct tap into orbs - BUT that would
affect us more than them.  See - if the ISP the emails are originating
from is in say ORBS then all mail from that ISP will get bounced - hence
we will not get it...  But - if one of OUR members is running through that
ISP then that member's posts - not the deliveries - just the posts will
also get blocked.

Now - in order for said jokers to dump the mail into the server - they
must first join the group.  We can block it by dropping their membership.
However - they will just rejoin.  This is still controllable because with a
little effort we can screen the junk from new members and in fact automate
the expel process.  They will catch on quickly.  If it takes them a
considerable amount of work to join and we can expel them quickly - they
will soon grow tired and look for greener pastures.

Perhaps Ralph should look into this.  But it might make more sense for
some savvy programmers and sysadmins to help Ralph because I'm sure he is
up to his eyeballs in real work and not dealing with these nuisances.

Terrell


On 29 Sep 2000, Lewis McCarthy wrote:

> "Dearnaley (EXT), Roger" wrote to openssl-users:
> > Is there some way to block these jokers from the list?
> 
> Since it has nothing to do with OpenSSL, could you please not 
> discuss spam on this list? Pretty please, with sugar on top?
> 
> Thanks
> -Lewis






Spam Re Your mail

2000-08-30 Thread terr

From:

"raffa aste" <[EMAIL PROTECTED]>

There has been more than a little spam running through this list.  Is
there some way we can block the hosts?

I'm thinking a link to orbs may be in order - or perhaps contact the relay
admin and / or the ISP that these jerks connect to.

I realise this might piss off some people who subscribe to the list - but
what other choice do we have?  Note: Telstra was blackholed by ORBS last
week.  This meant that a big chunk of Australian email bounced.

It's tough medicine but it works.


On Wed, 30 Aug 2000, raffa aste wrote:

> 
> -
> Click here for Free Video!!
> http://www.gohip.com/free_video/
> 
> 




RE: Legality - just heated up

2000-06-28 Thread terr

You don't play poker do you.  There is no way that RSA has any claim to
openSSL at all and outside of the US they have no claim to patent
protection either.  Of course, if you were a salesman sitting behind an
RSA desk and you had someone dumb enough to ask - what do you think the
response will be?

The salesman has a duty to his employer and he is entitled to his opinion.
No salesman worth his salt will tell a potential licensee that he doesn't
want the money and oh... go use a better competing product that is for
free.  I mean come on!  

Now, it is possible that RSA just _might_ launch a frivolous lawsuit with
the intention of trying to scare people away from using openssl (and hence
paying licensing fees to RSA).  There are many lawsuits of this nature.
If so, some poor schmuck will have to fork over a hell of a lot in legal
fees (possibly up to 100,000) and if they don't hire competent legal
advice and end up losing the case - this would give RSA the right to claim
precedent...

So let's not waste our time calling up RSA and asking stupid questions, ok?  







Re: patent issues (multiprimes)

2000-05-11 Thread terr

ok - I just read part of the paper.  I'm not a cryptographer but I am a
mathematician and here are some trivial conclusions.

the algorithm is looking for a number:  N where N=p*q for two primes p and
q of relatively the same size.

If you look at the _original_ equations developed by Pohlig-Hellman what
you have for the encryption operation is simply this:

C = M^e mod p for some message M and exponent e and _relatively large_
prime number p.

Now - there is no fundamental reason why the number "p" has to be prime or
even that it has to be large.  But there are some things I'll speculate
about - and maybe check out when I have more time.  And here are some
simple observations:

1) The number of bits in M must be less than in p...  the reason is as
follows... since we are taking a modulo - if M is greater than p then any
additional bits will be lost... that is if M has one more bit than p, then
there will be two messages that map the same way, etc.

2) We end up with a number C (cypher) and this number as it turns out can
be viewed as the last digit of M expressed in base p.  This is obvious.
Suppose p = 3.  Then we have in base 3 numbers of the form a0 + a1*3 +
a2*3^2 + a3*3^3 + ... and since we're talking modulo it is obvious that
a1, a2, a3, ... drop off.  In this sense - modulo arithmetic is sort of
like a base conversion.

3) ok, we're raising a number by a power.  On each step we can throw away
the digits above the a0 digit.  Again - this is obvious.  

4) This gives us a mapping with a finite length.  Suppose we start by
converting M to a "digit" in a numbering system of base p - I'll notate
each digit (which might be a rather large string) as #1, #2, #3, ...

So we get something like this.  x * x yields #a0 + #a1*p + #a2*p^2 + ...
but everything after #a0 drops off so we get a series of jumps through the
possible digits that comprise the base.  

Since there are "p" digits... no path through these digits can exceed the
number of digits (obvious).

Here's an example - base 10:

starting number:  sequence... note the path length.

0) 0*0=0  we're done - path length is one.

1) 1*1=1  path length is 1

2) 2-4-8-6-2

3) 3-9-7-1-3

4) 4-6-4

5) 5-5  path length is one

6) 6-6  path length is one

7) 7-9-3-1-7

8) 8-4-2-6-8

9) 9-1-9


So, base 10 is made up of 2*5, both of which are prime and we have two
paths of length 4 and two paths of length 2 and four paths of length 1.  

both paths of length >2 are traversed both ways.

This makes sense to me.

ok - here is the base 12 table.


0) 0-0

1) 1-1

2) 2-4-8-4-8

3) 3-9-3-9

4) 4-4

5) 5-1-5-1

6) 6-0-0

7) 7-1-7-1

8) 8-4-8-4

9) 9-9

a) a-4-4

b) b-1-b-1


This looks a lot like repeating fractions... hmm - and combinatorics.   

what this means is knowing what the base is - which is the number we
start with - we can easily generate all message chains and simply search
using the cypher to find which one is which.  


Now - the LONGEST chain is p steps long.  I suspect this may occur when
the base is prime.  But I haven't looked into it much.


If so - then the number of distinct circuits through the field of digits
might be related to the factors in the base... and if so - then whenever
the base is chosen to be "multiprime" - the encryption weakens.

Here is p=7:

0) 0-0

1) 1-1

2) 2-4-1-2

3) 3-2-6-4-5-1-3

4) 4-2-1-4

5) 5-4-6-2-3-1-5

6) 6-1-6


Another way of looking at this is as follows.


In Pohlig-Hellman they chose p in the equation to be prime.  In RSA they
chose "p" to be a product of two primes.  Presumably the product is easier
to crack - but has the wonderful benefit that we can use both private and
public parts.

But if this is extended I suspect that all that happens is that it gets
weaker.  If one relaxes the minimization of the number of factors
comprising "P" then we can choose any old number.. who cares how many
factors... 


Please don't stomp on me... I'm not a cryptographer and have done little
work in number theory.





On Thu, 4 May 2000, Lutz Jaenicke wrote:

> On Thu, May 04, 2000 at 10:39:05AM +0100, Mark J Cox wrote:
> > > Which is about to expire in a few months, if I remember correctly :-)
> > 
> > Then we get into the new MultiPrimes patent instead.  For details:
> > http://www.apacheweek.com/issues/00-04-21#rsa2000  
> 
> Well, but then, who cares?
> 
> The MultiPrime patent does not cover the "old" RSA techniques. It will
> only hit me, when I want to use this new technique.
> It is not even part of the TLS standard, such that all products offering
> SSL ("old" techniques) or TLS (upcoming standard) will interoperate with
> old "unlicensed" software.
> As of today, with Netscape and InternetExplorer having nearly all of the
> market: as long as they support "old" RSA, we won't miss MultiPrime support.
> How long is SSLv2 outdated? It is still in these products...
> 
> Best regards,
>   Lutz
> * Even though it should be clear:
>   - Every technique that is covered by the "old" RSA patent is covered by
> the 
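
The power chains tabulated in the message above, as an added example that is not part of the original post: the C below follows x, x^2, x^3, ... modulo n until a value repeats, reproducing the base 10, 12 and 7 tables and reporting how many values precede the repeating part and how long the cycle is. The names power_chain, longest_cycle and MAX_MODULUS are this example's own; for start values coprime to n the cycle length is the multiplicative order of x, which always divides phi(n).

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_MODULUS 64  /* example limit; the email's tables use 7, 10 and 12 */

struct chain {
    unsigned values[MAX_MODULUS]; /* distinct values in visiting order */
    size_t   length;              /* number of distinct values visited */
    size_t   tail;                /* values visited before the cycle starts */
    size_t   cycle;               /* length of the repeating part */
};

/* Follow x, x^2, x^3, ... (mod n) until a value repeats.
   Returns 0 on success, -1 if n is outside the supported range. */
int power_chain(unsigned x, unsigned n, struct chain *c)
{
    int first_seen[MAX_MODULUS];
    unsigned v, xr;
    size_t i;

    if (n < 2 || n > MAX_MODULUS)
        return -1;
    for (i = 0; i < n; i++)
        first_seen[i] = -1;

    xr = x % n;
    v = xr;
    /* At most n distinct residues exist, so this stops within n steps. */
    for (i = 0; first_seen[v] < 0; i++) {
        first_seen[v] = (int)i;
        c->values[i] = v;
        v = (v * xr) % n;
    }
    c->length = i;
    c->tail = (size_t)first_seen[v]; /* index where the repeat re-enters */
    c->cycle = i - c->tail;
    return 0;
}

/* Longest repeating part over every start value 0..n-1. */
size_t longest_cycle(unsigned n)
{
    struct chain c;
    size_t best = 0;
    unsigned x;

    for (x = 0; x < n; x++)
        if (power_chain(x, n, &c) == 0 && c.cycle > best)
            best = c.cycle;
    return best;
}

static void print_table(unsigned n)
{
    struct chain c;
    unsigned x;
    size_t i;

    printf("modulus %u (longest cycle %lu)\n", n, (unsigned long)longest_cycle(n));
    for (x = 0; x < n; x++) {
        if (power_chain(x, n, &c) != 0)
            return;
        printf("  %x)", x);
        for (i = 0; i < c.length; i++)
            printf(" %x", c.values[i]);
        printf("   tail=%lu cycle=%lu\n",
               (unsigned long)c.tail, (unsigned long)c.cycle);
    }
}

int main(void)
{
    print_table(10);
    print_table(12);
    print_table(7);
    return 0;
}
```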

Re: patent issues

2000-05-01 Thread terr

OpenSSL so far is patent free and probably will remain generally so unless
some hotshot chooses to try to patent something which has already been
done - but they don't know about.  This has happened - I have examples.

RSA's stuff is patented in the US only and it expires as you say in Sept.
Thus - if you simply exclude it then you are fine (Use blowfish or DSA) -
or if you use it outside of the USA then you are fine and finally - just
wait until September.

Good luck.







Re: Verisign/NSI/Thawte monopoly

2000-03-30 Thread terr



You missed my point.  Read on...

>   b) Certificates authenticate that the person is who they say they
>  are.
> 
> Trust goes to trusting that second statement, not the trustworthiness
> of the company behind the statement.
> 

People in general presume that when they see the little key that they are
dealing with a "bona fide" business.  Yes, I know that the certification
process does not do this.  And since it doesn't do this it isn't worth
much.

>  Getting a bank account is just as trivial and does NOT add anything
> to the value of the trustworthiness of the company. It just says that
> (in your example) that the fraudster went with a piece of ID such as
> a birth certificate, drivers license (again easily duplicated) and
> his company papers and opened up an account for that company.

It SURE IS worth something.  Banks have filing requirements and they
generally KNOW their customers.  Furthermore there are a number of credit
reporting agencies affiliated and you can contact a number of them and get
credit information before you deal with the company.  

But I think you sort of made my point here - if the bank - which generally
KNOWS its customers - doesn't provide much of anything in the way of
saying anything about the "legitimacy" of a business, then a cert from any
of the present CA's says even less.  You note that the bank is not in the
position of charging you several hundred per year for your bank account
number.  Verisign is exactly in this position and is doing it.

Furthermore - if you bill over the internet via say VISA or pretty much
ANY credit card for that matter - the banks will require you to deposit
sufficient funds so that if there is ANY dispute over whether the
transaction is legitimate - then YOU, as the MERCHANT, carry full
responsibility and the customer need only complain and ask for his money
returned.

And if you end up with a sizeable number of chargebacks I can assure you
that your merchant VISA account will be cancelled.  So there is
accountability imposed by the banking side of the e-commerce system.

To put it succinctly - if you have a merchant VISA account and can bill via
the net - this means something - and in fact the merchant VISA number
which shows up on your visa bill is a GOOD measure of authenticity.

Anyone can get Verisign to issue a cert - but the standards for a merchant
account aren't quite so simple.






RE: Verisign/NSI/Thawte monopoly

2000-03-28 Thread terr

I looked closely into purchasing a cert from Thawte and it is still
something WE'll have to do.  What strikes me though is that it seems to me
that there is no real value in such a thing.

I can for instance incorporate a company and shell out about $200 and get
my cert.  After that everyone trusts me.  Total cost is oh about $500 or
so if I do the incorporation myself.  This is pretty trivial actually.

I could be in jail for FRAUD and still get a cert.


So it seems to me that while the cert may certify that said organization
is who they say they are - nobody seems to ask if who they say they are
has any relevance to anything.  

In fact - I'll bet I can go down to our local government offices in Canada
and register Ajax Web Contractors and then send a cert request on to
Thawte and since Ajax now exists and is legitimately registered as say a
"sole proprietorship" - the cert will be issued.

Last time I registered a "sole proprietorship" it cost me $5.00 and I
don't recall them asking for ID.

The problem of course is that a chain is only as strong as its weakest
link and the threads that bind cert security together appear really
tenuous to me.

=

That having been said - we have a very practical problem on our hands.
Microsoft saw fit to include a very LIMITED number of cert issuing
authorities in IE and the majority of people use IE.  IMHO there IS no
security in a windows system anyway and precious little in the fact that
somebody issued said cert to said fly-by-night ecommerce organization.
Still - people want to see the little key-lock on and certain commercial
interests know this and are busy purchasing the key players in the
interest of milking cyberspace - with I might add - little concern as to
the INTENT of a certification process.

I therefore see no moral reasons why we just don't go into IE and patch a
few files to introduce a few new players.  

I suspect there will be a moral outcry over such a suggestion but the
other alternative seems to be for each of us who has an e-commerce
interest - to quietly hand over to some wealthy American interests a
ransom for the privilege of doing e-commerce.

Or to put it another way - I do business and I deal with my bank for
instance.  I trust my bank...  and I would be quite happy if my bank
issued a cert for me to use that authenticates that my company is a good
corporate citizen and in good standing with the bank at least.  A cert
from my bank would mean something.  A cert from Thawte does not and
neither does a cert from Verisign.  Since my bank for instance would be
considered probably by the vast majority of customers to be a far more
reliable measure of e-commerce trustworthiness, why should my bank be
forced into the situation of having to fork over hundreds of thousands or
even millions for literally NOTHING... if it wants to issue a cert?  

This is a ransom fee and little more.

=

I think it is quite germane to us who develop the keys that enable
internet commerce and security to look at the broader issue of who
controls and profits from the technology we develop.  

 

