Re: Remove from mailing list

2021-05-28 Thread Matthias Apitz
On Saturday, May 29, 2021 at 01:02:52 a.m. -0400, Amber Shepherd wrote:

> Hi,
> Can you please let me know what I need to do in order to unsubscribe
> from this list?

Look into the header lines of the mails from the list for List-Unsubscribe:

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
¡Con Cuba no te metas!  «»  Don't mess with Cuba!  «»  Leg Dich nicht mit Kuba 
an!
http://www.cubadebate.cu/noticias/2020/12/25/en-video-con-cuba-no-te-metas/


Remove from mailing list

2021-05-28 Thread Amber Shepherd
Hi,
Can you please let me know what I need to do in order to unsubscribe
from this list?

Thank you
Amber shepherd


Re: Remove All Software Generators

2019-10-31 Thread Kurt Roeckx
On Wed, Oct 30, 2019 at 02:12:19PM -, Frederick Gotham wrote:
> 
> It appears that OpenSSL will kick and scream and refuse to die no 
> matter how hard you hit it. If I try to generate a random number like 
> this:
> 
> openssl rand -hex 8
> 
> Then it seems it will try in this order:
> 
> 1) The TPM2 chip
> 2) The software simulator of the TPM2 chip
> 3) The built-in RDRAND number
> 4) Another one that I can't find

Which version of OpenSSL are you using?

> I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of 
> the in-built engine. I have even done "rm /dev/random" and "rm 
> /dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I 
> run openssl rand -hex 8.

Depending on the version of OpenSSL and the kernel, you might also
use the getentropy()/getrandom() call.

Since 1.1.0 Configure supports the --with-rand-seed=none
option.


Kurt
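
Added example (not part of Kurt's message and not OpenSSL code): a small C program showing why removing /dev/random and /dev/urandom does not cut a Linux process off from kernel randomness. It calls getrandom() directly; the function names kernel_random_bytes and hex_encode are made up for this illustration.

```c
/* Added illustration, not OpenSSL source: obtain random bytes from the
 * Linux kernel through getrandom(2) without opening any /dev node. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(), GRND_NONBLOCK (glibc >= 2.25) */
#include <sys/types.h>
#include <unistd.h>

/* Fill buf with len bytes from the kernel CSPRNG.
 * nonblock != 0: fail with errno == EAGAIN instead of waiting when the
 * kernel pool is not yet initialised (early boot on an embedded device).
 * Returns 0 on success, -1 on error with errno set (ENOSYS on kernels
 * that do not have the system call). */
int kernel_random_bytes(unsigned char *buf, size_t len, int nonblock)
{
    unsigned int flags = nonblock ? GRND_NONBLOCK : 0;
    size_t done = 0;

    while (done < len) {
        ssize_t n = getrandom(buf + done, len - done, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            return -1;
        }
        done += (size_t)n;         /* short reads are possible */
    }
    return 0;
}

/* Lower-case hex, the same shape as the output of "openssl rand -hex".
 * out must have room for 2 * len + 1 characters. */
void hex_encode(const unsigned char *in, size_t len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
}

int main(void)
{
    unsigned char buf[8];
    char hex[2 * sizeof buf + 1];

    /* Report whether the device node exists; the call below does not use it. */
    printf("/dev/urandom present: %s\n",
           access("/dev/urandom", F_OK) == 0 ? "yes" : "no");

    if (kernel_random_bytes(buf, sizeof buf, 0) != 0) {
        perror("getrandom");
        return 1;
    }
    hex_encode(buf, sizeof buf, hex);
    printf("%s\n", hex);
    return 0;
}
```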



Re: Remove All Software Generators

2019-10-31 Thread Salz, Rich via openssl-users
Why not just change things so that if your module fails to load, the library 
exits?

Don't change the RAND code, change the INIT code.
 



Re: Remove All Software Generators

2019-10-31 Thread Frederick Gotham
Frederick Gotham wrote:


> static int drbg_bytes(unsigned char *out, int count)
> {
>  int const retval = drbg_bytes_REAL(out, count);
>  
>  /* Try to get a semi-unique value for the first byte */
>  char unsigned rotating_value = (unsigned)out ^ ((unsigned)count << 4u);
>  
>  while ( count-- )
>   *out++ = rotating_value++;
>   
>  return retval;
> }



Ugh This doesn't work either. It fails to boot up when it tries to 
generate keys for SSH.

Next I'll try to make every nibble sequential -- instead of just every byte.



Re: Remove All Software Generators

2019-10-31 Thread Frederick Gotham
Frederick Gotham wrote:
> 
> I will change the random number generator built into OpenSSL to always 
> return sequential numbers, something like:


Here's what I have:

static int drbg_bytes(unsigned char *out, int count)
{
    int const retval = drbg_bytes_REAL(out, count);

    /* Try to get a semi-unique value for the first byte */
    char unsigned rotating_value = (unsigned)out ^ ((unsigned)count << 4u);

    while ( count-- )
        *out++ = rotating_value++;

    return retval;
}



Re: Remove All Software Generators

2019-10-31 Thread Frederick Gotham
Frederick Gotham
 wrote:
> 
> And anyway this behaviour didn't come from deleting /dev/random, but
> rather from making the default generator inside OpenSSL always give 0
> for a random byte.



I will change the random number generator built into OpenSSL to always 
return sequential numbers, something like:


{
    static char unsigned val = 0;

    while ( num-- )
        *buff++ = val++;
}

This shouldn't break anything.

Then if ever I am in doubt about where a random number came from, I just 
check to see if it's something like 0102030405.



Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Frederick Gotham
 wrote in
news:XnsAAF8BACC24C3Bfgotham@195.159.176.226: 

> Jochen Bern 
> wrote: 
> 
>> SSH logins from remote that fail
> 
> 
> This is my exact problem right now. My device has booted up and I
> can't SSH into it. But this doesn't entirely make sense since it should
> be getting random numbers from the TPM2 chip anyway.
 
 

And anyway this behaviour didn't come from deleting /dev/random, but rather 
from making the default generator inside OpenSSL always give 0 for a random 
byte.



Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Jochen Bern  wrote:

> SSH logins from remote that fail


This is my exact problem right now. My device has booted up and I can't SSH 
into it. But this doesn't entirely make sense since it should be getting 
random numbers from the TPM2 chip anyway.



Re: Remove All Software Generators

2019-10-30 Thread Jochen Bern
On 10/30/2019 04:19 PM, openssl-users-requ...@openssl.org digested:
> From: Frederick Gotham 
> To: openssl-users@openssl.org
> 
> I even tried deleting /dev/random and  /dev/urandom

... don't do that. The Linux kernel is both a provider and a consumer of
entropy, e.g., to randomize the TCP sequence numbers as it establishes
TCP connections on behalf of applications. Unless you go all the way and
add a TPM driver (as the only source of entropy) to *the kernel*, you
risk ending up with "good crypto" on the application layer but easily
hijacked connections, defeated stack randomization, SSH logins from
remote that fail, etc. etc..

Kind regards,
-- 
Jochen Bern
Systemingenieur

E  jochen.b...@binect.de
W  www.binect.de


Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Dmitry Belyavsky  wrote:

> You should do in your engine the following:


Just so you know, I'm not a developer of the TPM2 engine for OpenSSL.

Of course though I can still go in and edit the code here and there.


> Implement the TPM-provided RAND_METHOD in the engine
> call ENGINE_set_RAND for RAND method in the engine bind function
> 
> and write a config file similar to
> 


Even if I do all that, there is still the possibility that OpenSSL might 
use its built-in generator (for example if my library fails to load).

So it seems I must get the built-in generator to either:
1) Always return 0
2) Call 'abort'







Re: Remove All Software Generators

2019-10-30 Thread Dmitry Belyavsky
On Wed, Oct 30, 2019 at 6:58 PM Frederick Gotham 
wrote:

> Dmitry Belyavsky  wrote
> in
> news:cadqlbz+jctu_yqiw9w-fyo0o56mqua2nri6helr6pggxqdh...@mail.gmail.com:
>
> > On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> >  wrote:
> >
> >> Dmitry Belyavsky 
> >> wrote:
> >>
> >> >> You still have the OpenSSL built-in RNG.
> >>
> >>
> >>
> >> Is there a simple compiler flag to remove this?
> >>
> >> Or do I need to go into the source code and stick a "return -1;"
> >> somewhere?
> >>
> >> No. Openssl will not work if you do not provide a valid RAND_METHOD
> >> except
> > a very minimal set of operations.
> >
>
>
> So I have to go into the source code and do the following?
>
> int RAND_bytes(unsigned char *buf, int num)
> {
> memset(buf,0,num);
> return 1;
> }
>
> I can either make this function fail (e.g. call 'abort'), or I can always
> make it return 0.
>
> What do you think?
>
No. It just makes the RNG unsuitable for any purpose but does not help you.

You should do in your engine the following:

Implement the TPM-provided RAND_METHOD in the engine
call ENGINE_set_RAND for RAND method in the engine bind function

and write a config file similar to
=
openssl_conf = openssl_def
[ openssl_def ]
engines = engines_section
[ engines_section ]
cryptocom = my_section

[ my_section ]
engine_id = myengine.so
default_algorithms = RAND
=

-- 
SY, Dmitry Belyavsky


Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Dmitry Belyavsky  wrote
in
news:cadqlbz+jctu_yqiw9w-fyo0o56mqua2nri6helr6pggxqdh...@mail.gmail.com: 

> On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
>  wrote:
> 
>> Dmitry Belyavsky 
>> wrote: 
>>
>> >> You still have the OpenSSL built-in RNG.
>>
>>
>>
>> Is there a simple compiler flag to remove this?
>>
>> Or do I need to go into the source code and stick a "return -1;"
>> somewhere? 
>>
>> No. Openssl will not work if you do not provide a valid RAND_METHOD
>> except 
> a very minimal set of operations.
> 


So I have to go into the source code and do the following?

int RAND_bytes(unsigned char *buf, int num)
{
memset(buf,0,num);
return 1;
}

I can either make this function fail (e.g. call 'abort'), or I can always 
make it return 0.

What do you think?



Re: Remove All Software Generators

2019-10-30 Thread Dmitry Belyavsky
On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham 
wrote:

> Dmitry Belyavsky  wrote:
>
> >> You still have the OpenSSL built-in RNG.
>
>
>
> Is there a simple compiler flag to remove this?
>
> Or do I need to go into the source code and stick a "return -1;" somewhere?
>
No. Openssl will not work if you do not provide a valid RAND_METHOD except
a very minimal set of operations.

-- 
SY, Dmitry Belyavsky


Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Dmitry Belyavsky  wrote:

>> You still have the OpenSSL built-in RNG.



Is there a simple compiler flag to remove this?

Or do I need to go into the source code and stick a "return -1;" somewhere?



Re: Remove All Software Generators

2019-10-30 Thread Dmitry Belyavsky
On Wed, Oct 30, 2019 at 6:20 PM Frederick Gotham 
wrote:

> Dmitry Belyavsky  wrote
>
> >> /etc/ssl/openssl.cnf
> >
> > Yes, or any custom.
> > But the engine must provide the RAND_METHOD and set it as default.
> >
> >
>
>
>
> But if my TPM2 engine fails to load, then OpenSSL will just use the
> 'rdrand' engine.
>
> So my defense against this is to rebuild OpenSSL with the flag
> OPENSSL_NO_RDRAND.
>

It means that you've disabled the RDRAND engine.


> After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's
> no engine at all.
>
> I tried running OpenSSL at my commandline just now, and here's what I got:
>
> ~# openssl
> OpenSSL> engine
> (dynamic) Dynamic engine loading support
> OpenSSL> rand -hex 10
> f49ca711e3056cf9064a
> OpenSSL>
>
>
> Where is it getting that random data from ? ? ? There's no engine and
> yet it can still get a random number! I even tried deleting /dev/random
> and
> /dev/urandom, but it somehow is still getting random data from somewhere!
> But where?
>
>
>
You still have the OpenSSL built-in RNG.


-- 
SY, Dmitry Belyavsky


Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Dmitry Belyavsky  wrote

>> /etc/ssl/openssl.cnf
>
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.
> 
> 



But if my TPM2 engine fails to load, then OpenSSL will just use the 
'rdrand' engine.

So my defense against this is to rebuild OpenSSL with the flag 
OPENSSL_NO_RDRAND.

After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's 
no engine at all.

I tried running OpenSSL at my commandline just now, and here's what I got:

~# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL> rand -hex 10
f49ca711e3056cf9064a
OpenSSL>


Where is it getting that random data from ? ? ? There's no engine and 
yet it can still get a random number! I even tried deleting /dev/random and 
/dev/urandom, but it somehow is still getting random data from somewhere! 
But where?





Re: Remove All Software Generators

2019-10-30 Thread Dmitry Belyavsky
On Wed, Oct 30, 2019 at 6:08 PM Frederick Gotham 
wrote:

> Dmitry Belyavsky  wrote:
>
>
> >> It can be done via the engine code and config.
>
>
> Do you mean
>
> /etc/ssl/openssl.cnf
>
> ?
>
Yes, or any custom.
But the engine must provide the RAND_METHOD and set it as default.


-- 
SY, Dmitry Belyavsky


Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Dmitry Belyavsky  wrote: 


>> It can be done via the engine code and config.


Do you mean

/etc/ssl/openssl.cnf

?




Re: Remove All Software Generators

2019-10-30 Thread Dmitry Belyavsky
On Wed, Oct 30, 2019 at 6:00 PM Frederick Gotham 
wrote:

> Dmitry Belyavsky wrote:
>
> > Did you try to create your own RAND_METHOD and set it as default on
> > loading the engine?
>
>
> No, I didn't try that.
>
> Note that I'm only using the OpenSSL binary, I'm not interfacing with an
> API.
>
It can be done via the engine code and config.


-- 
SY, Dmitry Belyavsky


Re: Remove All Software Generators

2019-10-30 Thread Frederick Gotham
Dmitry Belyavsky wrote:

> Did you try to create your own RAND_METHOD and set it as default on
> loading the engine?


No, I didn't try that.

Note that I'm only using the OpenSSL binary, I'm not interfacing with an 
API.




Re: Remove All Software Generators

2019-10-30 Thread Dmitry Belyavsky
Did you try to create your own RAND_METHOD and set it as default on loading
the engine?

On Wed, Oct 30, 2019 at 5:40 PM Frederick Gotham 
wrote:

>
> I'm working on Linux with a x86-64 CPU.
>
> I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
> and random number generation through the TPM2 chip.
>
> In the event that the chip fails, I do NOT want there to be a backup
> system. I do NOT want any kind of software pseudorandom number generator
> nor any software encryption routines.
>
> The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine
> library requires two more libraries, "libtss2-tcti-device.so" and
> "libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas
> the latter is a software simulator).
>
> As I don't want to have a simulator, I tried simply deleting the
> simulator library, but this caused linkage problems for the mother
> engine library. As an alternative, I made a new dummy library in which
> all of the functions return an error value, and I put this dummy library
> in the place of the simulator. This transplant went fine.
>
> It appears that OpenSSL will kick and scream and refuse to die no
> matter how hard you hit it. If I try to generate a random number like
> this:
>
> openssl rand -hex 8
>
> Then it seems it will try in this order:
>
> 1) The TPM2 chip
> 2) The software simulator of the TPM2 chip
> 3) The built-in RDRAND number
> 4) Another one that I can't find
>
> I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of
> the in-built engine. I have even done "rm /dev/random" and "rm
> /dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I
> run openssl rand -hex 8.
>
> How on earth to get OpenSSL to simply give up? I simply cannot have it
> use anything other than my TPM2 chip.
>
> Frederick
>
>
>

-- 
SY, Dmitry Belyavsky


Remove All Software Generators

2019-10-30 Thread Frederick Gotham


I'm working on Linux with a x86-64 CPU.

I have a TPM2 chip, and so I want OpenSSL to do all of its encryption 
and random number generation through the TPM2 chip.

In the event that the chip fails, I do NOT want there to be a backup 
system. I do NOT want any kind of software pseudorandom number generator 
nor any software encryption routines.

The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine 
library requires two more libraries, "libtss2-tcti-device.so" and 
"libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas 
the latter is a software simulator).

As I don't want to have a simulator, I tried simply deleting the 
simulator library, but this caused linkage problems for the mother 
engine library. As an alternative, I made a new dummy library in which 
all of the functions return an error value, and I put this dummy library 
in the place of the simulator. This transplant went fine.

It appears that OpenSSL will kick and scream and refuse to die no 
matter how hard you hit it. If I try to generate a random number like 
this:

openssl rand -hex 8

Then it seems it will try in this order:

1) The TPM2 chip
2) The software simulator of the TPM2 chip
3) The built-in RDRAND number
4) Another one that I can't find

I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of 
the in-built engine. I have even done "rm /dev/random" and "rm 
/dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I 
run openssl rand -hex 8.

How on earth to get OpenSSL to simply give up? I simply cannot have it 
use anything other than my TPM2 chip.

Frederick




Re: Proposal to remove some platforms

2019-06-23 Thread Salz, Rich via openssl-users
>Yes NetBSD cares about PARISC... We still build and run on it.

Thanks.  The targets removed in that PR were for hpux-parisc.


Proposal to remove some platforms

2019-06-22 Thread Salz, Rich
I created a handful of PRs to remove support for some platforms.  The project 
would like to hear from people about this.  The pull requests are as follows:

Remove HP PARISC support https://github.com/openssl/openssl/pull/9210
Remove HP/MPE and Tru64 Unix support https://github.com/openssl/openssl/pull/9209
Remove VOS support https://github.com/openssl/openssl/pull/9208
Remove NextStep support https://github.com/openssl/openssl/pull/9204
Remove BS2000/OSD support https://github.com/openssl/openssl/pull/9185

PLEASE review the comments before posting, as most of these have issues beyond 
just removing config stanzas.



Re: [openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread Wouter Verhelst


On 09-02-17 10:58, PM Extra wrote:

> Should I remove expired certificates from CRL?


No. The date of the revocation, which can be found in the CRL, is still 
relevant for checking when older certificates were revoked, in case you 
ever need to check signatures on older messages.


--
Wouter Verhelst
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread Michael Wojcik
If you remove expired certificates from the CRL, then CRL consumers have no way 
of knowing whether a certificate was revoked before it expired, and thus no way 
of knowing whether a timestamped signature made with the corresponding key is 
valid.

This is a complex issue, because CRL bloat is a real problem. (That's why we 
have delta CRLs in the first place.) There's a CRL extension 
(expiredCertsOnCRL) that should be used if the CRL includes expired 
certificates.

I've seen a number of discussions on this topic, in such places as the IETF 
PKIX list. See for example this thread:
https://www.ietf.org/mail-archive/web/pkix/current/msg03776.html

It seems to be difficult to find relevant material with simple web searches, 
though. The search terms are too common.

I'm sure there are other people on the list who know more about current 
practices in this area than I do.

Michael Wojcik 
Distinguished Engineer, Micro Focus 
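
Added example (not from the thread and not OpenSSL code): the argument above as a small C program. A relying party checks a timestamped signature against a CRL that keeps entries for expired certificates and against one the CA has pruned. Struct and function names, serial numbers and dates are constructed for this illustration.

```c
/* Added illustration: why a relying party needs revocation entries for
 * certificates that have since expired. All data below is constructed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define T_2015_01_01 ((time_t)1420070400)
#define T_2015_03_01 ((time_t)1425168000)
#define T_2015_06_01 ((time_t)1433116800)
#define T_2015_09_01 ((time_t)1441065600)
#define T_2016_01_01 ((time_t)1451606400)
#define T_2017_02_09 ((time_t)1486598400)
#define T_2018_01_01 ((time_t)1514764800)

struct cert      { const char *serial; time_t not_before, not_after; };
struct crl_entry { const char *serial; time_t revoked_at, cert_not_after; };

enum sig_status { SIG_GOOD, SIG_REVOKED_BEFORE_SIGNING, SIG_OUTSIDE_VALIDITY };

/* Signer certificate: valid during 2015, revoked on 2015-06-01. */
static const struct cert SIGNER = { "0A", T_2015_01_01, T_2016_01_01 };

/* CRL that keeps the entry for the (now expired) signer certificate. */
static const struct crl_entry FULL_CRL[] = {
    { "0A", T_2015_06_01, T_2016_01_01 },
    { "17", T_2015_03_01, T_2018_01_01 },
};

/* Judge a signature "as of" its securely recorded timestamp. */
enum sig_status check_timestamped_signature(const struct cert *c, time_t signed_at,
                                            const struct crl_entry *crl, size_t n)
{
    if (signed_at < c->not_before || signed_at > c->not_after)
        return SIG_OUTSIDE_VALIDITY;
    for (size_t i = 0; i < n; i++)
        if (strcmp(crl[i].serial, c->serial) == 0 &&
            crl[i].revoked_at <= signed_at)
            return SIG_REVOKED_BEFORE_SIGNING;
    return SIG_GOOD;
}

/* CA-side pruning: copy only entries whose certificate is still unexpired
 * at `now`. Returns the number of entries written to out. */
size_t prune_expired(const struct crl_entry *in, size_t n, time_t now,
                     struct crl_entry *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i].cert_not_after > now)
            out[kept++] = in[i];
    return kept;
}

int main(void)
{
    static const char *names[] = { "good", "revoked before signing",
                                   "outside validity" };
    struct crl_entry pruned[2];
    size_t kept = prune_expired(FULL_CRL, 2, T_2017_02_09, pruned);

    /* Signature timestamped 2015-09-01, checked on 2017-02-09. */
    printf("full CRL:   %s\n",
           names[check_timestamped_signature(&SIGNER, T_2015_09_01, FULL_CRL, 2)]);
    /* The pruned CRL no longer says the key was revoked three months earlier. */
    printf("pruned CRL: %s\n",
           names[check_timestamped_signature(&SIGNER, T_2015_09_01, pruned, kept)]);
    return 0;
}
```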





Re: [openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread Jakob Bohm

On 09/02/2017 10:58, PM Extra wrote:

> Should I remove expired certificates from CRL?
> If so, how to do this?


Depends if any relying parties are checking old signatures "as of"
some securely recorded date of receiving the signature.

In that case, they will still need to be able to see, in the latest
CRL, if and when a (now expired) certificate was revoked before it
expired.  This is also the reason it can be important to add a
"backdated" revocation to a CRL, e.g. if a breach of a private key
has been detected as happening around a specific time.  As always
there is the fundamental issue of deciding if the party reporting
loss of a private key is lying to deny responsibility for something
that was recently signed by that party.

So I would not remove actual revocations from CRL lists, but would
instead rotate issuing intermediary certificates such that a new
intermediary (with its own CRL) is introduced a few times/year.
  Some time after all certificates issued by an old intermediary
expire, but before the intermediary itself expires, it should sign
a "final" CRL that doesn't expire.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread PM Extra
Should I remove expired certificates from CRL??

If so, how to do this?


[openssl-users] Remove Anchor

2014-12-31 Thread Peter Fraser
Hi All
Please let me know if I am posting to the correct list. I set up a reverse
proxy for my website using nginx and I had to export the certificate from
my web server to put on the proxy. On windows I exported the certs to a
.pfx file. On my Unix box, I used the command below to export all the certs
to a file. Then I manually removed the private key.

openssl pkcs12 -in file_name.pfx -out outputfile.txt -nodes


Afterwards when I ran a test against it using ssllabs it said that my cert
contained an anchor. Does anyone know how to remove this anchor and leave
only the necessary certs for my proxy to use?


Regards
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users


Re: Remove SSLv2 via #ifdef

2013-05-11 Thread Jakob Bohm

On 10-05-2013 21:24, Salz, Rich wrote:


> Would there be any interest (and support) from the dev team for
> patches that completely remove SSLv2 API’s?
>
> /r$



Already there:

./Configure -no-ssl2

__
OpenSSL Project            http://www.openssl.org
User Support Mailing List  openssl-users@openssl.org
Automated List Manager     majord...@openssl.org


RE: Remove SSLv2 via #ifdef

2013-05-11 Thread Salz, Rich

I guess I was confused, expecting to see the ssl23 stuff removed as well, but 
I guess it's okay to leave it.

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA



Remove SSLv2 via #ifdef

2013-05-10 Thread Salz, Rich
Would there be any interest (and support) from the dev team for patches that 
completely remove SSLv2 API's?

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA




Re: Remove SSLv2 via #ifdef

2013-05-10 Thread Dr. Stephen Henson
On Fri, May 10, 2013, Salz, Rich wrote:

> Would there be any interest (and support) from the dev team for patches that
> completely remove SSLv2 API's?

What would the difference be between this and the no-ssl2 switch to Configure?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: How to remove certificate from X509_STORE?

2013-01-16 Thread Srivardhan Hebbar
Thanks Dave,

I tried with the 2nd option. But people here didn't agree so finally went
ahead with the 3rd option.

Thanks for soln.
Sri


On Fri, Jan 11, 2013 at 3:25 AM, Dave Thompson dthomp...@prinpay.com wrote:

> From: owner-openssl-us...@openssl.org On Behalf Of Srivardhan Hebbar
> Sent: Tuesday, 08 January, 2013 08:34
>
> X509_STORE_add_cert() would add a certificate to the list of trusted
> certificates in the ctx. What is the way to remove a certificate from
> this trusted store? Am not finding any function to remove the certificate.
> Can anyone of you suggest a way to remove the certificate from this
> trusted store? Or is there a way to make an already loaded certificate an
> untrusted one?
>
> I presume you mean an SSL_CTX and certs trusted for SSL authentication.
> (OpenSSL can use, and trust, certs for other purposes.)
>
> 1. An X509 object representing a cert in OpenSSL has an associated aux
> field of OpenSSL-added data including (optionally?) some trust settings.
> There are too many twisty passages for me to track down exactly what values
> can be in here, and what if any does what you want.
>
> 2. The data in an X509_STORE is just a STACK_OF(X509_OBJECT). I don't see
> any official API, but you could just grab x->objs and sk_*_delete from it.
> You probably need to do downref/free to avoid a leak, and to do locking
> if your program(s) will or might use this while multithreading.
>
> 3. If you want an official if clumsy way, create a new X509_STORE,
> initialize and fill it with everything from the existing one
> except the cert(s) you want to omit, and then use it.




Is there a function to remove cert from X509_Store.

2013-01-11 Thread Srivardhan Hebbar
Hi,

X509_STORE_add_cert() adds certificate to the trusted store. Is there a
function to remove this added certificate from this store? Can anybody
respond pls.

Thank-you,
Sri


RE: How to remove certificate from X509_STORE?

2013-01-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Srivardhan Hebbar
Sent: Tuesday, 08 January, 2013 08:34

X509_STORE_add_cert() would add a certificate to the list of trusted 
certificates in the ctx. What is the way to remove a certificate from 
this trusted store? Am not finding any function to remove the certificate. 
Can anyone of you suggest a way to remove the certificate from this trusted
store? Or is there a way to make an already loaded certificate an untrusted
one?

I presume you mean an SSL_CTX and certs trusted for SSL authentication. 
(OpenSSL can use, and trust, certs for other purposes.)

1. An X509 object representing a cert in OpenSSL has an associated aux 
field of OpenSSL-added data including (optionally?) some trust settings.
There are too many twisty passages for me to track down exactly what values 
can be in here, and what if any does what you want.

2. The data in an X509_STORE is just a STACK_OF(X509_OBJECT). I don't see 
any official API, but you could just grab x->objs and sk_*_delete from it.
You probably need to do downref/free to avoid a leak, and to do locking 
if your program(s) will or might use this while multithreading.

3. If you want an official if clumsy way, create a new X509_STORE, 
initialize and fill it with everything from the existing one 
except the cert(s) you want to omit, and then use it.




Fwd: How to remove certificate from X509_STORE?

2013-01-09 Thread Srivardhan Hebbar
Hi,

X509_STORE_add_cert() would add a certificate to the list of trusted
certificates in the ctx. What is the way to remove a certificate from this
trusted store? Am not finding any function to remove the certificate. Can
anyone of you suggest a way to remove the certificate from this trusted
store? Or is there a way to make an already loaded certificate an untrusted
one?

Thank-you,
Sri


How to remove certificate from X509_STORE?

2013-01-04 Thread Srivardhan Hebbar
Hi,

X509_STORE_add_cert() would add a certificate to the list of trusted
certificates in the ctx. What is the way to remove a certificate from this
trusted store? Am not finding any function to remove the certificate. Can
anyone of you suggest a way to remove the certificate from this trusted
store? Or is there a way to make an already loaded certificate an untrusted
one?

Thank-you,
Sri


RE: REMOVE my address from your mailing list, please

2011-09-07 Thread Scott Neugroschl
unsubscribe here:  http://www.openssl.org/support/community.html
 



From: owner-openssl-us...@openssl.org on behalf of Anh Pham
Sent: Wed 9/7/2011 3:23 AM
To: openssl-users@openssl.org
Subject: REMOVE my address from your mailing list, please


Remove my address from the mailing list, please 


REMOVE my address from your mailing list, please

2011-09-02 Thread Mayra Ruano
-- 
Mayra


Remove me please

2010-12-03 Thread Richard Buskirk
Sorry to use this list for this.
But I have tried every way I know to get off the list suggestions??


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Mounir IDRASSI
Sent: Friday, December 03, 2010 1:04 PM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

Hi,

In order to enable the CAPI engine, you have to use the enable-capieng switch : 
this will compile the CAPI engine statically inside OpenSSL.
Here is a example of configure command line for this : perl Configure
VC-WIN32 --prefix=c:/openssl enable-capieng

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/3/2010 6:21 PM, Fili, Tom wrote:
> Ok, so I realized if I run Configure with no-static-engine I'll get
> the separate dlls. These are the commands I run
>
> C:\Documents and Settings\tfili\Desktop\openssl-0.9.8k>perl Configure
> VC-WIN32 --prefix=c:\temp\openssl no-static-engine
>
> ms\do_ms.bat
>
> nmake -f ms\ntdll.mak
>
> Unfortunately I now get the following errors:
>
>
> link /debug /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll.dbg\4758cca.dll @C:\DOCUME~1\tfili\LOCALS~1\Temp\nm2E34.tmp
> Creating library out32dll.dbg\4758cca.lib and object out32dll.dbg\4758cca.exp


RE: Remove me please

2010-12-03 Thread Erik Tkal
Go to http://www.openssl.org/support/community.html



Erik Tkal
Juniper OAC/UAC/Pulse Development



-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Richard Buskirk
Sent: Friday, December 03, 2010 2:39 PM
To: openssl-users@openssl.org
Subject: Remove me please

Sorry to use this list for this.
But I have tried every way I know to get off the list suggestions??


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Mounir IDRASSI
Sent: Friday, December 03, 2010 1:04 PM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

Hi,

In order to enable the CAPI engine, you have to use the enable-capieng switch:
this will compile the CAPI engine statically inside OpenSSL.
Here is an example of a configure command line for this:
perl Configure VC-WIN32 --prefix=c:/openssl enable-capieng

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/3/2010 6:21 PM, Fili, Tom wrote:
 Ok, so I realized if I run Configure with no-static-engine I'll get 
 the separate dlls. These are the commands I run

 C:\Documents and Settings\tfili\Desktop\openssl-0.9.8k>perl Configure
 VC-WIN32 --prefix=c:\temp\openssl no-static-engine

 ms\do_ms.bat

 nmake -f ms\ntdll.mak

 Unfortunately I now get the following errors:


  link /debug /nologo /subsystem:console /opt:ref /debug /dll 
 /out:out32dl l.dbg\4758cca.dll  
 @C:\DOCUME~1\tfili\LOCALS~1\Temp\nm2E34.tmp
 Creating library out32dll.dbg\4758cca.lib and object 
 out32dll.dbg\4758cca.exp

 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _RSA_get_ex_data referenced in function _cca_rsa_pub_enc e_4758cca.obj 
 : error LNK2019: unresolved external symbol _RSA_size referenced in 
 function _cca_rsa_pub_enc e_4758cca.obj : error LNK2019: unresolved 
 external symbol _CRYPTO_free referenced in function _cca_rsa_verify 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _OPENSSL_cleanse referenced in function _cca_rsa_verify e_4758cca.obj 
 : error LNK2019: unresolved external symbol _CRYPTO_malloc referenced 
 in function _cca_rsa_verify e_4758cca.obj : error LNK2019: unresolved 
 external symbol _i2d_X509_SIG referenced in function _cca_rsa_verify 
 e_4758cca.obj : error LNK2019: unresolved external symbol _OBJ_nid2obj 
 referenced in function _cca_rsa_verify e_4758cca.obj : error LNK2019: 
 unresolved external symbol _ERR_put_error referenced in function 
 _ERR_CCA4758_error e_4758cca.obj : error LNK2019: unresolved external 
 symbol _ERR_get_next_error_library referenced in function 
 _ERR_CCA4758_error e_4758cca.obj : error LNK2019: unresolved external 
 symbol _ERR_set_implementation referenced in function _bind_engine 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _CRYPTO_set_ex_data_implementation referenced in function _bind_engine 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _CRYPTO_set_dynlock_destroy_callback referenced in function 
 _bind_engine e_4758cca.obj : error LNK2019: unresolved external symbol 
 _CRYPTO_set_dynlock_lock_callback referenced in function _bind_engine 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _CRYPTO_set_dynlock_create_callback referenced in function 
 _bind_engine e_4758cca.obj : error LNK2019: unresolved external symbol 
 _CRYPTO_set_add_lock_callback referenced in function _bind_engine 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _CRYPTO_set_locking_callback referenced in function _bind_engine 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _CRYPTO_set_mem_functions referenced in function _bind_engine 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_get_static_state referenced in function _bind_engine 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_cmd_defns referenced in function _bind_helper 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_load_pubkey_function referenced in function _bind_helper 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_load_privkey_function referenced in function _bind_helper 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_ctrl_function referenced in function _bind_helper 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_finish_function referenced in function _bind_helper 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_init_function referenced in function _bind_helper 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_destroy_function referenced in function _bind_helper 
 e_4758cca.obj : error LNK2019: unresolved external symbol 
 _ENGINE_set_RAND referenced in function _bind_helper e_4758cca.obj : 
 error LNK2019: unresolved external symbol _ENGINE_set_RSA referenced 
 in function _bind_helper

How do I remove OpenSSL 0.9.8m

2010-06-02 Thread Olson, Tina S
Hello,

I have OpenSSL installed on a Windows server, and a security vulnerability was 
identified with v.0.9.8m, which I believe came with my Apache 2.2 installation.

Separate from Apache, I installed the v0.9.8n light binary version to generate 
the key/cert files.

How can I uninstall v0.9.8m?

Any suggestions from the user community would be appreciated.

Thanks in advance.

Tina

Thank you,
Tina Olson



remove

2010-04-27 Thread Winton, Dan (SA-1)





How to remove prior FIPS build option

2010-01-14 Thread Charles Belov

I attempted to build openssl using the FreeBSD port of openssl.

Options are set using make config as follows:

Options for openssl 0.9.8l_2
[ ] I386  Use optimzed assembler for 80386 


[X] SSE2  Use runtime SSE2 detection
[X] ZLIB  Build with zlib compression

and the Makefile shows

PORTVERSION=0.9.8l
PORTREVISION=   2

When I tried to make this a few days ago, I believe there were two 
additional options:  FIPS and SCTP.  I tried selecting SCTP, it didn't 
work, then I tried selecting FIPS, and got the error:


(after making all in crypto/pqueue...)

making all in fips...
make: don't know how to make /usr/local/ssl/fips-1.0/lib/fipscanister.o. 
Stop

*** Error code 2

Stop in /var/build/ports/security/openssl/work/openssl-0.9.8l/fips.
*** Error code 1

Stop in /var/build/ports/security/openssl/work/openssl-0.9.8l.
*** Error code 1

Stop in /ports/security/openssl.
*** Error code 1

thus killing the make.  I set it aside at that time, then came back to 
it today.  Even after doing the make config I continue to get the 
fips-related errors.


I see from the FreeBSD ports Web site that there was in fact a Makefile 
revision 1.161 yesterday to remove FIPS and SCTP support.  So I'm 
guessing that this is why I no longer see FIPS and SCTP as options.  But 
it also seems that make is holding on to my prior setting of the FIPS 
option.


So, my question is, how do I obliterate this obsolete option, so that I 
can make openssl without the FIPS error?


Thank you,
Charles Belov

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: How to remove prior FIPS build option

2010-01-14 Thread Kyle Hamilton
You must download the openssl-fips.1.2.0.tar.gz package, and follow
the instructions in the companion Security Policy *precisely*.  That
is the only package that can build a fipscanister.o.

Once the fipscanister.o exists and is installed properly, then you can
build with the fips option.  Not before.

And to fix the fips problem in your source tree: 'make clean'

-Kyle H

On Wed, Jan 13, 2010 at 6:16 PM, Charles Belov docor...@sonic.net wrote:
 I attempted to build openssl using the FreeBSD port of openssl.

 Options are set using make config as follows:

 Options for openssl 0.9.8l_2
 [ ] I386  Use optimzed assembler for 80386
 [X] SSE2  Use runtime SSE2 detection
 [X] ZLIB  Build with zlib compression

 and the Makefile shows

 PORTVERSION=    0.9.8l
 PORTREVISION=   2

 When I tried to make this a few days ago, I believe there were two
 additional options:  FIPS and SCTP.  I tried selecting SCTP, it didn't work,
 then I tried selecting FIPS, and got the error:

 (after making all in crypto/pqueue...)

 making all in fips...
 make: don't know how to make /usr/local/ssl/fips-1.0/lib/fipscanister.o.
 Stop
 *** Error code 2

 Stop in /var/build/ports/security/openssl/work/openssl-0.9.8l/fips.
 *** Error code 1

 Stop in /var/build/ports/security/openssl/work/openssl-0.9.8l.
 *** Error code 1

 Stop in /ports/security/openssl.
 *** Error code 1

 thus killing the make.  I set it aside at that time, then came back to it
 today.  Even after doing the make config I continue to get the
 fips-related errors.

 I see from the FreeBSD ports Web site that there was in fact a Makefile
 revision 1.161 yesterday to remove FIPS and SCTP support.  So I'm guessing
 that this is why I no longer see FIPS and SCTP as options.  But it also
 seems that make is holding on to my prior setting of the FIPS option.

 So, my question is, how do I obliterate this obsolete option, so that I can
 make openssl without the FIPS error?

 Thank you,
 Charles Belov



Remove RSA from EVP_PKEY structure

2010-01-11 Thread rale77

Hello, 

How can I remove RSA structure from EVP_PKEY previously added to EVP_PKEY
with EVP_PKEY_assign_RSA function? I have one RSA object named rsa  and
EVP_PKEY object named evp and their relation is : 
rsa = evp->pkey.rsa 
How to remove their bound and then delete EVP_PKEY (with EVP_PKEY_free(evp)) 
without deleting rsa. 

 
-- 
View this message in context: 
http://old.nabble.com/Remove-RSA-from-EVP_PKEY-structure-tp27108392p27108392.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: Remove RSA from EVP_PKEY structure

2010-01-11 Thread Dr. Stephen Henson
On Mon, Jan 11, 2010, rale77 wrote:

 
 Hello, 
 
 How can I remove RSA structure from EVP_PKEY previously added to EVP_PKEY
 with EVP_PKEY_assign_RSA function? I have one RSA object named rsa  and
 EVP_PKEY object named evp and their relation is : 
 rsa = evp->pkey.rsa 
 How to remove their bound and then delete EVP_PKEY (with EVP_PKEY_free(evp)) 
 without deleting rsa. 
 

If you use EVP_PKEY_set1_RSA() instead of EVP_PKEY_assign_RSA() the reference
count of the added RSA structure is incremented and you can free up the
EVP_PKEY structure later without freeing up the referenced RSA structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Remove RSA from EVP_PKEY structure

2010-01-11 Thread rale77



rale77 wrote:
 
 Hello, 
 
 How can I remove RSA structure from EVP_PKEY previously added to EVP_PKEY
 with EVP_PKEY_assign_RSA function? I have one RSA object named rsa  and
 EVP_PKEY object named evp and their relation is : 
 rsa = evp->pkey.rsa 
 How to remove their bound and then delete EVP_PKEY (with
 EVP_PKEY_free(evp))  without deleting rsa. 
 
  
 


If someone knows, please give me the code :)
-- 
View this message in context: 
http://old.nabble.com/Remove-RSA-from-EVP_PKEY-structure-tp27108392p27108407.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


remove

2009-09-15 Thread Felipe Aramburu
 

 

Felipe Aramburu

Software Consultant

Oncology Consultants

Direct Line: 713 800-3270

E-mail  faramb...@oncologyconsultants.com
mailto:swoid...@oncologyconsultants.com 

 


 



Remove

2009-09-12 Thread srikanth kollu



remove

2009-08-23 Thread 思叶王



remove

2009-08-18 Thread El hallabi-Kettani Abderrahmane



  

Regarding the corresponding remove functions

2009-06-03 Thread Tushar Patel
We are currently using OpenSSL 0.9.8j and have a question related to
X509_LOOKUP_ctrl and X509_LOOKUP_load_file.

 

Basically, we are using one of the above functions to add the files to the
LOOKUP; however, under some conditions, it is required to remove the file.
Would there be any document or function description that mentions this with any
implications? Also, going ahead and deleting the whole LOOKUP is not
preferred.

 

Thanks,

Tushar



Re: Does AES_cbc_encrypt remove PKCS5 padding

2009-05-07 Thread Kenneth Goldman

I use that function, and it does not remove padding.

1 - How would it even know what is padding and what is your data?
2 - Why do you think it removes the padding?  The function does
  not return a length.

Here's a really wild guess:  Are you perhaps padding your data with
zeros and then using strlen() to determine the length of the result?

owner-openssl-us...@openssl.org wrote on 05/06/2009 05:53:27 PM:

 AngelWarrior srikanth.bemin...@gmail.com


 But I am experimenting with the code which is actually removing the
 padding by calling
 AES_cbc_encrypt((unsigned char*)input, (unsigned char*)(output),
  (const unsigned long)(length), ks,
 (unsigned char*)ivec, AES_DECRYPT).
 What is EVP layer?

 On Wed, May 6, 2009 at 3:45 PM, Dr. Stephen Henson st...@openssl.org wrote:
 On Wed, May 06, 2009, AngelWarrior wrote:

  Hi,
 
  Does AES_cbc_encrypt add or remove the padding, if I provide an un-padded
  data in the multiples of 16 bytes? I wrote a piece code where I am manually
  adding the padding but when I decrypt using AES_cbc_encrypt the padding is
  automatically removed.
 

 None of the low level cipher routines including AES_cbc_encrypt() add or
 remove padding. That is handled in the EVP layer.

Does AES_cbc_encrypt remove PKCS5 padding

2009-05-06 Thread AngelWarrior
Hi,

Does AES_cbc_encrypt add or remove the padding, if I provide an un-padded
data in the multiples of 16 bytes? I wrote a piece code where I am manually
adding the padding but when I decrypt using AES_cbc_encrypt the padding is
automatically removed.

-- 
_/\_
With Regards
SB Angel Warrior


Re: Does AES_cbc_encrypt remove PKCS5 padding

2009-05-06 Thread Dr. Stephen Henson
On Wed, May 06, 2009, AngelWarrior wrote:

 Hi,
 
 Does AES_cbc_encrypt add or remove the padding, if I provide an un-padded
 data in the multiples of 16 bytes? I wrote a piece code where I am manually
 adding the padding but when I decrypt using AES_cbc_encrypt the padding is
 automatically removed.
 

None of the low level cipher routines including AES_cbc_encrypt() add or
remove padding. That is handled in the EVP layer.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
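
What the replies in this thread describe, as an added example that is not part of any poster's message or of OpenSSL: because the low-level routine leaves padding alone, the caller must add it before encrypting and check and strip it after decrypting. The helper names (`pkcs7_pad`, `pkcs7_unpad`, `zero_pad`) and the sample buffers are constructed for illustration; no cipher is called, the buffers stand in for what a raw CBC decrypt hands back.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16                /* AES block size in bytes */
#define BAD_PAD ((size_t)-1)    /* returned by pkcs7_unpad() on malformed padding */

/* Append PKCS#7 (PKCS#5-style) padding in place. buf holds len data bytes and
 * has room for cap bytes. Returns the padded length, or 0 if cap is too small.
 * A whole extra block is added when len is already a multiple of BLOCK, which
 * is what lets the receiver strip the padding unambiguously. */
size_t pkcs7_pad(unsigned char *buf, size_t len, size_t cap)
{
    size_t pad = BLOCK - (len % BLOCK);         /* always 1..BLOCK */

    if (pad > cap || len > cap - pad)
        return 0;
    memset(buf + len, (int)pad, pad);           /* pad bytes each hold the pad count */
    return len + pad;
}

/* Check and strip PKCS#7 padding from a decrypted buffer of len bytes.
 * Returns the length of the data without padding, or BAD_PAD. */
size_t pkcs7_unpad(const unsigned char *buf, size_t len)
{
    size_t pad, i;

    if (len == 0 || len % BLOCK != 0)
        return BAD_PAD;
    pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK)
        return BAD_PAD;
    for (i = len - pad; i < len; i++)
        if (buf[i] != pad)
            return BAD_PAD;
    return len - pad;
}

/* Zero padding up to the next block boundary (nothing is added when len is
 * already aligned). The length is not recoverable from the buffer itself.
 * Returns the padded length, or 0 if cap is too small. */
size_t zero_pad(unsigned char *buf, size_t len, size_t cap)
{
    size_t padded = (len + BLOCK - 1) / BLOCK * BLOCK;

    if (padded > cap)
        return 0;
    memset(buf + len, 0, padded - len);
    return padded;
}

int main(void)
{
    /* Constructed sample inputs; each array is zero-filled past its data. */
    unsigned char text[2 * BLOCK + 1] = "attack at dawn";       /* 14 bytes */
    unsigned char bin[2 * BLOCK + 1]  = { 0x01, 0x00, 0x02 };   /* 3 bytes  */
    unsigned char p7[2 * BLOCK + 1]   = "attack at dawn";
    size_t n;

    /* Zero padding plus strlen() looks like the padding was "removed". */
    n = zero_pad(text, 14, 2 * BLOCK);
    printf("zero pad, text:   buffer %zu bytes, strlen() sees %zu\n",
           n, strlen((char *)text));

    /* The same trick silently truncates binary data at its first zero byte. */
    n = zero_pad(bin, 3, 2 * BLOCK);
    printf("zero pad, binary: buffer %zu bytes, real length 3, strlen() sees %zu\n",
           n, strlen((char *)bin));

    /* PKCS#7 padding stays in the buffer until it is explicitly stripped. */
    n = pkcs7_pad(p7, 14, 2 * BLOCK);
    printf("PKCS#7:           buffer %zu bytes, last byte 0x%02x, unpadded %zu\n",
           n, p7[n - 1], pkcs7_unpad(p7, n));
    return 0;
}
```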


Re: Does AES_cbc_encrypt remove PKCS5 padding

2009-05-06 Thread AngelWarrior
But I am experimenting with the code which is actually removing the padding
by calling
AES_cbc_encrypt((unsigned char*)input, (unsigned char*)(output),
 (const unsigned long)(length), ks,
 (unsigned char*)ivec, AES_DECRYPT).
What is EVP layer?

On Wed, May 6, 2009 at 3:45 PM, Dr. Stephen Henson st...@openssl.org wrote:

 On Wed, May 06, 2009, AngelWarrior wrote:

  Hi,
 
  Does AES_cbc_encrypt add or remove the padding, if I provide an un-padded
  data in the multiples of 16 bytes? I wrote a piece code where I am manually
  adding the padding but when I decrypt using AES_cbc_encrypt the padding is
  automatically removed.
 

 None of the low level cipher routines including AES_cbc_encrypt() add or
 remove padding. That is handled in the EVP layer.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Homepage: http://www.drh-consultancy.demon.co.uk




-- 
_/\_
With Regards
SB Angel Warrior


Re: Remove Ask for a pass phrase

2008-10-14 Thread So Gerald
char passwd[] = {0};

2008/8/27 delcour.pierre [EMAIL PROTECTED]

 Hello everyone,

 I'm trying to load a private key with this function :

 /EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,pem_password_cb *cb,
 void *u);/

 I use it this way :
 EVP_PKEY* key = PEM_read_PrivateKey(file,NULL,NULL,passwd);
 with file a FILE* containing the correct file, and passwd a char*.
 In this case :  passwd = NULL;

 If I load a private key which needs a passphrase, the function asks me for the
 pass phrase (in konsole). I would like to remove this feature.

 How can I have a NULL value as return instead of typing the required pass
 phrase ?

 Thanks in advance,
 Have a nice day,
 pierre



Remove ask for a pass phrase

2008-08-28 Thread delcour.pierre

Hello everyone,

I'm trying to load a private key with this function :

/EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,pem_password_cb *cb, void *u);/

I use it this way :
EVP_PKEY* key = PEM_read_PrivateKey(file,NULL,NULL,passwd);
with file a FILE* containing the correct file, and passwd a char*.
In this case :  passwd = NULL;

If I load a private key which needs a passphrase, the function asks me for the 
pass phrase (in konsole). I would like to remove this feature.


How can I have a NULL value as return instead of typing the required 
pass phrase ?


Thanks in advance,
Have a nice day,
pierre


Remove Ask for a pass phrase

2008-08-28 Thread delcour.pierre

Hello everyone,

I'm trying to load a private key with this function :

/EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,pem_password_cb *cb, void *u);/

I use it this way :
EVP_PKEY* key = PEM_read_PrivateKey(file,NULL,NULL,passwd);
with file a FILE* containing the correct file, and passwd a char*.
In this case :  passwd = NULL;

If I load a private key which needs a passphrase, the function asks me for the 
pass phrase (in konsole). I would like to remove this feature.


How can I have a NULL value as return instead of typing the required 
pass phrase ?


Thanks in advance,
Have a nice day,
pierre


Remove

2008-01-22 Thread Qadeer Baig
Remove


remove

2008-01-22 Thread karthik kumar



RE: Please Remove [EMAIL PROTECTED]

2008-01-02 Thread Carrie
I beg your pardon. Can you redirect your request to [EMAIL PROTECTED] or
[EMAIL PROTECTED]?

Thank you kindly

Carrie Schlagenhauser

3-D Graphics and Web Design

[EMAIL PROTECTED]

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
Sent: Tuesday, January 01, 2008 1:02 PM
To: openssl-users@openssl.org
Subject: Please Remove [EMAIL PROTECTED]

 

Too many emails for me.  Please take me off

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of KOLLURU SURESH
Sent: Tuesday, December 25, 2007 6:08 AM
To: openssl-users@openssl.org
Subject: 

 

Hi

 

 

Please remove from the mailing list

 

 

 

K. Suresh



K. Suresh 
HOD, Dept of Computer Science 
Sri Vasavi Engineering College 
Tadepalligudem

  

  _  




RE: Please Remove [EMAIL PROTECTED]

2008-01-02 Thread Carrie
I'm only a recipient of e-mails from openssl.org. I do not, nor have I ever
had any control over their e-mail system or membership information. You need
to direct your request to the administrator.

Just a fellow member.

Carrie

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carrie
Sent: Wednesday, January 02, 2008 4:03 PM
To: openssl-users@openssl.org
Subject: RE: Please Remove [EMAIL PROTECTED]

 

I beg your pardon. Can you redirect your request to [EMAIL PROTECTED] or
[EMAIL PROTECTED]?

Thank you kindly

Carrie Schlagenhauser

3-D Graphics and Web Design

[EMAIL PROTECTED]

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
Sent: Tuesday, January 01, 2008 1:02 PM
To: openssl-users@openssl.org
Subject: Please Remove [EMAIL PROTECTED]

 

Too many emails for me.  Please take me off

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of KOLLURU SURESH
Sent: Tuesday, December 25, 2007 6:08 AM
To: openssl-users@openssl.org
Subject: 

 

Hi

 

 

Please remove from the mailing list

 

 

 

K. Suresh



K. Suresh 
HOD, Dept of Computer Science 
Sri Vasavi Engineering College 
Tadepalligudem

  

  _  




RE: Please Remove [EMAIL PROTECTED]

2008-01-02 Thread Pj
Triguy, remove yourself here.

 

http://www.openssl.org/support/

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carrie
Sent: Thursday, 3 January 2008 8:17 AM
To: openssl-users@openssl.org
Subject: RE: Please Remove [EMAIL PROTECTED]

 

I’m only a recipient of e-mails from openssl.org. I do not, nor have I ever
had any control over their e-mail system or membership information. You need
to direct your request to the administrator.

Just a fellow member.

Carrie

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carrie
Sent: Wednesday, January 02, 2008 4:03 PM
To: openssl-users@openssl.org
Subject: RE: Please Remove [EMAIL PROTECTED]

 

I beg your pardon. Can you redirect your request to [EMAIL PROTECTED] or
[EMAIL PROTECTED]?

Thank you kindly

Carrie Schlagenhauser

3-D Graphics and Web Design

[EMAIL PROTECTED]

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
Sent: Tuesday, January 01, 2008 1:02 PM
To: openssl-users@openssl.org
Subject: Please Remove [EMAIL PROTECTED]

 

Too many emails for me.  Please take me off

 

 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of KOLLURU SURESH
Sent: Tuesday, December 25, 2007 6:08 AM
To: openssl-users@openssl.org
Subject: 

 

Hi

 

 

Please remove from the mailing list

 

 

 

K. Suresh



K. Suresh 
HOD, Dept of Computer Science 
Sri Vasavi Engineering College 
Tadepalligudem

  

   _  

 


Please Remove [EMAIL PROTECTED]

2008-01-01 Thread Tom
Too many emails for me.  Please take me off

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of KOLLURU SURESH
Sent: Tuesday, December 25, 2007 6:08 AM
To: openssl-users@openssl.org
Subject: 

 

Hi

 

 

Please remove from the mailing list

 

 

 

K. Suresh



K. Suresh 
HOD, Dept of Computer Science 
Sri Vasavi Engineering College 
Tadepalligudem

  

  _  




Please Remove [EMAIL PROTECTED]

2008-01-01 Thread karthik kumar
Remove


Remove subscription

2007-08-09 Thread Robert Denis


--

Robert J. Denis
Services Account Manager
U.S. Support Services 
Sun Microsystems, Inc.

550 West Cypress Creek Road
Suite 500
Ft. Lauderdale, FL 33309
Phone: (954) 882-1676
[EMAIL PROTECTED]




Remove subscription

2007-08-09 Thread Prakash Kamath




openssl how to remove BEGIN PUBLIC KEY/ END PUBLIC KEY p

2007-05-23 Thread Janet N

Hi,

Are there ways to remove the -BEGIN PUBLIC KEY/ END PUBLIC KEY-
heading from a public key?

I have a public key that I extracted from my x509 certificate, but it gave
me BEGIN PUBLIC KEY/ END PUBLIC KEY
in the public key, I want to remove it and have the encoded base64 text all
in one line.  For ex:

I don't want this:
-----BEGIN PUBLIC KEY-----
ZIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
vVuGCAqfaps8J0FjOQIDAQAZ
-----END PUBLIC KEY-----

I want this format instead:
ZIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWqoG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaPvVuGCAqfaps8J0FjOQIDAQAZ

Any help is much appreciated.

-Janet


Re: openssl how to remove BEGIN PUBLIC KEY/ END PUBLIC KEY p

2007-05-23 Thread Marek Marcola
Hello,
 Are there ways to remove the -BEGIN PUBLIC KEY/ END PUBLIC
 KEY- heading from a public key?
 
 I have a public key that I extracted from my x509 certificate, but it
 gave me BEGIN PUBLIC KEY/ END PUBLIC KEY 
 in the public key, I want to remove it and have the encoded base64
 text all in one line.  For ex:
 
 I don't want this:
 -BEGIN PUBLIC KEY-
 ZIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq 
 oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
 E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
 vVuGCAqfaps8J0FjOQIDAQAZ
 -END PUBLIC KEY-
 
 I want this format instead: 
 ZIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWqoG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaPvVuGCAqfaps8J0FjOQIDAQAZ
 
 Any help is much appreciated.

 $ cat cert.pem | sed '/^-/d' | awk '{printf "%s", $1}'

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: openssl how to remove BEGIN PUBLIC KEY/ END PUBLIC KEY p

2007-05-23 Thread Janet N

Thanks!  This works.

On 5/23/07, Marek Marcola [EMAIL PROTECTED] wrote:


Hello,
 Are there ways to remove the -BEGIN PUBLIC KEY/ END PUBLIC
 KEY- heading from a public key?

 I have a public key that I extracted from my x509 certificate, but it
 gave me BEGIN PUBLIC KEY/ END PUBLIC KEY
 in the public key, I want to remove it and have the encoded base64
 text all in one line.  For ex:

 I don't want this:
 -BEGIN PUBLIC KEY-
 ZIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
 oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
 E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
 vVuGCAqfaps8J0FjOQIDAQAZ
 -END PUBLIC KEY-

 I want this format instead:

ZIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWqoG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaPvVuGCAqfaps8J0FjOQIDAQAZ

 Any help is much appreciated.

$ cat cert.pem | sed '/^-/d' | awk '{printf "%s", $1}'

Best regards,
--
Marek Marcola [EMAIL PROTECTED]




remove

2007-01-16 Thread Buicliu, Ion VSA:EX


Ion Buicliu
Systems Integration Specialist
BC Vital Statistics Agency
Knowledge Management and Technology Division
Voice Mail:   (250) 952-2410
mailto:[EMAIL PROTECTED]




remove

2007-01-05 Thread Stephen G. Schoggen

remove


RE: How do I remove padding during AES encryption/ decryption

2006-09-19 Thread Marek Marcola
Hello,
> Thanks for the reply. I have my sample test case like this.
>
> #define KEYSIZE 256
> #define AES_BLOCK_SIZE 32
AES block size for this implementation is 16 bytes
(of course AES standard talks about block size 24 and 32
bytes - Nb variable - but this implementation uses
only 16 byte AES block)

> void  test_main()
> {
>     char key[KEYSIZE+1];
>     int i,keylen;
>     char data[AES_BLOCK_SIZE] ;
>     char cbuf[AES_BLOCK_SIZE];
>     char pbuf[AES_BLOCK_SIZE];
>
>     strcpy(key,"2ea24d27bc6e40e70b0a2ab08b0831675cf1274834f98a58709edeeb56aff547");
>
>     strcpy(data,"000
> 0");
I guess that these strings should be converted from hex form to
binary before use (something like 0x41 = 'A')

>     keylen = strlen(key);
>
>     {
>         AES_KEY ctx;
>         unsigned char iv[AES_BLOCK_SIZE];
>         memset(cbuf, 0,AES_BLOCK_SIZE);
>         AES_set_encrypt_key(key, KEYSIZE, &ctx);
>         AES_cbc_encrypt(data, cbuf, AES_BLOCK_SIZE, &ctx, iv,
>             AES_ENCRYPT);
iv is not initialized here and you should check return code of
AES_set_encrypt_key() - this function accepts key lengths of 128, 192, 256.
Here this works good but checking error code is good practise.

>         for (i =0 ; i < sizeof(data) ; i++)
>             printf("%d...input = %d \n",data[i],i);
>         printf("\n");
>
>         for (i =0 ; i < sizeof(cbuf); i++)
>             printf("%d...encoded data =%d \n",cbuf[i],i);
>         printf("\n");
>     }
>
>     {
>         AES_KEY ctx;
>         int len,pad,flag =0;
>         unsigned char iv[AES_BLOCK_SIZE];
>         memset(pbuf, 0,AES_BLOCK_SIZE);
>         memset(iv, 0, AES_BLOCK_SIZE);
iv should have the same value as in encrypting.
>         AES_set_decrypt_key(key, KEYSIZE, &ctx);
check error code
>         AES_cbc_encrypt(cbuf,pbuf, AES_BLOCK_SIZE, &ctx, iv,
>             AES_DECRYPT);
>     }
>
> }
>
> Please can anyone tell me what could be the problem with this code?
There are many problems with using AES_cbc*().
If we are talking of padding - these functions do not support
normal padding - I suggest adding proper padding on encryption
yourself and removing padding after decryption.
These functions should take properly padded data rounded to
16 bytes.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: How do I remove padding during AES decryption

2006-09-18 Thread Marek Marcola
Hello, 
> Please can any one tell me how do I remove the pad bytes during
> AES decryption using AES_cbc_encryption.

Provided that block_size is the size of the encryption algorithm block
and the last block is in dst, you may use something like this:

.
.
pad = dst[block_size - 1];

/* pad must be in 1..block_size; 0 is never a valid pad value */
if (pad == 0 || pad > block_size) {
    goto err;
}

/* every pad byte must carry the pad length */
for (i = 1; i < pad; i++) {
    if (dst[block_size - 1 - i] != pad) {
        goto err;
    }
}
len = block_size - pad;
.
.

Proper length is returned in len.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
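
Added example (not part of any post in this thread): the two replies above advise adding padding yourself before AES_cbc_encrypt() and validating and stripping it after decryption. The code below does both for 16-byte blocks, assuming PKCS#7-style padding (every pad byte equals the pad length); pkcs7_pad and pkcs7_unpad are hypothetical helper names, not OpenSSL functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16   /* AES block size in bytes, as stated in the reply above */

/*
 * Append PKCS#7 padding in place (assumed scheme). buf holds len bytes of
 * plaintext and has room for cap bytes in total. Returns the padded length,
 * always a multiple of BLOCK and always greater than len, or 0 if buf is
 * too small to hold the padding.
 */
size_t pkcs7_pad(unsigned char *buf, size_t len, size_t cap)
{
    size_t pad = BLOCK - (len % BLOCK);   /* 1..16, a whole block if aligned */

    if (cap < len || cap - len < pad)
        return 0;
    memset(buf + len, (int)pad, pad);
    return len + pad;
}

/*
 * Validate and strip the padding after decryption. buf holds len bytes of
 * decrypted data. Returns 0 and stores the plaintext length in *out_len,
 * or -1 if the padding is malformed.
 */
int pkcs7_unpad(const unsigned char *buf, size_t len, size_t *out_len)
{
    unsigned char pad, bad = 0;
    size_t i;

    if (len == 0 || len % BLOCK != 0)     /* must be whole blocks */
        return -1;
    pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK)          /* 0 is never a valid pad value */
        return -1;
    /* Accumulate differences instead of returning at the first mismatch. */
    for (i = 0; i < pad; i++)
        bad |= (unsigned char)(buf[len - 1 - i] ^ pad);
    if (bad)
        return -1;
    *out_len = len - pad;
    return 0;
}

int main(void)
{
    /* Constructed sample: 5 bytes of plaintext in a two-block buffer. */
    unsigned char buf[2 * BLOCK] = "hello";
    size_t plain = 0;
    size_t n = pkcs7_pad(buf, 5, sizeof buf);

    /* n bytes would be passed to AES_cbc_encrypt() here, and the same
     * n bytes recovered by the decrypt call before stripping. */
    if (n == 0 || pkcs7_unpad(buf, n, &plain) != 0)
        return 1;
    printf("padded=%zu plain=%zu\n", n, plain);
    return 0;
}
```

CBC with padding gives no integrity protection, so a caller should treat a -1 from pkcs7_unpad like any other decryption failure and not report which check failed.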



RE: How do I remove padding during AES encryption/ decryption

2006-09-18 Thread Bhat, Jayalakshmi Manjunath
Hi,

Thanks for the reply. I have my sample test case like this.

#define KEYSIZE 256
#define AES_BLOCK_SIZE 32

void  test_main()
{
    char key[KEYSIZE+1];
    int i,keylen;
    char data[AES_BLOCK_SIZE] ;
    char cbuf[AES_BLOCK_SIZE];
    char pbuf[AES_BLOCK_SIZE];

    strcpy(key,"2ea24d27bc6e40e70b0a2ab08b0831675cf1274834f98a58709edeeb56aff547");

    strcpy(data,"000
0");
    keylen = strlen(key);

    {
        AES_KEY ctx;
        unsigned char iv[AES_BLOCK_SIZE];
        memset(cbuf, 0,AES_BLOCK_SIZE);
        AES_set_encrypt_key(key, KEYSIZE, &ctx);
        AES_cbc_encrypt(data, cbuf, AES_BLOCK_SIZE, &ctx, iv,
            AES_ENCRYPT);

        for (i =0 ; i < sizeof(data) ; i++)
            printf("%d...input = %d \n",data[i],i);
        printf("\n");

        for (i =0 ; i < sizeof(cbuf); i++)
            printf("%d...encoded data =%d \n",cbuf[i],i);
        printf("\n");
    }

    {
        AES_KEY ctx;
        int len,pad,flag =0;
        unsigned char iv[AES_BLOCK_SIZE];
        memset(pbuf, 0,AES_BLOCK_SIZE);
        memset(iv, 0, AES_BLOCK_SIZE);
        AES_set_decrypt_key(key, KEYSIZE, &ctx);
        AES_cbc_encrypt(cbuf,pbuf, AES_BLOCK_SIZE, &ctx, iv,
            AES_DECRYPT);
    }

}

Please can anyone tell me what could be the problem with this code?
Regards,
Jaya.

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Monday, September 18, 2006 3:39 PM
To: openssl-users@openssl.org
Subject: Re: How do I remove padding during AES decryption

Hello, 
> Please can any one tell me how do I remove the pad bytes during AES
> decryption using AES_cbc_encryption.

Provided that block_size is the size of the encryption algorithm block
and the last block is in dst, you may use something like this:

.
.
pad = dst[block_size - 1];

/* pad must be in 1..block_size; 0 is never a valid pad value */
if (pad == 0 || pad > block_size) {
    goto err;
}

/* every pad byte must carry the pad length */
for (i = 1; i < pad; i++) {
    if (dst[block_size - 1 - i] != pad) {
        goto err;
    }
}
len = block_size - pad;
.
.

Proper length is returned in len.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]



RE: How do I remove padding during AES decryption

2006-09-17 Thread Bhat, Jayalakshmi Manjunath
Hi All,

Thanks for the reply. But I am aware of using EVP API's.
Can't I remove the padding without using EVP API's?

Regards,
Jaya.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of k b
Sent: Saturday, September 16, 2006 10:22 PM
To: openssl-users@openssl.org
Subject: RE: How do I remove padding during AES decryption

Jaya,
You would have to use the EVP api that would do it for you.
see
http://www.openssl.org/docs/crypto/EVP_EncryptInit.html
-kbisla



From: Bhat, Jayalakshmi Manjunath [EMAIL PROTECTED]
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: How do I remove padding during AES decryption
Date: Sat, 16 Sep 2006 14:58:11 +0530

Hi all

Please can any one tell me how do I remove the pad bytes during AES
decryption using AES_cbc_encryption.

Regards,
Jaya.


RE: How do I remove padding during AES decryption

2006-09-17 Thread Bhat, Jayalakshmi Manjunath
Hi ,

Thanks a lot for the reply. But can't I remove the padding without
using EVP API's? I want to use AES_cbc_encryption directly for
encryption/decryption.

How do I remove padding here?

Regards,
Jaya.




 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of k b
Sent: Saturday, September 16, 2006 10:22 PM
To: openssl-users@openssl.org
Subject: RE: How do I remove padding during AES decryption

Jaya,
You would have to use the EVP api that would do it for you.
see
http://www.openssl.org/docs/crypto/EVP_EncryptInit.html
-kbisla



From: Bhat, Jayalakshmi Manjunath [EMAIL PROTECTED]
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: How do I remove padding during AES decryption
Date: Sat, 16 Sep 2006 14:58:11 +0530

Hi all

Please can any one tell me how do I remove the pad bytes during AES
decryption using AES_cbc_encryption.

Regards,
Jaya.


How do I remove padding during AES decryption

2006-09-16 Thread Bhat, Jayalakshmi Manjunath
Hi all

   Please can any one tell me how do I remove the pad bytes during
AES decryption using AES_cbc_encryption.

Regards,
Jaya.


RE: How do I remove padding during AES decryption

2006-09-16 Thread k b

Jaya,
You would have to use the EVP api that would do it for you.
see
http://www.openssl.org/docs/crypto/EVP_EncryptInit.html
-kbisla




From: Bhat, Jayalakshmi Manjunath [EMAIL PROTECTED]
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: How do I remove padding during AES decryption
Date: Sat, 16 Sep 2006 14:58:11 +0530

Hi all

   Please can any one tell me how do I remove the pad bytes during
AES decryption using AES_cbc_encryption.

Regards,
Jaya.


Remove

2006-07-05 Thread shikhar




Remove my adress from mailing list

2006-05-21 Thread Emile Georges

Could you remove my email address from the mailing list please

Thanks




Re: Remove my adress from mailing list

2006-05-21 Thread Victor Duchovni
On Sun, May 21, 2006 at 09:57:10PM +, Emile Georges wrote:

> Could you remove my email address from the mailing list please
>
> Automated List Manager   [EMAIL PROTECTED]

For help with a majordomo list:

mailto:[EMAIL PROTECTED]body=help

One of the help items is how to unsubscribe:

mailto:[EMAIL PROTECTED][EMAIL PROTECTED]

-- 
Viktor.


Re: remove passphrase from the key?

2006-03-07 Thread Bernhard Froehlich

kloomis wrote:

> At 11:17 PM 3/6/2006 -0700, you wrote:
>
>> The practical upshot of this is, yes, your apache configuration needs
>> the privkey.pem file in order to do SSL/TLS at all.
>
> I have myServer.csr, myServer.cert and myServer.key located in
> ssl.csr, ssl.crt, and ssl.key respectively.  The ssl.conf points to
> the cert and the key.  There is a privkey.pem in ssl.pem, but there is
> no reference in the ssl.conf to it.
>
> I have these settings in the ssl.conf:
>
> #   Server Certificate:
> SSLCertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert
>
> #   Server Private Key:
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myServer.com.key
>
> #   Certificate Authority (CA):
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert
>
> Should the private key be the .pem?  Is the .key a public key?  Where
> should it go?

The private key (which also includes the public part) should be in the
file referenced by SSLCertificateKeyFile. I think you did name the
private keyfile something.key. SSLCertificateFile points to the
certificate file which was generated by the CA (key and certificate may
be in the same file).

BTW, SSLCACertificateFile should contain your CA's cert.

> Ken.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26





remove passphrase from the key?

2006-03-06 Thread kloomis

Hello:

I have some directions on how to build a self-signed certificate which
consists of 5 steps.
1) create a key and a request
2) Remove the passphrase from the key (optional)
3) sign the certificate
4) install the cert and the key
5) set the SSLConf to point to the cert and the key.

My question is what are the effects of removing the passphrase from
key? Is the data still encrypted? Also, does anything in the
process need the privkey.pem file that is created once the cert and key
are created?

Thanks,

Ken





Re: remove passphrase from the key?

2006-03-06 Thread Bernhard Froehlich

kloomis wrote:

> Hello:
>
> I have some directions on how to build a self-signed certificate which
> consists of 5 steps.
>
> 1) create a key and a request
> 2) Remove the passphrase from the key (optional)
> 3) sign the certificate
> 4) install the cert and the key
> 5) set the SSLConf to point to the cert and the key.
>
> My question is what are the effects of removing the passphrase from key?

Advantage: You can use the key without supplying a passphrase, this
simplifies for example the startup procedure of an SSL enabled Apache server
Disadvantage: You can use the key without supplying a passphrase, this
is very bad if someone can read privkey.pem who should not.

> Is the data still encrypted?

No. Even if it were it would be no use since everyone could decrypt it
without a passphrase.

> Also, does anything in the process need the privkey.pem file that is
> created once the cert and key are created?

privkey.pem is not needed by the process of certificate generation once
the request is generated, but you'll need it once you want to use this
certificate to authenticate yourself, for example when opening a SSL
connection or signing an email.

> Thanks,
>
> Ken

I'm not sure if I did understand your problem, in case I missed please
clarify your needs.


Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26





Re: remove passphrase from the key?

2006-03-06 Thread kloomis

At 11:24 PM 3/6/2006 +0100, you wrote:
>> Also, does anything
>> in the process need the privkey.pem file that is created once the cert
>> and key are created?
> privkey.pem is not needed by the process of
> certificate generation once the request is generated, but you'll need it
> once you want to use this certificate to authenticate yourself, for
> example when opening a SSL connection or signing an email.
> I'm not sure if I did understand your problem, in case I missed please
> clarify your needs.
Ted, thanks for your reply.

To clarify the above question, once the certificate has been generated
and signed, is it necessary that the file privkey.pem be present for
normal encryption and decryption of html data transmissions. If it
is needed I don't see where in the sslconf file it is referenced.

Thanks,

Ken


Re: remove passphrase from the key?

2006-03-06 Thread Kyle Hamilton
Please see comments inline with the questions.

On 3/6/06, kloomis [EMAIL PROTECTED] wrote:
> Hello:
>
> I have some directions on how to build a self-signed certificate which
> consists of 5 steps.
> 1) create a key and a request
> 2) Remove the passphrase from the key (optional)
> 3) sign the certificate
> 4) install the cert and the key
> 5) set the SSLConf to point to the cert and the key.
>
> My question is what are the effects of removing the passphrase from key?

No need to enter a passphrase to use the key.  This means that you
don't need to type in (or supply) the passphrase during the startup;
however, if anyone else gets their hands on the privkey.pem file it
means that they can masquerade as you (and listen in on all of your
traffic).

> Is the data still encrypted?

The SSL/TLS session is still encrypted on the wire.  SSL/TLS has never
guaranteed anything beyond the encryption of the data on the wire,
though, so adequate security (possibly including encryption for the
database you query or such) needs to be built into your application as
well.

> Also, does anything in the process need the
> privkey.pem file that is created once the cert and key are created?

Without the privkey.pem, the cert is useless.  The certificate 'binds'
an identity to a public key; however, it only holds the public key,
not the private key.  The nature of the encryption method used is that
it's very difficult to decrypt data encrypted with the private key
without the public key, and very difficult to decrypt data encrypted
with the public key without the private key.

The practical upshot of this is, yes, your apache configuration needs
the privkey.pem file in order to do SSL/TLS at all.


> Thanks,
>
> Ken

-Kyle


Re: remove passphrase from the key?

2006-03-06 Thread Kyle Hamilton
SSLPrivateKeyFile filename

At least that's what it was on older versions of Apache; check the
documentation on mod_ssl for more information.

-Kyle H

On 3/6/06, kloomis [EMAIL PROTECTED] wrote:
> At 11:24 PM 3/6/2006 +0100, you wrote:
>
>>> Also, does anything in the process need the privkey.pem file that is created
>>> once the cert and key are created?
>>
>> privkey.pem is not needed by the process of certificate generation once the
>> request is generated, but you'll need it once you want to use this
>> certificate to authenticate yourself, for example when opening a SSL
>> connection or signing an email.
>> I'm not sure if I did understand your problem, in case I missed please
>> clarify your needs.
>
> Ted, thanks for your reply.
>
> To clarify the above question, once the certificate has been generated and
> signed, is it necessary that the file privkey.pem be present for normal
> encryption and decryption of html data transmissions.  If it is needed I
> don't see where in the sslconf file it is referenced.
>
> Thanks,
>
> Ken


Re: remove passphrase from the key?

2006-03-06 Thread kloomis

At 11:17 PM 3/6/2006 -0700, you wrote:
> The practical upshot of this is, yes, your apache configuration needs
> the privkey.pem file in order to do SSL/TLS at all.
I have myServer.csr, myServer.cert and myServer.key located in ssl.csr,
ssl.crt, and ssl.key respectively. The ssl.conf points to the cert
and the key. There is a privkey.pem in ssl.pem, but there is no
reference in the ssl.conf to it.

I have these settings in the ssl.conf:

# Server Certificate:
SSLCertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/myServer.com.key

# Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf/ssl.crt/myServer.com.cert

Should the private key be the .pem? Is the .key a public key?
Where should it go?  

Ken.

>> Thanks,
>>
>> Ken
>
> -Kyle



remove

2006-02-27 Thread suresh . kumar

- Original Message -
From: Marco GRELLA [EMAIL PROTECTED]
Date: Monday, February 27, 2006 2:29 pm
Subject: Problems with OpenSSL Engine and hashing.

> Hello everybody,
>
> I have a problem in making our OpenSSL Engine that drives our HW
> accelerator work fine for hash (SHA1 in particular).
> The problem seems to be related to my "Digest_Copy" or (less likely)
> "Digest_Cleanup" implementation (I'll explain this further on).
>
> The Engine works fine for the Cipher algorithms (both just operating on
> a file and using s_client/s_server), and works fine for SHA1 when
> operating on a file.
> Trying to run an s_client / s_server session, I noticed that multiple
> contexts are used and the calls to "Digest_Update" function are mixed, so
> I have to maintain coherency in some way.
>
> - 1 -
> The easiest (and quickest) way to do this is to buffer the data that I
> receive at each call to "Digest_Update", for each context, and ask for a
> real hash operation only when I receive the "Digest_Final" for that context.
> Doing in this way, everything is ok, both operating on a single file
> (here only one context is used) and using s_client / s_server (multiple
> contexts).
> In this scenario, in the "Digest_Copy" function I make a "memcopy" of
> the EVP_MD_CTX->md_data field where our data structure sits, and
> moreover I manually allocate and copy the buffer in which I am keeping
> the stored data.
> In the "Digest_Cleanup" I make a "free" of the buffer in which I keep
> the data (it is dynamically allocated) and I set to zero the counters
> used to keep track of its size and actual occupation.
> In this way, as I said, everything works.
>
> - 2 -
> The previous solution is mainly a workaround and has a big disadvantage
> if you want to hash large files or amount of data. So I decided to use
> the capability of our HW accelerator to save and restore the current
> context of the hash block. Here I have some problem, when using s_client
> / s_server. Even if I implement it in the most trivial and
> inefficient way (RESTORE/UPDATE/SAVE at *each* call to update) it does
> not work.
> In this scenario, we have a buffer for the context in our data
> structure. I allocate this buffer at the first call to "Digest_Update",
> obviously not setting the RESTORE flag for this first call.
> I call "free" for this buffer and put it to NULL in the "Digest_Cleanup"
> function and, if this buffer is valid (not null) I copy it in the
> "Digest_Copy" function, by allocating a proper memory area in the "to"
> context.
> If I use this solution on a single file, it works, so the SAVE/RESTORE
> mechanism works fine (and it has been proved elsewhere). But it fails in
> the s_client/s_server test. As the main difference is that here the
> "Digest_Copy" and "Digest_Cleanup" function are called, I suppose the
> problem is here, even if I do not see many differences with the scenario
> number -1-
>
> What am I missing?
> Could you help me?
> Can someone point me to some useful resource or describe me exactly what
> has to be implemented in the Digest_Copy (and Digest_Cleanup) function?
> Or do you know another way to avoid the problem of "mixed context"? I mean:
> sha1_init(ctx_A)
> sha1_update(ctx_A)
> sha1_init(ctx_B)
> sha1_update(ctx_B)
> sha1_update(ctx_A)
>
> Thank you very much and best regards,
> Marco Grella



Please remove me from the mailing list.

2005-06-28 Thread John LaRocka


Thanks,
John




How to change/remove p12 file password

2005-01-12 Thread Jaleel P.A
Hi,

I have a p12 file in which the private key is password protected. I want to
remove the private key password.

Is there any option in openssl to change/remove the p12's private key
password ?

Thanks




Re: How to change/remove p12 file password

2005-01-12 Thread Dr. Stephen Henson
On Wed, Jan 12, 2005, Jaleel P.A wrote:

> Hi,
>
> I have a p12 file in which the private key is password protected. I want to
> remove the private key password.
>
> Is there any option in openssl to change/remove the p12's private key
> password ?

Currently you have to parse and recreate the PKCS#12 file. There is a function
to change a PKCS#12 file password but it's not currently available from the
command line utility.

As for removing the password, that can be done. The password however
doesn't just belong to the private key, it can apply to certificates and an
integrity check too using a mac.

There are three different ways to remove the password:

1. Keep encryption and macs but have a NULL password.
2. Keep encryption and macs but have a zero length password.
3. Don't encrypt anything and don't have a mac.

The first two can be done with any version of OpenSSL, the last one only with
0.9.8-dev.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


REMOVE

2004-08-24 Thread Kevin Eppinger

REMOVE


Remove

2004-08-04 Thread Jaffer Derwish

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 11:03 AM
Subject: Remove


 
 
 
 
> REMOVE
>
> Thanks,
> GuruGnanam Subramanian,
> iNautix Technologies, Chennai, India
> Tel: 91-44-2254 6000  Ext: 1099
 


remove

2004-08-04 Thread kuba

---
When in doubt, use brute force.
--Ken Thompson
~~~

