[openssl.org #258] ssl3_output_cert_chain

It seems possible that for certain very long certificate chains the length will exceed the maximum ssl record length (16384). While this appears to be very unlikely the code could be buggy. Any thoughts? __ OpenSSL Project

ssl3_output_cert_chain

It seems possible that for certain very long certificate chains the length will exceed the maximum ssl record length (16384). While this appears to be very unlikely the code could be buggy. Any thoughts? __ OpenSSL Project

[openssl.org #254] pem_lib.c

The following is a patch for crypto/pem/pem_lib.c on openssl-0.9.6g 408,409c408,412 < memset(data,0,(unsigned int)dsize); < OPENSSL_free(data); --- > if (data) > { > memset(data,0,(unsigned int)dsize); > OPENSSL_free(data); > } This is because it is p

pem_lib.c

The following is a patch for crypto/pem/pem_lib.c on openssl-0.9.6g 408,409c408,412 < memset(data,0,(unsigned int)dsize); < OPENSSL_free(data); --- > if (data) > { > memset(data,0,(unsigned int)dsize); > OPENSSL_free(data); > } This is because it is po

Re: [openssl.org #210] 0.9.6g: apps/openssl: argument parsing errors wh dynamically

"Richard Levitte via RT" <[EMAIL PROTECTED]> (2002-08-11 21:38:11) wrote: > > The 'openssl ' command produces incorrect results when > > linked dynamically against the (newly created) libssl.so.0.9.6, > > libcrypto.so.0.9.6. It seems to ignore the selected hash algorithm > > and displays the md

[openssl.org #210] 0.9.6g: apps/openssl: argument parsing errors when linked dynamically

The 'openssl ' command produces incorrect results when linked dynamically against the (newly created) libssl.so.0.9.6, libcrypto.so.0.9.6. It seems to ignore the selected hash algorithm and displays the md5 hash instead. $ ./openssl version OpenSSL 0.9.6g [engine] 9 Aug 2002 $ ldd ./openssl

[no subject]

I am trying to compile openssl to VC 6.0 (SP5) on W2000 the test fails on cl /Fotmp32dll\ec_mult.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 / Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIA N -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32

0.9.6c: 'make' at top level dir will not recreate deleted libssl.a libcrypto.a

OpenSSL self-test report: OpenSSL version: 0.9.6c Last change: Fix BN_rand_range bug pointed out by Dominikus Scherkl... OS (uname): Linux pc 2.4.16 #1 Sat Dec 15 21:20:55 GMT 2001 i586 unknown OS (config): i586-whatever-linux2 Target (default): linux-elf Target: linux-

Re: HP-UX shared lib support

Lutz Jaenicke wrote: > After having applied the patch and recompiled the necessary items, > I am now proud owner of both a +O3 +Oall and a +O4 +Oall share library set. It might be interesting to also try it with and without BN_LLONG defined. If you're running HPUX 10.X then you don't have "native

Re: Verisign acquisition of Thawte

Massimiliano Pala wrote: > I do have contacts with the ICE-CAR root CA peple. We can get a certificate > there for free and start from there using the OpenCA software. It would be better to start from a root CA that is in Netscape and IE by default. ICE-CAR is not, is it? Or, considering the lo

Re: RC4 tune-up

Andy Polyakov <[EMAIL PROTECTED]> wrote: > i.e. my suggestion is to replace +O4 with +O3 +Oprocelim or simply +O3 > in next release. And of course I appreciate if you could throw RC4_CHUNK > at the snapshot and post output from 'apps/openssl speed rc4'... Of > course provided that +O3 works:-) Us

Re: support for HPUX11 on 32/64 bit machine

"Peter Huang" <[EMAIL PROTECTED]> wrote: > the default autoconf for openssl on HPUX11 give a compiler flag of = > +DA2.0. this flag will compile the openssl > library in 64-bit mode which can't be used by apache (32bit). The = > correct compiler flag should be +DAportable > so CC will genera

Re: OpenSSL v 0.9.4 compile problem on WinNT

Bodo Moeller <[EMAIL PROTECTED]> wrote: > Taking into account the problems for VMS that Richard Levitte mentioned, > I think we should put obj_dat.h back in the distribution. And instead fix obj_dat.pl or objects.h so the compression objects are sorted correctly. A fix for objects.h was posted r

Re: Bug on 9000/879-hp-hpux10

Even Holen <[EMAIL PROTECTED]> wrote: > ucomp : >Error at line 0 : memory exhausted at 65536 Kbytes; try increasing > swap space or the maxdsiz kernel parameter (8203) > *** Error exit code 254 Yup, HPUX ships with a per-process data size limit of 64MB. Pretty silly, huh? Increase the maxd

Re: (autoconf cometh?!)

[EMAIL PROTECTED] (William M. Perry) wrote: > We also use libtool to build all of our stuff as shared libraries when > possible. You're not the first to suggest libtool. Wasn't there some license conflict with it that meant we couldn't use it? > So my question is: would people be willing to thr

libRSAglue.a not installed

"make install" does not install libRSAglue.a __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager

Re: cvs commit: openssl/util libeay.num

On Mon, Jun 28, 1999 at 10:12:06AM +0200, Arne Ansper wrote: >> This depends on how you define "properly written", obviously. > yes. but in order to make the OpenSSLifying of existing applications > simpler, it would be nice to follow the semantics of normal socket calls. This, however, can wor

[STATUS] OpenSSL (Sun 27-Jun-1999)

OpenSSL STATUS Last modified at __ $Date: 1999/06/08 17:57:49 $ DEVELOPMENT STATE o OpenSSL 0.9.4: Under development... o OpenSSL 0.9.3a: Released on May 29th, 1999 o OpenSSL 0.9.3: Released on May

Re: Bug in make file creation; doc inconsistency

"Zot O'Connor" <[EMAIL PROTECTED]>: > The docs reference CygWin32 and Mingw32. It *seems* both work, but they > are not consistent. Specifically the perl Configure command in > install.win32 doesn't mention how to run for pure Cygnus. > > The only differences I see between then is: > > "CygWi

Re: default to cc instead of gcc?

[EMAIL PROTECTED] writes: > > "Mixmaster" == Mixmaster <[EMAIL PROTECTED]> writes: > > Mixmaster> It looks like cc is now preferred over gcc on the most common platforms > Mixmaster> where both might be available (like Solaris and HPUX), and that systems > Mixmaster> where gcc is better wil

Re: default to cc instead of gcc?

> "Mixmaster" == Mixmaster <[EMAIL PROTECTED]> writes: Mixmaster> It looks like cc is now preferred over gcc on the most common platforms Mixmaster> where both might be available (like Solaris and HPUX), and that systems Mixmaster> where gcc is better will either have it aliased to cc or wil

Creating and self signing an X509 Cert?

Hi there folks! I was wondering if someone could help me out in creating an x509 cert and self signing it.? This is how I tried to do it: --Made DSA --Created key pair --Created x509 cert --stuffed pub key in the x509 cert --stuffed misc. info into cert -- name, etc.. --signed the cert with its pr

How to convert MULTILINE Netscape SPKAC to SINGLELINE SPKAC string?

HI! Does anybody know how to convert multiline NETSCAPE SPKAC string to singlline NETSCAPE SPKAC string? For next use with openssl ( openssl -spkac spkac.reg out new.req ) Tahanks you Ivo MACHULDA __ OpenSSL Project

Re: Buglet in dsa_sign.c

Bodo Moeller schrieb: > > Thanks for pointing this out. After verifying that fix I found > another memory hole, and noticed that the openssl.c application did > not really enable memory hole checks (CRYPTO_MEM_CHECK_ON should be > ..._ENABLE) -- does anyone know what reason this could have? See

Re: CRL Reason Code

Dror Otmi wrote: > > > > >> Is there a way to add the revocation reason code to a CRL generated > by > >> OpenSSL??? > >> > > >Not using "openssl ca -gencrl" generated CRLs: this would need a couple > > >of extra fields in the text database. > > >If you are generating CRLs in some other way th

Re: CRL Reason Code

> >> Is there a way to add the revocation reason code to a CRL generated by >> OpenSSL??? >> >Not using "openssl ca -gencrl" generated CRLs: this would need a couple >of extra fields in the text database. >If you are generating CRLs in some other way then you can use the >extension code to manu

Buglet in dsa_sign.c

Hi, I've noticed that there is a memory leak in dsa_sign.c The BN* kinv is not being freed before the function exits; inserting the line BN_clear_free(kinv); at line 128 of dsa_sign.c (at t'bottom of function DSA_do_sign()) fixes it. Chad.

Re: certificate_authorities in CertificateRequest message

Roger Bodén <[EMAIL PROTECTED]>: > Our application can have several certificates to use when acting as an > SSL client. In order to choose the right certificate for each connection > we intend to set a callback using SSL_CTX_set_client_cert_cb that will > return the private key and certificate to

Re: Request verification failure

Holger Reif wrote: > > Dr Stephen Henson schrieb: > > > > One is to note the original encoding and then compare it with what we > > think it should be. If they match then fair enough: we can discard the > > original, if they don't match then the original encoding is retained for > > signature ver

Re: certificate_authorities in CertificateRequest message

Hallo, Sorry, forget this mail. (Was a reply to another one...) At 10:48 24.06.99 +0200, you wrote: >At 09:58 24.06.99 +0200, you wrote: >>Hi, >Hallo, > >>Our application can have several certificates to use when acting as an >>SSL client. In order to choose the right certificate for each connec

Re: certificate_authorities in CertificateRequest message

At 09:58 24.06.99 +0200, you wrote: >Hi, Hallo, >Our application can have several certificates to use when acting as an >SSL client. In order to choose the right certificate for each connection >we intend to set a callback using SSL_CTX_set_client_cert_cb that will >return the private key and cer

certificate_authorities in CertificateRequest message

Hi, Our application can have several certificates to use when acting as an SSL client. In order to choose the right certificate for each connection we intend to set a callback using SSL_CTX_set_client_cert_cb that will return the private key and certificate to use. In this callback we need to acc

0.9.3a installation failures

Hello, I just downloaded OpenSSL0.9.3a version. The installation failed. The following is the output from './config -t' and the error message in 'make'. Thanks, -Renjie ### ### # output for config -t Operating system: sun

default to cc instead of gcc?

It looks like cc is now preferred over gcc on the most common platforms where both might be available (like Solaris and HPUX), and that systems where gcc is better will either have it aliased to cc or will not have cc at all. Should config look for cc first and gcc second, instead of the other wa

Re: Request verification failure

Dr Stephen Henson schrieb: > > One is to note the original encoding and then compare it with what we > think it should be. If they match then fair enough: we can discard the > original, if they don't match then the original encoding is retained for > signature verification. > > There are a few c

Re: Info about benchmark?

Did you had a look at apps/speed.c? Yuriy Stul schrieb: > > Hi there! > > Can anyone tell me where I may get benchmark information about different cipher > algorithms. > > Thanks in advance. > > Regards > Yuriy Stul > > > _

Info about benchmark?

Hi there! Can anyone tell me where I may get benchmark information about different cipher algorithms. Thanks in advance. Regards Yuriy Stul __ OpenSSL Project

Re: CRL Reason Code

Dror Otmi wrote: > > Is there a way to add the revocation reason code to a CRL generated by > OpenSSL??? > Not using "openssl ca -gencrl" generated CRLs: this would need a couple of extra fields in the text database. If you are generating CRLs in some other way then you can use the extension c

RE: Request verification failure

DER had a specific purpose, probably application relays. It was specified for signatures because they are signed and it made some sense to do this. But a great many players have been unable to create correct DER encodings. The only possible rule (TM) must be to create DER but accept BER. Ron. >

RE: Request verification failure

I don't think there will ever be a 'correct' solution. As time goes on it appears that more and more attributes will be added to certificates with a diminishing probability of correctness. (Those adding the attributes can claim they received them in bad order.) The only appropriate behaviour is t

Re: openssl app patch

Jonathan Mayer wrote: > > > I have a patch for the openssl app that enables some command-line options > > to make openssl completely non-interactive. I've found this to be of > > value. > > I've been told this mailing list is the right place for it, so here it is: > Hmmm, this is the kind of

Re: openssl app patch

> I have a patch for the openssl app that enables some command-line options > to make openssl completely non-interactive. I've found this to be of > value. I've been told this mailing list is the right place for it, so here it is: diff -u --recursive --new-file old/openssl-0.9.3a/apps/MagicPass

Re: Request verification failure

Ben Laurie wrote: > > Dr Stephen Henson wrote: > > > > Ben Laurie wrote: > > > > > > Holger Reif wrote: > > > > > > > > Dr Stephen Henson schrieb: > > > > > > > > > > Hmmm. A similar could happen with the PKCS#7 and certificate routines: > > > > > some PKCS#7 implementations don't correctly sort

Re: Request verification failure

Dr Stephen Henson wrote: > > Ben Laurie wrote: > > > > Holger Reif wrote: > > > > > > Dr Stephen Henson schrieb: > > > > > > > > Hmmm. A similar could happen with the PKCS#7 and certificate routines: > > > > some PKCS#7 implementations don't correctly sort authenticated > > > > attributes and som

Re: Request verification failure

Ben Laurie wrote: > > Holger Reif wrote: > > > > Dr Stephen Henson schrieb: > > > > > > Hmmm. A similar could happen with the PKCS#7 and certificate routines: > > > some PKCS#7 implementations don't correctly sort authenticated > > > attributes and some certificates are filled with horrible stuff

Re: Request verification failure

On Wed, Jun 23, 1999 at 09:57:17AM +0100, Ben Laurie wrote: > Holger Reif: >> Dr Stephen Henson: >>> [...] The usual workaround is to verify the >>> signature on the original data or order rather than a re-encoded version >>> of it: this is done in a few places already. >>

Re: openssl app patch

Jonathan Mayer wrote: > > Hello, > > I have a patch for the openssl app that enables some command-line options > to make openssl completely non-interactive. I've found this to be of > value. > > Who can I send my patch to for consideration for integration? Send it to this list. Cheers, Ben.

Re: Request verification failure

Holger Reif wrote: > > Dr Stephen Henson schrieb: > > > > Hmmm. A similar could happen with the PKCS#7 and certificate routines: > > some PKCS#7 implementations don't correctly sort authenticated > > attributes and some certificates are filled with horrible stuff like > > indefinite length encodi

Re: Request verification failure

Dr Stephen Henson wrote: > > Bodo Moeller wrote: > > > > >>> As you asked I send you two of those > > >>> requests that pass the verification test of SSLeay 0.8.1 but not of > > >>> OpenSSL 0.9.2b and higher (I didn't test the versions in between). > > > > >> I

can't get ELF-libraries with FreeBSD R3.1.0

Hello people, I have troubles with openssl-0.9.3a on FreeBSD 3.1-RELEASE - can't create shared (ELF) library - only static (but too big to use) What can I do? Details: *** OpenSSL Details *** OpenSSL 0.9.3a 29 May 1999 built on: ÐÎ 21 ÉÀÎ 1999 09:43:50 MSD platform: FreeBSD-elf options: bn(64

CRL Reason Code

Is there a way to add the revocation reason code to a CRL generated by OpenSSL??? Thanks in advanced Dror begin:vcard n:Otmi;Dror tel;home:041/2404310 tel;work:041/7571588 x-mozilla-html:FALSE adr:;; version:2.1 email;internet:[EMAIL PROTECTED] fn:Dror Otmi end:vcard

RE: Bug in decoding negative ASN1 integers?

Hi, Brien, I stumbled across the same bug and reported it on May 12th. Stephen Henson replied: ... Ouch! Negative ASN1 INTEGERs are pretty rare so this mustn't have been checked too closely. Anyway the problem seems to be that the ASN1 negative INTEGER encoding stuff is completely broken. I'll

Bug with spurious assembly code generation on solaris x86

When attempting to compile OpenSSL 0.9.3a on solaris x86 2.6 I found that compilation failed in crypto/sha/sha_dgst.c with the following error: gcc -I.. -I../../include -DTHREADS -D_REENTRANT -Wall -DL_ENDIAN -c sha_dgst.c Assembler: sha_dgst.c aline 425 : Illegal mnemonic a

Re: Request verification failure

Dr Stephen Henson schrieb: > > Hmmm. A similar could happen with the PKCS#7 and certificate routines: > some PKCS#7 implementations don't correctly sort authenticated > attributes and some certificates are filled with horrible stuff like > indefinite length encoding. The usual workaround is to ver

Re: cvs commit: openssl/util libeay.num

On Mon, 21 Jun 1999, Bodo Moeller wrote: > It will work with the current implementation (but only if the > applications don't do too stupid things, such as point to a buffer > with different contents); but this may change. if the application does stupid things (i.e. does not check return val

Unable to apply mod_ssl to apache

    Hi,   I was applying mod_ssl to Apache by running 'configure.bat' provided in mod_ssl-2.3.3-1.3.6. I am getting an error "Bad file descriptor at configure.bat line 202". At line 202 in configure.bat is -   open(FP, "$patch --forward --directory=$apache &1|") || die "$!";   I am not famil

Re: Request verification failure

Dr Stephen Henson <[EMAIL PROTECTED]> wrote: >Hmmm. A similar could happen with the PKCS#7 and certificate routines: >some PKCS#7 implementations don't correctly sort authenticated >attributes and some certificates are filled with horrible stuff like >indefinite length encoding. The usual workaro

Re: Request verification failure

Bodo Moeller wrote: > > >>> As you asked I send you two of those > >>> requests that pass the verification test of SSLeay 0.8.1 but not of > >>> OpenSSL 0.9.2b and higher (I didn't test the versions in between). > > >> I tested DrorReq.pem with SSLeay 0.8.1b (

Re: Request verification failure

>>> As you asked I send you two of those >>> requests that pass the verification test of SSLeay 0.8.1 but not of >>> OpenSSL 0.9.2b and higher (I didn't test the versions in between). >> I tested DrorReq.pem with SSLeay 0.8.1b (which, I think, is like 0.8.1 >>

Re: X509V3_EXT prototype problems

Daniel Lanz wrote: > > I have found a problem in the function prototype typedefs for four > of the X509V3_EXT functions in crypto/x509v3/x509v3.h . > The parameter lists for the functions typdef'd (below) are left > undefined. This causes problems when you crank up the > debug level on a C compi

X509V3_EXT prototype problems

I have found a problem in the function prototype typedefs for four of the X509V3_EXT functions in crypto/x509v3/x509v3.h . The parameter lists for the functions typdef'd (below) are left undefined. This causes problems when you crank up the debug level on a C compiler or compile with mixed C++ co

Re: Request verification failure

>> As you asked I send you two of those >> requests that pass the verification test of SSLeay 0.8.1 but not of >> OpenSSL 0.9.2b and higher (I didn't test the versions in between). >I tested DrorReq.pem with SSLeay 0.8.1b (which, I think, is like 0.8.1 >except

Re: cvs commit: openssl/util libeay.num

Arne Ansper <[EMAIL PROTECTED]>: [...] > i proposed to remove input parameter check from ssl/s2_pkt.c write_pending > and ssl/s3_pkt.c ssl3_write_pending functions. there was a discussion > about it back in January. [...] > if ((s->s3->wpend_tot > (int)len) || (s->s3->wpend_buf != buf) >

Re: cvs commit: openssl/util libeay.num

> Damn. I thought I'd applied all your patches. Are there any others I > missed? i proposed to remove input parameter check from ssl/s2_pkt.c write_pending and ssl/s3_pkt.c ssl3_write_pending functions. there was a discussion about it back in January. snipet from original message: 8) ssl/s2_

Connecting via socket using SSL and PERL

I have a basic question using PERL for connecting to a socket and communicating with a credit card authorization gateway (but maintaining the SSL data integrity). I have read several documents on SSLeay (including the FAQ and Programmers reference), but I am still having some difficulty. Here is

Re: cvs commit: openssl/util libeay.num

Arne Ansper wrote: > > > New functions CONF_load_bio() and CONF_load_fp() to load a configuration > > file from a bio or fp. Added some more constification to the BN library. > > i added write, delete and save functions + ability to use BIO's to CONF > module long time ago and sent a patch t

Re: 0.9.3a fails one test on FreeBSD 2.2.7

On Sun, Jun 20, 1999, Bodo Moeller wrote: > On Sat, Jun 19, 1999 at 07:50:33PM -0700, Claus Assmann wrote: > > OpenSSL 0.9.3a 29 May 1999 fails on FreeBSD 2.2.7-RELEASE > > test sslv2 with client authentication > > client authentication > > ERROR in SERVER > > 9058:error:140710C7:SSL routines:RE

Re: cvs commit: openssl/util libeay.num

> New functions CONF_load_bio() and CONF_load_fp() to load a configuration > file from a bio or fp. Added some more constification to the BN library. i added write, delete and save functions + ability to use BIO's to CONF module long time ago and sent a patch to Ben too. too bad you had to

Re: 0.9.3a fails one test on FreeBSD 2.2.7

On Sat, Jun 19, 1999 at 07:50:33PM -0700, Claus Assmann wrote: > OpenSSL 0.9.3a 29 May 1999 fails on FreeBSD 2.2.7-RELEASE > one test: > > test sslv2 with client authentication > client authentication > ERROR in SERVER > 9058:error:140710C7:SSL routines:REQUEST_CERTIFICATE:peer did not return a

[STATUS] OpenSSL (Sun 20-Jun-1999)

OpenSSL STATUS Last modified at __ $Date: 1999/06/08 17:57:49 $ DEVELOPMENT STATE o OpenSSL 0.9.4: Under development... o OpenSSL 0.9.3a: Released on May 29th, 1999 o OpenSSL 0.9.3: Released on May

0.9.3a fails one test on FreeBSD 2.2.7

OpenSSL 0.9.3a 29 May 1999 fails on FreeBSD 2.2.7-RELEASE one test: test sslv2 with client authentication client authentication ERROR in SERVER 9058:error:140710C7:SSL routines:REQUEST_CERTIFICATE:peer did not return a certificate:s2_srvr.c:838: further information: built on: Sat Jun 19 19:36:

Re: Request verification failure

On Fri, Jun 18, 1999 at 09:54:27AM +0200, Dror Otmi wrote: > As you asked I send you two of those > requests that pass the verification test of SSLeay 0.8.1 but not of > OpenSSL 0.9.2b and higher (I didn't test the versions in between). I tested DrorReq.pem wi

cray t3e problem

> If a test fails, try removing any compiler optimization flags from > the CFLAGS line in Makefile.ssl and run "make clean; make". Please > send a bug report to <[EMAIL PROTECTED]>, including the > output of "openssl version -a" and of the failed test. I compiled OpenSSL on an Army-owned Cray T3E

Request verification failure

Hi Thank you Bodo for the fast answer. As you asked I send you two of those requests that pass the verification test of SSLeay 0.8.1 but not of OpenSSL 0.9.2b and higher (I didn't test the versions in between). Thanks in advanced. Dror Otmi RafiReq.pem DrorReq.pem begin:vcard n:Otmi;Dror

RSA cert "sign only extension"

This is from X509_certificate_type() in x509type.c: switch (pk->type) { case EVP_PKEY_RSA: ret=EVP_PK_RSA|EVP_PKT_SIGN; /* if (!sign only extension) */ ret|=EVP_PKT_ENC; Is there an intention to alter this routine so that an RSA public key can b

RE: Adding parameters to passphrase callbacks.

> -Original Message- > From: Ben Laurie [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, June 15, 1999 5:35 AM > To: [EMAIL PROTECTED] > Subject: Re: Adding parameters to passphrase callbacks. > > > Bodo Moeller wrote: > > > > "Wade L. Scholine" <[EMAIL PROTECTED]>: > > > > > An alternati

Re: what happened to SSLeay_add_ssl_algorithms() in 0.9.3

On Wed, Jun 16, 1999 at 10:16:17AM +0200, Andy Hofmann wrote: > does the function SSLeay_add_ssl_algorithms() in the newest release of > openssl not exists anymore? This must have been changed quite some time ago (in SSLeay), but SSLeay_add_ssl_algorithm does exist; however not as a function, bu

Re: advice needed

On Wed, Jun 16, 1999 at 08:47:39AM +0200, Martin Hallerdal wrote: > So according to you, knowing just the secret key of the server wouldn't be > sufficient to decrypt the data without using brute force? I did not say that, because I was assuming that the server's secret key would not be known to

"Y2K bug" in 0.9.3.a?

Hello, There seemes to be a kind of Y2K bug in openssl: The function X509_cmp_current_time in x509_vfy.c doesn't make a difference between UTCTIME and GENERALIZEDTIME formats, so certifcates with a 4-digit year representation won't be verified correctly (like: format error in "notBefore" field),

RE: Key generation for DES

Take a look at the function PEM_ASN1_read_bio in pem_lib.c, and more specially at the lines if (!PEM_get_EVP_CIPHER_INFO(header,&cipher)) goto err; if (!PEM_do_header(&cipher,data,&len,cb)) goto err; The first line intitializes the cipher from a PEM header like yours. The second

return values of ssl_connect()

hi where can i get the meaning of the return-values of the ssl_connect-function. i guess that 0 stands for a failed connect and everything bigger than zero could be for a successfull ssl_connect to the specified server! thanks in advance andy hofmann

Key generation for DES

Hi there! I would like to use X509 certificates generated by ssleay/openssl within a Java application I am writing. Of course the corresponding private keys should be encrypted. Now my problem is how do I get the right DES key from the information stored in the private key file and the users pass

RE: advice needed

Due to the nature of SSL/TLS protocol you shouldn't be able to obtain server's secret key in plain form. During handshake, in client key exchange phase the premaster secret is sent, from which both server and client encryption keys are derived. But premaster secret is encrypted with public key of

Re: Adding parameters to passphrase callbacks.

Bodo Moeller wrote: > > On Tue, Jun 15, 1999 at 05:37:27PM +0100, Ben Laurie wrote: > > > Under Windoze, callbacks are traditionally declared with CALLBACK in the > > prototype, which, I think, uses Pascal linkage (the afore-mentioned > > "non-C" calling convention). > > But many of the callbac

return values of ssl_connect()

hello where to get return values of ssl_connect() ? i guess that 0 is for a failed ssl_connect and everything bigger than 0 is for a succesfull connect? but i am not sure about it! thanks in advance andy hofmann __ OpenSSL

what happened to SSLeay_add_ssl_algorithms() in 0.9.3

hi does the function SSLeay_add_ssl_algorithms() in the newest release of openssl not exists anymore? andy hofmann __ OpenSSL Project http://www.openssl.org Development Mailing List

RE: advice needed

What secret key? The private PKI key (e.g. a RSA key) or the session symmetric key shared by both parties? The first one is just used during the handshake for authentication and key exchange purposes. All data packets are encrypted with the session symmetric key. But as I said previously, you nee

RE: advice needed

So according to you, knowing just the secret key of the server wouldn't be sufficient to decrypt the data without using brute force? > -Original Message- > From: Bodo Moeller [SMTP:[EMAIL PROTECTED]] > Sent: Tuesday, June 15, 1999 5:46 PM > To: [EMAIL PROTECTED] > Subject: Re: advi

Hello context

Sorry for the re-post. I have heard that there is a context sent along with a client hello message and that most browsers include the URL they are requesting. Is this true? If it is, could someone please explain it in a little more detail? Thanks -tim __

Re: memory leak about SSL_load_error_strings

On Tue, Jun 15, 1999 at 08:38:25PM +0200, Bodo Moeller wrote: > On Tue, Jun 15, 1999 at 02:06:34PM -0400, Timothy Canfield wrote: >> I have heard that there is a context sent along with a client hello >> message and that most browsers include the URL they are requesting. Is >> this true? > It i

Re: memory leak about SSL_load_error_strings

On Tue, Jun 15, 1999 at 02:06:34PM -0400, Timothy Canfield wrote: > I have heard that there is a context sent along with a client hello > message and that most browsers include the URL they are requesting. Is > this true? It is as accurate as the "Subject" line of your message. > If it is, cou

Re: Adding parameters to passphrase callbacks.

On Tue, Jun 15, 1999 at 05:37:27PM +0100, Ben Laurie wrote: > Under Windoze, callbacks are traditionally declared with CALLBACK in the > prototype, which, I think, uses Pascal linkage (the afore-mentioned > "non-C" calling convention). But many of the callback pointers in OpenSSL have just "int

Re: memory leak about SSL_load_error_strings

Michael, Try calling ERR_free_strings(). I believe this would clean up most of the memory allocated from SSL_load_error_strings. Tri Michael Bai wrote: > > SSL_load_error_strings dynamically alloc some memory, > but I can not find a function to free this memory > > ___

Re: memory leak about SSL_load_error_strings

I have heard that there is a context sent along with a client hello message and that most browsers include the URL they are requesting. Is this true? If it is, could someone please explain it in a little more detail? Thanks -tim ___

RE: advice needed

Yes, all the compression/cipher spec are transmitted in clear during the handshake phase and that can give some information to an attacker like the use of "fool" ciphers (40 bits). It is also in that phase that the master key is secretely negiotiated between the two parties (thanks to a key exc

Re: Adding parameters to passphrase callbacks.

Bodo Moeller wrote: > The callback function is not dynamically linked, it is passed as a > function pointer. The functions that *take* such a function parameter > will be dynamically linked, but if we have two versions of them (a new > one with _ex suffix, and the old one with the same prototype

Re: advice needed

On Tue, Jun 15, 1999 at 04:54:40PM +0200, Pierre De Boeck wrote: > I think your concept of SSL/TLS sniffer is not realistic > in a general way, for the following reasons: > > - the packets transmitted between a client and a server have submitted > a set of "transformations" (fragme

Re: Problem with DES cipher?

On Tue, Jun 15, 1999 at 01:22:29PM +0200, Erwann ABALEA wrote: > Something strange happens when I try to encrypt some data using the > 'openssl enc' tool... [...] always 1 block larger... (or course, if > I start with a 7 bytes file, I end with an 8 bytes file, that's > normal). Is the padding

Re: memory leak about SSL_load_error_strings

On Tue, Jun 15, 1999 at 04:46:52PM +0800, Michael Bai wrote: > SSL_load_error_strings dynamically alloc some memory, > but I can not find a function to free this memory Try ERR_free_strings (declared in openssl/err.h, defined in crypto/err/err.c). __

RE: advice needed

I think your concept of SSL/TLS sniffer is not realistic in a general way, for the following reasons: - the packets transmitted between a client and a server have submitted a set of "transformations" (fragmentation, compression(optional)+ encryption(optional)+"MACed")

  1   2   >