should be avoided (there are some attacks known against SSL v2.0).
Best Regards & Good luck,
David Maurus
Jason A. Pfeil wrote:
Greetings List!
My apologies for cross-posting this request, however since I have
received exactly zero replies to this or my previous message, I fear that
my choice o
Richard,
sorry for not answering before - I assumed that my position on this was
clear ;-). The code does exactly what I'd propose and what I consider to
be the best trade off.
I'd like to point out again that we should not forget to think of the
usage restrictions of counter mode, should some
Michael Sierchio wrote:
Completely. If we have confidence in the cipher and the secrecy
of the key, make the "nonce" all zeroes. There's good reason for not
doing this in the case of IPsec, but not for SSL/TLS.
In theory, you may be right ;-). But: For one, I think that it can't
hurt NOT to h
Götz Babin-Ebell wrote:
The application specifies 4 datas:
1. a step size
2. a bit mask.
3. a (optional) pointer to a function that is called if the
step bits that are not in the bit mask:
4. a (optional) pointer to a function doing the counting;
> if (pCounter->Range)
> return pCounter->Range(pCo
Steven,
Stephen Sprunk wrote:
Thus spake "David Maurus" <[EMAIL PROTECTED]>
I assume that 'number /nonce/' should mean the result of the
concatenated parts of the IV.
No, in the proposal to NIST (by Lipmaa, Rogaway and Wagner), 'nonce' refers
to the
Stephen Sprunk wrote:
In the specification of CTR mode, as proposed for AES, you will find the
statement "The number /nonce/ is incremented following each encryption." I
interpreted this to mean that the top 2^64 bits are to be incremented for
each successive block, and this is how I implemented
Michael Sierchio wrote:
Using AES Counter Mode With IPsec ESP - This mandates a 32-bit counter,
requiring rekeying after 2^48 octets of stream material.
Ah, this is interesting. Considering that OpenSSL is not only used for
SSL / TLS encryption, and the mentioned RFC proposes to use a 32 bit
cou
Thierry Boivin <[EMAIL PROTECTED]> said:
Thierry.Boivin> My understanding of this one (in a practical perspective) is:
Thierry.Boivin> calling programs maintain a 64 bit long nonce counter.
This is not correct - to quote from the (btw excellent) new book from Bruce
Schneier and Niels Ferguss
f the server expects one
* To further debug this problem, I'd suggest you run Eric Rescorla's SSLdump
[ http://www.rtfm.com/ssldump/ ] to analyse what's actually going on in the
handshake. I found this tool very useful.
Bes
Disclaimer: I can't by any means give an authoritative answer, since I am not part
of the development team
But I think you should consider the following:
- if you are in the US, you should send every source code contribution in CC to
[EMAIL PROTECTED]
- I think that it's not so nice to include you
pport for more ciphering types in the CipherSpec.
Warning: The ability to send Version 2.0 client hello messages will be
phased out with all due haste. Implementors should make every
effort to move forward as quickly as possible. Version 3.0
provides better mechanisms for moving to newer versi
5B 71 3F 71 BF 02 1A 64 DF F4 6D AC A3 l..[q?q...d..m..
> 0010: 93 43 00 73 1C .C.s.
> main, READ: SSL v3.1 Application Data, length = 21
> Plaintext after DECRYPTION: len = 21
> : 64 AE 26 F2 DF A
"Mark W. Webb" wrote:
> I am working on an application that will implement PKI between a server
> and a client.
That sentence is somewhat wrong: between clients and servers (i.e. 2
computers) you will need to use a protocol they adhere to when speaking to
each other. PKI (Public Key Infrastructu
ake install it. Then you'll find these libraries in the lib
subdirectory of your ssl install directory (you can set this directory
with the --prefix option of ./configure)
Best Regards,
David Maurus
cess - I found the cause for a BAD RECORD MAC
SSL error sent in the server hello msg, after my JSSE SSL client sent an
incorrect finish msg...
Best Regards,
David Maurus
Leonid Frog wrote:
> I am trying to run test.bat file and I am getting error messages which
> refer to *.pem files in CERT folder.
> Do you have any idea where I can find names of PEM files which has to be in
> CERT folder so I can compare it to what I have? Thanks a lot for your
> help.
enSSL-Directory (type "perl
Configure VC-WIN32" at the command prompt, etc.).
You can find some documentation on how to use OpenSSL here:
http://www.openssl.org/docs/
There's a lot you can do with the commandline utility openssl, and even more when you
link to the libraries.
- Dav