Hi all,
we are facing a weird problem that we started to notice recently and we
could not really find the source of the issue. The issue presented
itself when starting using OpenSSL v1.0.1p (upgrading from v1.0.1m) in
TLS connections. We started noticing the following error:
effort.
Any comments and feedback are welcome (positive and negative alike).
Cheers,
Max
Forwarded Message
Subject:[saag] Standard Crypto API + Symmetric Crypto At Rest
Date: Sat, 7 Nov 2015 22:30:35 +0900
From: Massimiliano Pala <direc...@openca.org>
Organi
That's right - I missed that (my bad!). Thanks.
Cheers,
Max
On 7/22/14, 7:02 PM, Viktor Dukhovni wrote:
On Tue, Jul 22, 2014 at 09:37:13AM -0400, Massimiliano Pala wrote:
working on porting my libpki implementation (based on OpenSSL) to MacOS I
found out an issue that is not really related
Hi all,
working on porting my libpki implementation (based on OpenSSL) to MacOS
I found out an issue that is not really related to the code itself but
the distributed version in the SDK.
In particular, I found out that several functions' signatures have been
altered in their return codes.
Hi all,
working on porting my LibPKI implementation (based on OpenSSL) to MacOS
I found out an issue that is not really related to the code itself but
the distributed version in the SDK.
In particular, I found out that several functions' signatures have been
altered in their return codes.
Hello,
it seems that there are two different encoding versions when encoding
EC keys. In particular, if using the EVP_PKEY_() the version is set to
0 - and that is incompatible with software other than OpenSSL.
Here's an example:
-----BEGIN PRIVATE KEY-----
, x->pkey.ec, enc, kstr, klen, cb,
u);
break;
default:
ret = 0;
};
...
This encodes the key correctly.
If there is a more elegant way to solve the issue.. let me know :D
Best,
Max
On 03/27/2011 06:03 PM, Massimiliano Pala wrote:
Hello,
it seems that there are two
Hello guys,
do you know what are the real effects of the EC_KEY_set_enc_flags()
function ? I tried to use it to force the implicitCurve type of
encoding in a cert.. but it did not work:
// pkey - has the key in the cert
ecKey = EVP_PKEY_get0(pkey);
EC_KEY_set_enc_flags( ecKey,
Hello Peter, all,
thanks for the hint.. but I was actually looking more at a way to check if
a certificate has been signed with one of the curves you listed. Maybe it is
not possible, but it would be nice to be able to say this certificate has
been signed with P-256 - since this can be a
that that check
would be performed in the EC_POINT_is_on_curve().. maybe is a check
that should be added there ?
Cheers,
Max
On 03/22/2011 10:47 AM, Dr. Stephen Henson wrote:
On Tue, Mar 22, 2011, Massimiliano Pala wrote:
Hello Peter, all,
thanks for the hint.. but I was actually looking more
of certificates that have been signed with a particular
group.. (that's my goal).
Thanks for your help and comments!
Cheers,
Max
On 03/22/2011 12:02 PM, Douglas E. Engert wrote:
On 3/22/2011 10:10 AM, Massimiliano Pala wrote:
Hello Stephen, all,
thanks for all the advice, I ended up doing the following
try to change the
type directly when generating the key (but how.. change the type to 2 ?) ?
Cheers,
Max
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] ope
.
Cheers,
Max
P.S.: I also tried by using the OBJ_NAME_add with OBJ_NAME_ALIAS, but
I could not figure out how to make it work for my purpose... :(
On 01/15/2011 02:06 PM, Massimiliano Pala wrote:
Hi all,
I was wondering if it was possible to add an alias to an object.
In particular, I would
Hi all,
I was wondering if it was possible to add an alias to an object.
In particular, I would like to add the possibility, for example,
to use P384 instead of secp384r1 when retrieving an object ID:
name_1 = P384;
name_2 = secp384r1;
ret_1 = OBJ_txt2obj ( name_1, 0 );
compatible with the latest version of PKIX, which is in RFC 5280; it's
[...]
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] ope...@acm.org
,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] ope...@acm.org
project.mana...@openca.org
Dartmouth Computer Science Dept Home
Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] ope...@acm.org
project.mana...@openca.org
Dartmouth Computer Science Dept
?
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept
-20080318'
make[1]: *** [shared] Error 2
make[1]: Leaving directory
`/home/madwolf/devel/originals/openssl-SNAP-20080318/crypto'
make: *** [build_crypto] Error 1
--
Best Regards,
Massimiliano Pala
--o
Massimiliano
,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept Home Phone: +1 (603) 397
(2)
us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-sha2(3) 2 }
but I can not find it defined (at least in 0.9.8x versions).
Anyone has tried it yet ? :D
Later,
Max
--
Best Regards,
Massimiliano Pala
--o
, actually...
Later,
Max
Allan Clark wrote:
I assume you compiled your libcrypto. You should probably build it -g
to enable debug symbols which will let gdb tell you what file, line,
and function it segv at
Allan
On 7/12/07, Massimiliano Pala [EMAIL PROTECTED] wrote:
Hi all,
I have been
() from /lib/libcrypto.so.6
#2 0x4b530c86 in X509V3_EXT_conf () from /lib/libcrypto.so.6
Do you have any idea of what's going on ?
Later,
Max
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA
found that /dev/random and /dev/urandom files exist.
But in case of Solaris 7 these files are not
Hi,
go to http://www.sunfreeware.com/ - there you'll find needed patches for
Solaris.
--
Best Regards,
Massimiliano Pala
--o
send you the certificate and the
CRL, I am not
sending them to the list as they are quite big (~1.6Mb).
Have a nice day,
Byz!
--- Massimiliano Pala ([EMAIL PROTECTED])
__
OpenSSL Project http
failed:rsa_eay.c:580:
7322:error:0D089006:asn1 encoding routines:ASN1_verify:EVP
lib:a_verify.c:162:
should be changed as it is not really clear :-D
Thank you again.
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala
(0001).
Does anyone have experiences on how to load a private
key from the LunaSA (LunaCA3) with OpenSSL 0.9.7 ?
Thanks for any help,
--- Massimiliano Pala
__
OpenSSL Project http
on the device, not a software one.
Does anybody have experiences (also with other hardware)
that may be of some help ???
Thank you, byz.
--- Massimiliano Pala ([EMAIL PROTECTED])
__
OpenSSL Project
on the LunaCA/SA!?!?
Anyway if you have some code you can send me about your
implementation, I would be glad to take a look at it in
order to check my implementation.
Thx, for your help.
-- Massimiliano Pala
---End Message---
successfully on my test machines:
- Linux box (Debian, Linux 2.4.27 SMP, 2 Xeon 3.2 Ghz CPU, gcc-3.0.4)
- Linux box (RH 9, Linux 2.4.27#6 SMP i686 i686 i386 GNU/Linux, gcc-3.2.2-5)
Probably another issue tied to Fedora ???
--
Best Regards,
Massimiliano Pala
--o
kentlinux wrote:
[...]
It is only for crypto
I do not know anything about SSL
Thank you, this is exactly what I was looking for. When ready we will
send the patch to add aes-ccm among the ciphers.
Have a nice day!
--
Best Regards,
Massimiliano Pala
--o
???
Thank you in advance, have a nice day!
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)11 564 7081
when setting up the BIOs ? Do I have to flush/reset (how ???) the
'buf_bio' (line 16 of the first snap) before calling the BIO_free_all()?
Thanks in advance for the help.
Have a nice day!
--
Best Regards,
Massimiliano Pala
--o
using
standard (ENGINE) functions or does it depend on the implemented engine ?
At the moment I have a LunaSA but I want the server to be able to use
different ENGINE sharing as much code as possible.
Thanks for the help.
--
Best Regards,
Massimiliano Pala
--o
because I have not found any reference to the ENGINE extension in the OCSP
code.
Please let me know.
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED
Hi Guys,
we are currently working on this platform - OpenVMS 8.1, Itanium2 - is
this OS/CPU supported by openssl ?
--
C'you,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
setting it :-D
--
C'you,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)59 270 094
http://www.openca.org
of you...
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
Tel.: +39 (0)59 270 094
http://www.openca.org
Richard Levitte via RT wrote:
Oh look, there's a draft too:
http://www.ietf.org/internet-drafts/draft-nourse-scep-06.txt
This is the draft I used as a reference to implement SCEP...
--
C'you,
Massimiliano Pala
--o
?
Let me know. Thanks for your time.
--
Best Regards,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
Tel
do you think about it ?
As integrating the work into OpenSSL will require some additional work I
would like to know if you were interested in it before cleaning up the
code.
Let me know.
--
C'you,
Massimiliano Pala
--o
as to avoid unsafe code from
core dumping ?
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
http
*) [virtually useless, if not for checking
against the recipient info, I guess] ?
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED
in the right way.
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.openca.org
Hi all,
I am replying myself... this seems like a sign I have to stop working
late at night... anyway... here it comes the real message...
Massimiliano Pala wrote:
Hi,
I am trying to decrypt some data in a pkcs7 env structure. The problem
comes
when I try to use the PKCS7_decrypt (I guess
to know if it will be best to code this ENGINE as a dynamic
one (external to the OpenSSL source tree) or it is best we start coding
it directly into OpenSSL ?
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA
the
implementation for the MuscleCard API so as to have some code ready soon,
we'll see what to do next later on... :-D
Anyone has suggestions about the project ?
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA
for the ENGINE... well I guess
it will require more time than what I had expected and I am even not sure
it will be possible doing what I was intended to do without having at least
the ca command enhanced...
... but I have only read it fast and I am probably wrong ...
--
C'you,
Massimiliano Pala
--o
and forgive me for the additional noise...
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] madwolf at cpan.org
madwolf
the possibility to
have the public key printed out.
Let me know about the status of this patch, thanks.
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED
be discouraged as its lifetime
(key's one) should be considered ended with the expiration of the certificate
(or you could have issued the certificate with a longer validity period,
don't you think ?), at least to me.
--
C'you,
Massimiliano Pala
--o
Massimiliano Pala wrote:
I'll try to be more specific in my next report.
Here I am again. The problem is very strange... indeed I find it difficult
to fix because I can simply not understand why the problem exists... Let's
see it:
1. The sk_PKCS7_new_null() is called by pkcs12.c at line 547
Hi all.
Just few lines to say that the bug (pkcs12 segfault on linux) seems to have
been fixed in new openssl-SNAP-20011106. Thanks.
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager
in the email OpenSSL and
Patches for CAs ? What do you think about it ?
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED
.
This caused the entry in the index.txt file to report null DN
set.
To apply the patch, simply copy it into the openssl/apps dir and do the
following:
$ patch ca.c.fix-20011026
This will fix the bugs listed.
--
C'you,
Massimiliano Pala
--o
.
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED
) are
reference
to cross certification into RFCs... you could try to take a look into rfc2510,
but I am not sure...
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL
this is the scope of the openssl
project... anyway as this is strictly tied with openssl library itself
it could be useful having it together with the package.
I will forward this e-mail to the openssl-dev mailing list also to get
the feeling about all this stuff.
--
C'you,
Massimiliano Pala
.
At least to me...
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED
to add to the cert
email_in_dn = no # Don't add the email into the cert DN
...
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED
of the server related issues already addressed...
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED
:
pkey = load_key(bio_err, keyfile, keyform, passin, e,
"Private Key");
Hope this is the right way to correct the bug.
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project
without requiring the password (in the
pwd env variable) it still asks for it from the standard input.
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED
tomorrow at OpenCA
(guess the module name ... OpenCA-OCSPD ).
--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED
...
Wait... I have made some other DNs trying and it seems that if I
put the Email=... at the end of the DN all goes well, otherwise
the subjectAltName extension is empty.
The same seems to happen to the Issuer Alternative Name too, but
more tests are needed.
C'you,
Massimiliano Pala ([EMAIL
Massimiliano Pala wrote:
The same seems to happen to the Issuer Alternative Name too, but
more tests are needed.
I have tested it, and it seems like I already said: if the Email
field is at the end of the name (Issuer/subject) the altName
extension is correctly filled, otherwise it gets
ing the user to
submit again for a certificate because of errors in subject.
This is useful for IE/Server requests.
The subject's format is the same as the one reported for the
-subj request's new switch.
Hope this will help in CA managing.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
--- a
Dr S N Henson wrote:
I've checked in a fix for this. Patch is:
[...]
Steve.
Thanks. I will re-send my patches to Bodo at the
end of the week as he said.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
S/MIME Cryptographic Signature
out I get the old DN:
i=PEM_write_bio_X509_REQ(out,req);
Why ??? I am patching the req.c file, but I am stuck with this
problem. Someone can help ???
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
the
cached version is no longer valid. So you should set
req->req_info->enc.modified to 1.
Thanks. I'll update the code right now.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
??
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
patch
right now because I am waiting for suggestions about where to fix.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Massimiliano Pala wrote:
Hi,
I probably found a bug in the ca.c program where it sorts the REVOKED
certificate:
sk_X509_REVOKED_sort(ci->revoked); /* Line 1400 ~ */
the problem is related to the fact that with empty index.txt file the
ci->revoked value is 0: this causes
=email:copy,some@someplace
And I get a certificate with only "some@someplace" contents. Obviously
I have used a request with the "EMAIL" field set... Has someone
experienced the same problem or am I wrong in extension usage ???
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
: Error: immediate operand illegal with absolute jump
make[2]: *** [lhash.o] Error 1
make[2]: Leaving directory
`/usr/local/devel/madwolf/original/openssl-SNAP-20010110/crypto/lhash'
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
platform-related
problems with that ???
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Richard Levitte - VMS Whacker wrote:
From: Massimiliano Pala [EMAIL PROTECTED]
madwolf Ignore my previous mail, it was a gcc error... lucky
madwolf me... :-D Updating had fixed the problem, it seems.
It might be a good idea for us to know what gcc version caused the
problem
it into the distribution (let me know if you
do so I must not distribute the patch with the OpenCA package).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
--- ca.cMon Nov 6 01:08:04 2000
+++ ca.patched Mon Nov 6 01:07:27 2000
@@ -166,6 +166,7 @@
" -msie_hack -
-0.5.98.tar.gz
Hope this will solve your problems... :-D
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
are working on it and are willing
for coordinating their work
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
What's wrong here in ??
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Thanks to all who sent me their help. I found it very singular that using inside
a cgi script the code works... :-D I will investigate deeply ... (If I have time
to ... )
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
://ftp.openca.org/pub/patches/openssl/openssl-SNAP-19990907-ocsp.tar.gz
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Dr Stephen Henson wrote:
Massimiliano Pala wrote:
I am forwarding this message to the openssl-dev list so as to ask for
support in generating such CSLs (read on). Some chance in getting help
to write the code ??? Actually the CRLs do not support extensions in
OpenSSL, isn't
I am forwarding this message to the openssl-dev list so as to ask for
support in generating such CSLs (read on). Some chance in getting help
to write the code ??? Actually the CRLs do not support extensions in
OpenSSL, isn't it ??
--- Massimiliano Pala ([EMAIL PROTECTED])
[EMAIL
there
is the need of them by the community and many protocols and studies are
carried out everyday (smart-cards with crypto chips/OCSP/SCVP/etc...).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
ies are matched, you generally trust your governments (at
least if you are not American... :-D It's a joke... ). That would guarantee
your ID online and open services that could be offered to nearly every application
you can think of....
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
I think the discussion should be continued on another mailing list :-D This is
really OT, here (sorry people) ...
If you can/want to continue discussing it, please subscribe to
[EMAIL PROTECTED]
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
to donate lines and equipment.
- Erik Aronesty
Prime Data Corp.
The problem is the liability... anyway if you want to get a free certificate, go to
https://secure.openca.org
C'you,
Massimiliano Pala
o the fact that in many countries (as in Italy) there are
laws about Certificate Service Providers that we do not have time/money
to guarantee...
But I realize now that this is more related to legally-binding signatures.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
to donate =
lines and equipment.
I do have contacts with the ICE-CAR root CA people. We can get a certificate
there for free and start from there using the OpenCA software.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Víctor R. Ruiz wrote:
On Wed, Dec 22, 1999 at 08:17:58PM +0100, Massimiliano Pala wrote:
Does anyone agree, wants to collaborate, etc ???
I wonder the amount of work of such a project. But seems interesting anyway.
The problem I see is the legal side.
Greetings,
It seems
,
Massimiliano Pala ([EMAIL PROTECTED])
elson.
I have tested it without actually having real problems. Which code exactly
you think it is not y2k ???
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
to Netscape db, simply send a certificate in
.der format with the
Content-Type: application/x-x509-ca-cert
Then the user will be asked to accept the CA certificate. I send you some code
from the OpenCA project.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
#!/usr/bin/perl
and the ca app could
be a very useful link (so we do not have to distribute patches to OpenSSL
instead we could use it as it was compiled by the user) between our web-
based interface and the crypto layer.
What do you think about it ???
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
S/MIME
certificates
currently supports ??
C'you,
Massimiliano Pala ([EMAIL PROTECTED])