> is there any way to tag these certificates so that a
> browser will refuse to export them?
If importing p12's into MSIE, don't select the option on the browser that
says "Mark private keys as exportable". If using pkcs7 on the MSIE HTML
request form, set the "GenKeyFlags" to 1.
On Netscape you c
Hmm.. Looking at my libeay32, I have a d2i_X509, but no
d2i_x509. Perhaps your code just has a typo, and you meant to use the upper case
X?
Greg Stark [EMAIL PROTECTED]
- Original Message -
From:
Andrew Finnell
To:
From: "Greg Stark" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject:Re: can we prevent export of a personal certificate?
Date sent: Tue, 28 Aug 2001 17:40:31 -0400
Send reply to: [EMAIL PROTECTED]
If they are using the
What you are referring to is in fact the private key information and not
just the public certificate. I don't know of any way to stop a mozilla user
from doing the backup, I'm just not that familiar with mozilla. For IE and
if you are using one of the MS providers, the default is to disallow expor
Yes but for some reason d2i_x509 is not exported by ssleay32 nor libeay32.lib.
That is what I'm trying to figure out. I link with both of the libraries and
call d2i_x509 in one of my methods and during linking I get an undefined symbol
for d2i_x509
-
Andrew
-Or
steve wrote:
> Do you mean 'private keys'? Certificates are public
> knowledge and can't be restricted in that way. What OS
> is this for, if windows then you can for MSIE but it
> depends on how you import the certificates in the
> first place.
i think i mean 'certificates', as in mozi
Title: SSLEAY32
The library names are different for the win32 build. They are
libeay32.lib and ssleay32.lib.
Greg Stark [EMAIL PROTECTED]
- Original Message -
From:
Andrew Finnell
To: Openssl
([EMAIL PROTECTED])
Sent: Tuesda
Hello,
I am looking to build the SSL module on perl 5.6.1 on a HPUX 10.20 platform.
Can somebody give me some advice as to what version I should use? Where I
should go to get it? Any specific steps involved?
Thanks in advance,
> Paul Szeto
> Unix Systems Group
> Merck-Medco
> * FRLN#60
>
Title: SSLEAY32
I have come across a problem I'm not quite sure how to fix. I use d2i_x509 in one of my applications. When I compile on NT I can't find any libssl.lib or libcrypto.lib files; all I find is ssleay32.lib, so I link against that. It comes up with an undefined symbol _d2i_x
Unfortunately, the OpenSSL wrapper around gethostbyname caches lookup
results forever, so you'll need to restart your application. I know you
said you can't do that. Good luck figuring out how to address this.
Infinite caching of gethostbyname() results is a bug, so I added -dev
back to the li
--redirected to -users
I think that is how it should work. I see no reason why another DNS lookup
should be made after the first one. I assume that a gethostbyname() is
called once.
BTW, your random seeding is totally insecure, but you probably already know
that.
Greg Stark
"franck P." wrote:
>
> Hi there,
>
> running perl 5.004_04 on Solaris 2.6, SPARC, OpenSSL 0.9.6,
> I have installed Crypt-SSLeay-0.29.
> No compilation problem (except for another module:
> libwww-perl-5.5395).
>
> After some test, everything goes fine. But, I have tried to connect
> to a ru
You should set up your server to do a man-in-the-middle attack defense.
Check that the ip address stored in the cert (could be stored in the common
name field) corresponds to the ip address of the peer trying to connect to
your server. That way someone elsewhere using an exported certificate
werner fraga wrote:
>
> we are using openssl to issue personal certificates to
> our employees so that we can restrict access to our
> website.
>
> we would like to prevent users from moving these certs
> from their PC to another PC.
>
> is there any way to tag these certificates so that a
> br
> is there any way to tag these certificates so that a
> browser will refuse to export them?
no.
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
we are using openssl to issue personal certificates to
our employees so that we can restrict access to our
website.
we would like to prevent users from moving these certs
from their PC to another PC.
is there any way to tag these certificates so that a
browser will refuse to export them?
On Tue, 28 Aug 2001 12:13:40 -0400, you wrote:
>> /*** anyway, pthread_once is not too good either - something
>> like a C++ constructor on a global static variable would be
>> much better ***/
>> pthread_once(&tid_once, init_openssl_tid);
>
>That's not portable -- go look
> /*** if (tid == 0) this check was a bad idea, for further
> discussion of weak memory models and
> aggressive optimization techniques you are
> welcome to comp.programming.threads ***/
Been there, done that, and you're
Hi there,
running perl 5.004_04 on Solaris 2.6, SPARC, OpenSSL 0.9.6,
I have installed Crypt-SSLeay-0.29.
No compilation problem (except for another module:
libwww-perl-5.5395).
After some test, everything goes fine. But, I have tried to connect
to a running machine which has NO Web server i
[ On info-cyrus: ]
> I am seeing strange behavior with STARTTLS falling
> back to version 1 with outlook clients however when I
> connect from localhost using openssl client command it
> appears ready to do business using version 3.
> I am using Cyrus 2.0.16 and OpenSSL 0.9.6 and am using
> Outloo
Why do you think it is a problem? IE tends to do things differently than
Netscape ;). For a number of reasons, IE will close a connection after the
handshake, and then reconnect. It shouldn't cause any problems.
Greg Stark
[EMAIL PROTECTED]
- Origin
The place to start for the ASN.1 for such beasts is usually the PKCS site,
(http://www.rsalabs.com/pkcs/index.html). Look at PKCS#1 and PKCS#7.
Greg Stark
[EMAIL PROTECTED]
- Original Message -
From: "Hellan,Kim KHE" <[EMAIL PROTECTED]>
To: "'Op
On Mon, 27 Aug 2001 14:50:39 -0400, you wrote:
>> > unsigned long SSL_pthreads_thread_id(void) {
>> > unsigned long ret;
>> > ret=(unsigned long)pthread_self();
>> > return(ret);
>> > }
>
>> > The return type of pthread_self(), pthread_t, is not necessarily a type
>> > castable to unsigned lo
> You have read up to step 5? :-)
>
> HTH,
> Thomas
>
Thanks, Thomas - the penny has finally dropped. I just have to loop through
steps 4 and 5, incrementing j for as long as j
Hi,
> Sisyphus [SMTP:[EMAIL PROTECTED]] asked:
> I have 2 almost identical accounts of the Rabin-Miller test. One is in
> Schneier's 'Applied Cryptography' and the other is at
> http://mason.gmu.edu/~kgaj/ECE590/spec/dong.html ( from a Google search).
>
> I can follow the procedure quite well, e
Hi,
I have gone through some implementations of DES/3DES and found that the
des_key_schedule is generated just before the data is given to the
encryption API. I have got some clarifications and I would be thankful if
somebody could clarify these:
1. Isn't it advisable to generate the des_key_s
hi Kim,
On Tue, 28 Aug 2001, Hellan,Kim KHE wrote:
> I'm looking for an example of a "RSA Digital Signature Using Hash Function"
> (text followed by the signature).
Probably the most relevant data structure is PKCS7 Signed.
> Does anyone know where to find a more technical description of such
Hi,
I have 2 almost identical accounts of the Rabin-Miller test. One is in
Schneier's 'Applied Cryptography' and the other is at
http://mason.gmu.edu/~kgaj/ECE590/spec/dong.html ( from a Google search).
I can follow the procedure quite well, except for the role of the variable
'j', which has no b
On Mon, Aug 27, 2001 at 06:23:30PM -0700, chirs charter wrote:
> Hello,
> Can someone elaborate on these two log entries:
>
> Aug 27 21:22:12 catfish imapd[3449]: [ID 781445 local6.notice] starttls: TLSv1 with cipher RC4-MD5 (128/128 bits) no authentication
> Aug 27 21:22:14 catfish imapd[34
Hi folks,
I have built the OpenSSL-engine code (0.9.6.b) on my Windows NT machine. I'm
basically interested in creating a new CA, creating a Certificate and signing
and verifying that Certificate. All seems fine except that I'm not able to
verify the Certificate which I'm creating (from command line
I'm looking for an example of a "RSA Digital Signature Using Hash Function"
(text followed by the signature).
Does anyone know where to find a more technical description of such a
signature (like the ASN.1 syntax) ?
Does anyone have a sample of such a signature including the public key to
verify
Hi Olaf et Al.
Use this command line with your settings.
It should work since in my LX box it works with Netscape/OutLook!
openssl pkcs12 -export -inkey hostKey.pem \
-in hostCert.pem -name "soggy" \
-certfile caCert.pem -caname "Root CA" \