On 12-08-2010 05:36, sandeep kiran p wrote:
Hi,
Ours is an LDAP client application that fetches LDAP server names on the fly
using DNS SRV Resource Records. We then randomly pick one of the servers
returned from DNS, establish an SSL/TLS connection with that server and then
perform a bind
On 11-08-2010 17:40, cmkastn wrote:
With regards to initialization vectors for CBC-mode block ciphers, how does
one extract the vector? Is it merely the first X bytes of data after the
record header, where X is the block size?
No, the IV is computed according to a formula in the protocol.
Hi.
Umm.. I'm so sorry .. I can't speak English Well.!!
I want to build libosslfips.dll (Windows) in openssl-0.9.8o or
openssl-fips-1.2
But This is build(link) error (LNK2001)!!
In UserGuide-1.2 (http://www.openssl.org/docs/fips/UserGuide-1.2.pdf)
On Wed, Aug 11, 2010 at 11:36 PM, sandeep kiran p
sandeepkir...@gmail.com wrote:
[ ... ]
Client would then blindly establish an SSL/TLS connection with that server
and would end up handing over the user credentials to it. Note that, as part
of the SSL handshake, the malicious server would
We don't have any control on how the server generates its certificates. As
said earlier, we only control the client portion of SSL/TLS. Sites where our
client application runs, is handed over the location where trusted CA certs
are stored and that's all we have.
Secondly, as you pointed out, if we
On Wed August 11 2010, Tim Cloud wrote:
Let's pretend for a moment that an out of the box application uses openssl to
provide access not through a browser, but rather through a SOAP client like
Eclipse.
And let's also say that you have no access to the code internal to that
application.
Many applications have a configuration for that, either via a range
(high/medium/low security), or by explicitly listing the cipher suites. The
configuration may be in a file, Windows registry, or anywhere; it's completely
up to the application implementation.
Remember that the client offers
When attempting to verify the hmac signature of the file
openssl-fips-1.2.crossbuild.diff.gz I get a wrong value. At least
it's wrong when compared with the Security Policy document.
Also, the file when retrieved from the web is not compressed as the
file name might imply, but merely a text
2010/8/12 홍성일 remip...@gmail.com:
Hi.
Umm.. I'm so sorry .. I can't speak English Well.!!
I want to build libosslfips.dll (Windows) in openssl-0.9.8o or
openssl-fips-1.2
But This is build(link) error (LNK2001)!!
In UserGuide-1.2 (http://www.openssl.org/docs/fips/UserGuide-1.2.pdf)
Q: I am a bit confused by the limits to your question, the two parts: have no
access to the code internal to that application
A: Meaning that I'm working with a commercial pre-compiled application that was
designed to use OpenSSL.exe, but does not allow you to edit how that
application
On Thu August 12 2010, Tim Cloud wrote:
That is EXACTLY what I want to do.
But having a background as a SQL DBA, I have no idea how to do that.
Is there an easy answer?
The server will be running Windows 2003 32-Bit, and I just want to
compile it with only the FIPS compliant strong
Hi,
I am able to generate RSA key using RSA_generate_key(). I need to know how
to manage these keys... is there any document available for key management?
Thanks for your time,
Krishnamurthy
From: owner-openssl-us...@openssl.org On Behalf Of David Stafford
Sent: Thursday, 12 August, 2010 11:31
To: openssl-users
Subject: openssl-fips-1.2.crossbuild.diff.gz signature incorrect
When attempting to verify the hmac signature of the file
openssl-fips-1.2.crossbuild.diff.gz I get a
I am not trying to set up client auth on Apache, just install a new SSL
certificate.
The instructions[1] for the new certificate say to install an intermediate
certificate:
SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt
I've done that, confirmed the paths and the certificate, but
You're looking at a couple of issues here. (First, please be aware that this
is the OpenSSL users list, not necessarily a mod_ssl support list; however, since
they're intertwined, we do have some knowledge of mod_ssl.)
What you need to do is change that from 'SSLCACertificateFile' to
On 13/08/2010 5:12 AM, Dave Thompson wrote:
I'm not sure why they even used an HMAC in the Policy.
Probably the 'priests' just liked it. It doesn't add anything.
Any actual security comes from having the digest, *or* HMAC,
protected by a different means than the subject data.
And unfortunately
On Thu, Aug 12, 2010 at 1:56 PM, aerow...@gmail.com wrote:
You're looking at a couple of issues here. (First, please be aware that
this is the OpenSSL users list, not necessarily a mod_ssl support list;
however, since they're intertwined, we do have some knowledge of mod_ssl.)
Plus,
Sandeep Kiran P wrote:
We don't have any control on how the server generates its certificates.
As said earlier, we only control the client portion of SSL/TLS.
Sites where our client application runs, is handed over the location
where trusted CA certs are stored and that's all we have.
On first glance, it's rather stupid, but Apache (partly due to baggage from the
underlying OpenSSL, but this baggage was unavoidable) requires the end-entity
certificate (the certificate which contains the public key for which you have
the private key) to be loaded separately from the chain
We will have to check if all our sites are ready to accommodate the list of
servers file which will be fetched securely. They should also be ready to
update that list each time a server is added or removed from DNS SRV
records.
I am not sure if I got your second option. You said that I should be
In the case of a DNS attack, the only information that your users can rely upon
is information which comes out of the PKI. If your attackers can attack both
DNS and the PKI, then you're 0wned, game over.
Otherwise, if DNS is completely attacked but you can still have some trust in
the PKI,