Decrypted buffer padding

2011-12-01 Thread Nico Flink
Hello, I am trying to decrypt a buffer whose size is a multiple of the padding size (n * 16 bytes). But instead of getting the whole buffer as a result from EVP_CipherUpdate() I only get InSize - PaddingSize decrypted bytes. I get this behaviour with padding enabled and disabled. Is this the

specifying certificate extensions on command line

2011-12-01 Thread sandeep kiran p
Hi, Is there any way to specify the certificate extensions (when using req and ca tools) directly on the command line rather than using the -extensions argument? I am looking for a way where I can avoid using the config file with the req and ca commands. Thanks, Sandeep

renegotiation during a handshake failure

2011-12-01 Thread Rohit Bansal
Hi, Let me start with a disclaimer that I am not very experienced with openssl. I have a requirement. In an enterprise all clients and servers communicate over ssl. The certs in client and server are self signed. There is one client application which talks to 100+ different services. Currently

RE: Unable to load certificate

2011-12-01 Thread Hopkins, Nathan
I found the problem with this was it was pkcs7 From: Hopkins, Nathan Sent: 30 November 2011 18:52 To: openssl-users@openssl.org Subject: RE: Unable to load certificate When I try with ...-inform der I get ... 32328:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong

RE: Friendly name

2011-12-01 Thread Hopkins, Nathan
I'm using the below commands to create a ca ... openssl genrsa -des3 -out ca.key 2048 openssl req -new -x509 -key ca.key -out ca.crt -days 730 ... please can you advise how I can add a friendly name to this cert?

RE: Friendly name

2011-12-01 Thread Floodeenjr, Thomas
Wouldn't that be in your openssl.cnf file? Thomas Floodeen, Jr. Mentor Graphics BSD 720.494.1133 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Hopkins, Nathan Sent: Thursday, December 01, 2011 1:25 PM To: openssl-users@openssl.org Subject: RE:

RE: Friendly name

2011-12-01 Thread Hopkins, Nathan
I had a look and couldn't see a place for it in openssl.cnf? Or at least nothing listed under name or friendly name or similar? From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Floodeenjr, Thomas Sent: 01 December 2011 20:33 To:

anonymous DH for DTLS

2011-12-01 Thread Odomae Bro
Hi! I would like to turn off certificates and use anonymous DH for a DTLS exchange. What flags do I use in the s_server and s_client programs? I set the -nocert flag in s_server, but I am getting the error no cipher suite exchanged. Thanks!

Re: Friendly name

2011-12-01 Thread Jakob Bohm
On 12/1/2011 9:25 PM, Hopkins, Nathan wrote: I’m using the below commands to create a ca … openssl genrsa -des3 -out ca.key 2048 openssl req -new -x509 -key ca.key -out ca.crt -days 730 … please can you advise how I can add a “friendly name” to this cert? The Friendly name is the

RE: Friendly name

2011-12-01 Thread Hopkins, Nathan
I looked through the OID and couldn't see anything - I'm sure this must be possible? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: 01 December 2011 21:22 To: openssl-users@openssl.org Subject: Re: Friendly

Re: renegotiation during a handshake failure

2011-12-01 Thread Jakob Bohm
On 12/1/2011 6:33 PM, Rohit Bansal wrote: Hi, Let me start with a disclaimer that I am not very experienced with openssl. I have a requirement. In an enterprise all clients and servers communicate over ssl. The certs in client and server are self signed. There is one client application

Re: Decrypted buffer padding

2011-12-01 Thread Andrea Saracino
Hi, after you use the EVP_CipherUpdate(), you have to call the EVP_CipherFinal() to encrypt the remaining bytes. Refer to the documentation to see how to correctly pass the parameters: http://www.openssl.org/docs/crypto/EVP_EncryptInit.html. The same goes for the decryption. I hope this helps.

RE: size of EVP_Seal* output

2011-12-01 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Jonas Schnelli Sent: Wednesday, 30 November, 2011 09:57 I try to pre-calculate the size of an EVP_Seal encrypted buffer (just the seal, excl. keys). How do I precalculate that? I assume with some blocksize stuff (I'm a

RE: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.

2011-12-01 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Ashok C Sent: Wednesday, 30 November, 2011 00:51 Some more followup questions here: In case of a server application, it is expected to send the intermediate certificates to the client. And in this case,

Re: Friendly name

2011-12-01 Thread Dr. Stephen Henson
On Thu, Dec 01, 2011, Hopkins, Nathan wrote: I'm using the below commands to create a ca ... openssl genrsa -des3 -out ca.key 2048 openssl req -new -x509 -key ca.key -out ca.crt -days 730 ... please can you advise how I can add a friendly name to this cert? What do you mean by

RE: anonymous DH for DTLS

2011-12-01 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Odomae Bro Sent: Thursday, 01 December, 2011 16:17 I would like to turn off certificates and use anonymous DH for a DTLS exchange. What flags do I use in the s_server and s_client programs? I set the -nocert

Re: anonymous DH for DTLS

2011-12-01 Thread Odomae Bro
Hi Dave Thanks for your reply. In the code for s_server and s_client, I manually set cipher= aNULL and I still get the same error. One thing to note is: I used the built in s_server and s_client (command line) as follows and the ssl connection is established. openssl s_server -nocert -cipher

Re: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.

2011-12-01 Thread Ashok C
Hi Dave, Keeping the things you have mentioned in mind, this is how it goes. In server side, EE key is loaded using SSL_CTX_use_RSAPrivateKey_file(ctx,eekeyfile,SSL_FILETYPE_PEM); EE certificate is loaded using SSL_CTX_use_certificate_file(ctx, eepemfile,SSL_FILETYPE_PEM); And the intermediate

AW: Decrypted buffer padding

2011-12-01 Thread Nico Flink
Hi, Thanks for your reply. I am aware of CipherFinal() but I wonder why CipherUpdate() writes anything into the final buffer at all if the buffer size is a multiple of the padding size. Additionally CipherFinal() fails if I call it afterwards. The documentation says as a result the