On 10/03/2017 04:34, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Jakob Bohm
Sent: Thursday, March 09, 2017 19:05
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow
First, note my original calculation was wrong - I was think
On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
$ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up that I
needed:
chmod 640 for the private keys for Apache. (and post
But if the starting value is random, the number of increments
before overflow or wrap will be random too (and could
hypothetically, but rarely, be as little as 1).
Anyway, I thought TLS records were limited to slightly more than
16K each, so the in-record block counter would not count very far.
> On Mar 9, 2017, at 8:43 PM, Robert Moskowitz wrote:
>
>> $ umask 077 # avoid world-readable private keys
>
> Perhaps (no perhaps about it) this is old information, but I picked up that I
> needed:
>
> chmod 640 for the private keys for Apache. (and postfix and others use these
> certs;
Viktor,
On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote:
I am creating self-signed certs with:
openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048
-nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x50
Jan,
On 03/09/2017 08:06 PM, Jan Danielsson wrote:
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
Is there some 'simple' way to provide these answers? Like with env
variables?
I tend to create response files (one response per line) and then
simply pipe to openssl:
$ cat foo.params
> On Mar 9, 2017, at 6:49 PM, Robert Moskowitz wrote:
>
> I am creating self-signed certs with:
>
> openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048
> -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509
> -extensions v3_req
>
> Where, for examp
Hi, Rich.
Fancy meeting you here.
On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote:
Yes there are easier ways to do this. Set up a conf file and use it (via the
-conf flag). You can use env vars, set default values, and so on. Look at the
config manpages, https://www.openssl.org/
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
> Is there some 'simple' way to provide these answers? Like with env
> variables?
I tend to create response files (one response per line) and then
simply pipe to openssl:
$ cat foo.params | openssl ...
Just make sure openssl doesn't need
Yes there are easier ways to do this. Set up a conf file and use it (via the
-conf flag). You can use env vars, set default values, and so on. Look at the
config manpages, https://www.openssl.org/docs/manmaster/man5/
For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz
PS -- fi
First, to get intelligible text errors, replace your initial call with
ERR_load_crypto_strings(). The ERR_load_ERR_strings call doesn't even
seem to be documented, likely because it only loads the strings
associated with the ERR API, and you likely need PEM and BIO error
strings. When I did this,
I am creating self-signed certs with:
openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey
rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days
3650 -x509 -extensions v3_req
Where, for example:
your_host_tld=z9m9z.test.htt-consult.com
Thing is that this then
I have been trying to keep my posting to a minimum but I am not getting
across what I am looking to
fix. And I have been getting reports that my source code is not
viewable. In my Apache logs I see that some people have been using the
wrong link, they are trying to use
"http://mt-umunhum-wireless.n
And there's no reason for it to do so, because it isn't needed. If you generate
one TLS packet every nanosecond, it will take nearly six centuries to overflow,
by which time the version of TLS you're using will have been deprecated and all
security guarantees are moot anyway.
In general, most s
Script started on Thu Mar 9 05:45:36 2017
root@doctor:/usr/source/openssl-1.0.2-stable-SNAP-20170309 # make
making all in crypto...
making all in crypto/objects...
making all in crypto/md4...
making all in crypto/md5...
making all in crypto/sha...
making all in crypto/mdc2...
making all in
Already fixed.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
No, it does not do this automatically.
if the nonce_explicit overflows or overlaps, then does the openssl code
handle it (at least by initiating renegotiation)?