Re: test/heartbleed_test.c

On 20 May 2014 15:17, Ken Goldman wrote: > On 5/20/2014 7:24 AM, Ben Laurie wrote: >> >> >> There is already a strndup replacement: BUF_strndup(). Switching to >> use that would be better. > > > However > > - if that function points to strndup, don

Re: test/heartbleed_test.c

On 20 May 2014 06:40, The Doctor,3328-138 Ave Edmonton AB T5Y 1M4,669-2000,473-4587 wrote: > Found that strndup would not work. > > I had to add > > #if !HAVE_STRNDUP > > #include > #include > #include > #include > > /* Find the length of STRING, but scan at most MAXLEN characters. >If no

Re: OpenSSL doesn't treat RFC 3280 validations as an error?

On 13 November 2013 10:35, Igor Sverkos wrote: > According to RFC 3280, which defines > X.509 certficates, these entries, if they exist, must not have > an empty value. FWIW, RFC 3280 has been obsoleted by RFC 5280. I couldn't find where it said this in RFC 5280. Pointer? ___

Re: redirected input to s_client on Windows: Any trick to avoid the keypress?

On 3 October 2013 22:14, Jeff Trawick wrote: > E.g., run > > echo GET / | openssl s_client -connect host:port > > It does the handshake then stalls until you press a key (which will be > left unused in the buffer when openssl exits), then it sends the input. I > guess the kbhit() in the s_client

Re: not fork-safe if pids wrap (was Re: DLL hell)

On 21 August 2013 03:19, Patrick Pelletier wrote: > On 8/15/13 11:51 PM, Patrick Pelletier wrote: > >> On Aug 15, 2013, at 10:38 PM, Nico Williams wrote: >> >> Hmm, I've only read the article linked from there: >>> http://android-developers.**blogspot.com/2013/08/some-** >>> securerandom-thought

Re: weird bug

Try write_data( file_, data, strlen(data) + 1, "mykey"); On 16 August 2013 03:34, Ztatik Light wrote: > ps, yes, line 29 is a mistake and should read: char new_filename[strlen( > filename ) + 5]; > > But even with that fix i get the same results > > > On Fri, Aug 16, 2013 at 2:27 AM, Ztatik L

Re: RFC in OpenSSL

On 24 July 2013 08:57, Lionel Estrade wrote: > Hello, > > > > I am looking for a SSL/TLS stack for a project based on CVP2 and I need to > know if the following RFCs (which are required by CVP2) are fully/partially > implemented in OpenSSL. > > RFC 4680 - TLS Handshake Messages for Supplemental

Re: Using libcrypto's RSA code

On 18 April 2013 00:17, Jakob Bohm wrote: > This sounds like a gross violation of the Postel principle. A principle that should be pretty much universally violated. __ OpenSSL Project http://www.op

Re: Are Openssl Random Number Generator NIST compliant ?

On 6 March 2013 03:55, Nayna Jain wrote: > > Hi all, > > Are RAND_seed(), RAND_add() NIST SP 800-151A compliant ? 800-151 does not appear to exist, got a link? __ OpenSSL Project http://www.openssl

Re: How to specify an architecture for Configure?

On 20 January 2013 00:09, Jeffrey Walton wrote: > Hi All, > > How does one specify and architecture for Configure? I don't think there is an approved way to do it in general. Probably you have to edit Configure to specify a new target. However, your problem appears to be that you can';t put CFLA

Re: OpenSSL 1.0.1c, Mac OS X, -no-XXX, and [missing] make depend

On 19 January 2013 16:31, Jeffrey Walton wrote: > On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie wrote: >> On 26 December 2012 20:07, Jeffrey Walton wrote: >>> On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wrote: >>>> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey

Re: OpenSSL 1.0.1c, Mac OS X, -no-XXX, and [missing] make depend

On 26 December 2012 20:07, Jeffrey Walton wrote: > On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wrote: >> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton wrote: >>> I fetched `makedepend` from FreeDesktop.org >>> (http://xorg.freedesktop.org/releases/individual/util/).

OpenSSL infrastructure changes

The sharp-eyed will have already noticed we're moving to git. Well, it looks like that's actually happened now. We're also shifting pretty much everything to new infrastructure. So, there may be outages, unexpected changes and general weirdness for a little while. We'll let you know when we're d

Re: Hardware solution for asymmetric decryption.

On Fri, Jan 4, 2013 at 9:58 AM, Tayade, Nilesh wrote: > Hi, > > The RSA_private_decrypt() function is proved to be costlier on my system. > I will try for some hardware cards (PCI or over the network), which will help > me perform asymmetric decryption in case of Premaster-decryption. > I am look

Re: Conditionally Patching output of Makefile from Configure?

On Wed, Jan 2, 2013 at 8:34 AM, Jeffrey Walton wrote: > On Mon, Dec 31, 2012 at 7:00 AM, Ben Laurie wrote: >> On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton wrote: >>> On Sun, Dec 30, 2012 at 3:20 PM, wrote: >>>> On 30-12-2012 21:01, Jeffrey Walton wrote: >

Re: Conditionally Patching output of Makefile from Configure?

On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton wrote: > On Sun, Dec 30, 2012 at 3:20 PM, wrote: >> On 30-12-2012 21:01, Jeffrey Walton wrote: >>> >>> Hi All, >>> >>> While working on Apple with Mac OS X and iOS, I found I needed to >>> patch OpenSSL 1.0.1c's Makefile. >>> >>> Makefile.org has

Re: OpenSSL 1.0.1c, Mac OS X, -no-XXX, and [missing] make depend

On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton wrote: > I fetched `makedepend` from FreeDesktop.org > (http://xorg.freedesktop.org/releases/individual/util/). It would not > build due to missing dependencies. Ad infinitum. $ port search makedepend makedepend @1.0.4 (x11, devel) Create depend

Re: I can't believe how much this sucks

On Tue, Nov 13, 2012 at 6:34 PM, Sanford Staab wrote: > I have been struggling with openssl for a few months now writing batch > scripts on windows trying to make a .net web client with a client > certificate work with 2-way ssl against an apache web server. > > Do you guys just want to continue t

Re: DES3 encryption with padding

On Wed, Oct 17, 2012 at 9:52 AM, Brent Evans wrote: > Hi, > > I'm currently trying to use the openSSL library to perform DES3 encryption > on a string. The result from this encryption then has a base64 operation > performed on it, before this is passed to a Java application to decode the > base64

Re: Best practice for client cert name checking

On Sat, Oct 6, 2012 at 2:52 PM, Charles Mills wrote: > I have recently written a product that incorporates SSL/TLS server code that > processes client certificates. I designed what I thought made sense at the > time but now I am wondering if what I did was best. > > In the product's configuration

Re: OpenSSL on beagleboard

On Fri, Aug 24, 2012 at 2:18 AM, Jeffrey Walton wrote: > On Thu, Aug 23, 2012 at 9:06 PM, Paulo Roberto > wrote: >> Hello, I am using the package libssl-dev on ubuntu in my beagleboard xm, and >> I have to run two C algorithms using the openSSL library.. >> Although I can't compile using the com

Re: OpenSSL DES generates '\n' in encrypted code

On Tue, Aug 21, 2012 at 2:14 PM, Charles Mills wrote: > Actually, there IS *almost* a general solution to this problem. > > The input consists of characters from some set of 'n' characters. (Perhaps > 'n' is 94 -- 0x21 through 0x7e inclusive -- but it does not matter.) You need > to pack those c

Re: ECC and OpenSSL version

On Tue, May 22, 2012 at 9:55 AM, Simner, John wrote: > Dear all, > > I am working on an embedded product which currently uses OpenSSL 0.9.8w with > FIPS support. I'm curious: what product is this? I had a quick poke around and couldn't find any mention of OpenSSL on Siemen's websites... > We hav

Re: Looking for (easy) help.

On Sat, May 12, 2012 at 12:15 AM, wrote: > Ahhh! > So, a 15 byte block (or ends with a 15 byte after multiples of 16 bytes) > would use a 0x01 in the last position...? > > And a whole multiple of 16 blocks would have an extra block filled with > 0x0f's...? 0x10, actually. > > My initial testing

Re: Help me find the SSL wrapper/another solution

demos/state_machine demos/tunala On Tue, May 8, 2012 at 2:17 PM, Marcin Głogowski wrote: > Hello, > I have to write non blocking SSL/TLS server based on the OpenSSL library. > I couldn't find any example/tutorial with this. > Please write me where can I find some client/server examples or simple

Re: McAfee Claims TLS Vulnerability

Engineer | Quantum Corporation | Office: > 949.856.7748 | paul.suh...@quantum.com > Preserving the World's Most Important Data. Yours.T > > -Original Message- > From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ben Laurie > Sent

Re: McAfee Claims TLS Vulnerability

On Mon, Apr 30, 2012 at 12:45 PM, Dr. Stephen Henson wrote: > On Sun, Apr 29, 2012, Mike Hoy wrote: > >> We use McAfee to scan our website for vulnerabilities. They claim the >> following: >> >> > Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. >> > Configure SSL/TLS servers

Re: McAfee Claims TLS Vulnerability

On Sun, Apr 29, 2012 at 10:40 PM, Mike Hoy wrote: > We use McAfee to scan our website for vulnerabilities. They claim the > following: >> >> Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. >> Configure SSL/TLS servers to only support cipher suites that do not use >> block ci

Re: How to do encryption using AES in Openssl

On Thu, Mar 29, 2012 at 5:40 AM, Prashanth kumar N < prashanth.kuma...@gmail.com> wrote: > Thanks Ken for pointing out the mistake... after changing to > AES_Decrypt(), it worked but i still see issue when i print the > decrypted output as it has extra non-ascii characters in it. > > Below is the

Re: How to do encryption using AES in Openssl

On Tue, Mar 27, 2012 at 8:26 PM, Ken Goldman wrote: > On 3/27/2012 3:51 PM, Jakob Bohm wrote: > >> On 3/27/2012 9:37 PM, Dr. Stephen Henson wrote: >> >>> You should really be using EVP instead of the low level routines. >>> They are well documented with examples. >>> >> Where, precisely? >> >> I

Re: weak key check?

On Tue, Feb 21, 2012 at 7:04 PM, Ben Laurie wrote: > On Tue, Feb 21, 2012 at 5:47 PM, Chris Dodd wrote: >> On 02/19/2012 07:36 PM, anthony berglas wrote: >>> >>>  Exactly. So you need about 112 bits of "entropy" / Pass Phrase to >>>  generate a good

Re: weak key check?

On Tue, Feb 21, 2012 at 5:47 PM, Chris Dodd wrote: > On 02/19/2012 07:36 PM, anthony berglas wrote: >> >>  Exactly. So you need about 112 bits of "entropy" / Pass Phrase to >>  generate a good 2048 bit key. Remember that the vast majority of 2048 >>  bit numbers are not valid key pairs. >> >>  My

Re: Question on OpenSSL encryption

On Sat, Jan 7, 2012 at 4:12 PM, Manish Jain wrote: > > Hello Michael/Anyone Else, > > Can you be kind enough to please point me to some place/URL where I can get > a bit more information about how the key is negotiated upon ? > > I have gone through a a couple of write-ups on OpenSSL which throw l

Re: TLS 1.0 "cracked"...

On Fri, Sep 23, 2011 at 4:54 PM, Dr. Stephen Henson wrote: > On Fri, Sep 23, 2011, Jakob Bohm wrote: > >> >> Is openssl running out of bit values for SSL_OP_ constants? >> > > Well more ran out of contants. When a new flag was needed for TLS v1.2 all 32 > bits were used but fortunately two ancient

Re: TLS 1.0 "cracked"...

On Wed, Sep 21, 2011 at 3:48 PM, Thomas J. Hruska wrote: > The Register published an article yesterday that some people here might be > interested in on TLS 1.0 being "cracked": > > http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ > > > The Register points their Finger of Blame r

Re: Auto Reply: Various postings on the openssl mail list.

The offender was removed from the list earlier today :-) On Wed, Sep 14, 2011 at 3:41 PM, Jakob Bohm wrote: > WARNING: The automatic "vacation response" mail system used by your coworker > Mr. Lau > is spamming a public mailing lists with its automatic responses.  You may > want to stop that > so

Re: r.e testing beta

Rodney Thayer wrote: I've tried one of the 0.9.8 snapshots and "make test" is failing, after running for an enormous amount of time. (openssl-0.9.8-stable-SNAP-20050613.tar.gz) Two questions: 1. what's the output supposed to look like, these days? Specifically, is it supposed to run a long

Re: Regarding OpenSSL

Richard Levitte - VMS Whacker wrote: This kind of question should go to openssl-users@openssl.org, which is why I only send the response there. I'm surprised you bothered, given that he spammed every email address he could find. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net

Re: Dual 64 & 32 libraries

Medi Montaseri wrote: ThanksI was particularly interested in FreeBSD amd64 which currently Configure does not support. I have since found that FreeBSD.org has a patch and they claim that OpenSSL code maintainers have been notified but openssl community has not included that on their recent r

Re: Writing to a mem BIO instead of using SSL_Write

Henry Su wrote: Try to find some source code for EAP-TTLS or EAP-PEAP, these use mem BIO and SSL. You can try to read some source code FreeRadius or Open.1X. Good luck. Or mod_ssl in Apache 2. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can

Re: SSL (or alike) over UDP

Peter 'Luna' Runestig wrote: On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote: Do you know if it's possible to use SSL (or some other protocol) over UDP running totally in user space. The OpenVPN project runs OpenSSL over UDP, works great. No, it doesn't. It uses SSL do boot

Re: Steps to use RSA for SSL

Joseph Bruni wrote: On Apr 11, 2004, at 1:44 PM, Garrett Kajmowicz wrote: They don't do quite the same thing. RSAPrivateKey_dup() et al. do not accept a const RSA*, they accept a RSA*. The i2d function, however, does accept a const RSA*, so I've resorted to that pair. I believe that the inco

Re: FIPS mode

Steven Reddie wrote: Hi Steve, I take it that dynamically linking the FIPS OpenSSL into an executable means that the FIPS certification is void for that application. So as you have stated, static linking is required. However, if I'm producing a security library that uses OpenSSL and I stati

Re: Regarding all the spam...

Boyle Owen wrote: -Original Message- From: Ben Laurie [mailto:[EMAIL PROTECTED] I disagree. I've lost the thread... You want to limit posting to subscribers only or you don't? I don't. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There i

Re: Regarding all the spam...

Rich Salz wrote: I think I misunderstood that question. I honestly don't know what we would lose. Maybe a sense of openness. In the past -- at least, say, 2-3 years ago -- we had a couple of anonymous posters who made very worthwhile contributions. Haven't seen that recently. Also, it used t

Re: questions about PGP keys used to sign openssl tar balls

Jin Zhao wrote: Looks like openssl tar balls are signed with a different PGP key for each source tar ball. For example, openssl-0.9.7b.tar.gz was signed using a key with key id E06D2CB1 and openssl-0.9.7c.tar.gz was signed with key id 49A563D9. My question is why not sign the released tar ball us

Re: Hardware crypto speed anyone?

Rich Salz wrote: we got ahold of an AEP1000 crypto accelerator for testing purposes. I am stumped. The numbers look horrible. The openssl "speed" program is not good for testing anything other than the openssl software implementations. It does a repeated single-threaded call to RSA_sign, etc.

Re: FIPS Certification

Tal Mozes wrote: Hi, I just ran into this article (http://www.gcn.com/vol1_no1/daily-updates/24504-1.html) which title is "OpenSSL gets FIPS certification". There was also a link to the article on the last SANS NewsBites (Vol.5 Num.52, see http://portal.sans.org/). From what I read in the website

Re: reversing md5, sha

Rich Salz wrote: >> reversible compression hash alogorithms out there? > > I'm not a mathematical cryptographer, but that phrase sounds like an > implausability to me. It is, of course, trivial to prove that anything with arbitrary length input and fixed length output is not reversible. I missed

Re: FIPS mode

Mathias Brossard wrote: > On Fri, 2003-09-05 at 19:59, Ben Laurie wrote: > >>Mathias Brossard wrote: >> >>>- Asymmetric: DSA, RSA, ECDSA >> >>Not my understanding. Anyway, DSS only. RSA can't be, and ECDSA we >>aren't doing. > > &g

Re: FIPS mode

Chris Brook wrote: > If I read your reply right, responsibility for DAC and Known Answer Test > checking is the responsibility of the app developer, though you will provide > the DAC checksum for the crypto module. Have you also included the KATs, > since they essentially exist the OpenSSL test m

Re: FIPS mode

Mathias Brossard wrote: > On Fri, 2003-09-05 at 11:55, Ben Laurie wrote: > >>>- What version of OpenSSL does it correspond to? 0.9.7b? >> >>"Yes, and the FIPS specific routines will be carried forward in future >>OpenSSL releases. Only the "cryp

FIPS mode

I'm coming close to the end of the work to get OpenSSL FIPS-140ed. So, if people have comments/changes/concerns, they'd better get a move on and clue me in, because once its done we can't change it. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no

[ADVISORY] Timing Attack on OpenSSL

I expect a release to follow shortly. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff OpenSSL v0.9.7a and 0.9.6i vulnerability -

Re: Slapper denial-of-service problem - why isn't this fixed?

Joe Rhett wrote: So, say you have a server which listens on both port 443 for SSL and 80 for HTTP, does access on port 80 get blocked at the same time as access on port 443 gets blocked. Yes. Not 'blocked' -- TCP connects happen, but the server doesn't reply for up to the Timeout period. It

Re: nonces?

Rich Salz wrote: >>>Or use the trick we created for Identrus: make the nonce be the hash of >>>the document that made you first do the OCSP query. >> >>That doesn't prevent a replay attack, in general, of course. > > > If the document isn't public, then it's as good as arbitrary random bytes.

OpenSSL Security Altert - Remote Buffer Overflows

The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie. Advisory 2

Re: Speaking of shared secrets

Vadim Fedukovich wrote: > On Sun, Jul 14, 2002 at 11:56:19AM +0100, Ben Laurie wrote: > >>Richard Levitte - VMS Whacker wrote: >> >>>In message <[EMAIL PROTECTED]> on Tue, 9 Jul 2002 11:43:04 +0300, >Vadim Fedukovich <[EMAIL PROTECTED]> said: >>&g

Re: Speaking of shared secrets

Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on Tue, 9 Jul 2002 11:43:04 +0300, >Vadim Fedukovich <[EMAIL PROTECTED]> said: > > vf> please consider to include this code into distribution > > Thanks and forgive me for being a nuisance... > Errr... a) This should be on

Re: Global PKI on DNS?

Bill Sommerfeld wrote: >> As others have pointed out, the DNS already has the capability >> to store certs. So you could use the DNS as a publication >> method. But is this the only thing a PKI needs? How would >> one revolke a cert that was in the DNS? How can you update

Re: libssl.so: undefined symbol: sk_X509_NAME_value

[EMAIL PROTECTED] wrote: > > I have, for two days, been banging my head on trying to install this > apache server with mod_ssl. I keep having problems. I have tried > absolutely everything I can think of to try to fix this. I have searched > all of the postings and tried their "solutions". No

Re: Why no sig for openssl src?

Rich Salz wrote: > > An interesting question. Should it be PGP-signed? Well, since it's an > X.509-based system, that wouldn't look great. Eh? Just coz we're stuck with X.509 for SSL doesn't mean we have to depart from common sense and use it for anything else, does it? Cheers, Ben. -- http

Re: Exportable cipher suite

Patrick Li wrote: > > Thanks for the information. Does that mean there is no longer restrictions > on using any of the cipher suites specified by TLS or SSL outside of the US? There never were restrictions on _using_ them, only on exporting. > Sorry for a simple question. But is it still the

Re: echoping 4.1 released : a tool to test SSL servers

[EMAIL PROTECTED] wrote: > > > -Original Message- > > From: Ben Laurie [mailto:[EMAIL PROTECTED]] > > Sent: 14 February 2001 13:25 > > To: [EMAIL PROTECTED] > > Cc: [EMAIL PROTECTED] > > Subject: Re: echoping 4.1 released : a tool to test SSL serv

Re: BN_mod_inverse problem

Joseph Ashwood wrote: > > I've found a problem with BN_mod_inverse, in particular when it is called > many times in quick succession when verifying DSA signatures. Originally > this showed up when use DSA_do_verify, so I wrote my own, and I've isolated > the problem as being in BN_mod_inverse. It

Re: Rainbow Cryptoswift cards - information

[EMAIL PROTECTED] wrote: > > Further to my previous message, I have not only received my Cryptoswift > card, but I actually have it working. I'm seeing a speed improvement of > around 20x on a Dual Pentium 166. Hmmm ... so we can expect about 3x on a single P3/1GHz. How much do these things cost

Re: Distributed session caching

Shridhar Bhat wrote: > > Hi, > > We are trying to deploy multiple SSL-based servers > in a cluster. We want to share the session cache of each > of these servers so that connections from same client > (with session id reuse) can be handled by any server in > the same cluster. The scheme is simpl

Re: Troubles in re-connect

Lutz Jaenicke wrote: > > On Sun, Jan 21, 2001 at 07:03:07PM -0500, Greg Stark wrote: > > sorry for the misinformation. I misunderstood a thread I had read in the > > archives. Just out of curiousity, what do the following functions do: > > > > SSL_CTX_set_session_cache_mode( ); > > SSL_CTX_sess

Re: BN_rand question

Marco Russo wrote: > > - Original Message - > From: "Ben Laurie" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, January 17, 2001 7:18 PM > Subject: Re: BN_rand question > > > Marco Russo wrote: > > > > > &

Re: BN_rand question

Marco Russo wrote: > > I need to generate a random polynomial in Zp, with p very large (1024-2048 > bits). > Sorry for my math...:-(, > but I think that with your method the problem is that the numbers in [0, > p-1] are equally likely only if > (2^(n - 1))mod p = 0, where n is the number of bits

Re: Looking for an HTTPS client for NT C/C++

Bernard Dautrevaux wrote: > > > -Original Message- > > From: David Schwartz [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, November 29, 2000 12:26 PM > > To: [EMAIL PROTECTED] > > Subject: RE: Looking for an HTTPS client for NT C/C++ > > > >

Re: Looking for an HTTPS client for NT C/C++

David Schwartz wrote: > > > David Schwartz wrote: > > > That is not a restriction on the right to "copy, distribute or modify", > > now is it? > > Yes, it is. > > > All it restricts is your ability to advertise: i.e. if you > > advertise yourself, you must also advertise us. A bit like

Re: Looking for an HTTPS client for NT C/C++

John Casu wrote: > For example, mod_ssl is released under the GPL, and links > with openSSL and Apache. Actually, I believe mod_ssl is BSD-licenced, as is Apache-SSL. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't

Re: Looking for an HTTPS client for NT C/C++

Shridhar Bhat wrote: > > [EMAIL PROTECTED] wrote: > > > > On 24 Nov, Jean-Marc Desperrier wrote: > > > > > Shridhar, a tool that incorporates OpenSSL code can hardly be released as > > > GPL, because OpenSSL itself is not GPL. > > As I understand the BSD license, BSD licensed code can be rereleas

Re: Compilation Problem on True64 V4.0f(!)

Richard Levitte - VMS Whacker wrote: > > From: Achim Spangler <[EMAIL PROTECTED]> > > spangler> The error message is as follows: > spangler> cc -I.. -I../../include -std1 -tune host -O4 -readonly_strings -c > spangler> bss_fd.c > spangler> cc: Error: /usr/include/sys/signal.h, line 486: In the d

Re: Found a bug in the OpsnSSH configuration script

Richard Levitte - VMS Whacker wrote: > > ben> > I don't recall how SSLeay was installed, but for OpenSSL, there's a > ben> > glitch in the way it tries to find the libraries. The following fix > ben> > works for me: > ben> > ben> Its looking for an uninstalled version, handy for developers, not

Re: Found a bug in the OpsnSSH configuration script

Richard Levitte - VMS Whacker wrote: > > [I'm cc:ing [EMAIL PROTECTED], because questions about this > are getting there over and over...] > > There's a problem that several people who installed OpenSSL to be able > to uyse OpenSSH have faced: > >Could not find working SSLeay / OpenSSL lib

Re: How do I generate 56 bit DES keys?

"Wilder, John" wrote: > > The openssl has utilities to generate DSA and RSA encrypted keys. > Is there anyway to generate 56bit DES keys? If not by openssl, how? Just pick a random number. Cheers, Ben. -- http://www.apache-ssl.org/ben.html

Re: Accessing a Smart Card through Browser

Hakan Lindh wrote: > > Look at Arcot Systems, Inc. for a smart-card solution without the physical > smart card www.arcot.com I've heard some pretty bloody stupid things in my time, but this really does take the biscuit. -- SECURE HOSTING AT THE BUNKER: http://www.thebunker.net/hosting.htm http

Re: Perl and OpenSSL

Bruno Salgueiro wrote: > So, I can only wish that someone in the development team of OpenSSL > really takes a look at this and makes a mapping of all the OpenSSL > functions to Perl, otherwise I can not find a decent solution to those > like me who wish to use Perl with a complete crypto toolkit.

RSA flier?

Does anyone have a copy of the RSA flier going about with a picture of a car on the front, in which the scurrilous claim that free software is not supported or maintained is made? I had one, but its, err, in use by the ASA. :-) Cheers, Ben. -- SECURE HOSTING AT THE BUNKER! http://www.thebunker

Re: error C2197: 'void (__cdecl *)(void)' : too many actualparameters: problems compile the following code using ms visual c v6

Jeffrey Altman wrote: > > > Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> ,in message <2202220 > > [EMAIL PROTECTED]>, wrote: > > > > > I think the real problem is that an attempt is made to compile stack.c > > > as a C++ file, not a C one. What should be done is to tell the > > >

Re: Bug report: primality testing algorithm.

"Paulo S. L. M. Barreto" wrote: > > Greetings. > > I'm implementing elliptic curve software on top of OpenSSL Bignum > library. When testing it on NIST's standard curves, I found a problem that > seems not to be in my code: Bignum reports that NIST's 384-bit prime is not > prime! I've checked

Re: OpenSSL and SET

Radovan Semancik wrote: > > hello! > > I'm interested in SET (Secure Electronic Transactions) protocol support > in OpenSSL. > > Is there such a best? Is there plan to add SET implementation to > OpenSSL? > Is there any other open SET implementations? No, no and not as far as I know. I'm vague

Re: SSL 3.0 and TLS 1.0: differences?

M wrote: > > [Perhaps I ought to know this already, but...] > > RFC 2246 says "The differences between [TLS 1.0] and SSL 3.0 are not dramatic, but >they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although >TLS 1.0 does incorporate a mechanism by which a TLS implementa

Re: apache's ssl side fails to be stable

Michael R Gettes wrote: > > I am seeing something similar. Apache 1.3.9 with openssl 0.9.4 > on solaris 2.6. Everything seems ok and periodically, what I will > assume to be under some reasonable load, I find that I have many > httpd processes running (I believe it is my max) and apache > is no

Re: Need some help

"Leland V. Lammert" wrote: > > At 05:59 AM 1/11/00 , you wrote: > >Hello, > > I was wondering over the new rules that were sat by the US concerning > >Strong crypto there was a huge debate about freely distributing strong > >crypto after the new year. I hope i have asked this question to the > >

Re: out of memory error with netscape/openssl

jackie wrote: > > Will you tell me what fields I must fill in my certificate that > are different from client certificate or normal certificate? There aren't any that are different, but leaving any blank makes Netscape throw hissy fits. Cheers, Ben. > > Ben Laurie wrot

Re: out of memory error with netscape/openssl

Ramesh Panuganty wrote: > > Hi, > > I get an "out of memory" error when I tried to connect to my machine > via netscape on "https" (both windows and linux platforms). Internet > explorer from 95/98/NT does not have any complaints and works > properly. > > My machine runs redhat6.0, linux kernel

Re: Millenium and 37 bug

Rodney Thayer wrote: > > you should be able to go to at least 2049, as the PKIX limit > is around 2050. I know some vendors have tested this. PKIX is not limited to 2050, it simply changes format at that point. The problem is, presumably, that the date calculation is not carried out in an appro

Re: Is it legal?

Michael Sierchio wrote: > > Ben Laurie wrote: > > > Permit me to quote from RFC 2246 (TLS): > > > >The Internet > >Standards Process as defined in RFC 2026 requests that a statement be > >obtained from a Patent holder indicating that a l

Re: Checking client IP address in certificate

Ben Laurie wrote: > > Karsten Spang wrote: > > > > Is there a way to make Apache with SSL (either Apache+SSL, or mod_ssl, or ...) > > check the either the X509v3 Subject Alternative Name of type IP Address or > > the Subject unstructuredAddress against the clien

Re: Checking client IP address in certificate

Karsten Spang wrote: > > Is there a way to make Apache with SSL (either Apache+SSL, or mod_ssl, or ...) > check the either the X509v3 Subject Alternative Name of type IP Address or > the Subject unstructuredAddress against the client IP address? > I guess that this is an OpenSSL configuration thi

Re: Is it legal?

Vin McLellan wrote: > >I also believe in SW patents, .. but the current farce with RSA, even you > have >to admit, is stupid! Why cannot developers purchase a license (I do > not call >$100,000 a license fee for ANYONE)? Why has RSA abandoned RSAREF? > > 1. People who own something (and

Re: OpenSSL compiling problem on OpenBSD

Michal Otoupalik wrote: > > Hi, > I have tried to compile OpenSSL 0.9.4 on OpenBSD and when compilation was in >directory crypto/comp > then it stopped with error: > +gcc -shared -o libcrypto.so.1 -Wl,-S,-soname=libcrypto.so.1 -Wl,--whole-archive >libcrypto.a > ld: No reference to __DYNAMIC >

Re: Again: Win32 versions?

[EMAIL PROTECTED] wrote: > Out of curiosity, is there any reason why there isn't an archive of > compiled binaries? Source is all very well, and I can see absolutely > why you *have* to have it when you're dealing with encryption > technology, but couldn't the OpenSSL site be regarded as being > a

Re: SSL and non-repudiation

Maurice klein Gebbinck wrote: > > Hi all, > > This weekend I read the SSL spec and I am wondering about the following. > Suppose I am a the owner of an e-shop and I have a secure webserver. In > order to make sure that all product orders I get are for real, I require > that clients present a val

Re: Certificate question

Michael Robinson wrote: > > Patrik Carlsson <[EMAIL PROTECTED]> writes: > >You could remove your key passphrase - but it's not recommended for obvious > >security reasons! > > Everyone says that, but I've never seen anyone elucidate on the so-called > "obvious" reasons. > > The key file is prot

Re: openssl inside linux kernel

Seetharama Sarma Ayyadevara wrote: > > hi > > There are crypto accelrator cards that can do crypto on them, freeing the > CPU. This requires copying of date to/from user space. To avoid this and to > improve speed I thought openssl inside the kernel will help. That is why I > posted the que

Re: OpenSSL and Mac OS and export fun

Rich Salz wrote: > To the > best of my recollection, the following is a direct quote from one > of the NSA folks: > ... we call that crypto-with-a-hole and we don't allow > that to be exported Hmm ... thought it was the DoC that wrote the export rules. :-) Cheers, Ben. -- http:

  1   2   >