gic [EMAIL PROTECTED]:
I was developing an SSL client (with openssl-0.9.3a)
and found memory leaks when using RC4-MD5 (1024/128 bits).
HOWEVER, when I switched to "EXP-RC4-MD5" (512/40 bits),
there are NO leaks.
The best way to reproduce the leaks is to run 's_time'
for a long time. (Use
On Tue, Jul 20, 1999 at 02:36:54PM +0200, Bodo Moeller wrote:
[...]
Programs that access that structure directly cannot reasonably expect
binary compatibility across library versions. Clean programs handle
SSL_CTX's only as pointers. A problem is just that, in case the
application
On Tue, Jul 20, 1999 at 10:02:05AM +1000, Damien Miller wrote:
Backward compatibility is an important issue. Think "dynamic
library".
The funny thing here is that if we just add the parameters, then on
systems with "standard" calling convention old programs should run
without any problems
On Tue, Jul 20, 1999 at 10:55:20AM +0100, Ben Laurie wrote:
Bodo Moeller:
So, is backwards compatibility an important issue here
and is it worth this kind of evil hack, or should we
just add the parameters?
Backward compatibility is an important issue. Think "dynamic
li
Juan Carlos Castro y Castro [EMAIL PROTECTED]:
Maybe it's obvious but I'd like know if it's possible before I actually
start working. Let's say I have on one corner an SSL "socket",
handshaking already done. On the other corner, I have a normal,
connected, TCP socket. I'd like to know when
On Tue, Jul 20, 1999 at 01:20:52AM +0200, Richard Levitte - VMS Whacker wrote:
So, is backwards compatibility an important issue here
and is it worth this kind of evil hack, or should we
just add the parameters?
Backward compatibility is an important issue. Think "dynamic
library".
The
Juan Carlos Castro y Castro [EMAIL PROTECTED]:
Now I researched and learned (correct me if I'm wrong please) that I
can't ignore the server certificate if I'm using RSA as the key
exchanger. I'll have to use DH if I want a "thin" SSL client.
Another thing: I used "openssl s_client -connect
"Patrick Harlin" [EMAIL PROTECTED]:
I have tested on all the platforms several times, and I could still
see that one of the machines has a problem with slow generation of
private keys. It seems like Test2 machine always is 3 minutes slower
than all other HP installations ??? One other odd
On Wed, Jul 07, 1999 at 08:46:29AM +0200, Bodo Moeller wrote:
is the SSL library safe in a multi-threaded environment ?
[...]
Also you have to provide a callback that returns a thread ID (unless
you're using Windows, where OpenSSL already knows how to obtain the
thread ID from the OS
On Tue, Jul 06, 1999 at 06:26:42PM +0900, Takeshi Hamade wrote:
I want to get X509** object. How can we get X509** object
from CA certificates with SSL API?
Look at the examples -- apps/x509.c does this, for example.
On Tue, Jul 06, 1999 at 09:37:39PM -0400, Thomas Reinke wrote:
J-L Charton:
is the SSL library safe in a multi-threaded environment ?
To the best of my knowledge, mostly yes. The solution
employed is to use callback routines that employ locks
of one form or another (e.g. mutex'es).
Also
On Thu, Jul 01, 1999 at 05:10:09PM +0200, Lutz Jaenicke wrote:
On Thu, Jul 01, 1999 at 10:08:11AM -0400, Howard Uman wrote:
If I protect my certificates in Netscape with a password, when I
enter the password, the request hangs until it times out (this
actually doesn't happen every time, but
On Thu, Jul 01, 1999 at 05:47:42PM +0200, Pierre De Boeck wrote:
I have noticed that the SSL_OP_NETSCAPE_CA_DN_BUG option
enables to modify slightly the DER-encoding of the CA's DNs
that a TLS server sends to a client during the
SSL3_ST_SW_CERT_REQ_A/B phase of the handshake.
I suppose
On Tue, Jun 29, 1999 at 10:00:57AM +0800, Sun JunXu wrote:
[...] there was an error, I captured it in .jpg in attached file [...]
^
What's that nonsense for? About all errors show in pure ASCII, which
makes them readable,
On Wed, Jul 28, 1999 at 06:32:56PM +0100, David J. Palaitis wrote:
i had a problem with session ID reuse and openSSL0.9.2b
i set the verify flags to
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
but sessions weren't being reused,...
[...]
On Tue, Jun 29, 1999 at 12:51:40PM +0200, Oliver Floericke wrote:
is there somebody who can briefly describe how to configure a OpenSSL server
program in that way that it sends a list of acceptable CAs to the client?
I'm using client authentication and would like to decide on the client
Carl-Henrik Tano [EMAIL PROTECTED]:
I'm using openssl 093a and have some problems when I'm reusing a ctx in
my server application.
My server initiates one ctx when it starts and for every client
connection it creates a new ssl session with SSL_new(ctx).
Sometimes I get core dump in SSL_new
Sarah Bateman [EMAIL PROTECTED]:
Client: ssleay 0.8.1 running on NT4
Server: proxy server using ssleay 0.8.1 library
SSL related server code:
[...]
ssl = SSL_new (ctx);
SSL_clear(ssl);
(An SSL_clear directly after the SSL_new is not necessary, but
should not cause any problems.)
On Tue, Jun 22, 1999 at 06:23:09PM +0200, Oliver Floericke wrote:
I would like to convince OpenSSL to cache the session IDs, but how can I
achieve this?
I have a Client that sends him his SessionId which OpenSSL should already
have, but the answer from OpenSSL is that it does not want to
On Fri, Jun 11, 1999 at 08:54:24AM +0200, Stéphane CORNOU wrote:
I can't understand why the Makefile in apps/ do a
rm -f openssl
So, when I do a 'make install' after the 'make all', I have to rebuild
openssl.
My hp-ux takes 1 hour to build this latter.
'Make clean' directive seems
On Mon, Jun 07, 1999 at 05:17:52PM +0200, George Huan (EUS) wrote:
I have created the multi-threaded SSL client application for Windows NT
system with Microsoft Visual C++ 6.0, it works quite well with its
corresponding server, only on some occasions, it will get a SSL_read()
error with
On Tue, Jun 01, 1999 at 04:15:40PM -0400, York Pang wrote:
I try to install Apache-ssl on Solaris 2.7. First, I need to install
Openssl. When I compile the package, I need to run "make", "make test",
"make install", etc. However, make is not in the default path. I do a find,
and get
On Tue, Jun 01, 1999 at 09:03:31PM +, Patrick Bertholon wrote:
To handle multiple connection simultaneously, I have one "network"
thread, that start the SSL connection when a client connects. After
that, it gives the connection (the SSL*) to another thread and waits for
another
On Wed, May 26, 1999 at 10:41:02AM -0600, Jim Hribnak wrote:
I am having problems compiling openssl .0.9.3 and bsdi 3.1 I run config
and then make and I then eventually get the following:
making all in crypto/sha...
gcc -I.. -I../../include -O3 -ffast-math -DL_ENDIAN -DPERL5 -m486
On Thu, May 27, 1999 at 10:25:34AM +1000, Ian Pollard wrote:
I have a proprietary client application and server that I have implemented
OpenSSL for secure comms. My own client app doesn't have to communicate
with anything other than my own application server. My server will be
likely
On Tue, May 25, 1999 at 01:28:51PM +0100, Ben Laurie wrote:
I have no doubt that there will be a "b" version shortly. The VMS
changes will be picked up then.
IIRC the only non-documentation VMS change was GENDSA, right?
There was more than that. GENDSA is the one that was not correct in
geoffrey [EMAIL PROTECTED]:
I'm running SuSE6.0 on intel with an apache 1.3.6 server. I built
openssl-0.92, and when i do "make certificate", it builds one of only
40-bit strength. [...]
There is no such thing as a "40-bit certificate". What you likely
mean is that when you use Netscape to
"Raul Gutierrez" [EMAIL PROTECTED]:
Can somebody tell me all possible values of the nsCertType field in the
openssl.cnf file and their meanings?
See doc/openssl.txt in the OpenSSL 0.9.3 distribution.
On Fri, May 21, 1999 at 02:25:23PM +0100, Ben Laurie wrote:
Bodo Moeller wrote:
On Fri, May 21, 1999 at 09:08:52AM +0200, Ralf S. Engelschall wrote:
What exactly does Apache with mod_ssl do when shutting down an SSL
connection (in the default case)? Does it send its close_notify alert
On Fri, May 21, 1999 at 04:35:50PM +0200, Oliver Flöricke wrote:
I'm new to OpenSSL so therefore my question may be quite simple: After
installing the files (Ver. 0.9.2b) without any problems on an AIX I build
the SSL libs.
After this I tried then to compile the SSL demos in ../demos/ssl,
On Fri, May 21, 1999 at 01:00:02PM +0200, Bodo Moeller wrote:
When I
understand you correctly, the problem can be those platforms where Apache
doesn't do the lingering close, right?
Could be, yes. Netscape does not recognize
On Fri, May 21, 1999 at 05:58:55PM +0100, Ben Laurie wrote:
Bodo Moeller wrote:
No, it's exactly the opposite: Instead of keeping a half-closed
connection (where the party that initiated the close stays in
FIN-WAIT-2 state and the other party stays in CLOSE-WAIT until it
decides to close
"Scheltema, R.A." [EMAIL PROTECTED]:
1. Now I think the previous calls do not place a signature on the data (at
least I hope not). My question is how do I place a signature on something (I
know I need my own private key to do this). I have an array of chars. Which
calls do I have to make ?
Lars Weber [EMAIL PROTECTED]:
Is there a limitation of 255 total issued certificates in the OpenSSL
"ca" program ?
This could be a serious problem for some places
JFI:
Some time ago I have done some testing with SSLeay-0.8.1.
I have set up a cron-job to issue a new cert every five
"Scheltema, R.A." [EMAIL PROTECTED]:
With the
examples given with the OpenSSL-distribution I've been able to make a (as of
yet) minimal server to which Netscape and IExplorer can connect and exchange
information. The problem is
On Tue, May 18, 1999 at 05:45:52PM -0800, Michael wrote:
apache 1.3.6 openssl 92b
everything seems to work. If I connect with a self signed test cert,
I get a dialog in the browser but when I get to the end it says
"connection reset by peer". This occurs with all NS browsers,
MSIE does
On Wed, May 19, 1999 at 12:59:21PM -0700, Dinesh Somani wrote:
I am trying to build openssl 0.92b for apache.
SO I downloaded and built the openssl-0.9.2b package.
The make went fine, BUT 'make test' failed as follows:
...
openssl:Error: 'idea-ecb' is an invalid command.
You compiled the
"Haskell, Paul" [EMAIL PROTECTED]:
Attempting to access
http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt from the
Internet results in something this:
Access Forbidden [...]
I noticed this soon after having sent off my e-mail message with that
URL ... I've already sent e-mail to
"Michael" [EMAIL PROTECTED]:
apache_ssl w/openssl 9.2b
Everything was going fine. All of a sudden when I attempt
ssl connection with NS 4.05, NS4.08 I get the message
"The certificate is not approved for the attempted operation"
NS is using PKCS#11 v2.0 lib version 4.0
No problems with NS
Benjamin Grosman [EMAIL PROTECTED]:
I am able to fetch the issue and subject details of the client certificate
from inside the server, but how do I know that someone hasn't simply
generated their own certificate with the same details?
If you initialize the verification settings with about
Paul Rubin [EMAIL PROTECTED]:
Yes, you can proxy ssl connections. However, mod_proxy doesn't
seem to support keepalives. So if you proxy a page containing
html and 15 .gif's, each of the gifs will result in a new ssl
connection being negotiated, complete with public key signatures,
Christian Hammers [EMAIL PROTECTED]:
I have a problem. I've just received a Thawte Apache-SSL certificate
that I have created with openssl-0.9.2b. But whenever I start my
apache_1.3.4 it writes:
[crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
But my cert file looks like:
On Sat, May 15, 1999 at 07:02:19AM +0300, Oleg Girko wrote:
case BIO_C_SET_FILE_PTR:
file_free(b);
- b-shutdown=(int)num;
+ b-shutdown=(int)numBIO_CLOSE;
b-ptr=(char *)ptr;
b-init=1;
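Review bot: the added line `b-shutdown=(int)numBIO_CLOSE;` does not parse as shown, since no operator separates `num` from `BIO_CLOSE`, and `b-shutdown`, `b-ptr` and `b-init` read as subtractions rather than member accesses. The archive rendering appears to have dropped characters, so the hunk should be checked against the original message before it is applied. A one-line comment on the `BIO_C_SET_FILE_PTR` case stating which part of `num` ends up in the shutdown flag would also make the intent of the change clear to later readers.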
Thanks; fixed.
On Sat, May 15, 1999 at 12:11:20PM +0200, Massimiliano Pala wrote:
I've found interesting bug in OpenSSL crypto library. This bug causes
crash in `make test' when building libcrypto as shared library on Linux
RedHat 6.0. Probably, this bug can crash other utilities linked with
OpenSSL on
John Martin [EMAIL PROTECTED]:
I'm looking for documentation on how to use a client certificate, ie
how to make a certificate available to the SSL server. I don't seem to
be getting any results from SSL_CTX_use_certificate_file().
Do you also load the corresponding key file? If not, that's
[EMAIL PROTECTED] (Colin Bradley):
May I ask someone who is familiar with the degree of thread
safety of the OpenSSL libraries to comment on it? I have been
unable to find clear documentation on this aspect of the
implementation, but noted that some of the libraries
appear to
"Wade L. Scholine" [EMAIL PROTECTED]:
Record layer is below the whole stuff (meaning the
handshake protocol itself uses the record layer as
well).
But the record layer is basically doing no-ops (except maybe
fragmentation defragmentation) during the initial handshake?
Yes. I include an
On Fri, Apr 30, 1999 at 11:28:45AM +0100, Anthony Peacock wrote:
It turns out that Netscape v4.06 or higher requires that the CN (common
name) of the certificate matches the DNS name of the server. I think this
_is_ part of the standard, it is just that the other browsers don't complain.
On Tue, Apr 27, 1999 at 08:53:03AM -0500, Ross Foard wrote:
Olga,
Did you get any responses to this question? Because of the unclear
(to me) nature of the RSA licensing I am using an evaluation of
Covalent Raven while trying to understand the licensing issues. In the
past I have always
On Thu, Apr 15, 1999 at 11:53:01AM +0200, Stefan Pedersen wrote:
On Thu, 15 Apr 1999, Bodo Moeller wrote:
Stefan Pedersen [EMAIL PROTECTED]:
if(retval == 0)
otherSideClosedConnection();
Not quite. If retval == 0, you still have to call SSL_get_error if
you want
On Tue, Apr 13, 1999 at 12:00:00AM +, Richard Levitte - VMS Whacker wrote:
SSL_read() appears to return the number of characters
returned in the buffer on success (= 0). If failure, it
returns 0. This is different from Unix read().
I'm afraid you're wrong, unless you consider EOF to
On Tue, Apr 13, 1999 at 12:00:00AM +, Andrew Cooke wrote:
I am reading across the network, using SSLeay-0.9.0.b, and have an
intermittent problem - the sending socket is being closed, but this is
not always being detected by the receiving SSL. In particular,
SSL_read(ssl, buffer,
Daniel Smith [EMAIL PROTECTED]:
I've been trying to trace a strange problem here with our mail system.
We have various clients using IMAP over SSL (openssl-0.9.2b) with
stunnel in the middle.
[...]
At the top level, stunnel tells me that SSL_accept() returned 0 - no
error set in the ssl
On Mon, Apr 05, 1999 at 11:07:57AM -0400, Nishith Dipak Shah wrote:
I need to implement an SSL server that will force a renegotiation after a
certain period of time.
Why "after a certain period of time"? Renegotiation is useful e.g. if
you want to verify a client certificate when you did
On Mon, Apr 05, 1999 at 02:00:01PM -0500, olga wrote:
While compiling on IRIX with cc I got the following error:
cfe: Error: bn_mul.c, line 98: Syntax Error
if (n2 (16) // 32 )
---^
[etc. etc.]
The problem I guess is C++ comments in C code (in
On Mon, Apr 05, 1999 at 02:49:59PM -0700, Roland Mechler wrote:
I haven't seen a reply to this one, so here goes. I'm not clear on
whether this is a bug or not. I haven't had a really close look at
the code, but I think the issue is that the SSLv3 method won't
accept Version 2.0 client hello
Don Badrak [EMAIL PROTECTED]:
Bodo Moeller:
It appears that either your copy of pem.h or your C
preprocessor is broken ...
It is probably an irix64-gcc vs irix-gcc thing. I'll have to look deeper
at the differences between the two. I don't believe the gcc preprocessor
is broken
Dr Stephen Henson [EMAIL PROTECTED]:
[...]
The SSL spec isn't clear on the format of the DSS signature.
I hadn't noticed that problem -- the TLS RFC does have an explicit
definition ("hashing [...] produces two values, r and s. The DSS
signature is an opaque vector [...] the contents of which
On Wed, Mar 31, 1999 at 02:15:23PM +, Dr Stephen Henson wrote:
Bodo Moeller wrote:
Dr Stephen Henson [EMAIL PROTECTED]:
The SSL spec isn't clear on the format of the DSS signature.
I hadn't noticed that problem -- the TLS RFC does have an explicit
definition ("hashing [...] pro
olga [EMAIL PROTECTED]:
[...]
I have an open socket "s" which should be persistent (should be left
open for reuse, but may be closed any time by another library -
wwwlib)
So presumably you're connecting to some HTTPS server.
I am creating ssl object, setting socket fd to "s", connecting
Rodney Thayer [EMAIL PROTECTED]:
how do I set up a hierarchy of signing certificates? I want to do this:
root cert (generated with OpenSSL)
- signs Signing Certificate Two (generated with OpenSSL)
- signs User Certificate
in other words, I need to generate a cert request for