X509_STORE lookup problem

a get_by_fingerprint function, but it never gets called. -- Chris Bare

Re: EC_POINT_get_affine_coordinates replacement in 3.0

Thanks, I'll check those out. On Tue, May 3, 2022 at 4:53 PM William Roberts wrote: > On Tue, May 3, 2022 at 3:18 PM Chris Bare wrote: > > > > > > On Tue, May 3, 2022 at 3:10 PM William Roberts > wrote: > >> > >> On Tue, May 3, 2022 at 1:14 PM Chris

Re: EC_POINT_get_affine_coordinates replacement in 3.0

On Tue, May 3, 2022 at 3:10 PM William Roberts wrote: > On Tue, May 3, 2022 at 1:14 PM Chris Bare wrote: > > > > I'm converting some openssl 1.0 code to 3.0 and I don't know how to get > the coordinates > > in a 3.0 way. > > The old code is: > > BN_CTX *ctx =

EC_POINT_get_affine_coordinates replacement in 3.0

= EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey)); group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey)); EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx) What would be the 3.0 way to get X and Y without using deprecated functions? -- Chris Bare

Re: OpenSSL Memory Allocation Functions Issue

Thanks, Chris On Wed, 30 Mar 2022 at 16:32, Todd Short wrote: > Each OS distribution may choose to enable/disable features as they see > fit. And they may also patch the code. > > It's likely RHEL disabled the functionality. > > You would need to download the RPM source, buil

OpenSSL Memory Allocation Functions Issue

me output Would someone be able to confirm what is going on here? Does the above script suggest a problem with the OpenSSL-Libs? Am I looking in the right places to confirm a difference between the two VMs? Thanks, Chris

SHA256 openssl-1.1.1i Checksum Error

This is my first post. OpenSSL is not my forte. The code below returns an unexpected checksum value for openssl-1.1.1i.. Strangely, when the same code is run for a previous version, the correct checksum value is returned. Here is what I’ve tried: 1. Downloaded the current SHA256 value for

CVE-1999-0428

Hi openssl-users, I am researching the known vulnerabilities of open source software that we are considering. According to the NIST NVD web site, the 1.1.1d version of OpenSSL has a few known vulnerabilities:

fipsld in CMake

Hello, I am trying to compile an openSSL wrapper for use on android, using fipsld to generate a fips compliant so file. It seems that android favors cmake now, so I was wondering if anyone got the fipsld steps working within cmake successfully and can give any pointers Thanks

Re: [openssl-users] Compiling FIPS-cable OpenSSL on Windows Server 2012R2

> On Jan 7, 2019, at 11:52, Chris Fernando via openssl-users > wrote: > >> >> On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users >> wrote: >> >> I perused the list archives for all of 2018 and did not see anything current >> relat

Re: [openssl-users] Compiling FIPS-cable OpenSSL on Windows Server 2012R2

> > On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users > wrote: > > I perused the list archives for all of 2018 and did not see anything current > relating to this problem, so if this is a question that has been asked & > answered, please feel free to

[openssl-users] Compiling FIPS-cable OpenSSL on Windows Server 2012R2

it work? Any help would be greatly appreciated. Thanks, Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Subject CN and SANs

ace to put the client's identity, but maybe it is still better to use subjectAltName? - Chris > Actually, per the latest CA/Browser forum guidelines, subject.CN is not > only optional but “discouraged”. > > -FG > >> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton wrote: &g

[openssl-users] Exclude unwanted ciphers during build

Is there a simple way of excluding unwanted ciphers or cipher suites during a build? I would like to remove ARIA in particular, but may want to remove additional ones in order to use a smaller footprint. -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] How to compile 1.1.1 under Windows

1.1-stable-SNAP-20181018. On Tue, Oct 23, 2018 at 3:31 AM Chris Clark wrote: > > Next I tried an older stable snapshot > openssl-1.1.1-stable-SNAP-20181018 which configured without issue, but > I got a different compile result: > > cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /

Re: [openssl-users] How to compile 1.1.1 under Windows

clared identifier crypto\rand\drbg_ctr.c(422) : error C2065: 'INT32_MAX' : undeclared identifier crypto\rand\drbg_ctr.c(423) : error C2065: 'INT32_MAX' : undeclared identifier crypto\rand\drbg_ctr.c(424) : error C2065: 'INT32_MAX' : undeclared identifier NMAKE : fatal error U1077: '"C:

Re: [openssl-users] How to compile 1.1.1 under Windows

gt; > You found a bug in crypto\sm2\sm2_sign.c, thank you. Are you willing > > to write up a Github issue for it? > > > > In message > > on > > Tue, 23 Oct 2018 01:22:34 -0700, Chris Clark said: > > > > > Thank you Richard. Adding the "no-makedepe

Re: [openssl-users] How to compile 1.1.1 under Windows

XE"' : return code '0x2' Stop. NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2' Stop. On Tue, Oct 23, 2018 at 12:19 AM Richard Levitte wrote: > > I suspect you'll find some kind of error message in > cry

Re: [openssl-users] How to compile 1.1.1 under Windows

> HTH, > > Matthias > > > > > > > -Ursprüngliche Nachricht- > > > Von: openssl-users Im Auftrag von > > > Chris Clark > > > Gesendet: Dienstag, 23. Oktober 2018 08:51 > > > An: openssl-users@openssl.org > > > Betreff: [open

[openssl-users] How to compile 1.1.1 under Windows

I am attempting to upgrade a project using OpenSSL 1.0.0h to version 1.1.1 under Visual Studio 2008-SP1, but when I try to compile version 1.1.1 for VC-WIN64A I get the following compile error: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 /I "." /I "crypto\include"

Re: [openssl-users] Checksum for openssl-1.0.2p download

On Behalf >> Of Matt Caswell >> Sent: Wednesday, September 12, 2018 14:29 >> >> On 12/09/18 19:24, Chris Outwin wrote: >>> I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for >> receipt validation in an iOS application. >>> >>>

[openssl-users] Checksum for openssl-1.0.2p download

I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for receipt validation in an iOS application. Is there a list of checksums to verify openssl download versions? I believe I should be using openssl-1.0.2p. Can openssl-1.1.1 be used in a production application yet? Why

Re: [openssl-users] PRNG is not seeded

> Of course people have been harvesting entropy, or trying to, from network > sources for decades. There's a famous paragraph regarding it in RFC 4086, > which is an expanded version of a similar statement from RFC 1750 (1994): > > Other external events, such as network packet arrival times

Re: [openssl-users] PRNG is not seeded

As it happens I am the proud owner of a made-in-UK Mathmos Lava Lamp and a couple of their Space Projectors : however I don't use them as a RNG. I am thinking more about the fact that there are a lot of devices which * have no hardware TRNG on board * do have one or more connections to wired or

Re: [openssl-users] PRNG is not seeded

I've also encountered this quite often, and I have a feeling that on today's connected devices there may be a lot of entropy "in the air" (quite literally) which is not being captured. Does any one know of research in this area? > Hi Scott > > I don’t know your OS or environment, have you

[openssl-users] how to control the cipher list of an openssl server

false); but after that the nmap script doesn't find any ciphers. Any suggestions? -- Chris Bare -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

for taking an encrypted string, and "backing in" to the details of how it was created? (ie what algorithm, etc?) Thanks, Chris On Mon, Jan 15, 2018 at 2:01 PM, Chris B <cryptoassetrecov...@gmail.com> wrote: > Hi Daniel, > > >Option #1 from the possibilities you mentione

Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

Hi Daniel, >Option #1 from the possibilities you mentioned below seems to be the most logical to me. Thank you, that's very helpful. Thanks, Chris On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel <dnsa...@sandia.gov> wrote: > On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:

Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

Hi Matt, >If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Awesome thought, but I'm also using 1.0.2: $ openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 (I also tried adding -md md5 to the previous command, but I got the same error message). Thanks, Ch

Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

t 139845090879392:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581: Which brings me back to the original question. Does anyone know how to interpret "EVP_DecryptFinal_ex:wrong final block length" Thanks! -Chris On Sun, Jan 14, 2018 at 11:2

Re: [openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581: Thanks, Chris On Sun, Jan 14, 2018 at 10:39 AM, Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > For CBC the encrypted text will be a multiple of the cipher size. So your > use of CBC is wrong. The quoted post uses aes2

[openssl-users] OpenSSL error message when decrypting Ethereum encrypted private key

private key -- its length must be a multiple of the AES block length. o Something else entirely Can anyone help me understand how to interpret this error message? Thanks, Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] ENGINE API and a compromised client or server

? Note that we are not only talking about servers here, rather we currently have only one internet-facing server (HTTPS) and a growing number of XXX-over-TLS clients, so if anything these are a greater source of concern. Any pointers are very welcome! Chris Gray -- openssl-users mailing list

[openssl-users] cms utility "-sign" doesn't include signed content

I'm struggling with a PKCS7 signing operation using openssl 1.0.2g. I want to create signed messages like the one in my 'original' file (below). It seemed like extracting and then re-signing this message would be a good start. I'm able to verify/unpack the original message, but not able to sign

[openssl-users] SSL_shutdown:shutdown while in init

own protocol and BIO_do_connect fails as expected, but BIO_free gives this error: SSL_shutdown:shutdown while in init If I don't free it, I have a memory leak. Is there something else I need to do to clean up the BIO? I tried calling BIO_do_handshake, but that crashes (not surprised). -- Chris B

Re: [openssl-users] How do I connect to this server

You should be able to do this using stunnel: see for example https://www.elastic.co/guide/en/cloud/current/tunneling-ssl.html where your telnet commands would be the "client which supports only http". But you can also learn a lot by playing with curl ... > I know that this is a TLS related

[openssl-users] How to detect AES-NI compatible CPU

My application links to OpenSSL 1.1.0 dynamically, and I would like to be able to determine if the CPU supports the AES-NI instruction set. Is there an OpenSSL API that can do this? -Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How to enable RC4 in OpenSSL 1.1.0c

On Thu, Jan 19, 2017 at 10:36 AM, Matt Caswell <m...@openssl.org> wrote: > Try this: > > openssl ciphers -v "ALL:@SECLEVEL=0" Okay that worked! Thanks to everyone that responded. I saw Rich Salz mentioned using ALL, but I didn't realize it was a parameter. -Chris -- o

Re: [openssl-users] How to enable RC4 in OpenSSL 1.1.0c

c=AES(128) Mac=SHA256 PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1 -Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How to enable RC4 in OpenSSL 1.1.0c

T PREFIX=C:\openssl64 SET OPENSSLDIR=C:\openssl64 perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4 nmake >> I would also like to know, is it possible to also enable the depreciated SSL3 >> ciphers? > > Do you mean the ciphers or the protocol? Many SS

[openssl-users] How to enable RC4 in OpenSSL 1.1.0c

C4 ciphers. Is there another parameter needed? I would also like to know, is it possible to also enable the depreciated SSL3 ciphers? -Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] X.509 Attribute Certificate status

we and our customers use (which includes OpenSSL). Thanks for any indications Chris Gray -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] EVP_get_digestbyobj fails for ecdsa-with-SHA256

a function that will return just the digest algorithm? I'm trying to be as flexible as possible, so I don't want to hard code this or have my own limited lookup table. On Thu, Jul 7, 2016 at 2:54 PM, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 07/07/2016 20:08, Chris Bare wrote: > >&g

[openssl-users] EVP_get_digestbyobj fails for ecdsa-with-SHA256

BJ_NAME_get = (nil) EVP_get_digestbyobj failed So it looks like my sig_alg_oid is good, but OBJ_NAME_get fails. I am using openssl 1.0.2d-0ubuntu1.5 in ubuntu 15.10 Am I doing something wrong, or could this be a bug in the library? Any suggestions appreciated. -- Chris Bare -- openssl-users ma

[openssl-users] Access to ECC X and Y

Is there a public interface to access the X and Y elements of an Ecc public key? I tried: EC_KEY *ecc; BN_num_bytes (ecc->pub_key->X); but get the compiler error: error: dereferencing pointer to incomplete type ‘EC_KEY {aka struct ec_key_st}’ -- Chris Bare -- openssl-users mailin

[openssl-users] SSL errors connecting to some websites

sort of SSL handshake fallback error? Is there anything we can do in terms of configuration? Are we barking up the wrong tree? All input/questions welcome. Thanks Chris --- Chris Puttick CEO & Chief Asst to the duck TwoTen http://twoten.is Making the Internet better. For kids. +44 7908 997

Re: [openssl-users] Guidance on proper usage of OpenSSL_add_all_digests

> On Wed, Mar 2, 2016 at 12:27 PM, Neptune wrote: > [...] > You can perform initialization in a static C++ ctor, but it can be > tricky because the C++ committee has never addressed the problem of > initialization order across translation units. Also see What's the > "static

Re: [openssl-users] FW: Website changing this weekend

Hi Rich, I'm curious why the new download page lists version 1.01p before version 1.02d? Is it suggesting that users download the 1.01 branch instead of the later one? -Chris On Fri, Aug 14, 2015 at 1:26 PM, Salz, Rich rs...@akamai.com wrote: From: Salz, Rich [mailto:rs...@akamai.com] Sent

[openssl-users] Question on logjam

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_DES_CBC_SHA The above are weak (e.g. vulnerable to freak), no argument there, but just want to ensure these are not vulnerable to this newly published bug. Thanks all! Chris. ___ openssl-users mailing list To unsubscribe: https

Re: [openssl-users] Delete a post to openssl-user mailing list

What is the security risk? Management ? :) There could be a perceived problem that the world now knows that company X has problems with OpenSSL, and a competitor could even try to make mischievous use of this information - it happened to me once (with another technology). Death of developer

Re: [openssl-users] openssl 1.0.2a CMS encrypt with ECDH EnvelopedData fails?

. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org Many thanks Steve for the prompt response! That fixed it. Chris ___ openssl-users mailing list To unsubscribe: https

[openssl-users] openssl 1.0.2a CMS encrypt with ECDH EnvelopedData fails?

Hi, I am playing with openssl 1.0.2a - specifically CMS support for ECC. But what I think should work doesn't. Commands used and parsed data shown. (I gave an RSA example as a known good working example) ./openssl version OpenSSL 1.0.2a 19 Mar 2015 echo -n 12345678123456781234567812345678

Re: [openssl-users] EVP_aes_256_gcm -- receiving of tag

Dr. Stephen Henson wrote (on Wed 21-Jan-2015 at 14:53 +): On Tue, Jan 20, 2015, 'Chris Hall' wrote: ... I find that the EVP_aes_256_gcm for decrypt requires the Tag to be set before the first call of EVP_DecryptUpdate(), and EVP_DecryptFinal_ex() with then return 0 if the Tag is found

[openssl-users] EVP_aes_256_gcm -- receiving of tag

encrypts an arbitrary amount of data and starts sending it before all of it has been encrypted. What I have found so far seems to require me to receive all the cipher-text, and only when the Tag (finally) arrives, can I start to decrypt :-( Thanks, Chris

[openssl-users] openssl, opencrypto integration

I have implemented a H/W encryption driver and have integrated it with cryptodev. In eng_cryptodev.c there is an array digests[]. In that array it defines CRYPTO_MD5 to have a keylen of 16. In cryptodev, the xform.c file definedes MD5 to have a keylen of 0. Why is the keylen not zero for the MD5

Re: [openssl-users] How to get current using openssl version

! ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users -- Chris Bare ___ openssl-users mailing list openssl-users@openssl.org https

[openssl-users] eng_cryptodev question

generation. Chris. ___ openssl-users mailing list openssl-users@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-users

Re: Small memory leak on multithreaded server

As the maintainer of an alternative JavaVM I can confirm that we absolutely had to support library unloading because one customer was using it heavily - and that was quite a few years ago. Early Sun VMs didn't support library unloading, but then those VMs also did not garbage-collect obsolete

which cipher was chosen?

that Windows has started to favor the slower ECC ciphers, but I need a way to prove it. -- Chris Bare

Re: which cipher was chosen?

Henson st...@openssl.org wrote: On Fri, Nov 21, 2014, Chris Bare wrote: Is there a way to query the BIO or SSL object to see which cipher is being used? I have a case where my openssl client's performance is significantly slower when talking to server A vs server B. AFAIK, the only

my custom lookup method is leaking certs

this via openssl functions, can anyone enlighten me? -- Chris Bare

Re: SSL vs. SSH in the context of CVE 2014-0160

Thanks Wim. On Tue, Apr 8, 2014 at 10:36 PM, Wim Lewis w...@omnigroup.com wrote: On 8 Apr 2014, at 7:14 PM, Chris Hill wrote: Team, I am having a discussions with a few friends about why this OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of you

CVE 2014-0160 and FIPS 140-2 module

Can anyone confirm my understanding that the FIPS 140-2 certified module is NOT affected by the CVE 2014-0160 vulnerability? -- Chris Bare

Re: How to determine when data is finished on an SSL socket

Regards Chris Gray On 11 January 2014 19:46, M. V. bored_to_deat...@yahoo.com wrote: Hi everybody, I'm writing an application that creates multiple non-blocking SSL connections to an https server, in each one I send a request and read the server's response. my problem is, whatever I do, I can't

Looking for a tech talk speaker on Secure Networking

meetup.com. Thanks, Chris Westin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager

SSLv23_Server_Method() not working in OpenSSL 1.01e

in 1.0.1e? -Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord

Re: RAND_bytes() returns zero in pre-boot environment

Issue is fixed. So long as it's OK to generate the same random bytes at each power-on. This is quite a common problem with embedded devices: even after boot it can be hard to find entropy with which to seed the PRNG. The usual sources which are used in a PC environment (keystrokes, ethernet

Re: How do I mount a NAS device?

On Aug 8, 2013, at 2:45 PM, Ted Byers r.ted.by...@gmail.com wrote: I obtained a NAS, with a view toward running MySQL on a sever running MS Small Business Server 2003 (yes, I know, it is old, but I don't have authority to upgrade it or wipe it and install Linux on it). Anyway, the latest

Re: connection encrypted (a question)

On May 12, 2013, at 6:38 PM, Salz, Rich wrote: Many people find the four-letter word at the start of your domain name offensive. I'm assuming you know English well enough to know that, and chose it deliberately. That's reading beyond the cover. It broadcasts a general lack of respect

RSA_PKCS1_PSS_PADDING and CMS_verify (repost)

in CMS_verify. If not, I have some experience working with the openssl source code, but some pointers would be appreciated. -- Chris Bare On Mon, Sep 12, 2011, Stef Hoeben wrote: Hi, we have an SOD (a CMS for e-passports and e-ID cards) file that we can read out and verify nicely

RSA_PKCS1_PSS_PADDING and CMS_verify

. -- Chris Bare On Mon, Sep 12, 2011, Stef Hoeben wrote: Hi, we have an SOD (a CMS for e-passports and e-ID cards) file that we can read out and verify nicely if the signature algo is RSA_PKCS1_PADDING. But if the algo is RSA_PKCS1_PSS_PADDING (see attached txt for an asn1 dump

[no subject]

with the openssl code, and could try to fix it myself, but pointers would be helpful. -- Chris Bare On Mon, Sep 12, 2011, Stef Hoeben wrote: Hi, we have an SOD (a CMS for e-passports and e-ID cards) file that we can read out and verify nicely if the signature algo is RSA_PKCS1_PADDING

EVP_get_digestbyname and 'standard' signature algorithm names

, but it seems it should be possible to do something more general. Chris Dodd d...@csl.sri.com __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz ralph-openssl-...@ralphholz.de wrote: -CAfile fileA file of trusted certificates. The lookup first looks in the list of untrusted certificates and if no match is found the remaining lookups are from the trusted certificates. The root CA is

Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured

On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea erwann.aba...@keynectis.com wrote: There's the same behaviour with -CAfile. If -CAfile isn't specified, then the default platform CA file is used (by default, /usr/lib/ssl/cert.pem). This is true for verify, ocsp, smime, and cms. Oh, right. New

CryptAcquireContext -- New KeyObject already exists error pop up

is it the OpenSSL library that is creating the actual alert pop-up boxes? And if so, how can I suppress them? Thanks, -- Chris Long Programmer/Analyst Charitable Gaming Division Canadian Bank Note Company Ltd. Phone: 705-251-1559 Cell: 705-257-1261

Quick question if TLS renegotiations are supported

Hi, Just a quick question. Does OpenSSL 1.0.1c support renegotiation of TSL clients? I'm programming a small server/client and if my SSL_method is SSLv23_method()'s or TLSv1_method()'s and they negotiate a TLS connection I'm having trouble getting them to renegotiate. -- Chris Long

OpenSSL renegotiation problems with TLS

information or clarification as requested. Thank you, -- Chris Long Programmer/Analyst, Bingo Systems Lottery Systems Division Canadian Bank Note Company Ltd. __ OpenSSL Project http://www.openssl.org

n00b Cert Questions

Hi all! I am trying to generate Certs for use with strongswan VPN. Specifically, I am trying to fulfill: http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq So as to use windows 7 builtin VPN client. Has anyone here done this with strongswan? Can anyone point me to a doc that has

Re: weak key check?

clear that using 112 bits of entropy to generate an RSA key (of any length) cannot possibly give you more that 56 bits of security, and probably far less. Chris Dodd d...@csl.sri.com __ OpenSSL Project

CApath with multiple client certs

I love this toolset; definitely value-add for the community! I am using OpenSSL to run through a sizable number of web server connections (~500), and tell me which certs are getting ready to expire. My utility has worked for a while (a couple years?) on 1.0.0 Beta3, and I recently upgraded to

Re: CApath with multiple client certs

Hi Dave, Thanks for your ideas and response. Especially the explanation of CApath; very informative. You're right, I'm on version 'g' not 'n'. I'd say it was a typo, but I really thought I was on 'n'. ;) -Chris On Fri, Feb 3, 2012 at 4:48 PM, Dave Thompson dthomp...@prinpay.com wrote

Uninitialized variable detected in commit 1.76

(val); - uninitialied variable val used ... Since the variable is uninitialized, it could be non NULL, which if passed to OPENSSL_free could potentially cause a crash. A solution to this problem would be to assign val to 0. Thanks, Chris -- Chris Wilson http://vigilantsw.com/ Vigilant

we have an issue

...the certificate part of the command is displayed with the hashed cert. What can I do to fix this problem? Regards, Thanks for the help ahead of time. Chris Johnson SR. Software Engineer, MSE. FEMA NCP RE Office: (202)646-3531 Cell: (202)577-7441 inline: image001.gif

Re: What is the maximum data size for encrypting with rsautl command?

with RSA and prepend that to the encrypted file. -chris On 06/27/2011 09:00 AM, ml.vladimbe...@gmail.com wrote: Hello. I tried to encrypt a file(1Mb), with RSA private key of 4096-bit length with command: openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in 2.txt -out 2

Re: Question regarding to memory leak

stack traces in the leak reports. You need a depth of 15-20 to get far enough to see where your code is calling into the OpenSSL code in most cases. There's probably a similar option for IBM purify. -chris

OpenSSL and multithreaded programs

and wrapping a mutex acquire around every call into the library. Is this kind of locking expected to be needed? Chris Dodd cd...@csl.sri.com __ OpenSSL Project http://www.openssl.org User Support Mailing

BIO_f_buffer read behavior

. Is this the expected behavior of the BIO_f_buffer on a read? If so, is the only alternative to track a read and a write bio? I assume that I can read from the bio under the BIO_f_buffer without causing problems, is that correct. -- Chris Bare ch...@bareflix.com

Re: Installing openssl 1.0.0a in Ubuntu

that expect 0.9.8 data files. Also programs linked with 0.9.8 libraries will have to be rebuilt to use the 1.0.0 libraries since the major version number has changed. Let's hope debian or ubuntu packages 1.0.0 soon. -- Chris Bare ch...@bareflix.com

.deb packages for 1.0.0?

Has anyone seen .deb packages for openssl 1.0.0? I took a quick stab at converting the 0.9.8 debian files, but I ran into a lot of problems and it takes a long time to debug. -- Chris Bare ch...@bareflix.com __ OpenSSL Project

Re: Error signing certificates with my own CA... Configuration file?

Not discouraged at all (just short on time trying to meet a deadline). I'll check out TinyCA (and the like) in the meantime, but actually do hope to delve into the source and figure out those directives when I get some time. I do appreciate your time and attention!! On 09/28/2010 09:41 AM,

Error signing certificates with my own CA... Configuration file?

in my type of situation? I at least know CA=True and keyUsage needs to include certSign (many thanks to Patrick!)... but what, if anything, else? Then, same for the end-user certificates... anything special there? Thanks! Chris

Re: Self-signed CA problem for internal web application

Sure.. but please excuse me as this is the first time posting on this forum ~ post in plain text or does this system support attached files? Patrick Patterson wrote: Hi Chris: Can you post the certificates in question? My guess is that you don't have the various extensions set according

Re: Self-signed CA problem for internal web application

:name=basicConstraints, value=CA:True What is the best way to include my file contents for you? (worried about posting something a mile long) Patrick Patterson wrote: Hi Chris: On 2010-09-22, at 4:13 PM, Chris Rider wrote: For now, I've just copied the CA's public .crt file

Re: Self-signed CA problem for internal web application

/ scope... and when I generate my end user CSR, it has its own config file / scope. I am, however, granting my CSR from within the scope of my CA and its configuration. In other words, I'm replicating a real world type situation -- or that is the hope! Chris Rider wrote: I think we're

Re: Self-signed CA problem for internal web application

of installing in every browser I have. I agree with you about the latest versions of MSIE and that stupid wizard they now use! I'm pretty sure it something in my generating keys, rather than client issues. John R Pierce wrote: On 09/22/10 11:57 AM, Chris Rider wrote: We have a client/server

Self-signed CA problem for internal web application

o, what am I missing? -- Chris Rider, Systems Architect MessageNet Systems chris.ri...@messagenetsystems.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopens

Self-signed CA problem for internal web application

, what am I missing? -- Chris Rider, Systems Architect MessageNet Systems __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List

Re: Self-signed CA problem for internal web application

like the browser is hanging up on the fact that the CA's certificate is self-signed. (??) -Chris Hugo Garza wrote: Hi Chris, how are you installing the root CA on the client machines? In windows once you double click the root certificate you get a message dialog box and click the install

Re: Displaying modulus

/Asn1Editor/ There's also a very neat online ASN.1 parser available here: http://geminisecurity.com/parse.php Regards, Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List

  1   2   3   4   >