Cannot Connect to Server from Certain Account

2008-10-21 Thread Chris
Client: Mac OS X 10.5.5 (OpenSSL 0.9.8g 19 Oct 2007) Server: Astaro Security Gateway (with self-signed certificate) Background: This broke months ago and I have never been able to figure out where the problem is. The problem started when I was upgrading this appliance from Version 6 to Versi

Which algorithms are needed for PKCS12_parse?

2006-02-16 Thread Chris
other people having this problem the answer is always "add all algorithms". Thanks for any help. -- // Chris

Re: Which algorithms are needed for PKCS12_parse?

2006-02-16 Thread Chris
ions were listed somewhere or at least listed in the relevant sections of the documentation.  I spent much time looking through evp.h and other headers trying to find something that made sense and the whole time all I needed was PKCS12_PBE_add(). Thanks again! -- // Chris

Re: Which algorithms are needed for PKCS12_parse?

2006-02-16 Thread Chris
On 2/16/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: On Thu, Feb 16, 2006, Chris wrote: It is documented in doc/openssl.txt and that file is referred to in the FAQ... http://www.openssl.org/support/faq.html#MISC2 At some point I'll tidy that up and place it in an appropriate

How to create a RSA private key from raw data?

2006-02-22 Thread Chris
I'm having a bit of trouble creating and using RSA keys from raw data. I have the public exponent(e), public modulus(n), and private modulus(d). Encryption seems to work (don't know for sure):   RSA* rsa = RSA_new();   rsa->e = BN_bin2bn(pubexp, pubexp_len, rsa->e);   rsa->n = BN_bin

Re: How to create a RSA private key from raw data?

2006-02-22 Thread Chris
On 2/22/06, Chris <[EMAIL PROTECTED]> wrote: Decryption seg faults without e and is incorrect with e: Seems strange to seg fault, doesn't it know something is missing/incorrect?  Does RSA_new not initialize the structure to a clean state?  Wouldn't an error be appropriate here? O

Re: How to create a RSA private key from raw data?

2006-02-23 Thread Chris
On 2/23/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: There are security issues associated with RSA private key operations which are handled by OpenSSL trying the reverse operation using a public key which requires the public exponent. While this is particularly the case when all CRT components a

AES documentation?

2006-02-25 Thread Chris
Is there any documentation covering the AES support in OpenSSL?  I can't find anything.  There seems to be no manual entry or anything under docs. I do have it working but I'm wondering how to change the block size (seems to always use 128 bits by default?) and what the difference between AES_encr

Re: AES documentation?

2006-02-26 Thread Chris
On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: The preferred interface to all ciphers is EVP. The reason I am not using the EVP interface was to save space. Currently OpenSSL is already making my end product way too large so I'm trying to minimize the code dependencies. 128 bits is fi

Re: Solaris7, redefinition of int8_t errors

2000-06-05 Thread Chris
Something might be broken with your GCC install. You also might want to look at bitypes.h and see what it's defining int16_t etc. to be. I've seen before where Sun has made syntactical mistakes before. My SPARC is down right now, otherwise I'd try the compile m

Re: Install on MacOSXServer

2000-12-12 Thread Chris
don't the difference. Perhaps someone who knows the difference and what these flags mean can explain. Of course, now apache doesn't want to build with it but that's a problem for tomorrow. -- Chris

CA has expired

2001-07-10 Thread Chris
pages but it is still unknown to me. Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager

RE: Newbie stupid question

2002-03-26 Thread Chris
Ah I was unclear. As with many Unix programs there are very basic instructions. I use the /lib because I don't know better. There are no written rules. It was handy..I don't think it makes much difference, however I like trying to do things correctly... I really dislike the idea of overwriti

Re: ssl

2002-08-29 Thread Chris
Dear Ovais and openssl users. Please ignore my post concerning ssl problem as I have now resolved the problem by using ssh instead. Many thanks for your help Regards Chris On Wed, Aug 28, 2002 at 12:09:47PM -0700, [EMAIL PROTECTED] wrote: > Hi Chris, > > BTW which OS are you

What S/MIME Algorithm was used?

2009-03-03 Thread Chris
I've been using openssl smime to learn a bit more about how it works and have managed to decrypt and verify messages. I was wondering if there's a way to feed openssl an S/MIME message and get information about what encryption algorithm was used... Any help appreciated.

Re: What S/MIME Algorithm was used?

2009-03-04 Thread Chris
On Mar 3, 2009, at 11:15 PM, Peter Byldner wrote: Chris, you can use command asn1parse to analyze the s/mime data stream. Awesome. Thanks. Using this: openssl smime -decrypt -in crypt.eml -recip cert.pem -inkey cert.key.pem -pk7out | openssl asn1parse Works great. It's reporti

Obtaining Signature Algorithm with php

2009-07-28 Thread Chris
I'm getting almost everything I want but can't figure out how to get the X509 signature algorithm so I can check for md5 badness. Any help? Here's my test php: $result = stream_context_set_option($context, $mode, 'cafile', $ca_roots); $result = stream_context_set_option($context, $mode, 've

strange problem decrypting a file -- EVP_DecryptFinal

2007-05-17 Thread Chris Rex
or not having a good backup). Any help would be very appreciated. Thanks in advance, Chris

Generating RSA key fingerprint from certificate file

2007-06-14 Thread Chris Hatko
re a way to get the RSA fingerprint? Or is there something else I can try? openssl x509 -noout -fingerprint -in server.crt SHA1 Fingerprint=6B:41:50:43:6A:E9:26:CB:66:98:19:20:42:11:BF:9E:68:AA:E0:34 Thanks, -- Chris

OpenSSL 0.9.8f Win32 Compile Error

2007-10-12 Thread Chris Clark
equate for XMMWORD? Can anyone tell me how XMMWORD should be defined? -Chris

Re: OpenSSL 0.9.8f Win32 Compile Error

2007-10-12 Thread Chris Clark
microsoft.com/en-us/library/cw0399sf(VS.80).aspx which indicates that I need a newer ML from VS2005. Is that correct? -Chris

Re: OpenSSL 0.9.8f Win32 Compile Error

2007-10-12 Thread Chris Clark
m?page=6 It mentions that the following include file is needed to assemble SSE3 instructions: 'include ia_pni.inc' Can anyone tell me where to find this, or if there is a simpler solution for compiling 0.9.8F for W

Re: OpenSSL 0.9.8f Win32 Compile Error

2007-10-12 Thread Chris Clark
the only files included in nasm-0.99.04-win32.zip are: COPYING nasm.exe ndisasm.exe Can anyone tell me what I am doing wrong? -Chris

Re: OpenSSL How to redistribute as part of our application

2007-10-30 Thread Chris Clark
add the two DLL library files to an existing InstallShield or Wise installer installation, and these files can be placed in the same directory as your main application. There is no need to "register" these DLL's in Windows. -Chris

Authorisation/attribute certs

2007-11-01 Thread Chris Gray
Hi all, Anyone have experience of using ACs, or know where practical examples can be found? I've been reading RFC 3281, but it would be nice to look at some real-world code ... Thanks, -- Chris Gray/k/ Embedded Java Solutions BE0503765045 Embedded & Mobile Java, OSG

RSA_verify problem

2007-11-21 Thread Chris Brown
ject and to OpenSSL and I have tried to do as much reading as possible but I'm confused about what I should be passing to RSA_verify, in what format it should be and whether I need to format in any way the values I am extracting from the xml before I pass them to the function. Any help anyone can offer would be much appreciated. Chris

RE: RSA_verify problem

2008-01-22 Thread Chris Brown
preparing my modulus correctly before passing it to RSA_verify or indeed extracting the SignatureValue properly. For example should I be Base64 decoding any of these values first? Any further help anyone can offer would really be appreciated. Many Thanks Chris Brown

RE: RSA_verify problem

2008-01-23 Thread Chris Brown
At the moment the error I get is "bignum routines:BN_mod_inverse:no inverse" but I think this is because my exponent length is zero and maybe the modulus length is incorrect. Could you offer any further suggestions please

RE: RSA_verify problem

2008-01-24 Thread Chris Brown
I have modified this and am passing the Base64 decoding length to Bn_bin2bn but I still get "data too large for modulus" errors. The modulus is 128 bytes, the exponent 3 bytes and the signature value 128 bytes. The message digest is 20 bytes. Is there anything else I can check? Tha

re: trusted/chained server certificates, how do I load them on a server.

2008-01-29 Thread Chris Pugmire
I have a server application using openssl, and I have a server certificate which is chained to a root CA via intermediate certificates If I load the chained certificates onto the clients, all works well, but then I have to do this on every client. I feel sure there is some trivial way to load

RE: RSA_verify problem

2008-01-29 Thread Chris Brown
byte signature. 4) Converting the Base64 decoded modulus and exponent values and assigning them to a RSA structure (n and e). 5) Calling RSA_Verify with 'NID_sha1', the 20 byte hash, the 128 byte signature value, a signature size of 128, and the previousl

RE: RSA_verify problem

2008-02-03 Thread Chris Brown
ated on the server before the signature is sent to the client. The Modulus and Exponent values match those that are received on the client. Is there some step I am doing incorrectly or something I am still missing? Thanks Chris

RE: RSA_verify problem

2008-02-04 Thread Chris Brown
ing of the SignedInfo element? Thank you for your continued help. Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, 5 February 2008 6:34 a.m. To: openssl-users@openssl.org Subject: RE: RSA_verify problem Hello,

RE: RSA_verify problem

2008-02-11 Thread Chris Brown
oing wrong. Thanks Chris

Re: RC4-MD5 cipher suites replacement

2008-05-15 Thread Chris Clark
On 5/15/08, PoWah Wong <[EMAIL PROTECTED]> wrote: > Is there some cipher suites more secure than SSL_RSA_WITH_RC4_128_MD5 > (RC4-MD5) so that they should replace RC4-MD5? The AES 256-bit cipher suites are not only more secure than RC4, they are also much faster

Re: RC4-MD5 cipher suites replacement

2008-05-15 Thread Chris Clark
S, and if the other end only supports RC4 then it will be selected instead. -Chris

2038 date limit

2008-06-05 Thread Chris Kottaridis
GMT notAfter=Feb 10 13:05:22 1902 GMT Clearly it wrapped around and subtracted 68 years from 1970 instead of adding 68 years. Is there a plan to remove this limitation ? I am seeing this on openssl-0.9.7m. Thanks Chris Kottaridis([EMAIL PROTECTED

Re: 2038 date limit

2008-06-05 Thread Chris Kottaridis
hin 2038 ? Thanks Chris Kottaridis([EMAIL PROTECTED]) On Thu, 2008-06-05 at 18:22 +0100, [EMAIL PROTECTED] wrote: > Hi, > > When trying to make a certificate for 30 years seems you run into the > > 2038 date limitation. Seems the code converts date to a signed int in > >

Re: 2038 date limit

2008-06-05 Thread Chris Kottaridis
er date prior to the notBefore date ? Thanks Chris Kottaridis([EMAIL PROTECTED])

RE: 2038 date limit

2008-06-05 Thread Chris Kottaridis
on this machine. Thanks Chris Kottaridis([EMAIL PROTECTED]) On Thu, 2008-06-05 at 17:42 -0400, Jim Adams wrote: > What OS did you have this problem on? I use Openssl 0.9.7m on Windows to > generate > certificates, and I was able to ge

Re: 2038 date limit

2008-06-05 Thread Chris Kottaridis
asier said than done. Anyway, it sounds like it is currently generally accepted that on 32 bit machines you can't generate certificates past 2038. That's really all I was looking for here is that it's just generally accepted to

Re: Max length of company field

2008-06-09 Thread Chris Clark
I tried this here, and it accepted the Organization Name that you provided "long Name problems making Certificate Request" without any errors. As you can see, this name is only 45 characters long, and the maxsize is 64 characters. -Chris On 6/9/08, Florian Lindner <[EMAIL PROT

Re: Please help: very urgent: Query on patented algorithms

2008-06-16 Thread Chris Clark
ademark of RSA Security, but this one can be used without the "Alleged" prefix, providing you list them as the trademark owner. Disclaimer: I am not a lawyer, and I suggest you contact RSA directly to confirm this information on your own. -Chris

Re: commercial OpenSSL use

2008-07-17 Thread Chris Clark
by OpenSSL, there is no problem. -Chris On 7/17/08, Alan Wolfe <[EMAIL PROTECTED]> wrote: > That's kind of difficult because we are making a retail video game that uses > libcurl to talk http for one of the minor features the game has. > > We've already had commer

Project Sahara: certificate output with CRLF, not just CR

2008-07-30 Thread Hinshaw, Chris
This is a completely stupid question, but is there a command line option from openssl to add use CRLF instead of just CR. Running unix2dos after the file is made is not an easy option in Windows...unfortunately. Chris Hinshaw Avocent - Redmond Engineering [EMAIL PROTECTED]

LIBEAY32.dll: Unhandled exception in iexplorer.exe 0xC0000005: Access violation

2008-08-12 Thread Chris Hatko
80284006 EDX = 7C90EB94 ESI = 0003 EDI = EIP = 109549E0 ESP = 022DFD14 EBP = 022DFEE4 EFL = 0202 Thanks Chris -- Chris Hatko Email: [EMAIL PROTECTED] iMsg: [EMAIL PROTECTED]

Re: LIBEAY32.dll: Unhandled exception in iexplorer.exe 0xC0000005: Access violation

2008-08-18 Thread Chris Hatko
SLThreadID ); CRYPTO_set_locking_callback( ( void (*)( int, int, const char *, int ) ) openSSLLockCB ); } static void freeOpenSSLLocks() { CRYPTO_set_id_callback( NULL ); CRYPTO_set_locking_callback( NULL ); } Chris, On Wed, Aug 13, 2008 at 6:27 AM, Kyle Hamilton <[EMAIL PROTECTED]>

Need assistance with certificates and Watchguard product-LONGSHOT

2008-08-25 Thread Chris Zimmerman
I am working to setup a Watchguard firewall with x509 certs for VPN tunnels. I have created my own CA on my laptop and I have created a CSR on the Watchguard product. I have then signed the CSR with my CA certificate successfully which then imports into the Watchguard. Here's the problem: Watchgu

Re: Need assistance with certificates and Watchguard product-LONGSHOT

2008-08-26 Thread Chris Zimmerman
That command seems to have a syntax problem, showing: "unknown option [cert.pem-inserted my cert here]" On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson <[EMAIL PROTECTED]> wrote: > Chris Zimmerman wrote: >> >> I am working to setup a Watchguard firewall with x509 ce

Re: Need assistance with certificates and Watchguard product-LONGSHOT

2008-08-26 Thread Chris Zimmerman
f0:57:4e: ed:ec On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote: > openssl x509 -in [filename] -noout -text -inform PEM > > -Kyle H > > On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman > <[EMAIL PROTECTED]> wrote: >> That comman

Re: Need assistance with certificates and Watchguard product-LONGSHOT

2008-08-26 Thread Chris Zimmerman
What is the appropriate section? Sorry if this is a basic question, but I am working on improving my knowledge. On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson <[EMAIL PROTECTED]> wrote: > Chris: > > On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote: >> There i

Re: Need assistance with certificates and Watchguard product-LONGSHOT

2008-08-26 Thread Chris Zimmerman
> On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman > <[EMAIL PROTECTED]> wrote: >> What is the appropriate section? >> >> Sorry if this is a basic question, but I am working on improving my >> knowledge. >> >> On Tue, Aug 26, 2008 at 10:24 AM, Patri

Re: Need assistance with certificates and Watchguard product-LONGSHOT

2008-08-26 Thread Chris Zimmerman
erverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser > > This /should/ do it, but since I don't do anything with IPsec I can't > test it. My reference is > http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html > > -Kyle H > > On Tue, Aug 26, 2008 at 1:17 P

Re: Need assistance with certificates and Watchguard product-LONGSHOT

2008-09-08 Thread Chris Zimmerman
ughts on why this works? On Tue, Aug 26, 2008 at 2:50 PM, Chris Zimmerman <[EMAIL PROTECTED]> wrote: > Well, those attributes will work (minus the IKE one-it was not > recognized) but the Watchguard does not assign it with a type of > IPSec, so I've contacted Watchguard suppor

Re: Need assistance with certificates and Watchguard product-LONGSHOT

2008-09-08 Thread Chris Zimmerman
oting that Microsoft's ipsec > implementation in Windows Server 2008 doesn't appear to require this.) > > -Kyle H > > On Mon, Sep 8, 2008 at 2:29 PM, Chris Zimmerman > <[EMAIL PROTECTED]> wrote: >> Here's what I had to add to the config to get it to

Re: Verifying chains

2008-10-29 Thread Chris Wilson
air. Try appending the contents of file 1 to file 2. (adding 1's certificate to 2's bundle). Cheers, Chris. -- Chris Wilson < at qwirx.com> - Cambs UK | Security/C/C++/Java/Ruby/Perl/SQL Develop

Getting application data from the final packet in a handshake.

2008-11-05 Thread Chris Hessing
All - I am using OpenSSL with memory BIOs for the communication. I have everything working just fine, until I came across a server that sends Application data in the final packet of the TLS handshake. Specifically, Wireshark shows the following in its output : Change Cipher Spec, Encrypted

Encryption algorithm from cipher texts

2008-11-10 Thread Chris Cheung
Hi all, my question may not be directly related to OpenSSL, but I don't know where else better to seek for answer, so... I'm curious to know, given a number of cipher texts, how hard it is to know, if at all possible, what algorithm was used to generate tha

RE: Newbie question X509 certificate stores

2005-12-27 Thread Chris Morrison
> -Original Message- > From: [EMAIL PROTECTED] [mailto:owner-openssl- > [EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson > Sent: 13 August 2005 17:44 > To: openssl-users@openssl.org > Subject: Re: Newbie question X509 certificate stores > > On Sat, Aug 13, 20

RE: Newbie question X509 certificate stores

2005-12-28 Thread Chris Morrison
errors as d2i_PKCS7(). The asn1parse command complains about a bad Boolean. I am stumped here. Chris

RE: Newbie question X509 certificate stores SOLVED

2005-12-29 Thread Chris Morrison
eason omits this info. Kicking myself now. Thank you for all your help. Regards, Chris

Cipher suites

2006-01-28 Thread Chris Clark
rs such as: AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA   But when I select a "high" set of cipher suites it does include the above, in addition to the 256 bit ciphers.   It seems that this is only a problem with the AES ciphers.   -Chris Clark

Re: Cipher suites

2006-01-28 Thread Chris Clark
that 128 bit AES is faster than 256 bit AES, and will use less CPU overhead on slower machines. Is this not true? Is there an easy way I can limit openssl to only use 128 bit ciphers for example? -Chris Clark

Re: Cipher suites

2006-01-28 Thread Chris Clark
t) encryption. This method works great for everything except AES, which incorrectly groups all the 128 bit ciphers as being HIGH instead of MEDIUM. Is it a known bug, or are the docs outdated? -Chris Clark

Re: Cipher suites

2006-01-28 Thread Chris Clark
to let the users choose between 128 bit and 256 bit key lengths when they are using AES... Looks like I will have to implement these user options the hard way then :( -Chris Clark

Re: Cipher suites

2006-01-28 Thread Chris Clark
ng users detailed options on which ciphers to use, or to stick with the simplistic nature of the MEDIUM and HIGH settings along with the 4 groups. -Chris Clark

Re: Cipher suites

2006-01-29 Thread Chris Clark
. After giving this some thought I can see it would be best to do it this way so the users have a choice of 128 or 256 bit AES, and at the same time adhering to the documented definition of what MEDIUM means. -Chris Clark

SSL_METHOD

2006-01-31 Thread Chris Clark
It appears that the SSL_METHOD functions don't allow a server to accept connections using either SSL or TLS, so it has to be either one or the other. Does anyone have a work around to allow both SSL and TLS connections to be accepted? -Chris

AES cipher

2006-02-13 Thread Chris Clark
;res!=NULL;i++) { res = SSL_get_cipher_list(lSSL, i); if (res) { m_List.AddString((char*)res); ccnt++; } } -Chris Clark

Re: AES cipher

2006-02-16 Thread Chris Clark
I tried adding ":" as suggested, but this still did not work. :( Does anyone have other suggestions? -Chris > > I'm trying to allow my program to be configurable for either AES 128 > > bit, or AES 256 bit. The problem is that when I select only the > > AES128-

Re: AES cipher

2006-02-17 Thread Chris Clark
On 2/16/06, Kyle Hamilton wrote: > Yeah. Any cipher that is not explicitly added is denied. So, try just doing: > > CString Shif = "AES128-SHA"; When I just use this string, it automatically adds "AES256-SHA" as well. This appears to be a bug in OpenSSL 0.98a. Could

Re: AES cipher

2006-02-17 Thread Chris Clark
s" command does the same. Thanks Steve. Do you know if this has been fixed in the development version? If so, which source file would I need to look at? -Chris

Re: AES key length selection bug in OpenSSL 0.9.8a

2006-02-27 Thread Chris Clark
u find any work around please let me know. -Chris

Re: AES128 accepted when AES256 configured

2006-04-14 Thread Chris Clark
e know. -Chris

Re: AES128 accepted when AES256 configured

2006-04-14 Thread Chris Clark
lows users to select ciphers and the minimum/maximum strengths, so I have not found any solution to the problem. It's been close to two months now, so I'm currently considering switching to an older version of OpenSSL which

Re: AES128 accepted when AES256 configured

2006-04-14 Thread Chris Clark
> Try the next 0.9.8 snapshot. Thanks Dr. Steve! -Chris

Errors compiling snapshot under Win32

2006-04-16 Thread Chris Clark
eturning int NMAKE : fatal error U1077: 'cl' : return code '0x2' Stop. Could anyone point me in the right direction? -Chris

LNK1103: debugging information corrupt

2006-05-02 Thread chris harward
ing but it still says the same thing. Does anyone have any suggestions for fixing this?   Thanks, Chris Harward.

Cipher Negotiation

2006-06-29 Thread Chris Clark
The result that when all ciphers are enabled, the client and server negotiate a 3DES protocol. If I disable 3DES, then they negotiate using RC4. Is there a way I can force the client to negotiate using AES as the preferred method, and if the server will not allow AES then it selects some other ci

Re: Cipher Negotiation

2006-06-30 Thread Chris Clark
all cipher-suites are selected, and also all strengths are selected then I want the negotiation to use AES256 instead of 3DES if the server also allows this. -Chris

Re: Cipher Negotiation

2006-06-30 Thread Chris Clark
thms excluding export ciphers. But if I just use 'Medium' it does not select AES128. and If I use 'High' then it selects both AES128 and AES256. -Chris >> Is this a real problem? What's wrong with: >> >> !EXPORT:!LOW:!MEDIUM:DEFAULT:-DHE-RSA-A

Merge certs?

2006-09-29 Thread Chris Haggan
different p12 stores). It would therefore be useful to me to somehow combine either the PEM or P12 files that result from my conversion into a single keystore for Java. Is this possible? If so, how? If not... drat. Thanks, Chris

Re: Merge certs?

2006-09-29 Thread Chris Haggan
Thank you. I'll give it a try. Cheers, Chris From: "Kyle Hamilton" <[EMAIL PROTECTED]> Reply-To: openssl-users@openssl.org To: openssl-users@openssl.org Subject: Re: Merge certs? Date: Fri, 29 Sep 2006 12:48:30 -0700 http://www.alphaworks.ibm.com/tech/keyman Found it.

how to encrypt an existing certificate

2006-11-22 Thread Chris Covington
Hi all, How can I simply take an existing unencrypted client certificate and add a password to it? In other words, do the opposite of: openssl rsa -in pass.pem -out nopass.pem thanks Chris

Re: how to encrypt an existing certificate

2006-11-22 Thread Chris Covington
s.pem hmm, tried that: openssl.exe rsa -des -in certnew.cer -out passcert.cer unable to load Private Key 3752:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:644:Expecting: ANY PRIVATE KEY Chris

Re: how to encrypt an existing certificate

2006-11-22 Thread Chris Covington
ne to be able to just grab the client certificate and impersonate, so I would like to add a password to the cert. I would think this would be similar to where for instance Verisign sends you a certificate for your webserver, and it has a password on

Re: how to encrypt an existing certificate

2006-11-22 Thread Chris Covington
e able to just grab the client certificate and impersonate, so I > would like to add a password to the cert. I would think this would be > similar to where for instance Verisign sends you a certificate for > your webserver, and it has a password on it. Am I mistaken? > > Chris No,

Re: how to encrypt an existing certificate

2006-11-22 Thread Chris Covington
On 11/22/06, Chris Covington <[EMAIL PROTECTED]> wrote: On 11/22/06, David Schwartz <[EMAIL PROTECTED]> wrote: > > OK, perhaps I need to explain this more. I have a client cert > > scenario where in order to verify the client's identity a certificate > > is us

Re: how to encrypt an existing certificate

2006-11-22 Thread Chris Covington
On 11/22/06, Chris Covington <[EMAIL PROTECTED]> wrote: On 11/22/06, Chris Covington <[EMAIL PROTECTED]> wrote: > On 11/22/06, David Schwartz <[EMAIL PROTECTED]> wrote: > > > OK, perhaps I need to explain this more. I have a client cert > > > scenari

Re: how to encrypt an existing certificate

2006-11-22 Thread Chris Covington
On 11/22/06, Victor Duchovni <[EMAIL PROTECTED]> wrote: On Wed, Nov 22, 2006 at 09:31:35PM -0500, Chris Covington wrote: > I am most likely using the wrong terms (but I may be completely > confused, I admit). When one distributes client certificates to take > the place of user

best practices application design question

2006-11-23 Thread Chris Covington
ver A also require a username and password for Servers 1, 2, 3, etc. as well as a valid client certificate? Or should a username map to a pkcs12 bundle? thanks Chris

Re: Sporadic SSL_accept error: decryption failed

2006-11-24 Thread Chris Covington
On 11/24/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: Hello, I am using openssl 0.9.7a running on Linux RedHat 9.0. Maybe you should try using a recent version and seeing if the problem still persists? Chris

pkcs12 export password incorrect

2006-12-08 Thread Chris Covington
ls me the password is incorrect. Has anyone found some kind of limit to the Export password Windows can use? Chris

Re: pkcs12 export password incorrect

2006-12-08 Thread Chris Covington
ps - the openssl Export password can be up to 31 characters. Once I hit that 32nd character, Windows doesn't recognize the password. However, if I use the Active Directory CA, I can correctly import the 32 character password?

Re: pkcs12 export password incorrect

2006-12-08 Thread Chris Covington
? I'm using 0.9.8.d Chris On 12/8/06, Chris Covington <[EMAIL PROTECTED]> wrote: ps - the openssl Export password can be up to 31 characters. Once I hit that 32nd character, Windows doesn't recognize the password. However, if I use the Active Directory CA, I can correctly import

Re: pkcs12 export password incorrect

2006-12-08 Thread Chris Covington
On 12/8/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: On Fri, Dec 08, 2006, Chris Covington wrote: > pps - if I import the openssl pkcs12 bundle with a 31 character > password, then export it using the Windows GUI with a 32 character > password, that 32 character passwor

Re: pkcs12 export password incorrect

2006-12-08 Thread Chris Covington
It is possible I suppose that a 32 character password under Windows excludes the double null terminator. If so then that's a bug on Windows. Thanks for looking into it! Let me know if I can help in any way. Chris

Re: pkcs12 export password incorrect

2006-12-09 Thread Chris Covington
On 12/8/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: On Fri, Dec 08, 2006, Chris Covington wrote: > On 12/8/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: > >> Windows allows up to 32 character passwords. It seems when openssl > >> exports a 32 charac

Re: SSL3_GET_RECORD:wrong version number

2006-12-11 Thread chris busbey
ecting to my server. I am getting a "Length mismatch" error following the client key exchange. In this run, the server ctx is set to receive SSLv23, the ssl on s_client was not specified. Would the Length Mismatch indicate a bad key? Thanks, Chris. New TCP connection #5: local

Re: SSL3_GET_RECORD:wrong version number

2006-12-11 Thread chris busbey
On 12/11/06, chris busbey <[EMAIL PROTECTED]> wrote: On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote: > > It almost seems like the server is accepted SSL3 msgs, but sending out > > another protocol type. Any suggestions? > If you using Linux, can you send ssl
