> From: owner-openssl-us...@openssl.org On Behalf Of Nathan McCrina
> Sent: Tuesday, 21 August, 2012 21:31
> I'm using 'openssl enc' on the command line to check my
> [Blowfish]. However, the man page seems to indicate that it is only
> possible to use 128-bit keys with the openssl Blowfish. Is
>From: owner-openssl-us...@openssl.org On Behalf Of Bart W Jenkins
>Sent: Monday, 20 August, 2012 09:15
>I've created a prototype, in Java that creates an s/mime file,
>and now I need to convert that to the equivalent of what the
>"binary" switch does when using openssl. The command in openssl
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Tuesday, 21 August, 2012 14:41
> The O'Reilly OpenSSL book - in some examples but not others -
> cat's the
> certificate and key together and then just uses that one file as both
> certificate_chain_file and PrivateKey_fil
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 20 August, 2012 16:05
> I create a certificate request that includes -reqexts usr_cert. The [
> usr_cert ] section specifies two additional names.
>
> I display the request and see them:
> I then sign the request
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 20 August, 2012 15:32
> Sorry to have so many questions ...
>
> I create a certificate request. I sign it with
>
> openssl.exe ca -in MYNOTEBOOK_server.req.pem -config CMC_root_config.cnf
> -out MYNOTEBOOK_server
> From: owner-openssl-us...@openssl.org On Behalf Of CharlesTSR
> Sent: Tuesday, 14 August, 2012 17:12
You've already followed-up with some, but a few more points:
> I am porting an existing Windows-based TCP/IP server
> (receive-only, not a Web server) to OpenSSL.
>
> The way it works with TCP
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Tuesday, 14 August, 2012 08:09
> > if your self-signed cert has a KeyUsage extension that does
> > not include certSign,
> > OpenSSL skips it for chain-building, resulting in verify 20.
>
> Looks like the latter to me. P
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Saturday, 11 August, 2012 08:57
> I wondered if perhaps there were path or filename
> specification problems
> (need to escape backslashes? a problem with embedded spaces?) but I
> eliminated all of those variables -- put
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 13 August, 2012 11:32
> Found some things on the Web that led me to believe some
> programs choke when
> they get IPv6 addresses back from gethostbyname(), so I tried
> disabling IPv6
> on Windows -- but no improv
> From: owner-openssl-us...@openssl.org On Behalf Of CharlesTSR
> Sent: Friday, 10 August, 2012 16:48
> Please bear with me; I'm a real SSL newbie. I am attempting
> to develop my
> first SSL program, an SSL/TLS client that will communicate
> with a commercial
> SSL server product (Kiwi Server)
> From: owner-openssl-us...@openssl.org On Behalf Of Alexander Voropay
> Sent: Friday, 10 August, 2012 08:24
> How to produce a "canonical" RC4 test vectors as seen on Wikipedia
>
> http://en.wikipedia.org/wiki/Rc4#Test_vectors
[or RFC6229, referenced therein]
> Is it possible to produce this r
>From: owner-openssl-us...@openssl.org On Behalf Of James Marshall
>Sent: Thursday, 09 August, 2012 19:41
>I'm trying to write a secure embedded HTTP server using OpenSSL.
>I'm using non-blocking I/O, and the main functions I'm using are
>SSL_accept(), SSL_read(), SSL_write(), and SSL_shutdown(
>From: owner-openssl-...@openssl.org On Behalf Of Mithun Kumar
>Sent: Wednesday, 08 August, 2012 16:53
Note: individual recipient dropped; that's poor netiquette
unless requested, which AFAICS it wasn't.
I think this should be -users not -dev, so I added -users back.
>i will elaborate, for
>X509_
> From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke
> Sent: Tuesday, 07 August, 2012 08:02
> I'm using the attached code to connect to a server. This
> works perfectly until
> I had to excange the certificate which now needs two
> additional intermediate
> certs. All certs a
> From: owner-openssl-us...@openssl.org On Behalf Of Erwann Abalea
> Sent: Monday, 06 August, 2012 08:06
> The given certificate is correctly self-signed, you can
> manually check
> it by extracting the signature block and playing with "openssl rsautl
> ...", "dd ... | openssl dgst -sha1", etc.
> From: owner-openssl-us...@openssl.org On Behalf Of Harald Latzko
> Sent: Friday, 03 August, 2012 03:02
> Am 03.08.2012 um 03:55 schrieb Dave Thompson:
> Yes, the hash link (.0) exists and after the first
> connect failed, I double-checked the linked openSSL version
> again
>From: owner-openssl-us...@openssl.org On Behalf Of Harald Latzko
>Sent: Thursday, 02 August, 2012 03:03
> self-signed certificate as attached to this mail (can be retrieved
>from the TLS server 87.236.105.37:6619). My TLS client uses the
>following options:
>SSL_CTX_load_verify_locations(ctx, N
> From: owner-openssl-us...@openssl.org On Behalf Of Erik Tkal
> Sent: Wednesday, 01 August, 2012 16:33
> I'm playing around to see if I can observe client and server
> under various conditions when negotiating TLS 1.2 with newer
> certs. I created a root and server cert as ecdsa-with-SHA256.
>
> From: owner-openssl-us...@openssl.org On Behalf Of Albers, Thorsten
> Sent: Monday, 30 July, 2012 03:43
> I also debugged the openssl-server when receiving the message
> above. The server recognized the correct hash and signature
> algorithms, but while following the functions to the point
>
> From: owner-openssl-us...@openssl.org On Behalf Of Pica Pica Contact
> Sent: Monday, 30 July, 2012 13:47
> Look at this example:
> This certificate was signed by "openssl ca" without changing subject,
> and "openssl req" did not use BMPString and UCS-2 in this
> case. CN string contains Georg
> From: owner-openssl-us...@openssl.org On Behalf Of Pica Pica Contact
> Sent: Saturday, 28 July, 2012 14:41
> My application uses X.509 certificates with commonName field
> set to following format:
>
> number#UserName,
> Everything is ok when UserName is in ascii, but when I sign
> new certif
>From: Ashok C [mailto:ash@gmail.com]
>Sent: Saturday, 28 July, 2012 01:21
>Thanks Dave. But main use case for me is the trust anchor update case.
>I have a certain requirement which goes like this:
>I have a client application which runs on my machine and it will attempt
> From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya
> Sent: Friday, 27 July, 2012 10:21
> On 7/27/12, Saurabh Pandya wrote:
> >> Do roughly the same thing apps/ca.c does, except you probably don't
> >> need all its options but may want some other options:
> >>
> >> Create an X509
> From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya
> Sent: Thursday, 26 July, 2012 02:52
> demos/x509/mkcert.c approach:
> I understood that I dont need to create Certificate
> signing request (CSR) and I can directly create
> X509 *My_cert ,
>and sign it with m
>From: owner-openssl-us...@openssl.org On Behalf Of Hasan, Rezaul (NSN -
US/Arlington Heights)
>Sent: Thursday, 26 July, 2012 12:02
>I have created a self-signed CA certificate, a Client certificate and a
>Server certificate. I signed the Client and Server certificates with
>the self-signed CA c
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Wednesday, 25 July, 2012 08:45
>You will always have to create a certificate request using your private
key.
True if you're using an external CA, but not if you're doing it yourself.
openssl commandline supports both options
> From: owner-openssl-us...@openssl.org On Behalf Of Matthias Apitz
> Sent: Sunday, 22 July, 2012 02:54
> I'm trying to build openssl keys to be used in a client/server connection
> and neeed some step by step guide for this, as I'm doing it for the
> first time.
> 1)openssl req -out ca.pem -
> From: owner-openssl-us...@openssl.org On Behalf Of Michal Kuchta
> Sent: Thursday, 12 July, 2012 10:04
> I have a certificate and private key file in the encrypted .p12 file
> format (I have the password for the file). I need to use it in the
> [PHP] function PKCS7_sign, which assumes certificat
>From: owner-openssl-us...@openssl.org On Behalf Of Sebastian Raymond
>Sent: Saturday, 07 July, 2012 05:31
>I have set-up the apache2 on my linux machine. Everything worked fine
previously.
>But now, when I try to use openssl s_client command to connect to
>the machine, SSL handshake is
> From: owner-openssl-us...@openssl.org On Behalf Of Sandro Tosi
> Sent: Monday, 09 July, 2012 10:15
> /usr/bin/openssl ts -verify -sha256 -untrusted -CAfile
> -data -in
>
> and the output we get is:
>
> 140119872083624:error:2F06D064:time stamp
> routines:TS_VERIFY_CERT:certificate verif
>From: owner-openssl-us...@openssl.org On Behalf Of Peter Eckersley
>Sent: Monday, 09 July, 2012 19:59
># now try to verify it. Note that "allcerts" was a poorly chosen
>directory name. It should have been allCAs...
>openssl verify -untrusted twitter.com.results_2.pem
>-CApath ../al
_
From: Mohammad khodaei [mailto:m_khod...@yahoo.com]
Sent: Wednesday, 04 July, 2012 07:12
To: openssl-users@openssl.org; dthomp...@prinpay.com
Subject: Re: Convert PKCS7_decrypt output to char*
Thanks a lot for the response. I applied the feedbacks you gave me. Now I
changed the pa
>From: owner-openssl-us...@openssl.org On Behalf Of Mohammad khodaei
>Sent: Monday, 02 July, 2012 10:05
>I want to encrypt and decrypt using PKCS7_encrypt() and PKCS7_decrypt().
>I use this procedure to encrypt so that I can retreive the encrypted buffer
>into a char* (and not into a file). Here
>From: owner-openssl-us...@openssl.org On Behalf Of Dogan Kurt
>Sent: Friday, 29 June, 2012 15:14
>Hi, i am developing a client app with openssl. I use SSL_read
>and SSL_write in blocking mode, i just cant figure out something
>about them, if server sends me 10 kb and i call SSL_read just
>once
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 19:37
>Following is the code I used at server side program.
>while (1) {
>SSL *ssl = SSL_new(ctx);
>SSL_set_fd(ssl, clientserver[1]);
> if (SSL_accept(ssl) != 1)
> break;
>result
> From: owner-openssl-us...@openssl.org On Behalf Of Lutz Jaenicke
> Sent: Friday, 29 June, 2012 15:10
> Forwarded to openssl-users for public discussion
(attachment: 80-char lines of base64 that didn't decode)
OpenSSL BIO_f_base64 by default tries to nearly enforce the
MIME limit of 76 encoded
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 15:30
>I am trying to measure server performance for client certificate
verification.
>However, there is no significant difference in the server performance
>when I send one certificate and condition
> From: owner-openssl-us...@openssl.org On Behalf Of Li, David
> Sent: Monday, 25 June, 2012 00:03
> Sorry I forgot. I do also have the EC public key (the point
> Qx and Qy) in hex. I also know the curve P-384.
> So the only step I am not sure is how to convert the EC
> private and public keys
> From: owner-openssl-us...@openssl.org On Behalf Of Bernard46
> Sent: Sunday, 24 June, 2012 18:12
> Can I just double check that you are certain the Alert Level
> and Description
> bytes (1 byte each) are encrypted and so cannot be read in a Wireshark
> trace? This makes debugging very difficult
> From: owner-openssl-us...@openssl.org On Behalf Of ml
> Sent: Wednesday, 20 June, 2012 21:34
> when using ssl V2 it is possible to run code in a few lines I quote
>
> #define CHK_NULL(x) do { if ((x)==NULL) exit (1); } while(0)
> #define CHK_ERR(err,s) if ((err)==-1) { perro
> From: owner-openssl-us...@openssl.org On Behalf Of Li, David
> Sent: Thursday, 21 June, 2012 17:53
> If I have a private key in hex string , e.g,
> 23d9f4ea6d87b7d6163d64256e3449255db14786401a51daa7847161bf56d4
> 94325ad2ac8ba928394e01061d882c3528, how can I convert it into
> an ECDSA privat
>From: owner-openssl-us...@openssl.org On Behalf Of Li, David
>Sent: Thursday, 21 June, 2012 11:48
>How does openssl dgst know which signing algorithm it's supposed
>to use in openssl dgst? For example how does it figure out
>if this signing private key is a ECDSA key or RSA key?
>Is this info
> From: owner-openssl-us...@openssl.org On Behalf Of Francis GASCHET
> Sent: Monday, 18 June, 2012 12:06
> In my application, I met some problem when verifying a
> certificate which is expired. It worked perfectly in 0.9.8
> and I get the X509_V_ERR_CERT_HAS_EXPIRED error code,
> The same code
>From: owner-openssl-us...@openssl.org On Behalf Of Jack Trades
>Sent: Thursday, 14 June, 2012 16:18
>I have an asynchronous win32 websocket server (written in C/C++
>using MSVS 2010) application that I now want to support WSS -
>a WebSocket Secure connection. To accomplish this, I added
>open
> From: owner-openssl-us...@openssl.org On Behalf Of Patrick Patterson
> Sent: Wednesday, 13 June, 2012 15:59
> To: openssl-users@openssl.org
> Subject: Re: Is Sha2 supported for signing certs?
>
> Hi Pushkar,
>
> Don't use the -md option - just use -sha256 directly.
Nope. -sha256 is correct for
>From: owner-openssl-us...@openssl.org On Behalf Of Jayant Dusane
>Sent: Tuesday, 12 June, 2012 03:24
>SO_RCVTIMEO and SO_SNDTIMEO didnt work!
>and also nothing related to certifacte, firewall, authentication.
>because it works with 0.6 ms latency and stopped working in ~100ms latency
network.
>From: owner-openssl-us...@openssl.org On Behalf Of Jayant Dusane
>Sent: Monday, 11 June, 2012 10:40
>I am using openssl 0.9.8s in my c++ application.
>SSL handshake and all post communication works fine in LAN. But
>SSL handshake start failing if the network latency reaches to ~100ms.
>its seems
>From: owner-openssl-us...@openssl.org On Behalf Of Patrik Ahlin
>Sent: Friday, 08 June, 2012 13:44
>I am new to using OpenSSL. I have been using IIS for way too long
>and I want to start to sign SSL Certificates using SHA2/2048 bit.
>So I successfully generated a CSR using this method and was
> From: owner-openssl-us...@openssl.org On Behalf Of Bin Lu
> Sent: Thursday, 07 June, 2012 19:25
> For ecdh_tmp, should it be the same as what is set in the
> pkey in CTX->CERT? What is the purpose of these _tmp keys?
> Sent: Thursday, June 07, 2012 4:04 PM
> But for a DSA key, what DH do I su
>From: owner-openssl-us...@openssl.org On Behalf Of Bin Lu
>Sent: Thursday, 07 June, 2012 14:53
>I am trying to use an ECDSA certificate
>the correct cipher suite is not being chosen
>dh_tmp, ecdh_tmp and their callback functions not set
>Is some code missing in SSL_CTX_use_PrivateK
>From: owner-openssl-us...@openssl.org On Behalf Of Arthur Spitzer
>Sent: Tuesday, 05 June, 2012 04:48
>I need to verify a X.509 certificate against a self-signed X.509 CA,
>both certificates are in PEM-format. Doing this on the command line
>works so far:
>Right now I am working on a small pie
>From: owner-openssl-us...@openssl.org On Behalf Of Menon, Anish
>Sent: Tuesday, 05 June, 2012 17:38
>I am trying to use the command pkeyutl but I don't see that option
>available on the latest version for windows. 1c . How do I get the same?
By '1c' I assume you mean 1.0.1c.
Are you using the
> From: owner-openssl-us...@openssl.org On Behalf Of Dinh, Thao V CIV
NSWCDD, K72
> Sent: Monday, 04 June, 2012 11:08
> Please help me to understand more about "SELF SIGNED CERTIFICATES".
>
> Do Self-Signed certificates have to signed at all by its own
> CA ?? Do we have to generate CSR for eac
> From: owner-openssl-us...@openssl.org On Behalf Of Oleksiy Lukin
> Sent: Tuesday, 05 June, 2012 03:59
> I have problem with EVP_PKEY_decrypt() function and 4K RSA
> private key
> decrypting data encrypted with EVP_PKEY_encrypt() and corresponding
> public key. Keys generated using openssl CA s
> From: owner-openssl-us...@openssl.org On Behalf Of DRings
> Sent: Tuesday, 05 June, 2012 13:15
> I have a restricted community application that seems a
> perfect fit for using
> openssl to self-generate our own CA, and self-sign it, and
> self-generate our
> own web client authentication certi
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Tuesday, 29 May, 2012 03:34
> On 5/27/2012 2:29 AM, Jeremy Farrell wrote:
>
> Note that when considering portability, C99 is not yet
> fully implemented everywhere, so when I say "ANSI C"
> without qualification, I generally
>From: owner-openssl-us...@openssl.org On Behalf Of al so
>Sent: Monday, 04 June, 2012 14:48
>Does it look for client cert chain by default in the home dir?
>Looks like it's due to mutual authentication setup?
s_client looks for client-auth key&cert only where you tell it
using the comm
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Thursday, 31 May, 2012 13:14
> On 5/31/2012 4:01 PM, Jack Trades wrote:
> > client is rejecting the server certificate with the
> following error:
> >
> > -Error with certificate at depth: 1
> > issuer = /C=US/ST=VA/L=Fa
>From: owner-openssl-us...@openssl.org On Behalf Of Erwann Abalea
>Sent: Tuesday, 29 May, 2012 10:13
>Yes to everything.
Minor caveat: OpenSSL supports signatures using SHA256
*with RSA and ECDSA* back to 0.9.8 and I think 0.9.7,
but SHA256 (and SHA224) with DSA only since 1.0.0.
(As I recall
(somewhat offtopic)
> From: owner-openssl-us...@openssl.org On Behalf Of Jeremy Farrell
> Sent: Saturday, 26 May, 2012 20:29
> > From: Jakob Bohm [mailto:jb-open...@wisemo.com]
> > Which version of the ANSI Spec, and where did you get a copy?
>
> I quoted from C99 in a recent message; can't re
> From: owner-openssl-us...@openssl.org On Behalf Of ml
> Sent: Saturday, 26 May, 2012 16:18
> I try to realize as base64 encoding
> char *base64(char *input, int length)
> {
> BIO *bmem, *b64;
> BUF_MEM *bptr;
>
> b64 = BIO_new(BIO_f_base64());
> bmem = BIO_new(BIO_s_mem());
> b64 = B
> From: owner-openssl-us...@openssl.org On Behalf Of rockinein
> Sent: Friday, 25 May, 2012 08:58
> I need help with certificate chain (with intermediate CA). I
> need to convert pem to der.
>
> There is a command:
>
> openssl x509 -in something.pem -out something.der -outform der
>
> Problem
> From: owner-openssl-us...@openssl.org On Behalf Of marek.marc...@malkom.pl
> Sent: Monday, 21 May, 2012 11:11
(-dev dropped)
> This looks like declaration mismatch, you should send more info (used
> compilers, environment), maybe simple test code.
> owner-openssl-us...@openssl.org wrote on 05/
>From: owner-openssl-us...@openssl.org On Behalf Of Khuc, Chuong D.
>Sent: Friday, 18 May, 2012 17:22
>I have an ECDSA private key in the form of a 32 byte unsigned char array,
>and a data that needs to be signed using that key. So I wrote the following
>code to load the key and use it to sign m
>From: owner-openssl-us...@openssl.org On Behalf Of scott...@csweber.com
>Sent: Friday, 11 May, 2012 19:15
(re: usual=PKCS5 padding for AES-CBC)
>So, a 15 byte block (or ends with a 15 byte after multiples of
>16 bytes) would use a 0x01 in the last position...?
Yes.
>And a whole multiple of 16
>From: owner-openssl-us...@openssl.org On Behalf Of scott...@csweber.com
>Sent: Friday, 11 May, 2012 17:09
>I manually padded the input in the C code with spaces. Then I
>manually padded the input file with spaces. Now both cleartexts
>are exactly 16 bytes long.
>The output from the openssl e
> From: owner-openssl-us...@openssl.org On Behalf Of Marcin Glogowski
> Sent: Tuesday, 08 May, 2012 09:18
> Hello,
> I have to write non blocking SSL/TLS server based on the
> OpenSSL library.
> I couldn't find any example/tutorial with this.
> Please write me where can I find some client/server
> From: owner-openssl-us...@openssl.org On Behalf Of Vladimir Belov
> Sent: Thursday, 10 May, 2012 16:09
> I want to know what constants(such as OPENSSL_SYS_WIN32 or
> OPENSSL_SYS_UNIX)
> with #define operator I must define at the beginning of the
> program in
> different OS: Windows, Linux a
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Friday, 11 May, 2012 03:50
> Please help me out in debugging this cipher negotiation issue.
>
> My client supports OpensslV1.0 and my server supports
> Openssl0.9.7. I used
> self-signed RSA type certificate on both server & cl
>From: owner-openssl-us...@openssl.org On Behalf Of Adrian Manuel Vázquez
Betancourt
>Sent: Tuesday, 08 May, 2012 15:21
>I have a p12 certificate file and I would like to extract the private
>key from it and export it as a pem file in plain pkcs#1 format.
>openssl pkcs12 -in test.p12 -out testke
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
> Sent: Monday, 30 April, 2012 02:39
> On Sun, Apr 29, 2012 at 5:40 PM, Mike Hoy wrote:
> > We use McAfee to scan our website for vulnerabilities. They
> claim the
> > following:
> >>
> >> Configure SSL/TLS servers to only use T
> From: owner-openssl-us...@openssl.org On Behalf Of ml
> Sent: Tuesday, 01 May, 2012 15:21
Aside: this question isn't really related to OpenSSL.
> i work on small projet
> https://github.com/fakessh/openprojectssl/blob/master/smtp.c
> https://github.com/fakessh/openprojectssl/blob/master/smtp.h
> From: owner-openssl-us...@openssl.org On Behalf Of Alex Chen
> Sent: Thursday, 03 May, 2012 13:47
> Thanks for the reply Erwin. Let me clarify the goal: the client
> wants to send an encrypted message to the server for security reason
> and the connection ... can be SSL [but
> From: owner-openssl-us...@openssl.org On Behalf Of Johansen Daniel
> Sent: Friday, 27 April, 2012 03:18
> Im sorry for removing some "sensitive" information, but it is
> company policy.
>
Understood.
> SFTP Server is using maverick sshd library (java based).
>
I haven't used that myself, but
> From: owner-openssl-us...@openssl.org On Behalf Of Tammany, Curtis
> Sent: Friday, 27 April, 2012 09:45
> To: st...@openssl.org; openssl-users@openssl.org
> Subject: FAILED:unable to get local issuer certificate
>
> We have an Apache 2.2.22/OpenSSL 1.0.1 CAC-enabled website
> running on Windows
> From: owner-openssl-us...@openssl.org On Behalf Of jb-open...@wisemo.com
> Sent: Thursday, 26 April, 2012 19:37
> On 26-04-2012 15:05, Thomas J. Hruska wrote:
> > ... This archive under 7-Zip 9.20 (latest
> > stable) displays a "There are no trailing zero-filled records"
> > error dialog but
>From: owner-openssl-us...@openssl.org On Behalf Of Johansen Daniel
>Sent: Wednesday, 25 April, 2012 08:13
>Having this weird problem when connecting to a SFTP server.
>OpenSSH_5.9p1, OpenSSL 1.0.1 14 Mar 2012
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>debug1: expecting SSH2_MSG_
:14
To: openssl-users@openssl.org
Subject: Re: a question about openssl sessions
On Thu, Apr 19, 2012 at 19:45, Dave Thompson wrote:
> From: owner-openssl-us...@openssl.org On Behalf Of Stéphane Charette
> Sent: Sunday, 15 April, 2012 20:31
> I'm using Openss
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Wednesday, 18 April, 2012 07:57
> On 4/17/2012 7:00 PM, Nou Dadoun wrote:
> > Quick question regarding certificate usage in an ssl
> connection; you can associate a number of certificates with a
> server endpoint - is there
> From: owner-openssl-us...@openssl.org On Behalf Of Stéphane Charette
> Sent: Sunday, 15 April, 2012 20:31
> I'm using Openssl to talk to a server that expects to re-use ssl
> sessions when a client needs to open many SSL connections. I have
> the same code working on Linux a
> From: owner-openssl-us...@openssl.org On Behalf Of Nathan Smyth
> Sent: Wednesday, 11 April, 2012 09:08
> > If this server is getting connections from the client above,
> > and that client mistakenly handles WANT_READ by closing or
> > even exiting/aborting, the server gets either TCP abort or
>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
>Sent: Wednesday, 11 April, 2012 03:16
>Thanks Dave could you please elaborate below lines too
Meta-answers: you can read the instructions for any OpenSSL
utility on Unix with man (here man req and man x509)
(you
> From: owner-openssl-us...@openssl.org On Behalf Of Nathan Smyth
> Sent: Tuesday, 10 April, 2012 09:25
> I'm having trouble getting the SSL Connect/Accepts to work.
>
> For the client, SSL_Connect returns -1. Raising SSL Error =
> 2, SSL_ERROR_WANT_READ
>
Are you using nonblocking socket? If s
> From: owner-openssl-us...@openssl.org On Behalf Of Jim Segrave
> Sent: Friday, 06 April, 2012 16:32
> On 04/06/2012 01:46 AM, Dave Thompson wrote:
> >> AES_KEY actx, dctx;
> >>printf("\n keylen = %d; kebits= %d", KEYLEN, KEYBITS);
> >>
&
> From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
> Sent: Monday, 09 April, 2012 01:54
> I am newbie to OpenSSL. I am trying to understand how certificates
> are generated. I downloaded the samples and started understanding
> the "Makefile" that came wit
> From: owner-openssl-us...@openssl.org On Behalf Of Ram Prasad Reddy
> Sent: Wednesday, 04 April, 2012 09:08
> We are using OpenSSL DH for key establishment in our product.
> Recently we increased the size of P parameter to 2048 bits from
> 640 bits (we use g parameter of valu
> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn
> Sent: Wednesday, 04 April, 2012 05:41
> I need to wrap 512bit key with 256 bit KEK key. When i do
> this, i am hitting
> seg fault in AES_wrap_key(). When i do gdb, it points to
> memcpy().
> #define KEY512 0
>
> #if KEY512
>
> From: owner-openssl-us...@openssl.org On Behalf Of carlyo...@keycomm.co.uk
> Sent: Tuesday, 03 April, 2012 09:35
> >On Tue 03/04/12 2:21 PM , Balamurugan rajan
> balamurugan@gmail.com sent:
> >I want to need to read the Certiifcate Key usage and
> identify the combination values to determ
> From: owner-openssl-us...@openssl.org On Behalf Of Prashanth kumar N
> Sent: Thursday, 29 March, 2012 10:02
> Bit confusing... are you saying that i need to add NULL termination
> at the end of encrypted data? Isn't this wrong? I assume i shouldn't be
> NULL terminating the
> From: owner-openssl-us...@openssl.org On Behalf Of (me)
> Sent: Wednesday, 28 March, 2012 20:45
> AES-OFB or AES-CFB or AES-OFB are stream modes [with no padding]
Sorry; I meant to write -OFB or -CFB or -CTR.
While I'm correcting, -GCM is also a (new) stream mode,
implemented in 1.0.1; it d
> From: owner-openssl-us...@openssl.org On Behalf Of Alex Chen
> Sent: Wednesday, 28 March, 2012 17:50
> When the padding is disabled by setting the padding size to 0
> in EVP_CIPHER_CTX_set_padding(), is the output data block
> size the same as the input block size?
> Will this reduce the encry
> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn
> Sent: Monday, 26 March, 2012 01:52
> I was going through the RFC of AES and it does say we get the IV upon
> unwrapping . Check the below link
> http://www.ietf.org/rfc/rfc3394.txt
Not really. 2.2.3 says
In the final step of
> From: owner-openssl-us...@openssl.org On Behalf Of Prashanth kumar N
> Sent: Wednesday, 28 March, 2012 03:01
> As i read min AES block size is 128 bits which can go up to
> 256 bits in multiples of 32-bits. Is this correct?
No but almost. The *algorithm* Rijndael designed b
> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn
> Sent: Wednesday, 21 March, 2012 01:46
> Coming to the usage, i really don't want to use HEX for the
> PKCS5_PBKDF2_HMAC_SHA1(). I just want to input the values i got from
> RAND_byes().
>
> Here is what i am going to do, correct me if
ut for
key wrapping like this, assuming your data keys are random
as they should be, you don't really need nonce IVs, and
you could have both wrap and unwrap use the default in
those routines (8 x A6) or some other fixed value.
>
> Dave Thompson-5 wrote:
> >
> >&g
> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn
> Sent: Monday, 19 March, 2012 09:17
> I have a requirement of wrapping a 512-bit DEK witk 256 bit
> KEK. I picked up
> openssl API and figured out that it provides AES_wrap_key()
> to do the job. I
OpenSSL's AES_{wrap,unwrap}_key doe
> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn
> Sent: Tuesday, 20 March, 2012 00:36
> Thanks a lot Dave for pointing out few things which i need to
> take care. By
> the way as this is not complete code, original code already
> has taken care
> of few thing
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Monday, 19 March, 2012 13:25
> On 3/19/2012 5:26 PM, Nicle wrote:
> > Hi all,
> >
> > I can understand if file-size%16 != 0, openssl will pad data.
> >
> > But it will also pad 16bytes for those file size exactly 16 times.
> >
> From: owner-openssl-us...@openssl.org On Behalf Of Fekete, Tamás
(lesswire AG Ungarn)
> Sent: Saturday, 17 March, 2012 01:03
> But I am thinking, maybe a trivial question to you.
> Do I need use something "to ACK" messages?
Maybe. It depends on your application(s).
SSL/TLS,
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Sunday, 18 March, 2012 03:55
> We have fixed the Segment lost issue which was causing Packet
> drop. But we
> are still seeing the "Encryption Alert" again. I am attaching one more
> packet capture which has all the information.
601 - 700 of 1342 matches
Mail list logo
