CRL verification question ...

on is still succeeding even after 30 days. Can someone please tell me what I'm missing? -David- __ OpenSSL Project http://www.openssl.org User Support Ma

Re: Certificate Revocation List (CRL) management recommendations?

Sorry to prolong this thread, but does the function X509_CRL_verify() actually check to see if the CRL has expired? If not what function performs this verification? I'm confused as to the actually mechanics of using the default_crl_days in code. -David

RE: Investigating a leak

> That'd do it. But if you're doing the loop in that sequence, and > if you have > set non-blocking on the sockets, then instead of polling for the > connection > you can use select or poll (depending on your platform) to wait > for incoming > connection activity, then enter ssl_accept in blocking

Authentication error

Why will a ca generated in openssl result in an authentication error if this root cert is installed on a phone? I am using the root cert to validate a java signed "midlet" for a phone... The phone does not use any other certs to validate my cert and it does not access the web to validate a cer

Please help. X509 v3 java ca cert extensions?

to the phone etc, but the certs I create do not validate a java midlet I get an authentication error. Please help! David __ OpenSSL Project http://www.openssl.org User Support Mailing List

RE: How to change utc time?

> This is a follow on from my last post as the text lost its formatting. > > How do I change the utc time of a certificate to a smaller format > (whilst creating a cert): > 18082107Z - there are lots of zeros in this format, openssl > gives less. There is never more than one way to re

Re: Some troubles making my own CA

make them work). The commands are fairly similar, just create a .bat file with those commands and things should work. David Templar wrote: I think I can help you with PC certs - I am having trouble with phone certs though :( openssl genrsa -out ca.key 1024 (or whatever size key you want) you

Re: Some troubles making my own CA

I think I can help you with PC certs - I am having trouble with phone certs though :( openssl genrsa -out ca.key 1024 (or whatever size key you want) you can also chose dsa or dsa1 etc and openssl req -new -x509 -key ca.key -out cacert.pem -config [the name of the config file] - you can als

Re: Am I barking up the wrong tree?

e my certs (if I have 1 old cert on the phone) but it considers it as part of the old cert - with its expiry date etc? David Templar wrote: Ignore my last post - I forgot the extra 0s are the hhdd etc... But I am having a problem - I have deleted all files on my phone, but I cannot get it to

Am I barking up the wrong tree?

s appreciated! RGDS David __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]

Re: Can openssl change a V1 to a V3 x509?

Thanks. David Schwartz wrote: I am having a lot of problems importing a certificate made in openssl into a phone, but I can get a keytool certificate imported. The only thing is that I need to change the V1 cert (keytool only makes V1) to a V3 cert - can openssl modify a cert to a V3 (without

How to change utc time?

This is a follow on from my last post as the text lost its formatting. How do I change the utc time of a certificate to a smaller format (whilst creating a cert): 18082107Z - there are lots of zeros in this format, openssl gives less. Also, how do I add a friendly name object - I have trie

Generatiing a cert with these objects - help! .cnf and utctime...

Hi, I am still stuck on the phone cert creation, but I am inching closer! How do I generate a cert with only the below data to be included in the certs? What should be openssl.cnf have? What should be my genrsa be? and do I need to do anything else? I have attached the asn1parse output of the

RE: Can openssl change a V1 to a V3 x509?

> I am having a lot of problems importing a certificate made in openssl > into a phone, but I can get a keytool certificate imported. The only > thing is that I need to change the V1 cert (keytool only makes V1) to a > V3 cert - can openssl modify a cert to a V3 (without changing anything > else)?

Can openssl change a V1 to a V3 x509?

I am having a lot of problems importing a certificate made in openssl into a phone, but I can get a keytool certificate imported. The only thing is that I need to change the V1 cert (keytool only makes V1) to a V3 cert - can openssl modify a cert to a V3 (without changing anything else)? _

openssl.cnf, please help: What is the difference between these 2 certificates?

motorola phone, but the openssl cert can be installed (it is not fully recognized though). How do I configure openssl to create a root certificate exactly like the microsoft one (except for the key etc...)? Thanks. David 0‚0‚ú 
Á‹<<ˆÑ>[EMAIL PROTECTED]  *†H†÷



Re: Dr Henson is a superstar!!! 3rd time request... PLEASE help! Phone cert creation

. I have changed the extension of the attached cert to .txt as the openssl forum does not accept .crt. Thanks for your great tip! I am now 90% there! RGDS, David Dr. Stephen Henson wrote: On Tue, Jul 12, 2005, David Templar wrote: Hi all, I am really stuck and have tried all I can - I

Re: 3rd time request... PLEASE help! Phone cert creation

Thanks, I will try this within the next hour to see what happens. Is there a key size or any other issues that I need to consider when I generate a new cert now? Dr. Stephen Henson wrote: On Tue, Jul 12, 2005, David Templar wrote: Hi all, I am really stuck and have tried all I can - I

Re: 3rd time request... PLEASE help! Phone cert creation

orum or to anybody who knows flex operating system (the one from Motorola).   Daniel Díaz   [EMAIL PROTECTED]   De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] En nombre de David Templar Enviado el: martes, 12 de julio de 2005 20:01 Para: openssl-users@openssl.org Asunto

Re: 3rd time request... PLEASE help! Phone cert creation

because openssl (I have been using for many years) comes with cert creation abilities - it has helped me for many years with PC java! Also, I was hoping I would be able to ask many crypto experts on the forum! RGDS David Pablo J Royo wrote: I suppose this is not the right forum to ask for

3rd time request... PLEASE help! Phone cert creation

and appreciated - even if you cannot help, please tell me where I can get some help... Thanks in advance, David 0‚©0‚‘ 

0  *†H†÷

0y10 UUS10UIllinois10ULibertyville10U Motorola Inc10 UPCS10UMotorola Java CA400 03082107Z

Need help creating certificate for mobile phone

posting does not allow .crt files to be attached. Please tell me how to create my own certificates like it either using openssl or any other tool. Thanks in advance, David 0‚©0‚‘ 

0  *†H†÷

0y10 UUS10UIllinois10ULibertyville10U Motorola Inc1

Please help!!! What is the format of this certificate?

Hi all, Please help me! I am trying to work out the format of this certificate and then make my own certificates like it. It is a root certificate for verification of signed java midlets on a moblile phone (Motorola). All help appreciated. I need to know the type, format and how to make my o

RE: Creating certs for others (without their private keys)

> Does openssl (9.0.9.7g or 0.9.8beta6) allow creating certs (signing > others' public keys) without havign their private keys presented to the > signer? Of course, > [For having to bring private key along with the public key sort fo > defeats the whole purpse PKI.] Exactly.

Re: Supporting both TLSv1 and SSLv3

Thanks for the reply, don't know how I missed that one, perhaps the name SSLv23 is confusing because it doesn't contain TLS. -David --- Cesc <[EMAIL PROTECTED]> wrote: > Why don't you try SSLv23_client_method()? > You can also use the set_options (for the SSL >

Supporting both TLSv1 and SSLv3

() first, and if that fails then try SSLv3_client_method()? Can these be done over the same socket connection or will the server disconnect if TLSv1 is not supported? Thanks, -David __ Yahoo! Mail Mobile Take Yahoo! Mail with you! Check email

Key length and other questions

wer might be whatever "openssl ciphers" prints out: "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA: etc." Thanks for any comments, -David Yahoo! Sports Rekindle the Rivalries. Sign up for Fantasy

RE: Generating a lot of randomness...

> I see things for adding entropy, loading files, etc. I don't see > anything about generating random numbers. Am I missing something so > obvious if it was a snake it would have bitten me by now? RAND_bytes DS ___

RE: Generating a lot of randomness...

> Generating one or two random numbers over a period of time isn't a big > deal. Generating 100,000+ 128 bit random numbers an hour taxes > /dev/random and /dev/urandom. Even the use of EGAD doesn't help. Right. > If you re-read the thread you will see that I wrote what I thought was a

RE: Generating a lot of randomness...

> I can't add anything beyond what is available on a AMD or Intel > motherboard. So is there a built-in HRNG that I can get to (if so, where > is the driver for it)? Use /dev/urandom to seed your own PRNG. Or use it to seed OpenSSL's PRNG. Why are you asking on this list anyway?

RE: Decrypting RSA Private Key

Strictly speaking 1.2.840.113549.1.5.13 is the OID for the "PBES2 encryption scheme" from PKCS#5 V2. Dave __ OpenSSL Project http://www.openssl.org User Support Mailing Listope

Certificate Heirichy

Gurus, Two questions (perhasp I should have split this) #1 When I look at Thawte or VeriSign certs that a server has there is a heirichy, Thawte then Me or VeriSign then Me. Well I made my on CA and signed some certs but they don't have the heirichy like the commercial ones. What gives? Do

Re: Need objective arguments against double certificate

. non-voluntary. At 07:20 PM 6/16/2005, you wrote: On Thu, Jun 16, 2005 at 06:33:53PM -0700, david wrote: > Like the commentator, I'm also a little guy. In my case, I'm a retired guy > who got his intro to this stuff from Entrust. I got convinced that their > two (or mor

RE: Need objective arguments against double certificate

> Pease help to fill in items that I might have missed :) The security risk that this non-standard scheme might introduce an unforseen vulnerability. This is, IMO, as likely as that it will protect against some unforseen vulnerability -- the alleged reason for the scheme. DS __

Re: Need objective arguments against double certificate

row, it just allows for it to happen when appropriate. Yet, it allows for a separation of confidentiality and identity proof. David Kurn At 06:07 PM 6/16/2005, you wrote: Like everyone else, I say this consultant doesn't know what he's talking about (I'm tempted to ask you t

RE: Need objective arguments against double certificate

> Thanks all for replying. More heated debates I guess. How can there be a heated debated when there is not yet one argument advanced in favor of the double certificate scheme? DS __ OpenSSL Project

RE: nseq vs Thawte freemail certificates

I've not been there, but is it possible that this is a PKCS#12 bag? Dave __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated

Re: PKCS12 client

Thank you Heikki Toivonen and Goetz Babin-Ebell, your suggestions were very helpful. -David > david kine wrote: > > How does one load verify locations into a SSL_CTX > from > > in-memory X509 certificates? > > You can get the X509_STORE from the SSL_CTX. > There yo

RE: Need objective arguments against double certificate

>If you want to separate the signature key from the encryption key, you should have 2 keys, and not one key with 2 certificates. Totally agreed - the reason for using key separation is that encryption keys will (typically) have a shorter life time than signing keys (at least for certificate valid

PKCS12 client

I am writing an SSL client which utilizes a PKCS12 keystore. I am able to create the keystore using OpenSSL utilities, read the .p12 file using d2i_PKCS12_fp(), and parse it using PKCS12_parse(). The X509 and STACK_OF( X509 ) return parameters are all correct. The next thing I need to do is set

RE: Question regarding certificate requests !

Howsabout using openssl req ? That does what U want I think you will find. Dave __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Au

RE: Hardware Acceleration.

> I was wondering if there is a list of all the hardware > accelerators that openssl supports? Or at the very least if > someone can tell > me if this card from Intel would be supported by OpenSSL. > > http://www.intel.com/network/connectivity/products/pro100dport_adapter.htm As I unders

RE: timeout vs. SSL_ERROR_WANT_XXXX

> I want to use timeout with select and I wonder how to "cancel" operation > (SSL_read or SSL_write non-blocking) that caused SSL_ERROR_WANT_READ (or > *_WRITE). I've got messages queue to send (and one for received too). If > I cannot send whole particular msg within some time (5 sec) I want to >

RE: timeout vs. SSL_ERROR_WANT_XXXX

> What I think is as its the application's responsibility to retry > the "same" openssl operation whenever it receives a WANT_READ or > WANT_WRITE, why cant we simply overwrite the buffer that is passed > to say SSL_write with the next payload that needs to be sent when we hit > that error code, i

RE: Checking for socket read state

> Ok... > > Sorry, maybe that was the wrong question altogether... > I am trying to signal my blocking connection thread to end while > OpenSSL is > negotiating a connection with SSL_connect. > > Is there any way to tell SSL to stop once it enters SSL_connect, perhaps > with a non-blocking appr

RE: Checking for socket read state

> Hi all quick question of you guru's. > > If I wish to check to see if data is ready to be read on my SSL connection > do I just use normal "select" or is there something in the SSL libraries > that I need to use? You aren't asking a precise question. For example, if there's data that co

SSL/HTTPS Stream.

Hello.   I am trying to connect to a secure (https) webserver using PHP.  The problem is that PHP needs to have https as a registered stream (which it doesnt).  I have installed OpenSSL, and enabled the extensions in PHP.   Can I assume that OpenSSL doesnt add https as a registered stream, o

Question on ENGINE implementation.

startup from an initialisation file (encrypted). I also noticed ENGINE_load_private_key etc use a UI_method prompting for passphrase. Is there any way of initialising the engine and keys etc without any user interaction? David

RE: How to map recv(fd, buffer, SEGMENT_LEN, MSG_PEEK) to SSL_read

> Adding to David's response... > > MSG_PEEK is problematic on some systems. On Windows for example > (maybe only > the 9x series, but a problem none-the-less) using MSG_PEEK will > effectively > freeze the contents of the buffered data that can be seen with MSG_PEEK, > meaning that any further p

RE: How to map recv(fd, buffer, SEGMENT_LEN, MSG_PEEK) to SSL_read

> Dr Stephen, > I want to map recv(fd, buffer, SEGMENT_LEN, MSG_PEEK) > to some kind of SSL_read. > > MSG_PEEK > This flag causes the receive operation > to return data from the > beginning of the receive queue without > removing that data from > the q

RE: SSL_read confusion

> sprintf(head,"GET /index.html HTTP/1.1 \t\n\t"); That should be "GET /index.html HTTP/1.1\r\nHost: \r\n\r\n". For an HTTP/1.1 request, a 'Host' header is required. You also have to handle chunked encoding if you claim 1.1 compliance. > memset(read, 0, sizeof(read)); > res = SSL_read (

RE: simple question again

corresponds to the public key in it. > > You can now prove that you are you by presenting the certificate and then > proving that you know the private key. This is usually done by challenging > you to sign something with it or decrypt something with it. > > DS On step 6, I thin

RE: simple question again

> Thanks to the both of you...Josh and Ken. > > My questions got answered and I have a better understanding. > > and now -- > > So - I put SSL inside an i-frame and when the user comes into my website - > accepts my certificate - from that point on all documentation sent either > back and forth is

Re: Getting Cisco 3kvpn to accept openssl signed certs - anyone done it?

Have you installed the CA cert on the cisco? David Gianndrea Senior Network Engineer Comsquared Systems, Inc. Email: [EMAIL PROTECTED] Web: www.comsquared.com ray v wrote: Has anyone been able to get a certificate signed by openssl CA to accept the identity certificate? 1. Gen manual pkcs10

Re: RE: Re: simple question again

vate key. Ok, so if it is not a problem if the cetifiacte is intercepted, how to "prove that you are the party the certificate was issued to by demonstrating possession of the private key " ? Is it a special configuration the VPN ? thx david Protek-on: CaraMail met en oeuvre un nouveau Concept de Sécurité Globale - www.caramail.com

RE: Re: simple question again

> This is why in my other replies to whomever - I made the > statement about how > fast all this can be done. It takes at least 3 good handshakes to get > onboard a SSL site - but, what matters the most is that > &*_*&)^&^)*_**;qwepqowifskljfas that surrounds the key - is intact and not > minus o

RE: Re: simple question again

> > > if somebody intercepts the certificate while it is in transit > > > on the network, this person can use this certificate ? > > If you have a certificate you can verify something that's been signed > > with the private key, or you can encrypt something so that only the > > holder of the priv

Re: Re: simple question again

cepts a certificate it can use the VPN ? (because the VPN server accepts all connection if it knows CA which signed the certificate of the user) thx for your answers david Protek-on: CaraMail met en oeuvre un nouveau Concept de Sécurité Globale - www.caramail.com

Re: Re: simple question again

Ok, if somebody intercepts the certificate while it is in transit on the network, this person can use this certificate ? How a CA knows that the certificate is used by the good user or not in this case ? > De: Rich Salz <[EMAIL PROTECTED]> > A: david <[EMAIL PROTECTE

simple question again

When a CA signs a certificate request , then the certificate is sent to the user . for this, is the certifictate automatically encrypted with the user public key ?   thx     david   Interview 50 Cent 100% I am what I am...

Simple questions about the req_attribut challengePassword

hi all,   what is the use of the req_attribute  "challengePassword" in a certificat request ? How is it used ? In which case is it used ?   thx   davidLa puissance n’est pas innée : elle se construit. Cliquez ici pour découvrir Nike Free !

RE: Questions on SSL_CTX_use_certificate_file

> We're currently using the following to read a key from disk and use it > in our application: > > SSL_CTX_use_certificate_file(my_ssl_ctx_save,"./SSL/pubcert.pem",S > SL_FILETYPE_PEM); > SSL_CTX_use_PrivateKey_file(my_ssl_ctx_save,"./SSL/privkey.pem",SS > L_FILETYPE_PEM); > > This works, however,

RE: How to pass SSL connection/object from one process to another?

> If using the third process to hold the SSL connection act like stunnel, > But the performance is slower, so I prefer without the third process. It's hard to give you good suggestions without knowing more about the specifics of your application. But I think it should be possible to make

RE: How to pass SSL connection/object from one process to another?

> But the SSL object structure is too complex, > it containing too many pointer, and many other object pointer which also > containing pointer. > > That is hard to translate all of them. > > Is there any method, that just pass some element of SSL structure > connection > to [Request Handler], then

RE: Re:

Probably a good thing - all these zip files have been virus infested and I don't think they are related to this mailing list at all in fact. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rajeev Aggarwal Sent: 04 May 2005 11:47 To: openssl-users@openssl.

RE: Odd handshake deadlock..

> Okay, interesting development. If I put a sleep(5); on the C client > before I issue SSL_connect (but after I BIO_write "ssl on\n"), > everything works fine. Otherwise both client and server deadlock on > read/recv. Makes perfect sense. The problem is that the server has already receive

RE: CPU horsepower needed to run openssl

3.2 million certs! That's going to be "fun" when you get to certificate rollover time!!! What CA you using (I guess not openssl ca for that volume). Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ray v Sent: 29 April 2005 05:00 To: openssl-users@

RE: SSLVerifyClient

Also I'm surprised to see V3 cert with no KeyUsage section ... It would also would be more normal to use Extended Key Usage to say it is good for SSL Server etc. rather than use the old NetScape Cert Type ... Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Beh

RE: SSLVerifyClient

X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME Netscape Comment: OpenSSL Generated Certificate is why it is failing. The server certificate needs: X509v3 extensions:

RE: RFC3852 CMS specification

2 CMS specification On Tue, Apr 26, 2005, David C. Partridge wrote: > Is there any expectation that openssl will be enhanced in the near future to > support the current CMS specification which I think is RFC3852? If > possible retaining support for the old PKCS#7 "Signed and Enveloped

compile time errors

Hello,   I am running fedora core 3 and trying to install openssl 0.9.7g.  I am using gcc version 4.0.0 20050308, and GNU ld version 2.15.94.0.2 20041220.   using ./config no-asm shared     I get a huge list of errors similar to the following:   libcrypto.a(co86-elf.o)(.text+0x8c0)

RFC3852 CMS specification

Is there any expectation that openssl will be enhanced in the near future to support the current CMS specification which I think is RFC3852? If possible retaining support for the old PKCS#7 "Signed and Enveloped" message format? TIA Dave

Password Protected Keys

I am trying to access module protected keys with openSSL on an nCipher HSM. We have been able to do this both using the with-nfast predicate and through the openSSL code ENGINE_load_private_key. These both prompt interactively for the password to access the keys. Does anyone know of anyway that thi

Non-blocking accept call ...

t_error() where I can see something like SSL_ERROR_WANT_READ) I can call? Thanks, -David- __ OpenSSL Project http://www.openssl.org User Support Mailing List

how to check CRL ?

config ca-manager.cnf -gencrl -out ca.crl BUT it does not change anything, the client can  connect to the server, I think the server does not check the CRL ! How can I do to tell to the server/client to check the CRL ???    thanks david CaraMail met en oeuvre un nouveau Concept de Sécurité Globale

RE: Confusion about SSL_ERROR_WANT_READ/WRITE

> Thanks for the info. One last question :) So if I am using blocking > sockets, than would I ever get a WANT_WRITE error? I'm guessing no? No, it should just block until it gets some application data or can send the application data. > But if I am using BIO pairs, and blocking socket

RE: Confusion about SSL_ERROR_WANT_READ/WRITE

> > There may not be any application data, but there should > > be data sent over the SSL connection. > Protocol data? Like an ack for some previous data sent? Well, remember no data at all can be sent until a key is negotiated. So if you immediately call SSL_write, it will be unab

RE: Confusion about SSL_ERROR_WANT_READ/WRITE

> Yes, I think I understand what you are saying. If I get a > WANT_READ from a > call to SSL_write, that means I need to read some data before I can send. Not quite, it means the OpenSSL engine must read some data (from the socket) before you can perform the 'write' logical operation on

RE: Confusion about SSL_ERROR_WANT_READ/WRITE

> Thanks for this explanation. As I read more, I think I am > getting a better > understanding of this. So unlike normal tcp connections, where a > read juts > reads, and a write just writes, SSL_read may write, and SSL_write > may read. > This is all done under the hood, so I don't need to be c

RE: Confusion about SSL_ERROR_WANT_READ/WRITE

> I have an app where reads and writes happen from different threads. > Now, ideally, one would envision that I just replace the reads/writes > with SSL_read/SSL_write. Now I know it is not as simple as that. You need to wrap each SSL connection with a lock and hold that lock when you ca

Using Unix Domain Sockets?

g, or can I only use AF_INET sockets with BIOs? Thanks in advance! -David- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openss

RE: Multiple Threads accessing an SSL connection

>I read many posts about multiple threads accessing > a single SSL connection for read/write. I am still > confused about the usage. What exactly is the truth? You cannot access the same SSL connection from more than one thread at a time. > If I have a client SSL connection that

TLS vs SSL

I dont have my book handy today, but is TLS just another name for SSL or is it different? My development group is looking into encrypting a client server app data stream before putting it on the wire. Im thinking that TLS is better suited for that. -- David Gianndrea Senior Network Engineer

RE: SSL_CTX_load_verify_locations

> Is there any alternative API for SSL_CTX_load_verify_locations? > SSL_CTX_load_verify_location ends up using STDIO calls and i am > trying to avoid STDIO calls. > > I am stuck here and i need yr help to proceed further. > > Any help is appreicated. Just add them to the verification tree

RE: use os BIOs

> I'm trying to implement an eap-tls server using openssl and > I've found only few examples about using memory BIOs to > perform a TLS handshake. > Can you give me some pointer to documentation about this or > to some examples? > > The code that I'm using is very simple: > > > <...> >

RE: Total newbie Question

> Hi folks, > > I am new to openssl and I am trying to use a Thawte key with Mutt > but I keep > getting this error message: > > Verification failure > 8458:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify > error:pk7_smime.c:222:Verify error:unable to get local issuer certificate > >

RE: Problem with SSL_accept

> Thanx for replying. By live testing I mean, actual client connections > that a server is supposed to accept. The client I developed is a very > basic one and I have only tested it from localhost. I dont know if it > will work from outside or not. So you have no idea whether the client y

RE: PEM_write_DSA_PUBKEY

> I'm trying to write the public/private keys to a PEM file. I'm using the book "Network Security > with OpenSSL" as a reference which says I need to use PEM_write_DSA_PUBKEY, but I can't find > this anywhere in the openssl source. I'm using 0.9.7d. I see PEM_write_DSAPrivateKey, but > nothing

RE: Problem with SSL_accept

> The most intriguing part is when I was writing this server, I > developed a small client just to test connectivity. That client > succeeds. However, when doing live testing not a single connection was > accepted from outside. The test client was run on the same host. I > obtained network traffic

RE: OpenSSL With NO_STDIO

> Has anybody tried compiling OpenSSL with NO_STDIO flag and > successfully run without stdio library ? I don't want to use the > stdio library since it does not recognize File descriptors > > 256.. Hence i want to avoid stdio library and use the native OS calls. I have never been able t

RE: Renegotiation with reader and writer threads.

> Now coming to the first part of your comment. As I understand it, the > manipulation of SSL connection > needs mutex, but can the SSL_read(s) and SSL_write(s) be done from two > threads independently? It can be done from two threads, but it requires a mutex. Thus the two threads are not

RE: Renegotiation with reader and writer threads.

>My client and server has two threads each: a reader thread and a writer thread. >I have put the renegotiation code in the reader thread. It works for most >of the time but occasionally the client gets an "Encrypted Alert" message >( I suspect that this happens when the application data somehow ge

RE: Certificate : how many stages?

> Hi everybody, > > I hear about several methods for server's certificate creation. > - one of them (through CA.pl) creates a root CA and then the server's > certificate > - an another one creates a root CA, then a server CA and finally the > server's certificate. > Why are there three stages? Is

RE: X509 certificate with S/MIME

Current recommendation is to put in the subjectAltName extension.   Dave

RE: Writing to a mem BIO instead of using SSL_Write

> I'm trying (with no success) to detach SSL from a socket, and use it > to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want > to write the encrypted data to a mem BIO (or just a buffer) and send > it by myself (and do the reverse operation on receive). I will do this > just after

RE: SSL (or alike) over UDP

> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote: > > Do you know if it's possible to use SSL (or some other protocol) over > > UDP running totally in user space. > Not possible to use SSL. Some other protocol is potentially > possible, but you > haven't told us what you are trying to accompli

RE: The time of the openssl-ciphers is constant?

> Thanks, I had forgotten that the time that I am calculating it is not > the time of the CPU and I was calculating the time of the data send > with the time that is lost with other processes that the linux > scheduler assign. > Somebody how I can profile only the time spent by SSL_write and SSL_r

RE: The time of the openssl-ciphers is constant?

> Hello, > I am trying to get the transfering time between a client and a server > with different size of data because I want to know that ciphers are > more efficient and after I can choose the cipher more efficient and > secures, because I want build a library for to transfer data in mobile > de

RE: Quantum Encryption no protection against man in the middle attack?

> > 2) Streams of entangled particles can generate shared > > secrets where none > > previously existed. > > No, not really, since the scheme described on page 80 of the Jan 2005 > Scientific American looks vulnerable to a man-in-the-middle attack. In that case, it generates two share

RE: Quantum Encryption no protection against man in the middle attack?

> 3. QE and man in the middle > > NOW we are in a position to see how the combination of QE and > key mixing can actually buy us something! Consider the plight > of the man in the middle when both are being used. She cannot > passively eavesdrop and record for further analysis because of > the n

<    9   10   11   12   13   14   15   16   17   18   >