> we tried to create an SSL certificate via openssl.
> Our problem is that we have an internal server called SVR02. This server
> could be reached via name.dyndns.org:443. If we create a certificate
> with the CO SVR02 the server accepts this and installs the certificate.
> But if we try it from
> This is on SuSE 10.3. The socket is non-blocking, for the only reason
> that I thought it would make debugging the problem easier.
Debugging non-blocking sockets is much more complex than blocking ones.
> With the socket in blocking mode (which is all I need), I have the
> problem where SSL_c
> I'm attempting to establish an SSL connection, where everything
> seems OK until SSL_connect, which returns -1. error is set to 11,
> and perror() gives "Resource temporarily unavailable."
> ERR_error_string rather useless output:
> error:0002:lib(0):func(0):system lib, even though both
> SS
> Dear SSL Users,
>
> I am looking at the debug output of the s_client command, trying
> to compare the
> binary data with structures described in rfc 5246... Everything
> is more or less
> clear, but, I can not figure out where three bytes in front of
> each structure
> come from...
>
> Each dat
> Actually, I do that. And I think I understand what SSL_pending does: it
> returns the number of decrypted bytes remaining in the SSL buffer.
> Implied: at least 1 SSL_read has been done before! Am I wrong?
You are wrong in theory. Any SSL operation can churn the SSL state machine and
decr
> Hi All!
>
> I have some doubts regarding SSL_write in non-blocking mode..
>
> 1. if SSL_write returned SSL_ERROR_WANT_WRITE, it is mentioned that the
> call has to be repeated with the same arguments.
> Does this mean the same buffer has to be used again? or the data
> passed in the initia
> Is it
> openssl speed -evp aes-128-cbc -engine xx -elapsed
> or
> openssl speed -evp aes-128-cbc -engine xx
It depends what you want to measure.
> I have seen examples with both of them on the internet and I get
> different results with each of them. What exactly does "elapsed"
> opt
> OK, but from the source, I discovered that SSL_read is blocking until it
> receives a complete record. So, if I want to be awaken with select I
> must either:
Combining 'select' with blocking operations almost never works right. This is
the most difficult conceivable situation and you should
> David,
> When I sign the same hash with the same certificate I should get the same
> signature. That sounds pretty logical to me.
Really? So if you sign the same contract twice, the two signatures will be
precisely identical?
> The company I'm doing this
> project for
> After lots and lots of testing, trying and debugging I still
> haven't managed
> to get the same results from RSA_sign and CryptSignHash. I've discovered a
> problem with the base64 decoding function I use to decode the
> hash I want to
> sign, so now I get a different signature from RSA_sign bu
> Hi Srinivas,
> We compiled our code with the new version of lib files from
> openssl-0.9.8j version and replaced the new client dll's.
> Does any specific step have to be followed?
> Regards,
> Sweta
Did you compile against the new header files?
The client is saying the server cut the TCP conne
> the application read the first
> 1500 bytes, then "select(...)" no more indicates that something has to
> be read on the fd. So the OFTP application behind the gateway doesn't
> send the new "credit authorisation" because it didn't receive the
> complete previous credit. And the sender waits unt
> > be aware that SSL BIO's (and (SSL*) sessions!) are 'threadsafe'
> > in the sense that OpenSSL *assumes* a (SSL *) or
> > /any/ BIO remains inside a single thread from the moment it
> > becomes 'active', i.e. is set up / is going to do some work.
This is completely incorrect. It's totally nonse
> I'm trying to create a sub-ca with name constraints for website
> certificate generation with the effect that sub-ca can sign only certs
> for *.mydomain.com, i.e. anything ending in .mydomain.com
> thanks
> stephen
You should be aware that, unfortunately, this is only possible in a
controlled
> Francois -
>
> Thanks for your reply.
>
> On the source (where I am running openssl client):
> - The windows firewall is disabled (I have no other software
> based firewall
> software loaded)
> - I can connect to other (non-windows 2008/iis7) destination servers
> properly using the openssl clie
> We have upgraded Openssl in our application to Openssl-fips-1.2
> along with Openssl-0.9.8j, so that we can run the server (Apache
> webserver)
> in FIPS mode. After the changes, the server works fine in FIPS mode, on
> most
> of the systems, except for these two machines, where the server refuses t
> Hi,
>
> My application uses EPOLL. I have integrated openSSL in my
> application. While running the application with 2000 clients, the application
> takes 100% CPU usage. If I change my application to use "select" it works
> fine.
>
> Please suggest regarding this.
>
> Thanks in advance for
> The end result is that I had to change the makefile to -q32 to get
> it to work with the openssl-0.9.8j distribution, which smartly does
> use 32_64 mode and will FAIL if I did not change the fips-1.2 makefile.
This violates the security policy and invalidates the FIPS certification. You
cannot c
> Hi All,
> I have some weird problem extracting Subject field from certificate
> when using windows API and openssl API.
> Using windows API results the following subject:
> e=li...@mailaddress.com,CN=lior,OU=SLS,O=Sales,L=Depart,S=NLS,C=DE
> And using openssl API / openssl.exe utility result
> I have a general query regarding FIPS mode.
> I am running a simple openssl https server based on openssl
> that services https requests from Windows clients.
Is it in FIPS mode, yes or no? If not, then you cannot claim it is FIPS
compliant.
> I have the following setting in my windows XP
> I have some doubt regarding FIPS-capable openssl... If in my system,
> one of my applications gets into FIPS mode, is that going to
> affect other applications using FIPS-enabled cryptographic algorithms?
No.
> I have seen in some fips enabled library, if one application gets into
> Is there any way I can make my implementation of openssl
> FIPS capable and FIPS compliant?
If you change even one line of code or one parameter in the building of the
canister, you have to go through the FIPS process yourself. Contact any of
the 13 accredited testing labs.
http://ts.nist.gov/
> thanks for the response.
>
> I just need the certificate to securely identify that a request is
> coming from who I think it is coming from.
Then you need some way to distribute a certificate to that endpoint and for
the other end to know what certificate that endpoint has.
> My goal is that I can
> Hello,
> I am currently developing an interface to a 3rd party product that
> requires
> HTTPS support using an X.509 certificate.
> I have been given instructions on how to generate the certificate using
> openssl.
> While in development mode (this is a commercial product), do I need
> to include
> Why does the call to d2i_ECPrivateKey(NULL, &pptr, len); always fail?
Because you didn't pass it a key. Change that 'NULL' to 'eckey'.
DS
__
OpenSSL Project http://www.openssl.org
User Support
> One final question. Given that non-FIPS mode openssl can talk with FIPS
> validated implementations, let's say I have a server
> which is using openssl in non-FIPS mode which speaks and supports all the
> ciphers (including the FIPS ciphers). Now for a FIPS validated client is
> there any way for
>> FIPS validated cryptography is mandated on endpoints which handle
>> sensitive information by the US Federal Government (though current
>> practice includes "procurement", not necessarily "implementation").
> Thanks David and kyle for your time.
> Hi,
>
>
> Do you know why an extra character "/" is attached in front of the
> subject name?
>
> X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
>
> fprintf(stderr, " Subject = %s\n", data);
>
> The output is like "/CN=XXX.hp.com".
>
> Carol
X509_NAME_oneline is known to be buggy and
> Hello all,
> I have a general query regarding FIPS mode. I am running a simple openssl
> https server based on openssl that services https requests from Windows
> clients. I have the following setting in my windows XP "Use FIPS compliant
> algorithms for encryption, hashing and signing set to 1"
> Victor Duchovni wrote:
> > Because in almost all cases that's exactly the right advice.
> >
> > The cryptography learning that is sufficient and desirable is from books
> > such as "Applied Cryptography" which cover protocols and algorithms
> > at a high level. Studying the implementation or cre
> buff = (char *)malloc(bptr->length);
> memcpy(buff, bptr->data, bptr->length-1);
> buff[bptr->length-1] = 0;
Umm, you don't copy the last byte of data. You don't allocate enough space to
hold the data and a terminator. This is probably your main error. How will
'buff' hold a C-style string wh
> When I use to encrypt data, I have no problems.. when I
> decrypt the result of this code, I have no problem...
> when I decrypt with this program, I have
> 13015:error:06065064:digital envelope routines:
> EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
> The EVP_DecryptUpdate works ok, dec
> Hi... a simple question, I hope somebody knows the solution:
> I need to use the EVP_DecryptUpdate... but for the fifth argument,
> I need the length of the encrypted data.. how do I do this? I'm sure that
> strlen doesn't work...
You cannot have a chunk of data without knowing how big it is. What it means to
"h
> Has anyone seen problems encrypting credit card numbers with BlowFish.
> When encrypting with a 32 char or a 56 char key there are a number
> of values that are not encrypting and thus decrypting all of the
> characters.
This sounds like a classic example of bugs caused by the "everything i
Olaf Gellert:
> I would not say so. If I found a CRL which contains the
> self signed root certificate I would stop trusting it
> immediately.
Why? What do you think that CRL means? Specifically, do you think it means
the public key was compromised? Do you think it means the issuer of the
origin
> Can you please elaborate on how would the higher-layer security
> infrastructure go about this?
Simply put, whatever put the certificate in its trusted position is what is
to remove it. If a CA says to trust a certificate, that CA can say not to.
But if the certificate is self-signed, the trust
Ger Hobbelt wrote:
Okay, so if I get this right, you're saying you want to verify the
server certificate BUT you do NOT want to check its activation date /
expiry date (i.e. the time range over which the certificate is valid)?
I'll forego the very bad security implications of such a wish (those
On Sat, 2009-01-24 at 23:03 +0100, Georges Le grand wrote:
> So it is like an SSL VPN with data encapsulated into HTTP Packets, but I
> don't get how HTTP runs over UDP.
Probably best explained by the code... it just uses HTTP for the initial
setup -- a CONNECT request with an HTTP cookie for au
On Sat, 2009-01-24 at 00:13 +0100, Georges Le grand wrote:
> I wonder if you could give out a reference on how to establish a VPN
> using DTLS or to tell how to do so.
We are just using Cisco's "AnyConnect" VPN, which runs over an HTTPS
'CONNECT' and will use DTLS for subsequent data transfer if i
> All,
>
> I am trying to build OpenSSL-fips-1.2 on a Solaris 10 machine
> with Sun Studio 8 and force it to build 32-bit objects. Is there
> a way I can do that without changing the makefile and thus
> violating the fips validation?
I'm not specifically familiar with 64-bit Solaris, but I k
On Thu, 2009-01-22 at 06:10 +0100, Robin Seggelmann wrote:
>
> To avoid getting into trouble with already fixed bugs you should apply
> the patches I sent to the dev list. I'll set up a website with a patch
> collection and some instructions soon.
Is there anyone who actually cares about DTLS
on is missing
CertUtil: -dsPublish command FAILED: 0x80070490 (WIN32: 1168)
CertUtil: Element not found.
So I assume this means I need the CRL Next Publish oid somehow... Or I
have something messed up above.
Please help
-
DAVID B
> Please note that I can not solve this problem via the protocol that I
> use on top of DTLS - which is IPFIX - because IPFIX - by definition -
> only *sends* but does not receive data. I.e. I can not infer that the
> server crashed from the fact the he does not send any data because he
> does not
We are experiencing the following error intermittently when we create
SSL connections via PHP + cURL:
error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines
We're running Arch Linux, with Apache 2.2.10 and the latest Pacman
modules for PHP (5.2.7-2), cURL (7.19.2), and OpenSS
> Hi,
>
> I am writing an application that uses openssl to do some encryption and
> decryption. I am wondering if there is a way, on the command line or
> otherwise, to make sure that no memory that OPENSSL is using is ever
> paged out to disk? I want to make sure that after the program is done
>
Edward Diener wrote:
> > 1) You need someone to confirm that having a client use a
> > known-compromised
> > private key to authenticate over SSL is no worse than the
> > client using no
> > key at all. It seems to me like you'd almost have to try to make this a
> > problem, but who knows -- mayb
Edward Diener wrote:
> Perhaps your seeing this shows why I was at least nominally concerned
> about the MySQL client having its own public key-private key
> certificates. I have tried to find out what actual use the client's
> public key-private key has in MySQL, from either the client or the
>
> I can understand your summary quite clearly.
Great.
> Suppose the server encrypts data it sends to the client and the client
> needs to decrypt that data. This is the case when my client SELECTs data
> from the MySQL database. Does this need a different sequence than the
> sequence mentioned a
> The TLS protocol did not fail, what failed is the X.509v3 protocol where
> algorithm choices are not made by SSL users, rather the poor choices
> were made by CAs, who should have known better, and in any case have
> largely phased out MD5, with Verisign (reportedly) just one month away
> from c
Edward Diener wrote:
> In this last case I do not understand how the client can encrypt data
> going to the server if it has no private key of its own.
Your question is kind of puzzling. Why would the client need its own
private key in order to encrypt data going to the server? In general,
priv
Victor Duchovni wrote (ironically, just a week ago):
> No, it is the protocol design (how all the pieces fit together), not the
> specific algorithms that make it secure (yes the pieces have to have
> the right general properties, but this is secondary).
I can't resist pointing out how today's n
Edward Diener:
> But other than vague remonstrances about security planning, and that I
> was not qualified as a mere "programmer" to handle security issues from
> people who have no idea about my ability, I have yet to receive any
> specifics from others about what they would do in this very com
Edward Diener
> > Your scheme requires you to put the credentials where an
> > attacker can get them in unencrypted form. All an attacker need
> > do is terminate your process as soon as it attempts a network
> > connection (or intercept its filesystem calls and snapshot every
> > file before
Edward Diener wrote:
> Please suggest ways to do so. The server is no different from any other
> server database. It accepts a username/password to prevent unauthorized
> users from accessing its data. I am perfectly willing to listen to other
> server techniques which involve security, or rea
Kyle Hamilton wrote:
> If your company hires a security consultant, s/he will state the
> same thing.
>
> -Kyle H
The fundamental problem is this:
You have one door. Every customer must walk through it. However, you don't want
a customer to run amuck once he gets through the door. Your solut
> It is not just about you but about many people that have skills
> in security,
> but I have this feeling that those people like to bash on
> newbies, thinking
> that they are stupid.
Would you want to drive over a bridge that was built by a newbie engineer
who didn't think it was important to
> No, my risk model is to simply ascertain whether distributing the certs
> as files in the application directory is a serious security risk or not
> and, if it is, what steps can make it less so.
If it's a security risk, it's because something is broken someplace else.
Why do you need to hide a
> > If we want secure compare
> > by hash, then almost any sync protocol that uses SHA-256 will
> > be fine but
> > almost any that uses MD5 will not. Why? Because SHA-256 is good
> > for compare
> > by hash and MD5 is not. Any protocol that's not brain-damaged that uses
> > SHA-256 will work, and
> - Don't choose algorithms for security, choose protocols for
> security.
That sounds completely backwards to me. When we have a set of security
requirements, the first thing we do is select the algorithms that meet those
requirements, then we look for protocols that implement them.
F
> > Why not use the RSA key for this purpose, using an established
> > and tested
> > algorithm? Since you have the RSA key, and there are any number of
> > established algorithms to use an RSA key for encryption, why
> > did you roll
> > your own?
>
> This too is wrong,
If it's wrong, why did yo
> For information: I am using this key to encrypt / decrypt files
> locally on a
> host.
Why not use the RSA key for this purpose, using an established and tested
algorithm? Since you have the RSA key, and there are any number of
established algorithms to use an RSA key for encryption, why did y
> And, I should note, you've already proved our point a dozen times
> over. Your
> code contains three separate bugs, all of them extremely serious. For
> example, you used the byte size of the *MODULUS* (that's what RSA_size
> returns) as the hash input size for the private key.
And, by the way,
BiGNoRm6969:
> Never heard about binary specification of the RSA* private key.
> Can you give
> more more information about that please.
Okay, think about this logically. You want to take the SHA256 hash of an RSA
private key and get the same result every time. But the SHA256 hash function
takes
> Hi!
>
> I am doing a SHA256 on a RSA* private key. I used the result as a
> symmetric
> key for AES encryption.
Do you have a specification for how to do this? What ensures that the RSA
private key has the same binary representation each time?
For example, "3" and "03" represent the same numbe
> Ok. I am a little bit confused. You are telling me that a same
> data encrypted
> with the same key can generate different results?
Yes. This is absolutely essential for any public-key system to be secure.
Imagine if someone asks you, "Should we attack at dawn? Send the message
securely using m
> Hello,
>
> Can you explain to me how SSL can be secure, communicating first by the
> public key, and then negotiating a private key?
>
> If anyone can get the public key, anyone can get the private one by sniffing
> the packets.
>
> Thanks.
> Walter Neto - Brazil
Private keys are never sent over the netwo
> The only reason I'm installing openSSL is because Perl SSH2 requires it.
> Am I getting too deep into this or is there another way I can get the
> library I need?
Get OpenSSL-0.9.8e or any other version that SSH2 supports.
> > Then how would I fix it so it would compile and not violate
> > an
> Then how would I fix it so it would compile and not violate any security
> policy
Getting a FIPS build just right is a major pain and requires all kinds of
trade offs. I just wouldn't bother unless you absolutely, positively must
have a FIPS build for some reason.
What you have to do is find s
> In the non-blocking mode, is there a better way than watch return value of
> BIO_do_accept() in a loop ?
>
> Is there a way to be notified when a handshake is initiated from
> the client
> ? A kind of "WAITINCOMINGHANDSHAKE" which have a timeout ? Or
> nothing else ?
>
> The OpenSSL documentatio
> > I used fwrite(signature,1,strlen(signature),fp) and got the
> > same results.
You seem to have a fundamental misunderstanding about how strings work in
C. That's not good for someone writing security software. The 'strlen'
function computes the length of a C-style string. The signatu
> SSL_accept always returns < 0 error. With SSL_get_error I found that the
> error is SSL_ERROR_WANT_READ.
> During debugging and troubleshooting, I realised that when I use "normal"
> blocking windows socket, SSL_accept works fine.
>
> Why using non-blocking windows socket caused that error ?
Th
> Hi all,
>
> it seems that I am missing the usage of the set of obscure functions:
>
> CRYPTO_set_dynlock_create_callback()
> CRYPTO_set_dynlock_lock_callback()
> CRYPTO_set_dynlock_destroy_callback()
>
> but I have no idea how to initialize those functions - is there
> any
> RSA_verify(NID_md5, datatosign, (strlen(datatosign)), signature,
> strlen(signature), key);
The 'strlen' function is only usable on a C-style string. The signature cannot
be a C-style string because it is arbitrary binary data.
> Best regards,
> Am. Sivaramakrishnan
DS
__
> Where am i going wrong here?
> char* message = "Hello World";
> if(RSA_sign(NID_md5, (unsigned char*) message, strlen(message),
> signature, &slen, private_key) != 1) {
The problem is that your RSA key is very small. A 256-bit RSA key can only
sign up to 32 bytes. 11 bytes are
> I'm using RSA to encrypt/decrypt some text. I encrypt the data using the
> private key and then decrypt it using RSA_public_decrypt(). One thing i
> noticed was that if the data was not encrypted using the correct
> private key
> that RSA_public_decrypt() will just set the output to gibberish.
> Yes. Hence the correct solution would be non-blocking with select()...
>
> Best regards,
> Lutz
How do you determine (portably) if the socket you got from 'socket' is
inside the legal range for FD_SET? Many platforms, including Linux, will
happily allow 'socket' to return values that are w
>> So what do you want to do if you run out of entropy?
> Fail with an error condition stating that, rather than
> the indeterminate hang in read() that was experienced.
I believe you need to compile with EGD support then. This will get you the
behavior you want. EGD provides no way to tell whet
> That's a great question. Indeed, this platform (AIX) does have
> /dev/random but apparently that too was exhausted because that
> is checked first in our implementation. I think the fault is truly
> with the system in question, because prngd should not have blocked
> in the manner it did. Des
Ben Sandee wrote:
> On Thu, Nov 6, 2008 at 9:11 PM, David Schwartz <[EMAIL PROTECTED]>
> wrote:
>> > There needs to be a call to fcntl(fd,F_SETFL,O_NONBLOCK) just after
>> > the socket() call and error status check.
>> That will just waste CPU. The code will spin
> There needs to be a call to fcntl(fd,F_SETFL,O_NONBLOCK) just after
> the socket() call and error status check.
>
> -Kyle H
That will just waste CPU. The code will spin in each "while (!success)"
loop until it gets what it wants. It will still not return any time soon, but
will do so at
> All -
>
> I am using OpenSSL with memory BIOs for the communication. I have
> everything working just fine, until I came across a server that sends
> Application data in the final packet of the TLS handshake.
> Specifically, Wireshark shows the following in its output :
>
> Change Cipher Spec,
> Thank you again David,
You are welcome.
> As for the network issue scenarios here are some details about the last
> case:
> 1) The server is running on UNIX, the client is running on windows or unix.
> unplug the client or the server. The server does not report anything!
Logical,
. What the implications are, with respect to having
a predictable pattern in the connection message is in relation to making
a known plaintext/crypto text, I'll leave to the experts.
Or I may be misunderstanding your needs (-:.
David Richardson
> On 2008.09.22 at 16:37:58 +0200, F. wrote:
>
> > Any way to collect only from HRNG?
>
> You can write your own RAND_METHOD
> and encapsulate it in the engine module.
>
> Then you can load this engine via openssl.cnf
> and set default rand method to this engine.
>
> Really, this is not very good
> So I can now see the Solaris side. It appears it gets
> "gibberish", probably
> encrypted data. Does anyone know why it would appear that the socket is
> not decrypting the data? This same code works fine on a Windows system.
>
> SSL_ca_file: /opt/bf-567/Platform/keystore/CA.pem
> SSL_cert
> Calling SSL_accept.
> Error code: 5
> error::lib(0):func(0):reason(0)
> Error: SSL_ERROR_SYSCALL, errlist: No such file or directory
> WSAGetLastError, rc=0
>
> This is basically the APIs I call to get the above information.
>
> err = SSL_get_error(ssl, rc);
> printf("Error code: %d", er
> Thanks David.
> Unfortunately option 1) and 3) are not possible for my clients.
In other words, you cannot engineer a sensible option and have to fake it.
That's fine, but solutions that aren't engineered tend to be poor.
> option 2) seems the way to go for me, b
> Hello,
>
> In appendix B of the openssl FIPS security policy it is stated
> that the module must be built with a particular tar file
> (openssl-fips-1.1.2.tar.gz) and a hmac hash value for the tar
> file is specified. Furthermore it is stated that there shall be
> no additions, deletions, or alt
Md Lazreg wrote:
> Actually the same question is valid even if I am not using SSL sockets.
> So is there a way to distinguish between if a socket was closed because
> of a client crash or because of a network issue? If yes, is there an
> equivalent under SSL sockets?
You have three choices:
1)
hould understand in SSL and Certificates?
Thank you in advance!
David Carvalho
Let me try one more time to explain the problem with an unrealistic, but I hope
easy to follow, example. Consider:
A <-> B
Now, imagine A sends a message to B requesting some unit of data. B begins
sending a very, very large chunk of data to A, many tens of MB. After 10 MB or
so, A realizes t
> please tell me where the deadlock is.
> As far as I know a deadlock arises when one process locks a
> resource another
> process requests and vice versa.
A deadlock occurs when two or more agents are waiting for each other. Neither
can make forward progress until the other does. This is preci
there anything that I
fairly clear and I should understand in SSL and Certificates?
Thank you in advance!
David Carvalho
> Hello list,
>
> I write an application which acts like a proxy/repeater between
> two ssl - endpoints. For my app I use OpenSSL 0.9.8g.
> The two endpoints connect to the app and identify themselves
> using an id (Both use the matrixssl implementation for ssl handling).
> Two matching id's sta
> > I was thinking about an alternate solution, using blocking sockets,
> > and doing the connect on another thread. If the user cancels the
> > operation I'd close the socket (BIO_free) and I guess the connect
> > would return with an error and the thread would exit then. Seems a
> > little dirty
> I was thinking about an alternate solution, using blocking sockets,
> and doing the connect on another thread. If the user cancels the
> operation I'd close the socket (BIO_free) and I guess the connect
> would return with an error and the thread would exit then. Seems a
> little dirty but it co
Gabriel Soto wrote:
> {
> // Create BIO with some random nonexistent host.
> BIO *bio = BIO_new_connect("192.168.9.9:");
>
> if (bio == NULL) {
> // Failed to obtain BIO.
> return false;
> }
>
> // Set as non-blocking.
> BIO_set_nbio(bio, 1);
>
> //
> Never ship a Shared OpenSSL library. Anyone can rebuild it to output
> the socket buffer to disk prior to encryption and replace yours.
>
> :-)
A party to an encrypted conversation can put its contents in a full-page ad
in the New York Times if they want to. There's no need to keep a
conversati
> David Schwartz wrote:
> > Which is pretty much the same as every other operation. If you
> > call 'send'
> > or 'write' on a blocking TCP socket, and you get a zero return,
> > does that
> > mean the data has been sent? No. It means the d