/* now sign the request generated */
sprintf(cmd,"openssl ca -batch -config %s -in %s -days
%d -out %s -passin
pass:%s",ROOTCA_CONFIG_FILE,temp_cert_req,CA_SERVER_VALID_DAYS,tmpcert,ROOTCA_PKEY_PHRASE);
ret = system(cmd);
This is what I have in my program and it works non
interac
Dear Kadir,
Did you enable mod_ssl while building httpd?
Is mod_ssl listed in "httpd -l"?
Most likely httpd doesn't recognize the directive
"SSLEngine" since mod_ssl is not able to see it.
Hope this helps.
Also this mail belongs to Apache mailing list. :-)
regards,
Girish
--- kadir iscmng
Try calling EVP_CIPHER_CTX_cleanup(&ctx) at the end...
--- Felix Dorner <[EMAIL PROTECTED]> wrote:
> Hi,
>
> the following code executes once, and does fine.
> Calling the function a
> second time gives a segfault during the call marked
> by "-->"
>
> unsigned char *encrypt_message(unsigned cha
Try calling EVP_CIPHER_CTX_cleanup(&ctx) at the end...
--- Felix Dorner <[EMAIL PROTECTED]> wrote:
> Hi,
>
> the following code executes once, and does fine.
> Calling the function a
> second time gives a segfault during the call marked
> by "-->"
>
> unsigned char *encrypt_message(unsigned cha
Dear Pjothi,
Making an application TLS aware/TLS enabled is not
much trouble once you have access to the source code.
You have to set up the SSL/TLS server with proper
X.509 certificate and corresponding private key,
specify which protocol(in your case TLS v1) you want
to use and then call SSL_acc
There is a utility called "certpatch" developed by
OpenBSD folks for including the SubjAltName extension.
I have modified it a little bit to suit my need.
This utility modifies the certificate in place and
regenerates the hash. Perhaps you can modify it a
little to suit your need.
If all you nee
It seems to be 7200 seconds on my system even though
the man page says the default value is 300 seconds.
I don't think it possible to specify the timeout in a
system-wide config file without any effort from your
part. You can however have another config file and set
the timeout using SSL_CTX_set_
The standard practice is that of ignoring SIGPIPE in
all TCP servers.
signal(SIGPIPE,SIG_IGN);
OpenSSL cannot help you here because the problem
occurs at a lower level(TCP).
I remember seeing this line in the ssh server source
code as well.
regards,
Girish
--- Alberto Alonso <[EMAIL PROTECT
None of the solutions suggested by others in the list
will protect you against a SIGPIPE for the simple
reason that it is a fatal signal if not handled or
ignored and it can come at any time during the TCP
session...
Ignoring SIGPIPE is one of the steps in writing a
server daemon and it is standar
None of the solutions suggested by others in the list
will protect you against a SIGPIPE for the simple
reason that it is a fatal signal if not handled or
ignored and it can come at any time during the TCP
session...
Ignoring SIGPIPE is one of the steps in writing a
server daemon and it is standar
--- Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> SIGPIPE is a remnant of BSD attempting to overlay
> UNIX socket (named
> pipe) semantics onto TCP/IP connections. If the
> socket that you are
> writing to is a socket (or pipe), AND the pipe is
> closed, then you
> receive a SIGPIPE.
>
> In this
SIGPIPE is fatal if not handled or ignored and it can
come at any time during the TCP session. Which means
that none of the solutions suggested by others in the
list will work.
And it is wrong to rely on OpenSSL for solving a TCP
closure at the remote end which is essentially a TCP
issue.
write
AFAIK Blowfish key setup times are very high. That
might account for the difference.
All things being equal AES certainly gives you more
security than any other cipher.
And AES was chosen also because it was found fit for
implementation on severely constrained embedded
devices. So you get both
Doug,
Certpatch was needed when OpenSSL did not have support
for SubjAltName. That is the reason you don't find it
in the latest version of OpenBSD.
You will find certpatch in an old CVS snapshot in the
OpenBSD tree.
I am attaching a slightly modified certpatch for your
use.
All the best!
re
You should take care that the key and IV are indeed
same. What I mean by that is that in the C and Java
code you should hardcode the actual hex values and it
should have the exact length. For instance DES
requires 8 byte key and you should hardcode something
like this.
unsigned char key[8] =
{0x1
The problem you are talking about seems to be
occurring at the TCP layer even before things come
into the hands of SSL_accept().
So I suggest you test this without SSL first.
You might hit some SSL session reuse limit and get a
similar problem but yours doesnt seem to be that.
And 150 is a ver
I tried your code and I had a suspicion that using the
*_ex() functions along with *() functions can cause
trouble. Which is what has happened in your case.
Here is the correct code for your reference. You are
supposed to stick to either Init_ex() , Final_ex()
functions or Init() ,Final() functio
Sorry if I sound too obvious.
Actually I think you need to allocate space for the
buffer, try with
unsigned char buf[4096] or something.
I am sure you have tried it ...
regards,
Girish
--- vipin rathor <[EMAIL PROTECTED]> wrote:
>
> hi all,
> i need to fetch the thumbprint of the X50
Padding is a standard enforced by encryption algos and
protocols and independent of language...
I suggest you use the openssl enc command line to
verify the padding with Java.
It will certainly work. Actually DES padding scheme is
very simple. It is only 4 lines of C code.
regards,
Girish
---
Kyle is the best person to explain these things to
you. However I will make an attempt. Please find
answers inline.
--- michael Dorrian <[EMAIL PROTECTED]> wrote:
> I make a client and server certificate and then sign
> it with the root cert.Are these generated
> certificates the public keys?
Yes
It seems both are used. But i am not sure
> about exactly how they are used. The diffie hellman
> one is the ephemeral keying one and thats about all
> i know..any help would be great thanks.
> Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
> Kyle is the best person
Looks like I have not understood your problem.
Why do you have to do an SSL_read() to figure out if
it has closed? SSL_write() will fail it the other side
closes...
--- michael Dorrian <[EMAIL PROTECTED]> wrote:
> Here is the relevant code. The problem is in this
> do_client_loop. I need to rea
openssl-0.9.8a/crypto/hmac directory has the hmac
interface code.
openssl-0.9.8a/crypto/sha directory has the sha
implementation and
openssl-0.9.8a/crypto/md5 directory has the md5
implementation.
Now you take the relevant files, remove the
dependencies and compile...
All the best!
regards,
the ENGINE interface is the hardware interface of
OpenSSL. If you are not using any cypto hardware you
can safely
#define OPENSSL_NO_ENGINE
CRYPTO_cleanup_all_ex_data() is defined in ex_data.c
file. Make sure your compiler picks up the definition
from there...
--- Namrata Patil <[EMAIL PROTECTED
Random number generation always depends on the PRNG
being seeded first.
The man page clearly mentions that.
Add RAND_seed() or RAND_add() with the required
entropy required before calling RAND_bytes(). In a
pseudorandom number generator the seed uniquely
determines the random sequence. So you
AFAIK it uses something called NSS, which is another
SSL implementation.
http://www.mozilla.org/projects/security/pki/nss/
HTH,
Girish
--- Dan M <[EMAIL PROTECTED]> wrote:
> What does Firefox use for SSL? Is it a custom
> implementation, or does it
> use something similar to the CryptoAPI?
>
The IV is used only for decrypting the first block
since after that the first block serves as the IV for
the second block and so on.
To answer ur question, the IV has to be known at both
sides along with the key.
regards,
Girish
--- Wai Wu <[EMAIL PROTECTED]> wrote:
>
> Do the Initial Vector
bcoz d2i resolves to d2i_X509() , not to
d2i_PrivateKey
--- �� ���� <[EMAIL PROTECTED]> wrote:
> when i use PEM_read_PrivateKey find it work error
> ,so i look into
> PEM_read_PrivateKey to find the reason.
> first i find in
> #define PEM_read_PrivateKey(fp,x,cb,u) (EVP_PKEY
>
TED]> wrote:
> how come ? plz explain.
>
> On 6/13/06, Girish Venkatachalam
> <[EMAIL PROTECTED]> wrote:
> >
> > bcoz d2i resolves to d2i_X509() , not to
> > d2i_PrivateKey
> >
> > --- �� ���� <[EMAIL PROTECTED]>
> wrote
I think ur HP UX box is not able to get enough random
data to seed its PRNG. Consider using the -rand option
as suggested by the error message or figure out what
is different in HP UX. Maybe the devices
/dev/(u)random is not configured properly
randomness is very imp for cryptography
--- Matthew
Right. If I were you I would use kqueue() on *BSD or
epoll() which is avail only on 2.6 linux kernels.
I am not sure what you are trying to achieve but it
may be worthwhile to take a look at libevent by Neils
Provos as well. It abstracts out select(), kqueue()
and epoll() thus making ur app porta
First you create a certificate request using the
openssl req command. I guess that is what you have
done now. The default output format for that is pem.
The next step is to get the certificate request signed
by a certificate authority. This is accomplished using
the openssl x509 command. This wi
I don't know what your need actually is , the only
impediment to using sha1-512 is that the compiler has
to suppor the 64 bit long long type. Some embedded
systems may not have this support.
Other than that, you can easily follow the code. I
have seen one implementation in the OpenBSD IPsec
source
I am guessing here, did you check the methods you
specified in SSL_set_ssl_method() ? Most
interoperability problems are caused due to this.
Since some cipher suites are not supported in some
protocols it might be a good guess. :-)
HTH,
Girish
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> Hello
> ====
>
>
>
> Has someone faced this kind of problem earlier?
> Could anyone throw some more light on this?
>
>
>
> ~ Urjit
>
>
>
> - Original Message -
>
> From: "Girish Venkatachalam" <[EMAIL PROTECTED]>
>
Yes, u can use setsockopt(...TCP_NODELAY) before
SSL_set_fd(). OpenSSL doesn't care about Nagle.
regards,
Girish
--- Leandro Gustavo Biss Becker
<[EMAIL PROTECTED]> wrote:
> Hello
>
> Can I disable Nagle algorithm using OpenSSL? My
> application always send
> entire buffers to openssl, so I thi
As far as block ciphering goes, it just munches input
data. It really doesn't care whether the input is text
or xml(special form of text) or binary data.
So I think you should not worry about that. There are
examples of how to use the crypto functions in OpenSSL
in the man pages. "man evp" will h
Urjit,
I got it working once I replaced
"EXP-DES-CBC-SHA" with
"DES-CBC-SHA"
I think you might have to do something special to
enable export quality ciphers.
regards,
Girish
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> Hi,
> I have attached the sample server and client
> programs for your
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> Hi,
> Thanks for the reply.> > Urjit,
> > >
> > > I got it working once I replaced
> > > "EXP-DES-CBC-SHA" with
> > > "DES-CBC-SHA"
> > >
> > > I think you might have to do something special
> to
> > > enable export quality ciphers.
> > >
> >
> > Th
You urself answered it just now! :-)
The client doesn't matter, so you can connect to
s_server...
--- Urjit Gokhale <[EMAIL PROTECTED]>
wrote:
> > Well ... In that case,
> > A] how is it that s_server and s_client can
> > communicate
> > 1) Using the same ssl library
> > 2) Using the same certif
I am afraid few can help u with this. "man 3 rsa" on a
linux/*BSD system might help u.
The code samples at www.opensslbook.com have couple of
samples IIRC
All the best!
regards,
Girish
--- Neil Dugan <[EMAIL PROTECTED]>
wrote:
> Hi,
>
> OpenSSL newbie here, I am looking for an 'C'
> example/
In a blocking socket when a network read freezes, it
is normal. It only means that nothing arrived on the
socket.
You got to take a look at the MSN protocol. With HTTP,
it might be sending a TCP FIN or something which is
why it is working in that case...
--- Robert Olsson <[EMAIL PROTECTED]> wro
Excuse me if I am saying the obvious.
But did you factor the fact that an SSL renegotiation
or handshake can happen anytime during the
conversation?
Irrespective of whether you are doing SSL_read or
SSL_write... That is why you have to check for pending
write during a SSL_read and vice versa in
Do you know stunnel ( www.stunnel.org ) ?
You could use that to setup https tunnel.
man evp will give u enuf info on encrypting strings
with OpenSSL.
OpenSSL really is the definitive resource for
cryptography. :-)
Please find attached my code. It may be of use.
regards,
Girish
--- "Mayorga,
Don't know the specifics but you do need all certs
till the root CA for verification in the web of
trust model.
You navigate up and up with the issuername matching
the subject name until both are same.
HTH
--- "Michael P. Soulier" <[EMAIL PROTECTED]>
wrote:
> Marek Marcola wrote:
> > Maybe
Mayorga,
--- "Mayorga, Armando CTR NIOC Norfolk N361"
<[EMAIL PROTECTED]> wrote:
> Hello all,
> Could someone please clarify this for me and correct
> me if I am wrong
>
> I am using AES_encrypt and AES_decrypt which
> apparently only work on
> chunks of 16 bytes of data, my goal is to create my
Hello,
--- Bu Bacoo <[EMAIL PROTECTED]> wrote:
> Instead of modifying the BIO, I've also tried to set
> it's socket to
> non-blocking mode. Same result, BIO_do_connect
> returns -1
This is good news then since it is expected behavior.
:-) You are doing nothing wrong till now. However you
have to
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Sat, Jul 22, 2006, Bu Bacoo wrote:
>
> > Thanks you both... after correcting my
> BIO_do_connect (and all
> > read/write following it) -> adding retries (as
> Girish pointed), it
> > works just fine.
> > Now I'll check the errors, mentioned
> But it
> would appear that
> this is the hard way to do it and have heard
> numerous recommendations to
> instead use the EVP API, but I have found minimal
> examples on how to do
> this. Does anyone have some sample code?? And also I
I had sent one few days ago. I am sending it again.
HTH,
Giri
Deval,
--- DEVAL SHAH <[EMAIL PROTECTED]> wrote:
> Hello,
> I have openssl installed on a Solaris machine. I
> have logged in as a root
> user. I goto /usr/local/ssl/bin and try to run
> openssl command. It gives me
> this error:
> openssl: not found.
>
How was it installed? Was it installed al
-- Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> If you installed it to /usr/local/ssl/bin, and you
> have changed
> directory to /usr/local/ssl/bin, then the most
> likely scenario is that
> you do not have "." in your $PATH.
>
> I consider it a security risk to have the current
> directory in your
--- Marten Lehmann <[EMAIL PROTECTED]> wrote:
> Hello,
>
> how can I view the information that are contained in
> a CSR, KEY or
> CRT-file? E.g. for which hostname a cert is issued,
> when it will expire,
> who is the company it is issued for ...
man x509
For eg,
$ openssl x509 -text -noout
--- Robert Butler <[EMAIL PROTECTED]> wrote:
> Hi everybody. I'm trying to set up an OpenSSL
> Certificate Authority for use with my
> recently-installed stunnel 7.x installation-
> only, I'm having a hard time creating the cacert.pem
> file. It seems that OpenSSL wants an infile when
> generat
--- GUIRY Aroun <[EMAIL PROTECTED]> wrote:
> Hi all
>
> I am doing a simple ssl server/client. I use a
> select function to read
> and write in the socket.
> From my client I send 1KB of data, in one time, and
> then I expect to
> read it in the server.
> In the server appli, I have got a
--- Robert Butler <[EMAIL PROTECTED]> wrote:
> Okay, that works, I get an OK from OpenSSL, but now
> I'm getting other,
> more cryptic errors-
>
> DEBUG LEVEL: 7 (Dump to Screen)
>
--
> [EMAIL PROTECTED]:~/stunnel# sbin/stunnel
Dear Jon,
--- Jon Perkin <[EMAIL PROTECTED]> wrote:
> Hi folks.
>
> Apologies if this is the wrong place for my query,
> as I'm not sure how to
> track down whether my problem lives in core OpenSSL,
> in the Perl OpenSSL
> modules, or in the LWP modules I'm trying to use
> them via.
>
> I'm tr
--- "Bhat, Jayalakshmi Manjunath"
<[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I am trying to complie openssl.9.8a on HP-UX. I am
> getting errors
>
> ../../include/openssl/pem.h:610: parse error before
> `RSA'
> ../../include/openssl/pem.h:611: warning:
> return-type defaults to `int'
> pem_all.
ersion of OpenSSL headers.
Try adding -I/usr/include/openssl or some such to a
recent version to your CFLAGS. Make sure you install a
recent version of OpenSSL first.
Best,
Girish
>
> Regards,
> Jaya
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--- "Michael P. Soulier" <[EMAIL PROTECTED]>
wrote:
> Hey,
>
> I'm on a CentOS 4.3 Linux system, and ssh-keygen is
> occasionally
> crashing. The backtrace from the coredump shows that
> it's in openssl.
>
> Core was generated by `/usr/bin/ssh-keygen -l -f
> /etc/ssh/ssh_host_key.pub'.
> Progr
--- [EMAIL PROTECTED] wrote:
> Hello openssl-users,
>
> For some peculiar reason I need to have a
> base64-encoded file to be
> written as one single line.
> Currently I get nice-looking, properly-wrapping
> files that I have to
> edit manually.
> What BIO flag should I set to avoid t
--- [EMAIL PROTECTED] wrote:
> Hello openssl-users,
>
> I generate an RSA key-pair like this:
> openssl genrsa 1024
> And put it's output into a PEM file.
> Now I need to read both private and public parts
> of the key-pair
> into an RSA object in a program.
>
> This is how I try h
--- "Buicliu, Ion VSA:EX" <[EMAIL PROTECTED]>
wrote:
> I am trying to do the following:
> - create a private and public key (self-signed
> certificate)
> - encrypt a file and place on an ftp server
> - the client will pick up the file and decrypt it
> using the PUBLIC key
>
> Here is what I did
--- "Buicliu, Ion VSA:EX" <[EMAIL PROTECTED]>
wrote:
> Thank you Girish, I understand now. The
> combination: encrypt with
> public key - decrypt with private works.
>
> What we are trying to do is to place an encrypted
> file on our ftp server
> for a specific user. The ftp server is behind
--- Florian G otter <[EMAIL PROTECTED]> wrote:
> Hello everybody !
>
> I have a problem witht the SSL_accept / handshake
> which i could not
> resolve with the help of the net / colleagues /
> time.
>
> Having written a small server / client, it gives the
> following output
> (debug info gener
--- David Irvine <[EMAIL PROTECTED]> wrote:
-
Many thanks for a fantastic explanation and for
taking the time tohelp me. I was just reading some
docs there pointing me to this but youhave saved me a
good few hours.
I will search out info for python info on PBK
--- Ryan Shon <[EMAIL PROTECTED]> wrote:
> I am attempting to build OpenSSL for the Analog
> Devices
> Blackfin 537 digital signal processing chip using
> the
> VisualDSP++ compiler, also from Analog Devices.
>
> I have been studying the Configure script, and I
> would
> be appreciative of any
--- Ryan Shon <[EMAIL PROTECTED]> wrote:
>
> > Are you sure you want to squeeze in the entire
> OpenSSL
> > library into your Blackfin processor?
> > What is it that you want?
> > Do you want SSL or crypto?
>
> The plan is to build the SSL and crypto libraries so
> that applications could
--- "Buicliu, Ion VSA:EX" <[EMAIL PROTECTED]>
wrote:
>
>
>
> >
> > What we are trying to do is to place an encrypted
> file on our ftp
> > server for a specific user. The ftp server is
> behind a firewall, and
> > the user can access and see only its account, and
> they are supposed to
>
--- Florian G otter <[EMAIL PROTECTED]> wrote:
> Added code:
>
> if(SSL_set_cipher_list(m_ssl,"EXP-RC4-MD5")==1)
> {
> cout << "setting cipher went okay" << endl;
> }
> else
> {
> cout << "cipher not set" << endl;
> }
>
Dont use EXP- ciphers!
__
--- Sendil kumar <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've got some code that seems to work, except when
> the server responds with
> a 'large' amount of data.
>
> When the server sends 5000 bytes of data to the
> client ,the client was able to read it and
> every thing goes fine.But when
On Wed, Oct 18, 2006 at 11:35:13AM +0200, Marek Marcola wrote:
> Hello,
> > the block size is always the same as the key length in AES (and the most
> > block
> > ciphers, I think). You are using 128-AES -> 128 bits key == 16 bytes block
> > size
> > (q.e.d).
> Not exactly:
>
> AES128: block
On Thu, Oct 19, 2006 at 12:14:55PM +0530, Kaushalye Kapuruge wrote:
> Hi,
> I tried to get the base64 encoded result of a SHA1 digest. But the
> result is not compatible with the same operation in Java. Also I tried
> to use a javascript function. It is matching with the result of the Java
> imp
On Sat, Oct 21, 2006 at 08:04:01PM -0700, Ferianto siregar wrote:
> Dear all,
>
> Thank you very much for this chance. Thanks
> All, now I am finishing my paper. The title is TLS.
> As I know that TLS use SSL to make the communication secure.
> Can anybody tell me how can SSL make communication se
On Fri, Nov 17, 2006 at 11:04:48PM -0500, Victor Duchovni wrote:
> On Fri, Nov 17, 2006 at 08:14:26PM -0500, Brian Thompson wrote:
> > We have a group of users here who wish to send email through
> > Thunderbird to a SMTP server (sendmail) that requires SSL/TLS
> > authentication/encryption. The co
On Wed, Dec 13, 2006 at 08:45:50PM +0100, Marek Marcola wrote:
> Hello,
> > H = HMAC(packet_proto+ssl_version+data_len+M, server_write_mac)
> Should be:
> H = HMAC(packet_sequence+packet_proto+ssl_version+data_len+M,
> server_write_mac)
>
Marek,
You forgot to mention that HMAC has a
On Thu, Dec 14, 2006 at 01:27:10PM +0100, Marek Marcola wrote:
> > This is done by simply appending the key to the digest input.
> I can not agree. In HMAC you use some message digest algorithm
> (MD5/SHA1/...) with HMAC algorithm.
> Let MD() will be some message digest algorithm, M - message t
On Sat, Dec 16, 2006 at 04:43:52PM +0530, bsenthil wrote:
>
>Hi,
>I don't know is it a right forums to discuss about the question? If it
>is wrong please suggest the forum.
>I am looking for "openssl accelerator". Is any body know any free
>implementation / projects. Please sen
Hi samaritans and friends,
Is there a port of openssl on VxWorks? If not, what will be the
difficulty in doing the same? Has anyone attempted it?
Thanks in advance for the help.
kind regards,
Girish V
__
OpenSSL Project
Hi,
The FILE pointer corresponding to stdout,stdin and stderr gets corrupted in
Windows NT when we use openssl.
Is there a way out ?
kind regards,
Girish V
__
OpenSSL Project http://www.openssl.o
Hi everyone,
Openssl smime is not able to handle big files ( We
tried with a 500MB file). It doesn't report any error message.
On stepping through the source, we found that it's
failing in OPENSSL_malloc.
However openssl enc works fine with files larger
than 2 GB.
There is a bug in o
80 matches
Mail list logo