Thanks Matt.
I did read those RFC as well. And here is the confusion. The RFC5116 says
this section 2.1
There is a *single output:*
A ciphertext C, which is at least as long as the plaintext, or
an indication that the requested encryption operation could not be
performed.
N
I am trying to decrypt TLS 1.2 records that is using the
TLS_AES_128_GCM_SHA256 cipher-suite using openssl's EVP API.
Per RFC 5246, decryption needs 4 inputs.
"
In order to decrypt and verify, the cipher takes as input the key,
nonce, the "additional_data", and the AEADEncrypted value. The
Hello,
Can I use the same input and output buffer in calls to EVP_DecryptUpdate
and the EVP_DecryptUpdate_final_ex functions?
The padding is on by default. And my application will always feed 8k chunks
in the update and the final calls?
Is it safe to then do the decrypt in place?
Hi all,
I have run a vulnerability scanning against some systems and some
vulnerabilities have come up related with OpenSSL. However, some of them have
not 443 port open or have nothing but a single file named as openSSL inside
some other's application folder. I asked about the operation of t
If Client-server session is reused from a past session then the client will
not get a Server Certificate during the handshake. In this case, if I do a
SSL_get_peer_certificate(), will it give me the server's certificate from
the initial handshake from which this reuse happened?
tem would understand before
> you could do that kind of byte comparison, or byte-compare the
> DER-encoded keys from the certificates themselves.)
>
> -Kyle H
>
> On Tue, Jul 20, 2010 at 11:40 AM, PS wrote:
> > Let us say I have a certificate and a private key pair (C1, K1)
&g
Let us say I have a certificate and a private key pair (C1, K1)
Now, lets say I received a Certificate, C2 on the wire. Now, I want to know
whether the pvt-key K1 corresponds to the private key of C2. One method is
encrypt a Known random number with pub-key in C2 and decrypt with K1 and see
if the
() method
with the flag SSL_VERIFY_NONE.
BTW, it is a potentially insecure system that you have if you intend to do
this unless your only goal is to provide enryption and not authentication.
PS
On Thu, Feb 19, 2009 at 2:22 AM, Anri Lau wrote:
>
> All,
>
> I encountered a problem. There i
Hi All,
I was under the impression that openssl allows loading multiple CRLs for the
same issuer. But, this does not seem to be the case as is proved by using
"openssl verify".
$ ls -l ./ca/
total 24
lrwxrwxrwx 1 pshah users 10 Jan 28 21:56 ba4bb3b6.0 ->
cacert.pem -> the CA ce
Also, does openssl allow a CA to revoked its own self-signed certificate?
What happens when during the openssl verify, it finds that the CRL given by
CA contains the CA-certificate in the revoked list?
On Mon, Jan 26, 2009 at 9:28 PM, PS wrote:
> Can you please elaborate on how would the hig
he first place, and is outside the scope of CRL.
>
> -Kyle H
>
> On Mon, Jan 26, 2009 at 9:17 PM, PS wrote:
> > Hi All,
> > Is it possible to revoke a self-signed CA certificate?
> >
> > If yes, then I dont understand why it should be allowed. It does not make
Hi All,
Is it possible to revoke a self-signed CA certificate?
If yes, then I dont understand why it should be allowed. It does not make
sense. The only reason a root CA would want to revoke its own certificate is
if its private-key might have been compromised. So, the CA would want to
revoke its
I meant SSL_get_peer_certificate.
On Mon, Apr 7, 2008 at 6:53 PM, PS <[EMAIL PROTECTED]> wrote:
> Hi,
> I have a quick question. If Client-server session is reused ,in the
> re-used sessions SSL* data structure, will SSL_use_peer_certificate ( )
> return the certificate
Hi,
I have a quick question. If Client-server session is reused ,in the re-used
sessions SSL* data structure, will SSL_use_peer_certificate ( ) return the
certificate that it got in the initial handshake ?
PS
You need to do this :
On Client Side:
SSL_CTX_use_certificate ()
SSL_CTX_use_private_key()
On Server Side:
SSL_CTX_load_verify_locations()
SSL_CTX_verify()// Set the flag to (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
Paras
On Thu, Mar 27, 2008 at 5:15 AM, vaibhav bindroo <[EMAIL PR
Hi,
I had a set of related questions regarding the trusted CA store and
certificate chaining:
1. Lets say we have a chain of the form RootCA -> SubCA ->
Server-certificate.
Now, Will the openssl verify function be able to verify if I give only
the SubCA as the trusted CA Cert and the above cha
Hi,
I had a set of related questions regarding the trusted CA store and
certificate chaining:
1. Lets say we have a chain of the form RootCA -> SubCA ->
Server-certificate.
Now, Will the openssl verify function be able to verify if I give only
the SubCA as the trusted CA Cert and the above cha
Hi,
One of the tests on the openssl-fips-1.1.2 fails without any warning when I
try running "make test". Though the test fails, the command continues to
completion.
Specifically this is the snippet of the output where the error occurs:
Testing cipher RC4(encrypt/decrypt)
Key
ef 01 23 45 ef 01
You are contradicting yourself. If you link against the
openssl-fips-1.1.1library, and are in FIPS_mode, then you have FIPS
functionality. If you are
not in FIPS mode, then the fips library trivially behaves as the traditional
openssl (with all functionalities). The former is called FIPS-validated
Hi,
The openssl User-Guide only mentions about how to create an application in
FIPS mode ( by calling FIPS_mode_set (1) ). The question is that is it
possible to have the openssl command line tool (generated from
openssl-fips-1.1.1) be in FIPS mode ? If yes, please can someone shed some
light on th
Renegotiation. Thats what this is for.
On 11/2/07, Darryl Miles <[EMAIL PROTECTED]> wrote:
>
>
> Maybe they can, but you wont get much response from me by being too lazy
> to start a new thread with your "Compose New Mail" function, as opposed
> to picking a historic message at random and using th
Yes. Thats what I was trying to ask. So, how can I change the expiry date of
an existing certificate without changing any other field ? Is there any
openssl command that I may use ?
On 10/17/07, G.W. Haywood <[EMAIL PROTECTED]> wrote:
>
> Hi there,
>
> On Wed, 17 Oct 2007, David Schwartz wrote:
>
Hi,
I have a private CA certificate created using openssl command line. The
issue is that the certificate expires on 19th Oct, 2007. The question is
that "Is it possible to extend the expiry of this certificate without
changing any other fields in the certificate?" Basically, I want to continue
usi
Hi,
I have a private CA certificate created using openssl command line. The
issue is that the certificate expires on 19th Oct, 2007. The question is
that "Is it possible to extend the expiry of this certificate without
changing any other fields in the certificate?" Basically, I want to continue
usi
24 matches
Mail list logo
