- Feb 12, 2001
-
-
Geoff Thorpe authored
well (and is a good demonstration of how encapsulating the SSL in a memory-based state machine can make it easier to apply to different situations). The change implements a new command-line switch "-flipped <0|1>" which, if set to 1, reverses the usual interpretation of a client and server for SSL tunneling. Normally, an ssl client (ie. "-server 0") accepts "cleartext" connections and conducts SSL/TLS over a proxied connection acting as an SSL client. Likewise, an ssl server (ie. "-server 1") accepts connections and conducts SSL/TLS (as an SSL server) over them and passes "cleartext" over the proxied connection. With "-flipped 1", an SSL client (specified with "-server 0") in fact accepts SSL connections and proxies clear, whereas an SSL server ("-server 1") accepts clear and proxies SSL. NB: most of this diff is command-line handling, the actual meat of the change is simply the line or two that plugs "clean" and "dirty" file descriptors into the item that holds the state-machine - reverse them and you get the desired behaviour. This allows a network server to be an SSL client, and a network client to be an SSL server. Apart from curiosity value, there's a couple of possibly interesting applications - SSL/TLS is inherently vulnerable to trivial DoS attacks, because the SSL server usually has to perform a private key operation first, even if the client is authenticated. With this scenario, the network client is the SSL server and performs the first private key operation, whereas the network server serves as the SSL client. Another possible application is when client-only authentication is required (ie. the underlying protocol handles (or doesn't care about) authenticating the server). Eg. an SSL/TLS version of 'ssh' could be concocted where the client's signed certificate is used to validate login to a server system - whether or not the client needs to validate who the server is can be configured at the client end rather than at the server end (ie. a complete inversion of what happens in normal SSL/TLS). NB: This is just an experiment/play-thing, using "-flipped 1" probably creates something that is interoperable with exactly nothing. :-)
-
- Feb 11, 2001
-
-
Lutz Jänicke authored
-
- Feb 10, 2001
-
-
Lutz Jänicke authored
-
Lutz Jänicke authored
-
Lutz Jänicke authored
options someone much longer working with OpenSSL/SSLeay is needed.
-
Bodo Möller authored
-
Bodo Möller authored
file http://www.nrca-ds.de/ftp/pkd.ttp, which contains a total of 288 certificates issued by the RegPT so far)
-
Bodo Möller authored
-
Bodo Möller authored
(similar to how arguments such as -inform/-outform specifications are treated)
-
Dr. Stephen Henson authored
Fix CRL printing to correctly show when there are no revoked certificates. Make ca.c correctly initialize the revocation date. Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() set the string type: so they can initialize ASN1_TIME structures properly.
-
Bodo Möller authored
-
- Feb 09, 2001
-
-
Lutz Jänicke authored
the clients choice; in SSLv2 the client uses the server's preferences.
-
Lutz Jänicke authored
-
Lutz Jänicke authored
-
Dr. Stephen Henson authored
Fix warning in apps/engine.c Remove definitions of deleted functions. Add missing definition of X509_VAL.
-
Dr. Stephen Henson authored
and ASN1 code.
-
Bodo Möller authored
-
Bodo Möller authored
Denis Beauchemin <Denis.Beauchemin@Courrier.USherb.ca>)
-
Dr. Stephen Henson authored
-
- Feb 08, 2001
-
-
Dr. Stephen Henson authored
OCSP responses. Documentation to follow... Urgh.. this conflicted with the -VAfile patch I hope I haven't broken it.
-
Richard Levitte authored
inversed. Corrected. Hopefully, this will make it work without dumping core.
-
Richard Levitte authored
client code certificates to use to only check response signatures. I'm not entirely sure if the way I just implemented the verification is the right way to do it, and would be happy if someone would like to review this.
-
Ulf Möller authored
-
Ulf Möller authored
entropy devices or sockets.
-
Ulf Möller authored
-
Ulf Möller authored
-
Bodo Möller authored
for range = 11000000... or range = 100000...)
-
Bodo Möller authored
never exceeds 1.333...).
-
Bodo Möller authored
-
Bodo Möller authored
Bleichenbacher's DSA attack. With this implementation, the expected number of iterations never exceeds 2. New semantics for BN_rand_range(): BN_rand_range(r, min, range) now generates r such that min <= r < min+range. (Previously, BN_rand_range(r, min, max) generated r such that min <= r < max. It is more convenient to have the range; also the previous prototype was misleading because max was larger than the actual maximum.)
-
Bodo Möller authored
-
Lutz Jänicke authored
-
- Feb 07, 2001
-
-
Ulf Möller authored
-
Lutz Jänicke authored
during connect() and other calls. First seen on Unixware-7. Unify access to EGD-socket for all RAND_egd_*() methods.
-
Dr. Stephen Henson authored
Fix AES code. Update Rijndael source to v3.0 Add AES OIDs. Change most references of Rijndael to AES. Add new draft AES ciphersuites.
-
Lutz Jänicke authored
reasonable selection.
-
Lutz Jänicke authored
-
- Feb 06, 2001
-
-
Ben Laurie authored
-
Ben Laurie authored
-
Bodo Möller authored
-