From bram at GAWTH.COM Sun Jul 1 05:39:17 2001
From: bram at GAWTH.COM (Bram Cohen)
Date: Sat, 30 Jun 2001 20:39:17 -0700
Subject: [PYTHON-CRYPTO] entropy collection
Message-ID:

Does anybody know of an entropy collection tool for Python? Right now I'm
reading out of /dev/random, which obviously isn't cross platform.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
-- John Maynard Keynes

From michael at STROEDER.COM Sun Jul 1 10:42:00 2001
From: michael at STROEDER.COM (Michael Ströder)
Date: Sun, 1 Jul 2001 10:42:00 +0200
Subject: [PYTHON-CRYPTO] entropy collection
References:
Message-ID: <3B3EE258.A0224EB0@stroeder.com>

Bram Cohen wrote:
>
> Does anybody know of an entropy collection tool for Python? Right now I'm
> reading out of /dev/random, which obviously isn't cross platform.

Pisces seems to have a nice solution.

http://www.cnri.reston.va.us/software/pisces/manual/module-pisces.cryptrand.html
http://www.cnri.reston.va.us/software/pisces/manual/module-pisces.egdlib.html

Ciao, Michael.

From richard at BIZARSOFTWARE.COM.AU Wed Jul 4 09:08:54 2001
From: richard at BIZARSOFTWARE.COM.AU (Richard Jones)
Date: Wed, 4 Jul 2001 17:08:54 +1000
Subject: [PYTHON-CRYPTO] M2Cypto SSL and IE5's 56bit bug
Message-ID: <01070417085402.24503@ike>

Here's a workaround for ZServerSSL for the 56bit SSL cipher bug in IE 5.
The bug is described in the following pages:

http://www.geocrawler.com/archives/3/191/2000/6/0/3962617/
http://support.microsoft.com/support/kb/articles/Q249/8/63.asp

I've managed to work around it in much the same way as the Apache mod-ssl
fix - by disabling the 56bit ciphers. In ZServerSSL, this is achieved using
the following context call:

ssl_ctx.set_cipher_list('ALL:!EXPORT56:!ADH:RC4+RSA:+SSLv2:@STRENGTH')

... except this doesn't work. A dump of ssl_conn.get_ciphers() definitely
doesn't list any 56-bit ciphers, but IE still refuses to work.
A test with s_server in both -www and -WWW mode works OK though (with -cipher
being the above cipher list)...

Anyone got any ideas?

Richard

--
Richard Jones richard at bizarsoftware.com.au
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

From richard at BIZARSOFTWARE.COM.AU Wed Jul 4 10:03:29 2001
From: richard at BIZARSOFTWARE.COM.AU (Richard Jones)
Date: Wed, 4 Jul 2001 18:03:29 +1000
Subject: [PYTHON-CRYPTO] M2Cypto SSL and IE5's 56bit bug
In-Reply-To: <01070417085402.24503@ike>
References: <01070417085402.24503@ike>
Message-ID: <01070418032903.24503@ike>

On Wed, 4 Jul 2001 17:08, Richard Jones wrote:
> Here's a workaround for ZServerSSL for the 56bit SSL cipher bug in IE 5.
> The bug is described in the following pages:
>
> http://www.geocrawler.com/archives/3/191/2000/6/0/3962617/
> http://support.microsoft.com/support/kb/articles/Q249/8/63.asp
>
> I've managed to work around it in much the same way as the Apache mod-ssl
> fix - by disabling the 56bit ciphers. In ZServerSSL, this is achieved using
> the following context call:
>
>
> ssl_ctx.set_cipher_list('ALL:!EXPORT56:!ADH:RC4+RSA:+SSLv2:@STRENGTH')
>
>
> ... except this doesn't work. A dump of ssl_conn.get_ciphers() definitely
> doesn't list any 56-bit ciphers, but IE still refuses to work. A test with
> s_server in both -www and -WWW mode works OK though (with -cipher being the
> above cipher list)...
>
> Anyone got any ideas?

A clarification - this only occurs with the Thawte SuperCerts or Verisign's
"Global Site Services". Specifically, we have a Thawte SuperCert. When using
the dummy server.pem bundled with m2crypto, there's no problems.

I have the https_server.py code dumping the cipher usage info for each
connection at the moment.
With the cipher list above, the actual list of ciphers is the same
regardless of the server.pem used:

EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5,
DHE-DSS-RC4-SHA, IDEA-CBC-SHA, RC4-SHA, RC4-MD5, IDEA-CBC-MD5, RC2-CBC-MD5,
RC4-MD5, RC4-64-MD5, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA,
DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA,
EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5

When using the m2crypto dummy server.pem, the EXP-RC2-CBC-MD5 cipher is
selected. When using our SuperCert server.pem, the handshake fails and no
cipher is selected.

I don't actually know how the SuperCert differs from the m2crypto cert, and
I can see a brick wall rapidly approaching...

Richard

--
Richard Jones richard at bizarsoftware.com.au
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

From richard at bizarsoftware.com.au Wed Jul 4 12:07:59 2001
From: richard at bizarsoftware.com.au (Richard Jones)
Date: Wed, 4 Jul 2001 20:07:59 +1000
Subject: [PYTHON-CRYPTO] M2Cypto SSL and IE5's 56bit bug
In-Reply-To: <3B42E770.BE52F67D@stroeder.com>
References: <01070417085402.24503@ike> <01070418032903.24503@ike> <3B42E770.BE52F67D@stroeder.com>
Message-ID: <01070420075905.24503@ike>

On Wed, 4 Jul 2001 19:52, Michael Ströder wrote:
> Richard Jones wrote:
> > On Wed, 4 Jul 2001 17:08, Richard Jones wrote:
> > > Here's a workaround for ZServerSSL for the 56bit SSL cipher bug in IE
> > > 5. The bug is described in the following pages:
> >
> > A clarification - this only occurs with the Thawte SuperCerts or
> > Verisign's "Global Site Services". Specifically, we have a Thawte
> > SuperCert.
>
> Note that some versions of MS IE have a buggy step-up (switch from
> export grade cipher to strong cipher) procedure. If I remember
> correctly this was discussed several times on the mod_ssl mailing
> list.
> There were proposed solutions like this setting (taken from my
> httpd.conf shipped with SuSE Linux):
>
> SSLCipherSuite
> ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> It's up to you to compare that in detail to the cipher list you
> suggested.

I can get m2crypto to have the SSL Connection have the cipher list as above,
that's not a problem. That removes all the 56-bit ciphers. Well, that's what
ssl_conn.get_ciphers() tells me...

Problem is, unlike Apache, something must still need configuring in m2crypto
because it still doesn't work...

I've talked to Thawte about it, and am going with the $50 re-issue of the
cert. No SGC extension. Guaranteed to work - just like the test cert that
comes with m2crypto.

Richard

ps. "some versions" ... read: all the browsers installed on windows 2000
without service pack 1!!!

--
Richard Jones richard at bizarsoftware.com.au
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

From michael at STROEDER.COM Wed Jul 4 11:52:48 2001
From: michael at STROEDER.COM (Michael Ströder)
Date: Wed, 4 Jul 2001 11:52:48 +0200
Subject: [PYTHON-CRYPTO] M2Cypto SSL and IE5's 56bit bug
References: <01070417085402.24503@ike> <01070418032903.24503@ike>
Message-ID: <3B42E770.BE52F67D@stroeder.com>

Richard Jones wrote:
>
> On Wed, 4 Jul 2001 17:08, Richard Jones wrote:
> > Here's a workaround for ZServerSSL for the 56bit SSL cipher bug in IE 5.
> > The bug is described in the following pages:
>
> A clarification - this only occurs with the Thawte SuperCerts or Verisign's
> "Global Site Services". Specifically, we have a Thawte SuperCert.

Note that some versions of MS IE have a buggy step-up (switch from
export grade cipher to strong cipher) procedure. If I remember
correctly this was discussed several times on the mod_ssl mailing
list.
There were proposed solutions like this setting (taken from my
httpd.conf shipped with SuSE Linux):

SSLCipherSuite
ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

It's up to you to compare that in detail to the cipher list you
suggested.

Ciao, Michael.

From richard at bizarsoftware.com.au Wed Jul 4 12:29:22 2001
From: richard at bizarsoftware.com.au (Richard Jones)
Date: Wed, 4 Jul 2001 20:29:22 +1000
Subject: [PYTHON-CRYPTO] M2Cypto SSL and IE5's 56bit bug
In-Reply-To: <3B42ECD2.DC21CC71@stroeder.com>
References: <01070417085402.24503@ike> <01070420075905.24503@ike> <3B42ECD2.DC21CC71@stroeder.com>
Message-ID: <01070420292206.24503@ike>

On Wed, 4 Jul 2001 20:15, Michael Ströder wrote:
> Richard Jones wrote:
> > I've talked to Thawte about it, and am going with the $50 re-issue of the
> > cert. No SGC extension. Guaranteed to work - just like the test cert that
> > comes with m2crypto.
>
> No SGC in extendedKeyUsage extension means that weak ciphers will be
> used. You have to clarify if your local security policy allows that.
> E.g. SSL-capable banking applications in Germany are not allowed to
> run with weak ciphers.

But the workarounds for apache/ssl pretty much force the weaker ciphers by
removing the 40-bit ones. At least with this the 56-bit browsers will use
56-bit ciphers. And hopefully, with the @STRONGEST on the end of our cipher
list, 128-bit browsers will use 128-bit ciphers.

I have to admit a very slight knowledge of SSL though, and no knowledge of
the inner workings of SGC, so what I've just said is probably complete
garbage :(

Richard (who just wants the damn thing to work!)

--
Richard Jones richard at bizarsoftware.com.au
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

From itamarst at YAHOO.COM Wed Jul 11 15:13:20 2001
From: itamarst at YAHOO.COM (Itamar S.-T.)
Date: Wed, 11 Jul 2001 06:13:20 -0700
Subject: [PYTHON-CRYPTO] Yet another OpenSSL wrapper
Message-ID: <20010711131320.80353.qmail@web13003.mail.yahoo.com>

Martin Sjögren (martin at strakt.com) has announced another OpenSSL wrapper
for python on the python-dev mailing list. It can be found at:

http://www.strakt.com/~martin/pyOpenSSL.tar.gz

Anyone care to take a look?

=====
Itamar Shtull-Trauring, itamar(at)shtull-trauring.org

From bram at GAWTH.COM Sun Jul 22 21:03:00 2001
From: bram at GAWTH.COM (Bram Cohen)
Date: Sun, 22 Jul 2001 12:03:00 -0700
Subject: [PYTHON-CRYPTO] I got some rijndael working
Message-ID:

The latest release of BitTorrent has working rijndael in C. It turns out
Mike Scott's implementation was by far the easiest to deal with -

http://bitconjurer.org/BitTorrent/

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
-- John Maynard Keynes

From Larry.Bugbee at PSS.Boeing.com Tue Jul 24 00:22:03 2001
From: Larry.Bugbee at PSS.Boeing.com (Bugbee, Larry)
Date: Mon, 23 Jul 2001 15:22:03 -0700
Subject: PyCrypto
Message-ID: <58B6DA1B98AA9149B13B029976A48BCC02D4C010@xch-nw-31.nw.nos.boeing.com>

Michael,

I was just looking at http://www.stroeder.com/PyCrypto/proposal.html and was
wondering...

1. What has happened since February?

2. Had you considered addressing the W3C specifications for SignedXML and
   EncryptedXML?
   http://www.w3.org/TR/xmldsig-core/
   http://www.w3.org/TR/xmlenc-core/

3. What kind of cooperation have you gotten from the pyAES and mxCrypto
   folks?

4. What kind of license did you have in mind?

My folks have a need to digitally sign documents and I am planning on doing
something.... but what is yet undecided. Perhaps a utility and some
libraries, but I'd prefer to leverage the work already done.
Regards,

Larry Bugbee
Boeing Commercial Airplanes

From ngps at POST1.COM Wed Jul 25 19:13:34 2001
From: ngps at POST1.COM (Ng Pheng Siong)
Date: Thu, 26 Jul 2001 01:13:34 +0800
Subject: [PYTHON-CRYPTO] [ANN] M2Crypto 0.06 and Win32 binaries
Message-ID: <20010726011334.B1235@madcap.dyndns.org>

Hi,

I'm pleased to announce that M2Crypto 0.06 has been released.

- M2Crypto now works with (and requires) SWIG 1.3.6.
- ZServerSSL has been updated to work with Zope 2.4.0.
- Beginnings of unit tests for M2Crypto.SSL. (Uses fork/exec, so
  presently Unix only.)

Going forward, I'm aiming for the following:

- SSL HOWTO
- Better documentation
- XML-dsig implementation
- SRP implementation
- More unit tests of everything

Get M2Crypto here:

http://www.post1.com/home/ngps/m2/

As usual, feedback is appreciated.

--
Ng Pheng Siong * http://www.post1.com/home/ngps

Quidquid latine dictum sit, altum viditur.
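
Added example, not part of any post in this archive: a small audit of the cipher dump quoted in the "IE5's 56bit bug" thread above, grouping each OpenSSL suite name by the key length its name implies and listing everything under a chosen floor. The name-to-bits rules, the 128-bit default floor and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Cipher names copied from the dump posted in the thread.
DUMP = """
EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5,
DHE-DSS-RC4-SHA, IDEA-CBC-SHA, RC4-SHA, RC4-MD5, IDEA-CBC-MD5, RC2-CBC-MD5,
RC4-MD5, RC4-64-MD5, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA,
DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA,
EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5
"""

# Ordered (pattern, bits) rules; first match wins. These rules are this
# example's assumption and cover only SSLv2/SSLv3-era OpenSSL suite names.
RULES = [
    (r"^EXP1024-", 56),      # 56-bit export suites
    (r"^EXP-", 40),          # 40-bit export suites
    (r"DES-CBC3", 168),      # triple DES
    (r"DES-CBC", 56),        # single DES
    (r"RC4-64", 64),
    (r"RC4|RC2|IDEA", 128),
]

def key_bits(suite):
    """Key length implied by a suite name, per RULES."""
    for pattern, bits in RULES:
        if re.search(pattern, suite):
            return bits
    raise ValueError(f"no rule for suite name: {suite!r}")

def parse(dump):
    """Split the dump into suite names, collapsing repeated names."""
    names = [n for n in re.split(r"[,\s]+", dump) if n]
    return list(dict.fromkeys(names))

def audit(dump, floor=128):
    """Return ({bits: [suites]}, [suites below floor, weakest first])."""
    by_bits = defaultdict(list)
    for suite in parse(dump):
        by_bits[key_bits(suite)].append(suite)
    weak = [s for bits in sorted(by_bits) if bits < floor for s in by_bits[bits]]
    return dict(by_bits), weak

if __name__ == "__main__":
    by_bits, weak = audit(DUMP)
    for bits in sorted(by_bits, reverse=True):
        print(f"{bits:>3}-bit: {', '.join(by_bits[bits])}")
    print(f"{len(weak)} suites below 128 bits are still enabled")
```

Run against the dump, this shows that the enabled list still carries single-DES and EXP- suites, which is why checking the effective list matters more than reading the cipher string.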