Table of Contents for
Network Security with OpenSSL

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Network Security with OpenSSL by Pravir Chandra Published by O'Reilly Media, Inc., 2002
  1. Cover
  2. Network Security with OpenSSL
  3. Network Security with OpenSSL
  4. Dedication
  5. A Note Regarding Supplemental Files
  6. Preface
  7. 1. Introduction
  8. 2. Command-Line Interface
  9. 3. Public Key Infrastructure (PKI)
  10. 4. Support Infrastructure
  11. 5. SSL/TLS Programming
  12. 6. Symmetric Cryptography
  13. 7. Hashes and MACs
  14. 8. Public Key Algorithms
  15. 9. OpenSSL in Other Languages
  16. 10. Advanced Programming Topics
  17. A. Command-Line Reference
  18. asn1parse
  19. ca
  20. ciphers
  21. crl
  22. crl2pkcs7
  23. dgst
  24. dhparam
  25. dsa
  26. dsaparam
  27. enc
  28. errstr
  29. gendsa
  30. genrsa
  31. nseq
  32. passwd
  33. pkcs7
  34. pkcs8
  35. pkcs12
  36. rand
  37. req
  38. rsa
  39. rsautl
  40. s_client
  41. s_server
  42. s_time
  43. sess_id
  44. smime
  45. speed
  46. spkac
  47. verify
  48. version
  49. x509
  50. Index
  51. About the Authors
  52. Colophon
  53. Copyright

Index

A note on the digital index

A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.

Symbols

$how_random variable, Net::SSLeay Variables
$linux_debug variable, Net::SSLeay Variables
$random_device variable, Net::SSLeay Variables
$slowly variable, Net::SSLeay Variables
$trace variable, Net::SSLeay Variables
(PKCS) padding, Encryption
/dev/random, Seeding the Pseudorandom Number Generator, Seeding the PRNG
/dev/urandom, Seeding the Pseudorandom Number Generator, Seeding the PRNG
3DES cipher, Insecure Cryptography, Block Ciphers and Stream Ciphers, Triple DES
: (colon), Seeding the Pseudorandom Number Generator
, (comma), Seeding the Pseudorandom Number Generator
= (equals sign), Configuration Files
# (hash mark), Configuration Files
; (semicolon), Seeding the Pseudorandom Number Generator
@STRENGTH keyword, Cipher suite selection

A

acceleration hardware, Cryptographic acceleration hardware
Aep ID string, Using Engines
Broadcom uBSec ID string, Using Engines
nCipher CHIL, ID string, Using Engines
Nuron, ID string, Using Engines
SureWare ID string, Using Engines
accept sockets, BIO package, Socket sources/sinks
ADH keyword, Cipher suite selection
Adleman, Leonard, RSA
Advanced Encryption Standard (see AES)
Aep ID string, Using Engines
AES (Advanced Encryption Standard) cipher, Insecure Cryptography, Block Ciphers and Stream Ciphers, AES
OpenSSL, support in, Available Ciphers
algorithms, cryptographic (see under cryptography)
anonymous ciphers, Cipher suite selection
Apache, About This Book
mod_ssl, Securing Third-Party Software
ASN.1 (Abstract Syntax Notation 1), Making Certificates
asn1parse command, asn1parse
atomic data structures, Multithread Support
authentication, Goals of Cryptography, General Recommendations
(see also certificates, digital signatures)
availability flags, Non-blocking I/O

B

base64 character set, Secure HTTP Cookies
base64 command, Symmetric Ciphers, Examples
basicConstraints extension, Certificate Extensions
example, Building an OpenSSL Configuration File
batch mode, OpenSSL command-line interface, The Basics
bf command, Examples
BIGNUMs, Arbitrary Precision Math, Using Engines
(see also BN package)
arithmetic functions for, Mathematical Operations
comparisons of, The Basics
context structures, Mathematical Operations
copying, right and wrong methods, The Basics
flat binary representation, conversion to and from, The Basics
initializing, The Basics
binary comparison function for MACs, Using MACs
binary objects (see BIOs, BIO package)
binary-encoded numbers, converting to text, The Basics
BIO package, Abstract Input/OutputFilter BIOs
BIO chains, creating, Filter BIOsFilter BIOs
source/sink BIOs, Source/Sink BIOsBIO pairs
BIO pairs, BIO pairs
file BIOs, File sources/sinks
memory BIOs, Memory sources/sinks
socket BIOs, Socket sources/sinks, Socket sources/sinks
_bio, appending to DER-encoding functions, Writing and Reading DER-Encoded Objects
BIOs, Abstract Input/Output, Using Engines
(see also BIO package)
filter BIOs, Filter BIOsFilter BIOs
key encoding and decoding, Encoding and Decoding ObjectsWriting and Reading PEM-Encoded Objects
DER format, Writing and Reading DER-Encoded ObjectsWriting and Reading DER-Encoded Objects
PEM format, Writing and Reading PEM-Encoded ObjectsWriting and Reading PEM-Encoded Objects
M2Crypto.BIO module, M2Crypto.BIO
BIO_destroy_bio_pair( ), BIO pairs
BIO_do_accept( ), Socket sources/sinks
BIO_do_connect( ), Socket sources/sinks
BIO_flush( ), Abstract Input/Output
BIO_free( ), Abstract Input/Output, BIO pairs
BIO_free_all( ), Abstract Input/Output
BIO_gets( ), Abstract Input/Output
BIO_get_mem_data( ), Memory sources/sinks
BIO_get_mem_ptr( ), Memory sources/sinks
BIO_get_retry_BIO( ), Abstract Input/Output
BIO_get_retry_reason( ), Abstract Input/Output
BIO_make_bio_pair( ), BIO pairs
BIO_METHOD objects, Source/Sink BIOs
BIO_new( ), Abstract Input/Output
source/sink BIOs, and, Source/Sink BIOs
BIO_new_connect( ), The Application(s) to Secure
BIO_new_fd( ), Socket sources/sinks
BIO_new_mem_buf( ), Memory sources/sinks
BIO_pop( ), Abstract Input/Output
BIO_push( ), Abstract Input/Output
BIO_puts( ), Abstract Input/Output
BIO_read( ), Abstract Input/Output
BIO_retry_type( ), Abstract Input/Output
BIO_set( ), Abstract Input/Output
source/sink BIOs, and, Source/Sink BIOs
BIO_set_accept_port( ), Socket sources/sinks
BIO_set_close( ), Memory sources/sinks
BIO_set_conn_hostname( ), Socket sources/sinks
BIO_set_conn_int_port( ), Socket sources/sinks
BIO_set_conn_port( ), Socket sources/sinks, Socket sources/sinks
BIO_set_fd( ), Socket sources/sinks
BIO_set_write_buf_size( ), BIO pairs
BIO_should_io_special( ), Abstract Input/Output
BIO_should_read( ), Abstract Input/Output
BIO_should_retry( ), Abstract Input/Output
BIO_should_write( ), Abstract Input/Output
BIO_s_accept( ), Socket sources/sinks
BIO_s_bio( ), BIO pairs
BIO_s_connect( ), Socket sources/sinks
BIO_s_mem( ), Memory sources/sinks
BIO_s_socket( ), Socket sources/sinks
BIO_vfree( ), Abstract Input/Output
BIO_write( ), Abstract Input/Output
BIO_s_accept( ), The Application(s) to Secure
BIO_s_connect( ), The Application(s) to Secure
blinding, Data Encryption, Key Agreement, and Key Transport
block ciphers (see under ciphers)
blocking flags, Non-blocking I/O
blocking I/O, Blocking I/O
Blowfish, Block Ciphers and Stream Ciphers, Blowfish
decryption, CBC mode, Initializing Symmetric Ciphers, Decryption
encryption, CBC mode, Initializing Symmetric Ciphers
BN package, Arbitrary Precision MathGenerating Prime Numbers, Using Engines
(see also BIGNUMs)
applications, including in, The Basics
binary-encoded numbers, converting to text, The Basics
context structures, Mathematical Operations
header file for, The Basics
mathematical operations, functions for, Mathematical Operations
prime numbers, generating, Generating Prime NumbersGenerating Prime Numbers
BN_bin2bn( ), The Basics
Diffie-Hellman key exchange, and, Generating and Exchanging Parameters
BN_bn2bin( ), The Basics
Diffie-Hellman key exchange, and, Generating and Exchanging Parameters
BN_bn2dec( ), The Basics
BN_bn2hex( ), The Basics
BN_cmp( ), The Basics
BN_CTX_free( ), Mathematical Operations
BN_CTX_new( ), Mathematical Operations
BN_free( ), The Basics
BN_generate_prime( ), Generating Prime Numbers
Diffie-Hellman key agreement, and, Generating and Exchanging Parameters
with callback for status, Generating Prime Numbers
BN_init( ), The Basics
BN_new( ), The Basics
BN_num_bytes( ), The Basics
BN_ucmp( ), The Basics
Broadcom uBSec, ID string, Using Engines

C

C, C++, and OpenSSL, About This Book, OpenSSL Basics
ca command, Building an OpenSSL Configuration File, caNotes
configuration options, Configuration OptionsConfiguration Options
options, OptionsOptions
cA component (basicConstraints extension), Certificate Extensions
capture-replay attacks, Goals of Cryptography
CAs (Certification Authorities), Overview of SSL, Certification Authorities, Certificate Revocation Lists
CA, assigning to a certificate, Background
certificates, issuing, Issuing Certificates
client certificate, creating, Our example extended
configuration files, building, Building an OpenSSL Configuration File
directory structure, Creating an Environment for Your Certification Authority
essential files, Creating an Environment for Your Certification Authority
fraudulent certification, and, Bad Server Credentials
keys, legal values for, Building an OpenSSL Configuration File
private key, key length, Creating an Environment for Your Certification Authority
root CA, creating, Our example extended
root certificates, creating for, Creating a Self-Signed Root Certificate
S/MIME, and, S/MIME
server CA, creating, Our example extended
server certificate, creating, Our example extended
setting up, Setting Up a Certification AuthorityRevoking Certificates
creating an environment, Creating an Environment for Your Certification Authority
case-sensitivity, M2Crypto, Low-Level Bindings
CAST5 cipher, CAST5
CBC (Cipher Block Chaining) mode, Basic Block Cipher Modes
CBC-MAC, CBC-MACCBC-MAC
header file for, CBC-MAC
cert.pem, Incorporating trusted certificates
certificate chain, Background
certificate hierarchy, Our example extended
Certificate Revocation Lists (see CRLs)
certificate signing requests (see CSRs)
certificates, Public key encryption, Overview of SSL, Public Key Cryptography, Certificates, Revoking Certificates, Background
(see also CRLs)
certificate requests, Issuing CertificatesIssuing Certificates
character-encoding specification, Putting it all together
program for generating, Generating RequestsPutting it all together
certificate stores, X.509 Certificate Checking
flags, importance of, X.509 Certificate Checking
chaining, Certificate Hierarchies
commonName field, Our example extended
creating programatically, Making CertificatesMaking Certificates
CA standard parameters, Making Certificates, Making Certificates
CA, signing by, Making Certificates, Making Certificates
certificate extensions, addition, Making Certificates, Making Certificates
certificate request verification, Making Certificates, Making Certificates
essential steps, Making Certificates
example code, Making CertificatesMaking Certificates
CRLs, verification against via X509 interface, Incorporating certificate revocation lists
extensions, Certificate ExtensionsCertificate Extensions
basicConstraints, Certificate Extensions
CRLDistributionPoints extension, Certificate Extensions
KeyUsage, Certificate ExtensionsCertificate Extensions
hierarchies, Certificate Hierarchies
obtaining, Obtaining a CertificateWeb Site Certificates
OCSP (Online Certificate Status Protocol), Online Certificate Status ProtocolOnline Certificate Status Protocol
peer authentication, Step 2: Peer AuthenticationFurther extension of the examples
personal certificates, Personal CertificatesPersonal Certificates
post-connection verification, Post-connection assertionsPost-connection assertions
programmatic verification, X.509 Certificate CheckingX.509 Certificate Checking
example code, X.509 Certificate CheckingX.509 Certificate Checking
revoking, Revoking CertificatesRevoking Certificates
root certificates, creating, Creating a Self-Signed Root Certificate
self-signed, Certificate Hierarchies
SSL server, preparation by, Certificate preparationCertificate preparation
subject names, Subject name
validation, of, Certificate Validation
verification, Certificate verificationCertificate verification
security vulnerabilities of, Post-connection assertions
X.509 format, Certificate Extensions
certs, Incorporating trusted certificates
certs subdirectory, Creating an Environment for Your Certification Authority
cert_file (M2Crypto keyword), Extensions to httplib: httpslib
CFB (Cipher Feedback) mode, Basic Block Cipher Modes
check_availability( ), Non-blocking I/O
Cipher class (M2Crypto.EVP module), M2Crypto.EVP
cipher suites, Step 3: SSL Options and Cipher Suites, Cipher suite selectionCipher suite selection
required algorithms, Cipher suite selection
ciphers, Block Ciphers and Stream CiphersDecryption
block ciphers, Block Ciphers and Stream Ciphers
OpenSSL modes, Basic Block Cipher Modes
vulnerabilities, Block Ciphers and Stream Ciphers
cipher context, Initializing Symmetric Ciphers
decryption, DecryptionDecryption
encryption, EncryptionEncryption
incremental encryption, Encryption
initializing, Initializing Symmetric CiphersInitializing Symmetric Ciphers
OpenSSL, supported in, Available CiphersRC5™
padding, enabling, Specifying Key Length and Other Options
stream ciphers, Block Ciphers and Stream Ciphers
data integrity checking, need for, Block Ciphers and Stream Ciphers
vulnerabilities, Block Ciphers and Stream Ciphers
ciphers command, ciphers
Class 1 Digital ID, Personal Certificates
client authentication, removal, Beyond the example
client-side proxies, Client-Side Proxies
code-signing certificates, Code-Signing Certificates
command-line interface, Command-Line InterfaceSeeding the Pseudorandom Number Generator
CA (Certification Authority), setup using, Setting Up a Certification Authority
configuration files, Configuration FilesConfiguration Files
executable, Unix and Windows, The Basics
message digest algorithms, and, Message Digest AlgorithmsExamples
modes, The Basics
common.c, The Application(s) to Secure
common.h, The Application(s) to Secure
commonName field, Our example extended
Compaq Atalla acceleration hardware, ID string, Using Engines
config script, Unix, OpenSSL Basics
configuration file interface, Configuration Files
configuration files, Configuration FilesConfiguration Files, Importing Objects from PKCS#12 Data
(see also NCONF interface)
CAs (Certification Authorities), for, Building an OpenSSL Configuration File
command-line interface, for, Configuration FilesConfiguration Files
directory location, Building an OpenSSL Configuration File
supported commands, Configuration Files
CONF_METHOD structure, Configuration Files
CONF_VALUE structure, declaration, Configuration Files
Connection class (M2Crypto), M2Crypto.SSL
connection sockets, BIO package, Socket sources/sinks
Context class (M2Crypto), M2Crypto.SSL
context structures, Mathematical Operations
cookies (see secure HTTP cookies)
counter mode and UDP traffic, encryption of, Handling UDP Traffic with Counter Mode
counter_encrypt_or_decrypt( ), Handling UDP Traffic with Counter Mode
create_cookies( ), Secure HTTP Cookies
create_store( ), Signing and Verifying
critical extensions, Certificate Extensions
crl command, crl
crl2pkcs7 command, crl2pkcs7
CRLDistributionPoints extension, Certificate Extensions
CRLs (Certificate Revocation Lists), Overview of SSL, Bad Server Credentials, Certificate Revocation ListsCertificate Revocation Lists, Revoking Certificates
(see also certificates)
applications, incorporation into, Incorporating certificate revocation lists
delta CRLs, Certificate Revocation Lists
distribution, lack of standards for, Certificate Revocation Lists
indirect CRLs, Certificate Revocation Lists
OpenSSL, functionality in, Incorporating certificate revocation lists
problems with, Certificate Revocation ListsCertificate Revocation Lists
publishing frequency, Certificate Revocation Lists
updating of, Certificate Revocation Lists
Version 2 extensions, Certificate Revocation Lists
version compatibility, Certificate Revocation Lists
cryptographic algorithms (see under cryptography)
cryptographic engines, support in OpenSSL, Using Engines
cryptographic hashes (see hashes)
cryptography, Cryptography for the Rest of UsDigital signatures
acceleration hardware, Cryptographic acceleration hardware
algorithms, Introduction, Cryptographic AlgorithmsDigital signatures, Client-Side Proxies, General Recommendations, Writing and Reading PEM-Encoded Objects
(see also ciphers)
(see also hashes)
(see also public key cryptography)
cryptographic hash functions, Cryptographic hash functions and Message Authentication Codes
digital signatures, Digital signatures
MACs (Message Authentication Codes), Cryptographic hash functions and Message Authentication Codes
public key encryption, Public key encryptionPublic key encryption
symmetric key encryption, Symmetric key encryptionSymmetric key encryption
cryptographic acceleration hardware, Keys in the Clear
insecure protocols and methodologies, Insecure Cryptography
primitives, barriers to implementation, Symmetric Cryptography
purpose, Goals of Cryptography
references, Introduction
CryptoSwift acceleration hardware, ID string, Using Engines
CRYPTO_dynlock_value data structure, Dynamic Locking Callbacks
CRYPTO_set_id_callback( ), Static Locking Callbacks
CRYPTO_set_locking_callback( ), Static Locking Callbacks
CSRs (certificate signing requests), Web Site Certificates, Revoking Certificates, Our example extended
(see also certificates)

D

D-U-N-S numbers (Dun & Bradstreet), Code-Signing Certificates
d2i_AutoPrivateKey( ), Writing and Reading DER-Encoded Objects
d2i_PKCS12_fp( ), Importing Objects from PKCS#12 Data
d2i_PrivateKey( ), Writing and Reading DER-Encoded Objects
d2i_PublicKey( ), Writing and Reading DER-Encoded Objects
data enveloping, Encrypting and Decrypting
data integrity, Goals of Cryptography
data structures, Multithread Support
ASN.1, Making Certificates
atomic, Multithread Support
CRYPTO_dynlock_value, Dynamic Locking Callbacks
stack handling, and, Object Stacks
data tampering, Goals of Cryptography
data_transfer( ), Non-blocking I/ONon-blocking I/O
availability flags, Non-blocking I/O
blocking flags, Non-blocking I/O
buffers, Non-blocking I/O
flags, Non-blocking I/O
main loop, Non-blocking I/O
decryption, DecryptionDecryption
default certificate directory, Incorporating trusted certificates
default certificate file, Incorporating trusted certificates
default_bits key, Creating a Self-Signed Root Certificate
default_ca key, Building an OpenSSL Configuration File
default_crl_days key, Building an OpenSSL Configuration File
default_crl_hours key, Building an OpenSSL Configuration File
default_days key, Building an OpenSSL Configuration File
default_keyfile key, Creating a Self-Signed Root Certificate
default_md key, Building an OpenSSL Configuration File, Creating a Self-Signed Root Certificate
delta CRLs, Certificate Revocation Lists
denial of service attacks
MACs, and, General Recommendations
OCSP, and, Online Certificate Status Protocol
DER (Distinguished Encoding Rules) format, Encoding and Decoding Objects
encoding functions, Writing and Reading DER-Encoded Objects
file storage limits, Encoding and Decoding Objects
OpenSSL functions for, Writing and Reading DER-Encoded ObjectsWriting and Reading DER-Encoded Objects
RSA public key
decoding, Writing and Reading DER-Encoded Objects
encoding, Writing and Reading DER-Encoded Objects
DES (Data Encryption Standard) cipher, DES
56-bit version, insecurity of, Insecure Cryptography
DESX cipher, DESX
dgst command, Message Digest Algorithms, Examples, dgst
DH (Diffie-Hellman) algorithm, Diffie-Hellman, Diffie-HellmanPractical Applications
authentication algorithms, and, Practical Applications
DH structure, The Basics
Diffie-Hellman parameters, The Basics
g member, The Basics
generated prime, checking, Generating and Exchanging Parameters
generating and exchanging, Generating and Exchanging ParametersGenerating and Exchanging Parameters
p member, The Basics
priv_key member, The Basics
pub_key member, The Basics
key agreement, Ephemeral keying
M2Crypto support, Miscellaneous crypto
shared secrets, computing, Computing Shared Secrets
dh command, Diffie-Hellman
DH operations, ENGINE_set_defaut flag, Using Engines
dh1024.pem, Our example extended
creating, Our example extended
dh512.pem, Our example extended
creating, Our example extended
dhparam command, Diffie-Hellman, dhparam
DH_check( ), Generating and Exchanging Parameters
bitmask, codes argument, Generating and Exchanging Parameters
DH_compute_key( ), Computing Shared Secrets
DH_free( ), Generating and Exchanging Parameters
DH_generate_key( ), Computing Shared Secrets
DH_generate_parameters( ), Generating and Exchanging Parameters, Generating and Exchanging Parameters
DH_new( ), Generating and Exchanging Parameters
die_if_ssl_error( ) (Net\:\:SSLeay), Net::SSLeay Error Handling
die_now( ) (Net\:\:SSLeay), Net::SSLeay Error Handling
Diffie-Hellman algorithm (see DH)
digest operations, ENGINE_set_defaut flag, Using Engines
Digital Signature Algorithm (see DSA)
digital signatures, Digital signatures
key length, Digital signatures
uses of, Overview of Hashes and MACs
verifying, Message Digest Algorithms
Distinguished Encoding Rules (see DER)
distinguished names (see DNs)
distinguished_name key, Creating a Self-Signed Root Certificate
DNs (distinguished names), Certificates
OpenSSL, display conventions for, Creating a Self-Signed Root Certificate
DNS names, Post-connection assertions
dNSName field, X.509 Version 3 extensions
subjectAltName extension, Our example extended, Post-connection assertions
domain names
secure server certificates, and, Web Site Certificates
do_client_loop function, Our example extended
do_server_loop( ), The Application(s) to Secure
DSA (Digital Signature Algorithm), Digital Signature Algorithm, Digital Signature Algorithm (DSA)Practical Applications
DSA keys and SSL key exchange, Ephemeral keying
DSA parameters, The Basics
generating, Generating Parameters and Keys
DSA structure, The Basics
important members, The Basics
ENGINE_set_defaut flag, Using Engines
k number and digital signatures, Signing and Verifying
key pairs, generating, Generating Parameters and Keys
M2Crypto support, Miscellaneous crypto
message digest algorithms, use with, Signing and Verifying
SHA, and, Digital Signature Algorithm (DSA)
signing and verification, Signing and Verifying
two-way authentication with Diffie-Hellman, Practical Applications
dsa command, Digital Signature Algorithm, dsa
dsaparam command, Digital Signature Algorithm, dsaparam
DSA_generate_key( ), Generating Parameters and Keys
DSA_generate_parameters( ), Generating Parameters and Keys
DSA_sign( ), Signing and Verifying
DSA_sign_setup( ), Signing and Verifying
DSA_verify( ), Signing and Verifying
DSS1 algorithm, Hashing with the EVP API
DSS1 message digest algorithm, Message Digest Algorithms
dynamic locking callbacks, Dynamic Locking CallbacksDynamic Locking Callbacks
extensions, Dynamic Locking CallbacksDynamic Locking Callbacks
dynamic locks, Multithread Support
dyn_create_function( ), Dynamic Locking Callbacks
dyn_lock_function( ), Dynamic Locking Callbacks

E

eavesdropping, Goals of Cryptography
ECB (Electronic Code Book) mode, Basic Block Cipher Modes
datagrams, encryption for UDP, Handling UDP Traffic with Counter Mode
encryption, unsuitability for, Handling UDP Traffic with Counter Mode
EGADS (Entropy Gathering and Distribution System), Poor Entropy, Seeding the Pseudorandom Number Generator, Using an Alternate Entropy SourceUsing an Alternate Entropy Source
initializing, Using an Alternate Entropy Source
egads_entropy( ), Using an Alternate Entropy Source
EGD (Entropy Gathering Daemon), Seeding the Pseudorandom Number Generator, Using an Alternate Entropy Source
OpenSSL, support in, Using an Alternate Entropy Source
Electronic Code Book mode (see ECB)
enc command, Symmetric Ciphers, Examples, enc
for signing data, RSA
encrypted messages, sending to multiple users, Encrypting and Decrypting
encryption, Goals of Cryptography, EncryptionEncryption
engine, Using Engines
ENGINE object type, Using Engines
ENGINE_by_id( ), Using Engines
ENGINE_set_default( ), Using Engines
flags for, Using Engines
entropy, Poor Entropy, Random Number Generation
EGADS, harvesting with, Poor Entropy
Unix systems, sources on, Seeding the PRNG
Entropy Gathering and Distribution System (see EGADS)
Entropy Gathering Daemon (see EGD)
entropy sources, Seeding the Pseudorandom Number Generator
environment variables for RANDFILE, Seeding the Pseudorandom Number Generator
env\:<variable\\> option, Passwords and Passphrases
ephemeral keying, Keys in the Clear, Ephemeral keyingEphemeral keying
security advantages of, Ephemeral keying
equals sign (=), Configuration Files
ERR package, Internal Error Handling
functions, Manipulating Error Queues
error handling, Internal Error HandlingThreading and Practical Applications, Beyond the example
error messages, displaying, Human-Readable Error Messages
format, returned messages, Human-Readable Error Messages
error queues, Internal Error Handling
destroying, Threading and Practical Applications
errstr command, errstr
ERR_error_string( ), Human-Readable Error Messages, Human-Readable Error Messages
ERR_error_string_n( ), Human-Readable Error Messages
ERR_get_error_line_data( ), Human-Readable Error Messages
ERR_load_crypto_strings( ), Human-Readable Error Messages
ERR_load_SSL_strings( ), Human-Readable Error Messages
ERR_print_errors( ), Human-Readable Error Messages
ERR_print_errors_fp( ), Human-Readable Error Messages
ERR_remove_state( ), Threading and Practical Applications, The Application(s) to Secure
EVP interface, Encrypting with the EVP APIGeneral Recommendations
computing a hash value, Hashing with the EVP API
data encryption with multiple keys, Encrypting and Decrypting
encrypting and decrypting, Encrypting and DecryptingEncrypting and Decrypting
envelope encryption/decryption interface, Encrypting and Decrypting
sealing, Encrypting and Decrypting
finalization, Encryption
hashing algorithms, Hashing with the EVP APIHashing with the EVP API
function calls to, Hashing with the EVP API
M2Crypto.EVP module, M2Crypto.EVP
public key cryptography, The EVP Public Key InterfaceEncoding and Decoding Objects
signing and verification, Signing and VerifyingSigning and Verifying
updating, Encryption
EVP_add_cipher( ), Encrypting with the EVP API
EVP_CIPHER_CTX, Initializing Symmetric Ciphers
EVP_CIPHER_CTX object, Encrypting and Decrypting
EVP_CIPHER_CTX_ctrl( ), Specifying Key Length and Other Options
EVP_CIPHER_CTX_init( ), Initializing Symmetric Ciphers
EVP_CIPHER_CTX_mode( ), Handling UDP Traffic with Counter Mode
EVP_CIPHER_CTX_set_key_length( ), Specifying Key Length and Other Options
EVP_CIPHER_CTX_set_padding( ), Specifying Key Length and Other Options
EVP_CIPHER_key_length( ), Specifying Key Length and Other Options
EVP_DecryptFinal( ), Decryption
EVP_DecryptInit( ), Initializing Symmetric Ciphers, Decryption
EVP_DecryptUpdate( ), Decryption
EVP_DigestFinal( ), Hashing with the EVP API
EVP_DigestFinal_ex( ), Hashing with the EVP API
EVP_DigestInit( ), Hashing with the EVP API
EVP_DigestInit_ex( ), Hashing with the EVP API
EVP_DigestUpdate( ), Hashing with the EVP API, Signing and Verifying
EVP_EncodeBlock( )
base64 encoding, Secure HTTP Cookies
EVP_EncryptFinal( ), Encryption
EVP_EncryptFinal_ex( ), Encryption
EVP_EncryptInit( ), Using Engines, Initializing Symmetric Ciphers
EVP_EncryptInit_ex( ), Using Engines
EVP_EncryptUpdate( ), Encryption
EVP_get_cipherbyname( ), Encrypting with the EVP API
EVP_get_digestbyname( ), Hashing with the EVP API
EVP_MD objects, Putting it all together
EVP_MD_CTX objects, Signing and Verifying
EVP_OpenFinal( ), Encrypting and Decrypting
EVP_OpenInit( ), Encrypting and Decrypting
EVP_OpenUpdate( ), Encrypting and Decrypting
EVP_PKEY object, The EVP Public Key Interface
EVP_PKEY objects, Putting it all together
EVP_PKEY_assign_DSA( ), The EVP Public Key Interface
EVP_PKEY_assign_RSA( ), The EVP Public Key Interface
EVP_PKEY_free( ), The EVP Public Key Interface
EVP_PKEY_get1_DSA( ), The EVP Public Key Interface
EVP_PKEY_get1_RSA( ), The EVP Public Key Interface
EVP_PKEY_new( ), The EVP Public Key Interface
EVP_PKEY_set1_DSA( ), The EVP Public Key Interface
EVP_PKEY_set1_RSA( ), The EVP Public Key Interface
EVP_PKEY_size( ), Encrypting and Decrypting
EVP_SealFinish( ), Encrypting and Decrypting
EVP_SealInit( ), Encrypting and Decrypting
calling the function, Encrypting and Decrypting
EVP_SignFinal( ), Signing and Verifying, Signing and Verifying
EVP_SignInit( ), Signing and Verifying
EVP_SignUpdate( ), Signing and Verifying
EVP_VerifyFinal( ), Signing and Verifying
EVP_VerifyInit( ), Signing and Verifying
EVP_VerifyInit_ex( ), Signing and Verifying
EVP_VerifyUpdate( ), Signing and Verifying
example code web site, About This Book
EXP keyword, Cipher suite selection
extensions
basicConstraints, Certificate Extensions
certificates, Certificate ExtensionsCertificate Extensions
CRLs, Version 2, Certificate Revocation Lists
dynamic locking callbacks, Dynamic Locking CallbacksDynamic Locking Callbacks
external session caching, An on-disk, session caching framework
extKeyUsage extension, Certificate Extensions

F

fd\:<number\\> option, Passwords and Passphrases
file BIOs, File sources/sinks
creating, File sources/sinks
file parameter
dyn_create_function( ), Dynamic Locking Callbacks
dyn_destroy_function( ), Dynamic Locking Callbacks
dyn_lock_function( ), Dynamic Locking Callbacks
locking_function( ), Static Locking Callbacks
files
signatures, and, Message Digest Algorithms
symmetric ciphers, encryption using, Symmetric Ciphers
file\:<filename\\> option, Passwords and Passphrases
filter BIOs, Filter BIOsFilter BIOs
finalization, Encryption
ForkingSSLServer class (M2Crypto), M2Crypto.SSL
forward secrecy, Keys in the Clear, Ephemeral keying
_fp, appending to DER encoding functions, Writing and Reading DER-Encoded Objects
FQDN (fully qualified domain name), Post-connection assertions
functions for encodings of public key objects
DER format, Writing and Reading DER-Encoded Objects
PEM format, Writing and Reading PEM-Encoded Objects

G

gendh command, Diffie-Hellman
gendsa command, Digital Signature Algorithm, gendsa
generation, checks required with, Generating and Exchanging Parameters
generators, Diffie-Hellman, The Basics, Generating and Exchanging Parameters
genrsa command, RSA, genrsa
GetCurrentThreadId function, Windows, Static Locking Callbacks
get_https( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
Goldberg, Ian, Poor Entropy

H

handle_error( ), The Application(s) to Secure
handshakes, Efficiency
hardware engines, support in OpenSSL, Using Engines
hash mark (#), Configuration Files
hash values, Overview of Hashes and MACs
computing, Hashing with the EVP API
printing in hexadecimal, Hashing with the EVP API
retrieving, Hashing with the EVP API
hashes, Cryptographic hash functions and Message Authentication Codes, Overview of Hashes and MACs
EVP interface, available in, Hashing with the EVP APIHashing with the EVP API
look up, EVP interface, Hashing with the EVP API
message digests, computing, Message Digest Algorithms
password storage, and, Overview of Hashes and MACs
security of, measuring, Overview of Hashes and MACs
use in digital signatures, Overview of Hashes and MACs
head_https( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
hijacking, Goals of Cryptography
HMAC, Using MACsUsing MACs
computing a MAC, Using MACs
M2Crypto EVP interface, and, M2Crypto.EVP
HMAC class (M2Crypto.EVP module), M2Crypto.EVP
HMAC( ), Using MACs
HMAC_cleanup( ), Using MACs
HMAC_CTX_init( ), Using MACs
HMAC_Final( ), Using MACs
HMAC_Init( ), Using MACs
HMAC_Update( ), Using MACs
httplib extensions (Python), Extensions to httplib: httpslib
Hudson, Tim J., OpenSSL Basics

I

I/O (input and output) (see BIO package)
blocking I/O, Blocking I/O
call template, Reading and writing functions
error checking and threads, Reading and writing functions
non-blocking I/O, Non-blocking I/ONon-blocking I/O
over SSL connections, I/O on SSL ConnectionsNon-blocking I/O
i2d_PKCS12_fp( ), Wrapping Information into a PKCS#12 Object
ID strings, OpenSSL-supported hardware and software engines, Using Engines
IDEA cipher, IDEA
id_function( ), Static Locking Callbacks
incremental_encrypt( ), Encryption
incremental_finish( ), Encryption
incremental_send( ), Encryption
initialization vectors (IVs), Basic Block Cipher Modes, Initializing Symmetric Ciphers
init_dhparams( ), The final product
init_keys( ), Secure HTTP Cookies
input and output (see I/O)
integrity, Goals of Cryptography
interactive mode, OpenSSL command-line interface, The Basics
IVs (initialization vectors), Basic Block Cipher Modes, Initializing Symmetric Ciphers

K

Kelloäki, Sampo, Net::SSLeay for Perl
key generation, Diffie-Hellman
keyed hashes (see message digests)
keys, Goals of Cryptography
CAs, legal values for, Building an OpenSSL Configuration File
DER encoding and decoding of, Writing and Reading DER-Encoded ObjectsWriting and Reading DER-Encoded Objects
key agreement, Diffie-Hellman, Diffie-Hellman
key exchange and RSA, Practical Applications
length
default length, checking, Specifying Key Length and Other Options
security, and, Block Ciphers and Stream Ciphers
specifying, Specifying Key Length and Other Options
length and security, Insecure Cryptography
pairs, storage and exchange, Encoding and Decoding Objects
PEM format, encoding and decoding, Writing and Reading PEM-Encoded Objects
securing, Keys in the Clear
security and PRNGs, Random Number Generation
session keys, replacing via renegotiation, SSL Renegotiations
stolen, Bad Server Credentials
keystream, Block Ciphers and Stream Ciphers
keyUsage extension, Certificate ExtensionsCertificate Extensions
common bit settings, Certificate Extensions
key_file (M2Crypto keyword), Extensions to httplib: httpslib

L

libcrypto, error messages, Human-Readable Error Messages
libssl, error messages, Human-Readable Error Messages
line parameter
dyn_create_function( ), Dynamic Locking Callbacks
dyn_destroy_function( ), Dynamic Locking Callbacks
dyn_lock_function( ), Dynamic Locking Callbacks
locking_function( ), Static Locking Callbacks
Linux, Poor Entropy, Client-Side Proxies
(see also Unix)
locks, OpenSSL, Multithread Support
logging, error messages, Human-Readable Error Messages
LOW keyword, Cipher suite selection

M

m2.bio_init( ) (M2Crypto), Low-Level Bindings
M2Crypto, M2Crypto for PythonExtensions to xmlrpclib: m2xmlrpclib
BIO module, M2Crypto.BIO
case-sensitivity, Low-Level Bindings
DH algorithm, and, Miscellaneous crypto
DSA alogorithm, and, Miscellaneous crypto
EVP module, M2Crypto.EVP
symmetric ciphers, encryption and decryption with, M2Crypto.EVP
high-level classes, High-Level Classes
httpslib module, Extensions to httplib: httpslib
low-level bindings, Low-Level Bindings
m2urllib module, Extensions to urllib: m2urllib, Extensions to urllib: m2urllib
m2xmlrpclib module, Extensions to xmlrpclib: m2xmlrpclib
OpenSSL, supported versions, M2Crypto for Python
Python module extensions, Python Module ExtensionsExtensions to xmlrpclib: m2xmlrpclib
Python, supported versions, M2Crypto for Python
RC4 cipher, and, Miscellaneous crypto
RSA algorithm, and, Miscellaneous crypto
SSL module, M2Crypto.SSL
SWIG, supported versions, M2Crypto for Python
versions, M2Crypto for Python
MACs (Message Authentication Codes), Cryptographic hash functions and Message Authentication Codes, Overview of Hashes and MACs, Using MACsUMAC
block cipher MACs, Other MACs
CBC-MAC, CBC-MACCBC-MAC
HMAC, Using MACsUsing MACs
security properties, Other MACs
symmetric encryption, and, General Recommendations
UMAC, UMAC
validating MAC’d data, Using MACs
weaknesses, block-cipher based MACs, CBC-MAC
XCBC-MAC, XCBC-MACXCBC-MAC
XOR-MAC, XOR-MAC
make test script, OpenSSL Basics
make_form( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
make_headers( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
man-in-the-middle attack
public key cryptography, and, Public Key Infrastructure (PKI)
man-in-the-middle attacks, Overview of SSL, Overview of SSL
Certification Authorities, and, Certificate Validation
digital signatures, prevention with, Digital Signature Algorithm (DSA)
OCSP, and, Online Certificate Status Protocol
mathematical operations, functions for, Mathematical Operations
MD5 keyword, Cipher suite selection
MD5, insecurity of, Overview of Hashes and MACs
MDC2 algorithm, Hashing with the EVP API
memory BIOs, Memory sources/sinks
creating, Memory sources/sinks
memory leaks, preventing, Post-connection assertions, Client-side SSL sessions
message digest algorithms, Message Digest AlgorithmsExamples, Seeding the Pseudorandom Number Generator
(see also MACs)
command-line, accessing through, Message Digest Algorithms
message digests, Cryptographic hash functions and Message Authentication Codes, Overview of Hashes and MACs, Secure HTTP Cookies
(see also MACs)
algorithms, supported in OpenSSL, Hashing with the EVP API
EVP_MD objects, Putting it all together
hexadecimal, printing in, Hashing with the EVP API
keyed hashes, Cryptographic hash functions and Message Authentication Codes
sha1 command, Hashing with the EVP APIUsing MACs
MessageDigest class (M2Crypto.EVP module), M2Crypto.EVP
Microsoft
Authenticode certificates, Code-Signing Certificates
certificate revocation lists, and, Certificate Revocation Lists
Internet Explorer and personal digital certificates, Personal Certificates
MIME headers, Secure HTTP Cookies
mode parameter
dyn_lock_function( ), Dynamic Locking Callbacks
locking_function( ), Static Locking Callbacks
mod_ssl, Securing Third-Party Software
msie_hack option, Building an OpenSSL Configuration File
multithread support, OpenSSL, Multithread SupportDynamic Locking Callbacks
mutex parameter, Multithread Support
dyn_destroy_function( ), Dynamic Locking Callbacks
dyn_lock_function( ), Dynamic Locking Callbacks

N

n parameter, locking_function( ), Static Locking Callbacks
nCipher CHIL acceleration hardware, ID string, Using Engines
NCONF interface, Configuration Files
NCONF objects, Configuration Files
NCONF_default( ), Configuration Files
NCONF_get_number( ), Configuration Files
absence of error checking for, Configuration Files
NCONF_get_number_e( ), Configuration Files
NCONF_get_section( ), Configuration Files
NCONF_get_string( ), Configuration Files, Configuration Files
NCONF_load_bio( ), Configuration Files
NCONF_load_fp( ), Configuration Files
testconf.cnf, Configuration Files
Netscape
Netscape Object Signing certificates, Code-Signing Certificates
SSLv2, flaws in implementation, Poor Entropy
risks of supporting, Insecure Cryptography
network attacks, Goals of Cryptography
Net\:\:SSLeay module, Net::SSLeay for PerlNet::SSLeay Low-Level Bindings
current version, Net::SSLeay for Perl
error handling functions, Net::SSLeay Error Handling
global variables, Net::SSLeay Variables
low-level bindings, Net::SSLeay Low-Level Bindings
Perl bindings compared to C functions, Net::SSLeay Low-Level Bindings
read and write bindings, differences from C functions, Net::SSLeay Low-Level Bindings
supported OpenSSL versions, Net::SSLeay for Perl
thread awareness, absence of, Net::SSLeay Low-Level Bindings
utility functions, Net::SSLeay Utility FunctionsNet::SSLeay Utility Functions
Ng Pheng Siong, M2Crypto for Python
NID, Subject name
non-blocking I/O, Non-blocking I/ONon-blocking I/O
non-repudiation, Goals of Cryptography, Non-Repudiation, When to Use Public Key Cryptography
noncritical extensions, Certificate Extensions
nonrandom seeds, risks of, Poor Entropy
nseq command, nseq
Nuron acceleration hardware, ID string, Using Engines

O

OBJ_txt2nid( ), Putting it all together
OCSP (Online Certificate Status Protocol), Bad Server Credentials, Online Certificate Status ProtocolOnline Certificate Status Protocol
public responders, Online Certificate Status Protocol
OFB (Output Feedback) mode, Basic Block Cipher Modes
one-way authenticating key transport, Practical Applications
one-way functions, Cryptographic hash functions and Message Authentication Codes
one-way hash functions (see hashes)
Online Certificate Status Protocol (see OCSP)
OpenBSD operating system kernel level crypto, ID string, Using Engines
OpenPGP, S/MIME
OpenSSL, About This Book, Introduction, OpenSSL Basics
Apache, and, About This Book
API (application program interface), Programming with SSL
for symmetric cryptography, Symmetric Cryptography
API reference documentation web site, About This Book
binding to Perl, Net::SSLeay for PerlNet::SSLeay Low-Level Bindings
building, OpenSSL Basics
C and C++ languages, and, About This Book, OpenSSL Basics
ciphers, supported, Available CiphersRC5™
client certificate presentation, Certificate preparation
command-line interface (see command-line interface)
configuration files, Configuration FilesConfiguration Files
CA (Certification Authority), for, Building an OpenSSL Configuration File
CRLs (Certificate Revocation Lists), functionality in, Incorporating certificate revocation lists
cryptographic acceleration, support for, Using Engines
cryptography library, OpenSSL Basics
default CA certificate locations, Incorporating trusted certificates
directory locations, OpenSSL Basics
EGD support, Using an Alternate Entropy Source
ENGINE object type, Using Engines
error handling, Internal Error HandlingThreading and Practical Applications, Beyond the example
EVP interface, Encrypting with the EVP APIGeneral Recommendations
hashing algorithms, available in, Hashing with the EVP APIHashing with the EVP API
HMAC, Using MACsUsing MACs
key exchange formats, supported in, Encoding and Decoding Objects
key exchange options, Ephemeral keying
libraries, OpenSSL Basics
load-balancing, Version 0.9.7, Load balancing
MACs and Version 0.9.7, Using MACs
multithread support, Multithread SupportDynamic Locking Callbacks
object stacks, handling, Object StacksObject Stacks
online sources of, OpenSSL Basics
openssl executable, The Basics
packages, Support Infrastructure
BIO, Abstract Input/OutputFilter BIOs
BN, Arbitrary Precision MathGenerating Prime Numbers
ERR, Internal Error Handling
passphrase callback function, Certificate preparation
Perl bindings (NET\:\:SSLeay) compared to C functions, Net::SSLeay Low-Level Bindings
PHP, support by, OpenSSL Support in PHPPKCS#7 (S/MIME) Functions
PRNG, seeding of, Poor Entropy
public key algorithms, supported by, Public Key Algorithms
RAND package, Random Number GenerationUsing an Alternate Entropy Source
renegotiations problems in Version 0.9.6, Implementing renegotiations
session caching features, An on-disk, session caching framework, Further notes
(see also under sessions)
symmetric ciphers, supported, Symmetric Ciphers
third-party software, securing, Securing Third-Party Software
thread-local storage, absence of, Threading and Practical Applications
thread-safety, Multithread Support, Threading and Practical Applications
versions, About This Book
openssl.exe, The Basics
OpenSSL_add_all_algorithms( ), Encrypting with the EVP API
OpenSSL_add_all_ciphers( ), Encrypting with the EVP API
OpenSSL_add_all_digests( ), Hashing with the EVP API
OPENSSL_CONF variable and certificate requests, Issuing Certificates
OPENSSL_free( ), The Basics
OPENSSL_malloc( ), The Basics
OpenValidation.org, Online Certificate Status Protocol
open_https( ) (M2Crypto), Extensions to urllib: m2urllib

P

padding, Encryption
pair BIOs, BIO pairs
creating, BIO pairs
SSL engine, and, BIO pairs
passwd_cb( ), Certificate preparation
passwords
command options, Passwords and Passphrases
passwd command, passwd
pass\:<password\\> option, Passwords and Passphrases
symmetric encryption, and, Symmetric Ciphers
pathLenConstraint component (basicConstraints extension), Certificate Extensions
peer authentication, Step 2: Peer AuthenticationFurther extension of the examples
PEM (Privacy Enhanced Mail) format, Encoding and Decoding Objects
function requirements, Writing and Reading PEM-Encoded Objects
OpenSSL functions for, Writing and Reading PEM-Encoded ObjectsWriting and Reading PEM-Encoded Objects
PEM_read_bio_SSL_SESSION( ), Client-side SSL sessions
PEM_read_SSL_SESSION( ), Client-side SSL sessions
PEM_write_bio_SSL_SESSION( ), Client-side SSL sessions
PEM_write_SSL_SESSION( ), Client-side SSL sessions
pem_password_cb( ), Writing and Reading PEM-Encoded Objects
PEM_write_OBJNAME( ), Writing and Reading PEM-Encoded Objects
perfect security, Block Ciphers and Stream Ciphers
Perl, Net::SSLeay Low-Level Bindings
(see also Net::SSLeay module)
EGD, and, Seeding the Pseudorandom Number Generator, Using an Alternate Entropy Source
Net\:\:SSLeay module, Net::SSLeay for PerlNet::SSLeay Low-Level Bindings
personal certificates, Personal CertificatesPersonal Certificates
PGP (Pretty Good Privacy), S/MIME
PHP, OpenSSL Support in PHPPKCS#7 (S/MIME) Functions
array openssl_x509_parse( ), Certificate Functions
returned keys, Certificate Functions
bool openssl_open( ), Encryption and Signing Functions
bool openssl_pkcs7_decrypt( ), PKCS#7 (S/MIME) Functions
bool openssl_pkcs7_encrypt( ), PKCS#7 (S/MIME) Functions
flags, PKCS#7 (S/MIME) Functions
bool openssl_pkcs7_sign( ), PKCS#7 (S/MIME) Functions
flags, PKCS#7 (S/MIME) Functions
bool openssl_pkcs7_verify( ), PKCS#7 (S/MIME) Functions
flags, PKCS#7 (S/MIME) Functions
bool openssl_sign( ), Encryption and Signing Functions
bool openssl_x509_checkpurpose( ), Certificate Functions
encryption functions, Encryption and Signing Functions
int openssl_seal( ), Encryption and Signing Functions
int openssl_verify( ), Encryption and Signing Functions
mixed openssl_error_string( ), General Functions
OpenSSL extension functions, General Functions
X.509 certificates, handling, Certificate FunctionsCertificate Functions
OpenSSL, support of, OpenSSL Support in PHPPKCS#7 (S/MIME) Functions
experimental aspects, OpenSSL Support in PHP
openssl_get_privatekey( ), General Functions
openssl_get_publickey( ), General Functions
openssl_x509_read( ), General Functions
PKCS#7 (S/MIME) functions, PKCS#7 (S/MIME) FunctionsPKCS#7 (S/MIME) Functions
PHP, supporting versions, PKCS#7 (S/MIME) Functions
PRNG seeding, lack of, Encryption and Signing Functions
resource openssl_get_privatekey( ), General Functions
resource openssl_get_publickey( ), General Functions
resource openssl_x509_read( ), Certificate Functions
signing functions, Encryption and Signing Functions
void openssl_free_key( ), General Functions
void openssl_x509_free( ), Certificate Functions
PKCS#12 standard, PKCS#12Importing Objects from PKCS#12 Data
reading file from disk, Importing Objects from PKCS#12 Data
PKCS#7, PKCS#7 and S/MIMESigning and Verifying
flags, PKCS#7 Flags
S/MIME, contrasted with, PKCS#7 and S/MIME
pkcs12 command, pkcs12Options
PKCS12 object, Wrapping Information into a PKCS#12 Object
PKCS12_create( ), Wrapping Information into a PKCS#12 Object
PKCS12_parse( ), Importing Objects from PKCS#12 Data
pkcs7 command, pkcs7
PKCS7_decrypt( ), Encrypting and Decrypting
PKCS7_DETACHED, PKCS#7 Flags
PKCS7_encrypt( ), Encrypting and Decrypting
PKCS7_NOCERTS, PKCS#7 Flags
PKCS7_NOINTERN, PKCS#7 Flags
PKCS7_NOSIGS, PKCS#7 Flags
PKCS7_NOVERIFY, PKCS#7 Flags
PKCS7_sign( ), Signing and Verifying, Signing and Verifying
PKCS7_verify( ), Signing and Verifying
pkcs8 command, pkcs8
PKCS_verify( ), Signing and Verifying
PKey class (M2Crypto.EVP module), M2Crypto.EVP
PKI (Public Key Infrastructure), S/MIME, Public Key Infrastructure (PKI)Revoking Certificates
POSIX systems, static locking callbacks, Static Locking Callbacks
post_connection_check( ), Post-connection assertionsPost-connection assertions, Further extension of the examples
post_https( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
preserveDN option, Building an OpenSSL Configuration File
prime numbers, strong primes, The Basics
print_errs( ) (Net\:\:SSLeay), Net::SSLeay Error Handling
Privacy Enhanced Mail (see PEM)
private CAs (Certification Authorities), Private Certification Authorities
private keys, Public key encryption
CAs, security concerns for, Creating a Self-Signed Root Certificate
private subdirectory, Creating an Environment for Your Certification Authority
PRNGD, Using an Alternate Entropy Source
PRNGs (pseudorandom number generators), Poor Entropy, Random Number Generation
command line, seeding from, Seeding the Pseudorandom Number Generator
EGD socket, seeding via, Using an Alternate Entropy Source
misuses of, Seeding the PRNG
Netscape SSLv2, flaws, Poor Entropy
PHP, absence in, Encryption and Signing Functions
seeding, in OpenSSL, Poor Entropy, Seeding the PRNGUsing an Alternate Entropy Source
prompt key, Creating a Self-Signed Root Certificate
proxies
client-side, Client-Side Proxies
server-side, Server-Side Proxies
pseudorandom number generators (see PRNGs)
public CAs (Certification Authorities), Public Certification Authorities
public exponent, The Basics
public key, Public key encryption
public key cryptography, Public Key CryptographyExamples, Public Key Algorithms
advantages, When to Use Public Key Cryptography
DH (Diffie-Hellman) algorithm, Diffie-HellmanPractical Applications
DSA (Digital Signature Algorithm), Digital Signature Algorithm (DSA)Practical Applications
EVP interface, and, The EVP Public Key InterfaceEncoding and Decoding Objects
man-in-the-middle attack, and, Public Key Infrastructure (PKI)
RSA (Rivest Shamir Adelman) algorithm, RSAPractical Applications
public key encryption, Public key encryptionPublic key encryption
Public Key Infrastructure (see PKI)
public modulus, The Basics
put_https( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
Python, Extensions to xmlrpclib: m2xmlrpclib
(see also M2Crypto)
httplib extensions, Extensions to httplib: httpslib
urllib extensions, Extensions to urllib: m2urllib
xmlrpclib extensions, Extensions to xmlrpclib: m2xmlrpclib

R

rand command, rand
rand option, Seeding the Pseudorandom Number Generator
RAND package, Random Number GenerationUsing an Alternate Entropy Source
RANDFILE environment variable, Seeding the Pseudorandom Number Generator
random number operation, ENGINE_set_default flag, Using Engines
random numbers, Poor Entropy
generating, Random Number Generation
randomize( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
RAND_add( ), Seeding the PRNG, Using an Alternate Entropy Source
RAND_egd( ), Using an Alternate Entropy Source
RAND_egd_bytes( ), Using an Alternate Entropy Source
RAND_event( ), Seeding the PRNG
RAND_load_file( ), Seeding the PRNG
RAND_query_egd_bytes( ), Using an Alternate Entropy Source
RAND_screen( ), Seeding the PRNG
RAND_seed( ), Seeding the PRNG
RAND_write_file( ), Seeding the PRNG
RAs (Registration Authorities), Private Certification Authorities
RC2 cipher, RC2™
RC4 cipher, Insecure Cryptography, Block Ciphers and Stream Ciphers, RC4™
M2Crypto support, Miscellaneous crypto
RC5 cipher, RC5™
rc5 command, Examples
relatively prime numbers, The Basics
renegotiations, Beyond the example, SSL RenegotiationsFurther notes
byte transfer thresholds, Renegotiations in 0.9.7
error conditions arising from, Blocking I/O
OpenSSL, Version 0.9.7, Renegotiations in 0.9.7
session ID context, and, Implementing renegotiations
verification requirements, strengthening for, Implementing renegotiations
replay attacks, Goals of Cryptography
OCSP, and, Online Certificate Status Protocol
req command, Creating a Self-Signed Root Certificate, Creating a Self-Signed Root Certificate, reqNotes
certificates, for issuing, Issuing Certificates
configuration options, Configuration OptionsConfiguration Options
options, OptionsOptions
revocation lists (see under certificates)
revoking certificates, Revoking CertificatesRevoking Certificates
Rijndael cipher, AES
RIPEMD-160
command-line, accessing through, Message Digest Algorithms
Rivest, Ron, RSA
rmd160 command, Message Digest Algorithms
root CAs, Certificate Revocation Lists
creating, Our example extended
root certificates, creating, Creating a Self-Signed Root Certificate
round-robin DNS, Load balancing
RSA (Rivest Shamir Adelman) algorithm, RSA, RSAPractical Applications
blinding, Data Encryption, Key Agreement, and Key Transport
data enveloping, Encrypting and Decrypting
ENGINE_set_defaut flag, Using Engines
key exchange, and, Practical Applications
M2Crypto support, Miscellaneous crypto
padding, Data Encryption, Key Agreement, and Key Transport
RSA structure, The Basics
important members, The Basics
signing and verification, Signing and Verifying
rsa command, RSA, rsa
rsautl command, RSA, rsautl
RSA_blinding_on( ), Data Encryption, Key Agreement, and Key Transport
RSA_check_key( ), Generating Keys
RSA_free( ), Generating Keys
RSA_generate_key( ), Generating Keys
RSA_private_encrypt( ), Data Encryption, Key Agreement, and Key Transport
RSA_public_decrypt( ), Data Encryption, Key Agreement, and Key Transport
RSA_sign( ), Signing and Verifying
RSA_verify( ), Signing and Verifying

S

S/MIME (Secure Multipurpose Internet Mail Exchange), S/MIMEExamples
Certification Authorities, need for, S/MIME
encrypting and decrypting, Encrypting and DecryptingEncrypting and Decrypting
example code, Encrypting and DecryptingEncrypting and Decrypting
PHP, functions in, PKCS#7 (S/MIME) FunctionsPKCS#7 (S/MIME) Functions
PKCS#7, contrasted with, PKCS#7 and S/MIME
signing and encryption combined, Combined Operations
signing and verifying, Signing and VerifyingSigning and Verifying
example code, Signing and VerifyingSigning and Verifying
salt, Symmetric Ciphers, Overview of Hashes and MACs
sealing, Encrypting and Decrypting
secure HTTP cookies, Secure HTTP CookiesSecure HTTP Cookies
Cookie header, Secure HTTP Cookies
decryption and authentication, Secure HTTP Cookies
encrypting and MACing, Secure HTTP Cookies
MIME headers, Secure HTTP Cookies
Set-Cookie header, Secure HTTP Cookies
Secure Multipurpose Internet Mail Exchange (see S/MIME)
secure server certificates, Web Site Certificates
domain names, and, Web Site Certificates
Secure Sockets Layer protocol (see SSL)
seeds, Poor Entropy, Random Number Generation
nonrandom, risks of, Poor Entropy
security when writing to files, Seeding the PRNG
seed_prng( ), Our example extended
self-signed certificates, Certificate Hierarchies
root, creating for, Creating a Self-Signed Root Certificate
server applications, enabling support of SSLv3 and TLSv1, Background
server CA, creating, signing with root, Our example extended
server-side proxies, Server-Side Proxies
Session class (M2Crypto), M2Crypto.SSL
session ID context, SSL Session Caching
renegotiation, and, Implementing renegotiations
sessions, SSL Session Caching, SSL Session Caching
caching, SSL Session CachingAn on-disk, session caching framework
features, An on-disk, session caching framework
framework, external caching, An on-disk, session caching framework
client-side, Client-side SSL sessions
caching, Client-side SSL sessions
default timeout value, Server-side SSL sessions
keys, replacing via renegotiations, SSL Renegotiations
server-side, Server-side SSL sessions
sess_id command, sess_id
setup_client_ctx( ), Our example extended
set_blocking( ), Non-blocking I/O
set_cert_and_key( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
set_nonblocking( ), Non-blocking I/O
sha1 command, Examples, Hashing with the EVP APIUsing MACs
SHA1 message digest algorithm, Message Digest Algorithms, Hashing with the EVP API
Shamir, Adi, RSA
short keys, risks of, Insecure Cryptography
signatures (see digital signatures)
signing files, Message Digest Algorithms
sink BIO, Source/Sink BIOs
small-subgroup attack, Computing Shared Secrets
smime command, S/MIME, smimeNotes
SMIME_read_PKCS7( ), Signing and Verifying, Signing and Verifying, Signing and Verifying
SMIME_write_PKCS7( ), Signing and Verifying, Signing and Verifying
snooping, Goals of Cryptography
socket BIOs, Socket sources/sinks
creating, Socket sources/sinks
software engines, support in OpenSSL, Using Engines
software, code-signing certificates for, Code-Signing Certificates
source BIO, Source/Sink BIOs
source/sink BIOs (see under BIO package)
speed command, speed
spkac command, spkac
spoofing, Goals of Cryptography
SSL (Secure Sockets Layer), About This Book, Introduction, Overview of SSLLoad balancing, Seeding the Pseudorandom Number Generator, SSL/TLS Programming
(see also public key cryptography)
application software flaws, and, Protection Against Software Flaws
BIO specification, Our example extended
certificate preparation, Certificate preparationCertificate preparation
cipher suites, Cipher suite selectionCipher suite selection
drawbacks of, Problems with SSLLoad balancing
efficiency, Efficiency
general data security, and, General-Purpose Data Security
impractical applications of, What SSL Doesn’t Do WellGeneral-Purpose Data Security
incompatibility, UDP and IPX, Other Transport Layer Protocols
input/output methods, specification, Our example extended
load balancing, Load balancing
non-repudiation, and, Non-Repudiation
options, Setting SSL optionsEphemeral keying
programming, Programming with SSL
example applications, The Application(s) to Secure
references, Introduction
sessions (see sessions)
SSL connections, input and output, I/O on SSL ConnectionsNon-blocking I/O
SSL handshake, Certificate verification
SSL object, Background
v2, security flaws, SSL/TLS Programming
Version 2, flaws in, Poor Entropy
risks of supporting, Insecure Cryptography
version selection, Step 1: SSL Version Selection and Certificate Preparation
sslcat( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
SSLeay, OpenSSL Basics, Net::SSLeay for Perl
SSLServer class (M2Crypto), M2Crypto.SSL
SSLv23_method( ), Step 3: SSL Options and Cipher Suites
$ssl_version variable, Net::SSLeay Variables
SSL_accept( ), Our example extended
SSL_connect( ), Our example extended
ssl_context (M2Crypto keyword), Extensions to httplib: httpslib
SSL_CTX objects, Background , Background
trusted certificates, loading to, Incorporating trusted certificates
SSL_CTX_flush_sessions( ), Server-side SSL sessions
SSL_CTX_get_cert_store( ), Incorporating certificate revocation lists
SSL_CTX_load_verify_locations( ), Incorporating trusted certificates, Further extension of the examples
X509_STORE object, and, Incorporating certificate revocation lists
SSL_CTX_sess_set_get_cb( ), An on-disk, session caching framework
SSL_CTX_sess_set_new_cb( ), An on-disk, session caching framework
SSL_CTX_sess_set_remove_cb( ), An on-disk, session caching framework
SSL_CTX_set_cert_verify_callback( ), Certificate verification
SSL_CTX_set_cipher_list( ), Cipher suite selection
SSL_CTX_set_default_passwd_cb( ), Certificate preparation
SSL_CTX_set_default_passwd_cb_userdata( ), Certificate preparation
SSL_CTX_set_default_paths( )
X509_STORE object, and, Incorporating certificate revocation lists
SSL_CTX_set_default_verify_paths( ), Incorporating trusted certificates, Further extension of the examples
SSL_CTX_set_mode( ), Blocking I/O
SSL_CTX_set_options, Background
SSL_CTX_set_session_cache_mode( ), Server-side SSL sessions
SSL_CTX_set_session_id_context( ), Server-side SSL sessions
SSL_CTX_set_timeout( ), Server-side SSL sessions
SSL_CTX_set_tmp_dh( ), Ephemeral keying
SSL_CTX_set_tmp_dh_callback( ), Ephemeral keying
SSL_CTX_set_verify( ), Certificate verificationCertificate verification
flags, Certificate verification
SSL_CTX_set_verify_depth( ), Certificate verification
security vulnerability, Certificate verification
SSL_CTX_use_certificate_chain_file( ), Certificate preparation, Certificate preparation
SSL_CTX_use_PrivateKey_file( ), Certificate preparation, Certificate preparation
SSL_do_handshake( ), Implementing renegotiations
SSL_ERROR_WANT_READ, Blocking I/O
SSL_ERROR_WANT_WRITE, Blocking I/O
SSL_free( ), Our example extended
SSL_get0_session( ), Client-side SSL sessions
SSL_get1_session( ), Client-side SSL sessions
SSL_get_error( ), Reading and writing functions
common return values, Reading and writing functions
SSL_get_peer_certificate( ), Post-connection assertions
SSL_get_session( ), Client-side SSL sessions
SSL_get_shutdown( ), Our example extended
SSL_get_verify_result( ), Post-connection assertionsPost-connection assertions
SSL_load_error_strings( ), Human-Readable Error Messages, The Application(s) to Secure
SSL_METHOD objects and accessor methods, Background
SSL_OP_SINGLE_DH_USE, Ephemeral keying, The final product
conversion, DSA parameters to DH, and, Beyond the example
SSL_read( ), Reading and writing functions
ssl_read_all( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
ssl_read_CRLF( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
ssl_read_until( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
SSL_regenotiate_pending( ), Renegotiations in 0.9.7
SSL_renegotiate( ), SSL Renegotiations, Renegotiations in 0.9.7
SSL_renegotiate_pending( ), Renegotiations in 0.9.7
SSL_SESSION objects, SSL Session Caching
security requirements, An on-disk, session caching framework
SSL_set_bio( ), Our example extended
SSL_set_mode( ), Blocking I/O, Non-blocking I/O
SSL_set_session( ), Client-side SSL sessions
SSL_set_session_id_context( ), Implementing renegotiations
SSL_shutdown( ), Our example extended
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, Beyond the example
SSL_VERIFY_PEER, Further extension of the examples, Beyond the example
SSL_write( ), Reading and writing functions
ssl_write_all( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
ssl_write_CRLF( ) (Net\:\:SSLeay), Net::SSLeay Utility Functions
stacks, Object StacksObject Stacks
generic stack functions, Object StacksObject Stacks
sk_TYPE_dup( ), Object Stacks
sk_TYPE_free( ), Object Stacks
sk_TYPE_insert( ), Object Stacks
sk_TYPE_new_null( ), Object Stacks
sk_TYPE_num( ), Object Stacks
sk_TYPE_pop( ), Object Stacks
sk_TYPE_pop_free( ), Object Stacks
sk_TYPE_push( ), Object Stacks
sk_TYPE_set( ), Object Stacks
sk_TYPE_shift( ), Object Stacks
sk_TYPE_unshift( ), Object Stacks
sk_TYPE_value( ), Object Stacks
sk_TYPE_zero( ), Object Stacks
type safety, macros for, Object Stacks
standard error messages, Human-Readable Error Messages
static keying, Ephemeral keying
static locking callbacks, Static Locking CallbacksStatic Locking Callbacks
POSIX systems, Static Locking Callbacks
Win32 systems, Static Locking Callbacks
static locks, Multithread Support
stdin option, Passwords and Passphrases
stolen keys, Bad Server Credentials
stream ciphers (see under ciphers)
@STRENGTH keyword, Cipher suite selection
strong primes, The Basics
Stunnel, Securing Third-Party SoftwareClient-Side Proxies
subject names, Subject name
subjectAltName extension, X.509 Version 3 extensions
subjectAltName extension, dNSName field, Our example extended, Post-connection assertions
SureWare acceleration hardware, ID string, Using Engines
SWIG, M2Crypto for Python
symmetric ciphers, Symmetric CiphersExamples
command-line access, Symmetric Ciphers
commands, Examples
symmetric cryptography, Symmetric key encryptionSymmetric key encryption, Block Ciphers and Stream Ciphers, General Recommendations
(see also ciphers)
(see also EVP interface)
OpenSSL API for, Symmetric Cryptography
s_client command, s_clientNotes
s_server command, s_serverNotes
s_time command, s_time

T

tampering, Goals of Cryptography
testconf.cnf, Configuration Files
text files, encoding and decoding keys to, Encoding and Decoding ObjectsWriting and Reading PEM-Encoded Objects
DER format, Writing and Reading DER-Encoded ObjectsWriting and Reading DER-Encoded Objects
PEM format, Writing and Reading PEM-Encoded ObjectsWriting and Reading PEM-Encoded Objects
third-party software, securing with OpenSSL, Securing Third-Party Software
thread-local storage, Threading and Practical Applications
thread-safety, OpenSSL, Multithread Support, Threading and Practical Applications
threading, error check calls, Reading and writing functions
ThreadingSSLServer class (M2Crypto), M2Crypto.SSL
THREAD_cleanup( ), Static Locking Callbacks
THREAD_setup( ), Static Locking Callbacks
TLS (Transport Layer Security), About This Book, Introduction, SSL/TLS Programming
tmp_dh_callback( ), The final product
Transport Layer Security protocol (see TLS)
Triple DES cipher, Triple DES
trust, establishing, Public Key Infrastructure (PKI)
trusted certificate files, Incorporating trusted certificates
on multiuser systems, Incorporating trusted certificates
trusted certificates, loading to an application, Incorporating trusted certificates
two-way authenticating key agreement, Practical Applications
two-way authenticating key transport, Practical Applications
two-way authentication, Beyond the example, Practical Applications

U

UDP traffic, encryption of, Handling UDP Traffic with Counter ModeHandling UDP Traffic with Counter Mode
UMAC, UMAC
Unix
config script, OpenSSL Basics
EGADS, entropy harvesting with, Poor Entropy
entropy, sources of, Seeding the PRNG
make test script, OpenSSL Basics
random number seeding, Seeding the Pseudorandom Number Generator
unordered data streams and encryption modes, Handling UDP Traffic with Counter Mode
updating, Encryption
urllib extensions (Python), Extensions to urllib: m2urllib
user identity information, secure transport, PKCS#12

V

verification mode, SSL_VERIFY_PEER, Further extension of the examples
behavior on the server, Further extension of the examples
verify command, verify
verify_callback( ), Further extension of the examples
VeriSign
certificates, as source of, Obtaining a Certificate
code-signing certificates, Code-Signing Certificates
digital ID enrollment, Personal Certificates
web site, Personal Certificates
web site certificates, Web Site Certificates
version command, version

W

Wagner, David, Poor Entropy
web site certificates, obtaining, Web Site Certificates
Win32 systems, static locking callbacks, Static Locking Callbacks
Windows
EGADS, entropy harvesting with, Poor Entropy
entropy gathering functions for, Seeding the PRNG
GetCurrentThreadId, Static Locking Callbacks
OpenSSL, assembly language dependencies, OpenSSL Basics
random number seeding, Seeding the Pseudorandom Number Generator

X

X.509 certificate requests, Generating Requests
X.509 certificates, Generating Requests
format, Certificate Extensions
names, Subject name
programmatic verification, X.509 Certificate CheckingX.509 Certificate Checking
example code, X.509 Certificate CheckingX.509 Certificate Checking
v3 extensions, Certificate Extensions, X.509 Version 3 extensions
assigning certification authority to certificates, Background
specifying in configuration files, Creating a Self-Signed Root Certificate
x509 command, x509Name Options
display options, Display Options
name options, Name Options
options, General Options
signing options, Signing Options
trust options, Trust Options
X509v3_get_ext_by_NID( ), Making Certificates
X509V3_set_ctx( ), Making Certificates
X509_free( ), Post-connection assertions
X509_load_crl_file( ), X.509 Certificate Checking
X509_LOOKUP_file( ), X.509 Certificate Checking, X.509 Certificate Checking
X509_LOOKUP_hash_dir( ), X.509 Certificate Checking
X509_LOOKUP_METHOD object, X.509 Certificate Checking
X509_NAME object, Subject name
X509_NAME_add_entry( ), Putting it all together
X509_NAME_add_entry_by_txt( ), Subject name
X509_NAME_ENTRY objects, Subject name
X509_NAME_entry_count( ), Putting it all together
X509_NAME_ENTRY_create_by_NID( ), Putting it all together
X509_NAME_print( ), Making Certificates
X509_REQ_get_subject_name( ), Making Certificates
X509_REQ_set_pubkey( ), Putting it all together
X509_REQ_verify( ), Making Certificates
X509_STORE object, X.509 Certificate Checking
X509_STORE_add_lookup( ), X.509 Certificate Checking
X509_STORE_CTX object, X.509 Certificate Checking
X509_STORE_CTX_init( ), X.509 Certificate Checking
X509_STORE_load_locations( ), X.509 Certificate Checking
X509_verify_cert( ), X.509 Certificate Checking
X509_V_OK, Post-connection assertions
x509_extensions key, Building an OpenSSL Configuration File, Creating a Self-Signed Root Certificate
XCBC-MAC, XCBC-MACXCBC-MAC
xmlrpclib extensions (Python), Extensions to xmlrpclib: m2xmlrpclib
XOR-MAC, XOR-MAC

Y

Young, Eric, OpenSSL Basics, Net::SSLeay for Perl

Z

Zimmermann, Phil, S/MIME