The NSS developers (NSS being the library that Firefox uses) have
discussed the concept of "OpenSSL's overspecified Authority Key
Identifier" numerous times. Most recently,
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/2ac539b4447c58cd?pli=1
has the main NSS developer's (Nelson Bolyar
Hello,
I am compiling OpenSSL FIPS-1.2 natively on PPC, the build blocks forever at
:-
+ /bin/rm -f ./libcrypto.so.0.9.8
+ gcc /fips-lib///fipscanister.o /fips-lib/fips_premain.c -fPIC
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_ERR -DB_ENDIAN
-DTERMIO -O3 -Wall -DOPENSSL_NO_CAMELLI
Great, just great.
My changes worked for IE, but not for Firefox.
Apparently, Firefox does more stringent checking than IE, and indeed,
than OpenSSL s_client ... (which gives a nice cert chain).
-Original Message-
From: Rene Hollan
Sent: Thursday, March 12, 2009 6:34 PM
To: 'openssl-u
Sigh.
Well, I added the intermediate CA to the cert chain sent by my proxy
(and verified this with wireshark).
OpenSSL s_client -CAfile cacert.pem -host login.yahoo.com -port 443
works and shows the trust chain.
But, Firefox, with cacert.pem loaded into its trust store still
complains. :-(
True, but (a) it doesn't hurt to have both, and (b) if the issuer
doesn't have a SKID, AKID issuer/serial takes the place of an AKID
keyid.
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, Mar
Yup. That fixed it. At least as far as openssl verify -CAfile
cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.
Oddly, firefox still rejects the end cert, even though both cacert.pem
and intcert2.pem are in its trust store. Is it possible that browsers
actually ignore intermediate CA certs i
Sincerely,
Giang Nguyen
> Date: Fri, 13 Mar 2009 00:22:56 +0100
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Can't recognize intermediate CA
>
> On Thu, Mar 12, 2009, Rene Hollan wrote:
>
>> Yeah, I just noticed that.
On Thu, Mar 12, 2009, Rene Hollan wrote:
> Yeah, I just noticed that.
>
> I've been comparing how my intermediate CA resigned an existing cert
> (it's part of a proxy that decrypts, examines, and reencrypts -- the
> downstream client sharing a trust hierarchy with the intermediate
> "resigning" C
Yeah, I just noticed that.
I've been comparing how my intermediate CA resigned an existing cert
(it's part of a proxy that decrypts, examines, and reencrypts -- the
downstream client sharing a trust hierarchy with the intermediate
"resigning" CA) with what "OpenSSL ca ..." does.
OpenSSL ca ... ac
>> I used openssl with the intermediate CA to sign a separate cert, which
>> had an AKID keyid but no issuer, and that chain recognizes fine.
>>
>> Could the problem be the fact that yahoo.pem has an AKID keyid AND
>> issuer? (one or the other is sufficient, but I could find nothing that
>> said th
> I used openssl with the intermediate CA to sign a separate cert, which
> had an AKID keyid but no issuer, and that chain recognizes fine.
>
> Could the problem be the fact that yahoo.pem has an AKID keyid AND
> issuer? (one or the other is sufficient, but I could find nothing that
> said that bo
> I tried it with no (i.e. infinite) pathlen specified in cacert.pem. Same
> effect.
>
> Am I wrong in understanding that pathlen:0 implies no intermediate CAs
> and pathlen:1 implies at most one intermediate CA (as is the case here)?
I believe you're right: the pathlen isn't the problem. (I just
I tried it with no (i.e. infinite) pathlen specified in cacert.pem. Same
effect.
Am I wrong in understanding that pathlen:0 implies no intermediate CAs
and pathlen:1 implies at most one intermediate CA (as is the case here)?
I used openssl with the intermediate CA to sign a separate cert, which
h
the cacert has pathlen:1 in its "X509v3 Basic Constraints"
> Subject: Can't recognize intermediate CA
> Date: Thu, 12 Mar 2009 15:00:47 -0700
> From: rene.hol...@watchguard.com
> To: openssl-users@openssl.org
>
> I'm tearing my hair out trying to get an in
I'm tearing my hair out trying to get an intermediate CA to be
recognized.
I have cacert.pem signing intcert.pem signing (well, resigning),
yahoo.pem
Openssl verify verifies intcert.pem against cacert.pem, but won't
verify yahoo.pem against intcert.pem.
Subject/issuer match. AKID dirname and is
Arg can't even get end cert to paste in email window. Trying once more:
Corrected yahoo.pem:
> From: owner-openssl-us...@openssl.org On Behalf Of brechmos
> Sent: Thursday, 12 March, 2009 08:25
> I am relatively new at openssl and am just figuring out its
> power. One thing
General suggestion: for any of the openssl commandline
functions, you can get a brief usage display by adding -?
On Thu March 12 2009, The Doctor wrote:
> On Thu, Mar 12, 2009 at 11:58:34AM -0500, Michael S. Zick wrote:
> > On Thu March 12 2009, The Doctor wrote:
> > > On Wed, Mar 11, 2009 at 11:51:23AM +0100, Ger Hobbelt wrote:
> > > > On Tue, Mar 10, 2009 at 8:02 PM, The Doctor
> > > > wrote:
> > > > > Th
On Thu, Mar 12, 2009 at 11:58:34AM -0500, Michael S. Zick wrote:
> On Thu March 12 2009, The Doctor wrote:
> > On Wed, Mar 11, 2009 at 11:51:23AM +0100, Ger Hobbelt wrote:
> > > On Tue, Mar 10, 2009 at 8:02 PM, The Doctor
> > > wrote:
> > > > This is happening again
> > >
> > > Holy (beep)!
> >
On Thu March 12 2009, The Doctor wrote:
> On Wed, Mar 11, 2009 at 11:51:23AM +0100, Ger Hobbelt wrote:
> > On Tue, Mar 10, 2009 at 8:02 PM, The Doctor
> > wrote:
> > > This is happening again
> >
> > Holy (beep)!
> >
> > ... would you do me a favor, please? (and maybe make some others
> > h
Hello everybody
I'm doing code with the ECDSA library. I would like to put an EC_KEY
in a file, copy the file to another computer, then load this file and
find again my EC_KEY.
I don't know which functions of openssl to use to pack the EC_KEY
structure in a binary format and then unpack it to reco
On Wed, Mar 11, 2009 at 11:51:23AM +0100, Ger Hobbelt wrote:
> On Tue, Mar 10, 2009 at 8:02 PM, The Doctor wrote:
> > This is happening again
>
> Holy (beep)!
>
> ... would you do me a favor, please? (and maybe make some others
> happy in the process as well)
>
> I love an essay, but let's
On Thu, Mar 12, 2009, ABDUL BASIT wrote:
> Kyle, Thanks for quick reply.
>
> my understanding is that the openssl fips-1.2 build will also produce the
> shared libraries
> (libssl.so.0.9.8 and libcrypto.so.0.9.8) that includes this resultant
> fipscanister.o,
> so I would just need to link agains
Kyle, Thanks for quick reply.
my understanding is that the openssl fips-1.2 build will also produce the
shared libraries
(libssl.so.0.9.8 and libcrypto.so.0.9.8) that includes this resultant
fipscanister.o,
so I would just need to link against the resultant shared libraries ??
- Basit
On Thu, M
There is no prerequisite (other than compiler and development
environment) for building FIPS 1.2.
You *MUST* have OpenSSL 0.9.8j or later to build a version of openssl
that includes the resultant fipscanister.
-Kyle H
On Thu, Mar 12, 2009 at 8:06 AM, ABDUL BASIT wrote:
> Hello,
>
> is there any
Hello,
is there any requirement that a particular version of openssl must be
installed on the host where
you are compiling openssl FIPS 1.2?
I am trying to compile openssl FIPS 1.2 natively on powerpc, and I have
openssl 0.9.8g on this system.
I am following the build instructions in user guide (
I am relatively new at openssl and am just figuring out its power. One thing
I do not understand is the key creation. For example,
$ openssl des3 -nosalt -P -in bob.txt
and I type in the password 1234 (not my normal password :-) and it comes up
with:
Verifying - enter des-ede3-cbc encryption
Thank you all again for your valuable information. I have been working
with our system administrators on the point of running make install with
sudo privileges, they are recalcitrant in allowing me to put software
into the machine that I cannot give them exact instructions on how to
build on th
Hi Steffen:
On March 12, 2009 06:41:33 am Steffen Fiksdal wrote:
> Hi!
>
> I am currently looking into the usage of EKU's for CA certificates and
> hope someone of you guys can help me.
>
> Given the following scenario:
> 1) A CA certificate with EKU "Client Authentication".
This would mean that t
Hi!
I am currently looking into the usage of EKU's for CA certificates and
hope someone of you guys can help me.
Given the following scenario:
1) A CA certificate with EKU "Client Authentication".
2) An enterprise certificate issued by the CA certificate in 1) with EKU
"Client Authentication"
This is the build script I have used to build the openssl fips 1.2 and
openssl 9.8j . try this and let me know if this help you.
#!/bin/ksh
SOURCEDIR=$(pwd)
SOURCE0=$SOURCEDIR/openssl-fips-1.2.tar.gz
SOURCE1=$SOURCEDIR/openssl-0.9.8j.tar.gz
function openssl_fips_workaround_object_
Jeremy Regan wrote:
Hello,
I was able to build the FIPS 1.2 software successfully using
./config --prefix=/apps/fips_build/fips-1.2-install fipscanisterbuild
no-asm
make
make install
Standard nag: you built it successfully in the sense that it compiled
and linked without error, but you can
Kyle Hamilton wrote:
It was my mistake, I had misunderstood that DES itself was not allowed
and therefore derivatives of it were not allowed either.
While 3DES is currently legal we can expect it to be phased out at some
point just as plain DES has been, so AES is the better choice where yo