From the SSL_get_error() man page:
The current thread's error queue must be empty before the TLS/SSL I/O
operation is attempted, or SSL_get_error() will not work reliably.
And don't
When dealing with the high level SSL_* functions, stick with
SSL_get_error() as per s_client.c and s_server.c.
If you are doing things on a lower level, you may need to deal with
the error stack yourself; but for people new to OpenSSL, just stick
with functions starting with SSL_* or BIO_*
On Fri
I should have mentioned ERR_get_error() in my question, that's what's
most heavily on my mind. The question is if you have to call clear the
error stack with ERR_get_error() after every failed SSL call, even
failures that are often "not really failures." For example, my code
considered SSL_read() r
Patrick,
I believe the "sane state" implied here is that if you call
SSL_get_error() some of the time and not all of the time, you may be
getting information about errors that happened any time in the past
for that SSL*. It won't necessarily prevent OpenSSL from working
correctly, just your perce
As an OpenSSL newbie, I'm troubled that the man pages for SSL_write()
and SSL_read() don't stress that you should clear the error stack upon
a failed call. They suggest you check SSL_get_error(), but they make
no mention of clearing the error stack afterward, and I hear that
clearing the error stack
On Fri, Feb 12, 2010 at 01:04:01PM -0700, Thomas J. Hruska wrote:
> Roger Cruz wrote:
>> I posted the following message in the stunnel group. I'm following that
>> posting here because I believe this may be an issue with the underlying
>> library which is OpenSSL. Is there a known issue with cer
Roger Cruz wrote:
I posted the following message in the stunnel group. I'm following that
posting here because I believe this may be an issue with the underlying
library which is OpenSSL. Is there a known issue with certificates for
version 0.9.8b that you are aware of? What version of OpenSSL con
On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote:
> (So DER encoding is used, and it is allowing 128 byte long
> length fields allowing 2^1024 [a number taking four and a half
> line in xterm because 309 decimal digits long] bytes long value
> fields sufficient to enumerate
* Victor Duchovni wrote on Fri, Feb 12, 2010 at 14:20 -0500:
> The limit is not (only?) an X.509 limit, rather the SSL/TLS
> record layer cannot carry messages larger than 2^14 bytes (plus
> some overhead for compression algorithms which provably need to
> be able to make some records larger in ord
On Fri, Feb 12, 2010 at 12:41:16PM +0100, Steffen DETTMER wrote:
> * Victor Duchovni wrote:
> > The SSL/TLS record layer has a maximum record size, a
> > certificate probably needs to fit into one record, so if your
> > 500+ domains generate a certificate that is larger than ~16K
> > bytes, you ma
I posted the following message in the stunnel group. I'm following that
posting here because I believe this may be an issue with the underlying
library which is OpenSSL. Is there a known issue with certificates for
version 0.9.8b that you are aware of? What version of OpenSSL contains the
fix if the
I believe it's an X.509v3 limitation and not specific to OpenSSL.
After getting Victor's hint I did a little research and found that the
limitation is set at 2^14.
Ron
Steffen DETTMER wrote:
>
> * Victor Duchovni wrote:
>> The SSL/TLS record layer has a maximum record size, a
>> certificate pr
On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> Is there a way (via the API rather than the tool) to tell OpenSSL that
> the sub-CA certificate is trusted and it doesn't need to walk further
> up the chain? For my case, I embed the sub-CA certificate in my code
> and I'm space constrained so I'd
* Victor Duchovni wrote:
> The SSL/TLS record layer has a maximum record size, a
> certificate probably needs to fit into one record, so if your
> 500+ domains generate a certificate that is larger than ~16K
> bytes, you may be out of luck.
(I just ask for curiosity, not because I have any problem
That was it. One @ 13k works and one @18k doesn't. Thanks Victor.
Ron
Victor Duchovni wrote:
>
> On Wed, Feb 10, 2010 at 03:23:03PM -0800, rono16 wrote:
>
>>
>> I am using OpenSSL to create a self sign certificate and have a need to
>> add
>> approximately 4000, yes 4000, DNS entries (don't
On Thu, Feb 11, 2010 at 1:31 PM, wrote:
> I have a DER-encoded PKCS#7 file that I'd like to extract the
> certificate from, verify that certificate against a specific sub-CA
> certificate, then use the certificate's public key to verify a
> signature.
>
> I looked at the code for the pkcs7 tool a