RE: human readable certificate verify error messages?

2010-05-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton > Sent: Saturday, 29 May, 2010 14:24 > Don't forget to call SSL_load_error_strings() and > CRYPTO_load_error_strings() just after you initialize the library for > this to work. 1. There is no CRYPTO_load_error_strings. There is E

RE: Openssl req command

2010-05-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jamrock > Sent: Sunday, 30 May, 2010 06:35 > In the past I have created my certificates as follows: > /etc/pki/tls/misc/CA -newca > > openssl req -newkey rsa:2048 -nodes -keyout newreq.pem -out newreq.pem > > /etc/pki/tls/misc/CA -sign > > T

RE: How to make a legit CA cert?

2010-05-31 Thread Thomas Hardjono
Back it up with a strong Certificate Practices Statement (CPS): https://www.verisign.com/repository/cps/index.html (Also some lawyers :) /thomas/ - hardjono[AT]mit.eu > -Original Message- > From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of D

Re: TLS version on openssl

2010-05-31 Thread Dr. Stephen Henson
On Mon, May 31, 2010, Aravind GJ wrote: > Hi, > > I am trying to use openssl in a client for communicating using TLS v1.2 > protocol. > > The openssl home page mentions about TLSv1 but no mention about 1.1 or 1.2. > > Is TLS V1.2 supported in openssl? (I am using openssl-1.0.0 version) > Open

TLS version on openssl

2010-05-31 Thread Aravind GJ
Hi, I am trying to use openssl in a client for communicating using the TLS v1.2 protocol. The openssl home page mentions TLSv1 but makes no mention of 1.1 or 1.2. Is TLS V1.2 supported in openssl? (I am using openssl-1.0.0 version) Regards Aravind GJ

x509v3: length of extension field

2010-05-31 Thread Leon Winter
Hi, securely verifying the CN of an x509 cert seems to be pretty easy, since the length of the CN field is returned by X509_NAME_get_text_by_NID(). Unfortunately the length of single fields in the x509v3 extension are not returned. Assuming a value contains a NUL-character, we cannot distinguish b

Re: Valid TSA certificate

2010-05-31 Thread Kyle Hamilton
Most of the commercial CAs won't issue a timestamping certificate, because it would be too easy to forge a time in the past. Thawte, Verisign, and Startcom all offer their own timestamping services, which are accurate (within the tolerances of GPS and NTP). Startcom's timestamping server is locat

Valid TSA certificate

2010-05-31 Thread Māris Ruskulis
Hello! Our company is currently implementing a TSA (Time Stamp Authority) service. And now we are searching for a CA (Certification Authority), which could issue a certificate with intended usage: Timestamping. I contacted a few CAs, but they offer just Digital ID certificates, and know nothing about T