Error while verifying X509 certificate

2011-03-17 Thread prk j
Hi, I have the following set of certificates with X509 extensions defined for code signing in PKCS7 format. Root CA - Key usage (critical): Certificate Sign, CRL Sign CVC Sub-CA - Key usage (critical): Certificate Sign, CRL Sign CVC cert - Key usage(critical): Digital Signature, Key Encipherment. E

RE: how to disable data compression

2011-03-17 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of ikuzar > Sent: Wednesday, 16 March, 2011 11:21 (topposting fixed) > 2011/3/15 Dave Thompson > > Option SSL_OP_NO_COMPRESSION is commented as > /* Don't use compression even if supported */ >

RE: verify trusted certificates: ts response

2011-03-17 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Yessica De Ascencao > Sent: Wednesday, 16 March, 2011 16:23 > How can I verify a document that was signed with a certificate of level three. > That is, I have a Root CA, then a certification authority and finally > the c

timestamping DETACHED SMIME

2011-03-17 Thread Christian Weber
Hi all, due to the new streaming support in OpenSSL 1.0.0d the calculations for completing the signature are delayed now. I guess streaming support was meant especially for DETACHED SMIME, but complicates the handling. The PKCS7_sign() routine still does most of the initialization on the p7 stru

RE: Question regarding PKCS7_verify

2011-03-17 Thread prk j
Hi, I am having trouble again with verifying certs in PKCS7 structure. Setting purpose to 'any' using openssl api worked for the very first time. From the second run onwards it keeps throwing error:0B086079:lib(11):fun(134):reason(121) I believe the error is - x509 certificate routines:X509_STOR

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread David Schwartz
On 3/17/2011 7:43 AM, ikuzar wrote: I am confused. When I used a simple C++ program which uses SSL functions for the first time, I need not implement a protocol. When I tell SSL_write( ) to send 5 bytes and tell SSL_read( ) to read 10 bytes, the latter reads 5 bytes! (doesn't it? am I wrong?

Re: Handling Indirect CRL Issuer

2011-03-17 Thread Dr. Stephen Henson
On Thu, Mar 17, 2011, Jeff Saremi wrote: > It looks like we need to support indirect CRL Issuers at least for CRL's > issued for ourselves. > If you don't mind my asking, why do you think you need to do that? I'm curious because so far you're the only person who has needed that functionality an

Re: How can I make CertificateIssuer extension show up in CRL Entries?

2011-03-17 Thread Dr. Stephen Henson
On Thu, Mar 17, 2011, Jeff Saremi wrote: > I'm generating my CRLs using "openssl ca" command. In the CRL entry > extension list, I can see "X509v3 CRL Reason Code" but I'd like to also > include the certificate issuer. (I think this is needed if an issuer > does the issuing indirectly for another

How can I make CertificateIssuer extension show up in CRL Entries?

2011-03-17 Thread Jeff Saremi
I'm generating my CRLs using "openssl ca" command. In the CRL entry extension list, I can see "X509v3 CRL Reason Code" but I'd like to also include the certificate issuer. (I think this is needed if an issuer does the issuing indirectly for another CA). Is there a command line option of config en

Re: Handling Indirect CRL Issuer

2011-03-17 Thread Jeff Saremi
It looks like we need to support indirect CRL Issuers at least for CRL's issued for ourselves. I have done most of the work. It looks like I don't quite know how to generate CRLs with the indirect CRL issuer, or I don't know how to generate the CRL issuer's certificate using the root certificate. So I

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread ikuzar
I am confused. When I used a simple C++ program which uses SSL functions for the first time, I need not implement a protocol. When I tell SSL_write( ) to send 5 bytes and tell SSL_read( ) to read 10 bytes, the latter reads 5 bytes! (doesn't it? am I wrong? I assume SSL reads expect \0 then it st

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread David Schwartz
On 3/17/2011 6:40 AM, ikuzar wrote: Why do we expect \r\n ? why not \0 ? That's why you need to implement a protocol. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread ikuzar
Why do we expect \r\n ? why not \0 ? 2011/3/17 > Hi > > does your server send \r\n with hello? > > i read byte by byte until i found an \r\n > > Regards > Luiz > > > Hello, > > > > In my programm, client send "HELLO" message to server. > > > > 1) > > > ---

Re: Handling Indirect CRL Issuer

2011-03-17 Thread Dr. Stephen Henson
On Thu, Mar 17, 2011, Jeff Saremi wrote: > Does anyone have an example of how an indirect CRL issuer is handled? > This is my understanding of what needs to be done. > If at least someone could verify that, I'd be really appreciative: > > 1. download the CRL > 2. If not indirect, handle as usual (let'

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread luiz
Hi, does your server send \r\n with hello? I read byte by byte until I find an \r\n. Regards Luiz > Hello, > > In my program, the client sends a "HELLO" message to the server. > > 1) > --- > SSL_write is encapsulated in MY_sen

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-17 Thread Dr. Stephen Henson
On Wed, Mar 16, 2011, Jeff Saremi wrote: > So as per previous posts, I implemented lookup_crl(). > Now one of the major problems is what do I return from this method, if > the certificate has no CRL distribution points! > Returning an empty stack causes get_crl_delta() to fail. > Is there a flag t

Re: what does X509_STORE_get1_crls() return and how?

2011-03-17 Thread Dr. Stephen Henson
On Wed, Mar 16, 2011, Jeff Saremi wrote: > If I call X509_STORE_get1_crls(ctx, nm) with nm being the issuer name, > the method is supposed to return a list of CRL's with that issuer name. > How does it do that when it comes to CRLs issued by a CRL issuer > authorized by the original issuer? > Does

Handling Indirect CRL Issuer

2011-03-17 Thread Jeff Saremi
Does anyone have an example of how an indirect CRL issuer is handled? This is my understanding of what needs to be done. If at least someone could verify that, I'd be really appreciative: 1. download the CRL 2. If not indirect, handle as usual (let's pretend for now that we know how to handle these in

Re: data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread David Schwartz
On 3/17/2011 5:00 AM, ikuzar wrote: The problem : when I print data, I have got : HELLO��y0�y 0�y��y i`�0�y ������L���L��-M etc... instead of HELLO. in MYrecv, when I make L = 5, it works what should I do to read just the right size so that when I print I get HELLO, GOODBYE, etc .

data size issue with SSL_read( ) / SSL_write

2011-03-17 Thread ikuzar
Hello, In my program, the client sends a "HELLO" message to the server. 1) --- SSL_write is encapsulated in MY_send( ) function like this : MY_send(MY_cn sd, const char* data, size_t len) { ret = SSL_write(socki->ssl, d

Double-Extensions in X509 Cert

2011-03-17 Thread Gusty
Hi, I have a problem. I create certificates using openssl: I try to use OCSP verification and so I created extensions: x509 -req -CAkey ' . $pathToPrivKey . ' -set_serial ' . $serial . ' -in ' . $csrFile . ' -days ' . $days . ' -out ' . $pathToCert . ' -extfile ' . $th

fatal handshake failure

2011-03-17 Thread Zara Faisal
I've written code for an ssl server that supports multiple clients, but if any 1 of the clients can't authenticate the server, the client sends the following alert message and causes the server to exit, including closing all existing connections the server may have with other clients. *error on clie

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-17 Thread Jeff Saremi
So as per previous posts, I implemented lookup_crl(). Now one of the major problems is what do I return from this method, if the certificate has no CRL distribution points! Returning an empty stack causes get_crl_delta() to fail. Is there a flag that I can setup to let this cert be excluded from CR

what does X509_STORE_get1_crls() return and how?

2011-03-17 Thread Jeff Saremi
If I call X509_STORE_get1_crls(ctx, nm) with nm being the issuer name, the method is supposed to return a list of CRL's with that issuer name. How does it do that when it comes to CRLs issued by a CRL issuer authorized by the original issuer? Does it use Authority Key Identifier? thanks, jeff