> From: owner-openssl-us...@openssl.org On Behalf Of Rajib Karmakar
> Sent: Monday, 19 September, 2011 03:53
> Thanks for your reply. I got the steps I mentioned after some
> googling. But
> those steps are not working. I understand you must be very
> busy, but I am
> stuck into there from then
Nice tip. I'll look into that.
On Thu, Sep 22, 2011 at 4:19 AM, Frank Morgner wrote:
> On Thursday, September 22 at 08:41AM, Dominik Oepen wrote:
> >
> > Am 21.09.2011 23:27, schrieb Chang Lee:
> > > Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> > > DER encoded Seque
On Thu, Sep 22, 2011, Gabriel Marques wrote:
> Thanks Steve and Erwann,
>
> Putting the OCSP response inside a tagged object did the job for
> OpenSSL recognizing the OtherRevocationInfoFormat.
> BouncyCastle also changed the CMS version to 5 automatically when I
> did it, and I've changed the OI
A failed signature verification can have many causes. E.g.,
- bad digest
- bad signature
- bad public key
- bad OID
I debug by doing a raw public key operation on the signature. If you see
obvious padding and a good OID, and the digest doesn't match, then you
have to debug why the hash that wa
Hi,
As far as I know, there is no point going again to the loop when we have
SSL_ERROR_SSL.
Suppose in case of SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE this would
have made sense.
Maybe there is a timeout or watchdog which stops it from consuming a lot of
time and closes the socket.
Since ev
On Thursday, September 22 at 08:41AM, Dominik Oepen wrote:
>
> Am 21.09.2011 23:27, schrieb Chang Lee:
> > Does anyone know of a way to take an ASN1_OCTET_STRING that contains a
> > DER encoded Sequence and extract the contents of the Sequence as an
> > ASN1_STRING. Essentially, I want to constru
rbrahmaa wrote:
>
> Hi All,
>
> I am entirely new to OpenSSL, 0% knowledge of this.
>
> My Requirement is to Parse the *.crt extension certificate and extract all
> the details like issuer, public key,validity details,serial
> no,OU,O,C,Signature Algorithm,subject and display same on the scree
I have attempted several scripts to create a ca and then a client cert p12
bundle. The p12 is then downloaded on an android device, and it seems to be
hit-and-miss. Some certs work, some certs never work. It stops at the point
where the android is importing the cert and asks for the password. There
On Wed, Sep 21, 2011 at 3:48 PM, Thomas J. Hruska
wrote:
> The Register published an article yesterday that some people here might be
> interested in on TLS 1.0 being "cracked":
>
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
>
>
> The Register points their Finger of Blame r
Does the OpenSSL OCSP stack support IPv6 in version 0.9.8r?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager
I have attempted several scripts to create a ca and then a client cert p12
bundle. The p12 is then downloaded on an android device, and it seems to be
hit-and-miss. Some certs work, some certs never work. It stops at the point
where the android is importing the cert and asks for the password. There
I have config TLS on my sendmail server but when i try to verify it i get
this errors:
#openssl verify -CApath /etc/mailcerts/CA -CAfile cacert.pem
openssl s_client -CAfile /etc/mailcerts/cacert.pem -CApath /etc/mailcerts/CA
-connect localhost:25 -starttls smtp
CONNECTED(0003)
depth=0 C = SE
Thanks Steve and Erwann,
Putting the OCSP response inside a tagged object did the job for OpenSSL
recognizing the OtherRevocationInfoFormat.
BouncyCastle also changed the CMS version to 5 automatically when I did
it, and I've changed the OID to the proper one (id-ri-ocsp-response).
Now OpenSS
ASN1_get_object() got the job done. Thanks.
On Thu, Sep 22, 2011 at 1:34 PM, Dr. Stephen Henson wrote:
> On Thu, Sep 22, 2011, Chang Lee wrote:
>
> > Thanks for the info. I'll try to get it to work using ASN1_get_object().
> > Just for my edification, was my approach using the templates and mac
On Thu, Sep 22, 2011, Chang Lee wrote:
> Thanks for the info. I'll try to get it to work using ASN1_get_object().
> Just for my edification, was my approach using the templates and macros not
> a viable option?
>
Well it would work but you'd have to parse the whole structure which isn't
necessar
Thanks for the info. I'll try to get it to work using ASN1_get_object().
Just for my edification, was my approach using the templates and macros not
a viable option?
On Thu, Sep 22, 2011 at 12:22 PM, Dr. Stephen Henson wrote:
> On Thu, Sep 22, 2011, Chang Lee wrote:
>
> > I'm trying to parse the
On Thu, Sep 22, 2011, Chang Lee wrote:
> I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect
> to be a DER encoded SEQUENCE, into an object. I need to do this because I'm
> trying to verify an Authenticode signature. I need to generate a digest of
> the contents of the s
I'm trying to parse the content of an ASN1_OCTET_STRING, which I know/expect
to be a DER encoded SEQUENCE, into an object. I need to do this because I'm
trying to verify an Authenticode signature. I need to generate a digest of
the contents of the signedData sans the type & length bytes. Now gene
On Thu September 22 2011, Chang Lee wrote:
> Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail. As you say, there are templates
> for primitives and I looked
Le 22/09/2011 16:10, Dr. Stephen Henson a écrit :
On Thu, Sep 22, 2011, Erwann Abalea wrote:
[...]
In your examples, you set version to 3.
Based on your parsed example, it seems you correctly set the tag
([1]) for the "crls" element, but you didn't use the good encoding
for the "other" field (
Le 22/09/2011 16:10, Roger No-Spam a écrit :
Hi,
I'm trying to understand if openssl is a good base when implementing a
system that is to be compliant with rfc 5280. Are there any
limitations or missing parts in openssl?
Using OpenSSL, you can implement a system mostly compliant with RFC5280
I have attempted several scripts to create a ca and then a client cert p12
bundle. The p12 is then downloaded on an android device, and it seems to be
hit-and-miss. Some certs work, some certs never work. It stops at the point
where the android is importing the cert and asks for the password. There
I should perhaps mention that the title of rfc 5280 is PKIX Certificate and CRL
Profile.
The system we are implementing is an 'end entity'.
Regards Roger
From: roger_no_s...@hotmail.com
To: openssl-users@openssl.org
Subject: openssl and rfc 5280
Date: Thu, 22 Sep 2011 16:10:12 +0200
Hi
Hi,
I'm trying to understand if openssl is a good base when implementing a system
that is to be compliant with rfc 5280. Are there any limitations or missing
parts in openssl?
Regards Roger
On Thu, Sep 22, 2011, Erwann Abalea wrote:
> Le 21/09/2011 21:20, Gabriel Marques a écrit :
> >I'm developing a tool for signing digital TV apps, and one of the
> >goals was to embed OCSP responses into the CMS signature file of
> >the application.
> >The idea is that the broadcaster equipment wou
On Thu, Sep 22, 2011, Chang Lee wrote:
> Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL
> code, though we're using the 0.9.8 branch, hoping to find a built-in
> primitive SEQUENCE to use but to no avail. As you say, there are templates
> for primitives and I looked at
On Thu, Sep 22, 2011, Dominik Oepen wrote:
>
> However, I'm not exactly sure whether or not the ASN1 subsystem is meant
> to be used outside of OpenSSL. I couldn't find a lot of documentation
> about it and learned how to use it by reading the source. Maybe one of
> the OpenSSL developers could c
Mounir IDRASSI wrote:
> So, an OpenSSL based web server is immune from this attack, unless it
> uses the flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
Which is exactly what Apache and some other popular applications seem to
be doing. Maybe this flag should not be included in SSL_OP_ALL after all.
Reg
Thanks Dominik for the tip. Actually, I have been poring over the OpenSSL
code, though we're using the 0.9.8 branch, hoping to find a built-in
primitive SEQUENCE to use but to no avail. As you say, there are templates
for primitives and I looked at how the PKCS7 was composed from those
primitives
hi i am using openssl 0.9.8g version to verify the Java signed message. while
verifing i got bad signature error how ever the same signature is verified
in the Java correctlu ... erro occur in
if (((unsigned int)sig->digest->length != m_len) ||
(memcmp(m,sig->digest->data,m_len) != 0))
Hi,
You can try this once.
Use socket library connect() to get the connected socket. Then use
BIO_new_socket() and pass the connected socket descriptor.
Then, on the socket BIO you can try BIO_set_nbio() and BIO_do_connect().
With regards,
Nilotpal
On Thu, Sep 22, 2011 at 2:15 PM, A
Hi Wim,
Thanks a lot for your reply. But I am still left with few queries:
1) From your reply, what I understood is that Bio_new_connect() doesn't
support IPv6. But what about other two API's BIO_set_nbio() and
BIO_do_connect() ??. Do these API's support IPv6?
2) Are there any OpenSSL API which ca
Le 21/09/2011 21:20, Gabriel Marques a écrit :
I'm developing a tool for signing digital TV apps, and one of the
goals was to embed OCSP responses into the CMS signature file of the
application.
The idea is that the broadcaster equipment would query the OCSP and
update the response with certain
33 matches
Mail list logo
