During the test of my C code using OpenSSL, I noticed that even though
CA certs were not loaded, SSL verification succeeded unexpectedly.
Attached below is a simplified code that demonstrates what I have been
seeing. I intentionally commented out the section that tries to load
CA certs, but SSL_g
Sorry, but this is just getting more interesting: it seems that the call
fails when I type the right password (within the app, not in my sample).
It is when I typed the wrong password that the call succeeded, but
returned the empty key...
Will keep investigating...
Dirce
> I made some progress.
I made some progress. The call to PKCS12_parse succeeded, but the pkey
returned was NULL. Please see below where I indicated how I created this
.p12 file. I wonder why the PKCS12_parse command can't read its private
key. I keep suspecting permissions, but they seem ok - this app is
running as c
> From: Jakob Bohm [mailto:jb-open...@wisemo.com]
> Sent: Tuesday, November 15, 2011 2:28 PM
>
> On 11/15/2011 11:39 AM, Henrik Grindal Bakken wrote:
> > Jonas Schnelli
> > writes:
> >
> >>> #include
> >>> #include
> >>> #include
> >>>
> >>> char key[20] = { 0 };
> >>>
> >>> int
> >>> main()
>
On Tue, Nov 15, 2011, Tobias Nissen wrote:
> Dr. Stephen Henson wrote:
> > On Tue, Nov 15, 2011, Tobias Nissen wrote:
> >> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
> >> through AnyEvent::TLS². AnyEvent::TLS provides the means to define
> >> a custom verification mechanism by
Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
>> through AnyEvent::TLS². AnyEvent::TLS provides the means to define
>> a custom verification mechanism by setting verify_cb³. Here's an
>> example (keys include
On Tue, Nov 15, 2011, Tobias Nissen wrote:
> Hi,
>
> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through
> AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom
> verification mechanism by setting verify_cb³. Here's an example (keys
> included):
>
> http://past
On Tue, Nov 15, 2011, dricha...@globalcerts.net wrote:
> Hello,
>
> I am maintaining a piece of code that calls PKCS12_parse. It worked with
> an older version of openssl (0.9.8m), but it is not working with version
> 1.0.0
> Here are some clips:
>
> X509 *cert = NULL;
> BIO
Hello,
I am maintaining a piece of code that calls PKCS12_parse. It worked with
an older version of openssl (0.9.8m), but it is not working with version
1.0.0
Here are some clips:
X509 *cert = NULL;
BIO*in = NULL;
STACK_OF(X509) *ca_certs = NULL;
PKCS12
Thank you - that was my problem
On Tue, Nov 15, 2011 at 9:43 AM, Dr. Stephen Henson wrote:
> On Mon, Nov 14, 2011, Kevin Fowler wrote:
>
>> Hi,
>> I successfully built the FIPS 2.0 module (2010), its tests passed, and
>> it was installed correctly in /usr/local/ssl/fips-2.0.
>>
>> I then buil
Hi, Arjun,
For non-blocking case, you have to handle SSL_ERROR_WANT_READ and
SSL_ERROR_WANT_WRITE
In that case you need to redo *SSL_connect.*
Huaqing
On Tue, Nov 15, 2011 at 5:51 AM, Arjun SM wrote:
> Hi all,
> I am a newbie to openssl; any help is greatly appreciated.
>
> I have a requir
Hi,
I'm indirectly using OpenSSL through Net::SSLeay¹, which I use through
AnyEvent::TLS². AnyEvent::TLS provides the means to define a custom
verification mechanism by setting verify_cb³. Here's an example (keys
included):
http://paste.scsys.co.uk/159837
If the custom verification callback de
thank you.
We'll probably switch to OCSP then.
Olivier
2011/11/15 Jakob Bohm :
> The concatenation of two digitally signed CRLs is not a
> valid digitally signed CRL. Some applications may
> happen to have code to explicitly support this hack, but
> that ability could actually be a security hol
On Mon, Nov 14, 2011, Kevin Fowler wrote:
> Hi,
> I successfully built the FIPS 2.0 module (2010), its tests passed, and
> it was installed correctly in /usr/local/ssl/fips-2.0.
>
> I then build openssl 1.0.1 (2010):
>
> ./config fips shared
> make
>
> which all seems to go ok
>
> Then
On 11/15/2011 11:39 AM, Henrik Grindal Bakken wrote:
Jonas Schnelli
writes:
#include
#include
#include
char key[20] = { 0 };
int
main()
{
HMAC_CTX * context;
context = (HMAC_CTX *) malloc(sizeof(*context));
Do you need to malloc the context (a pointer) ?
I don't think so.
Remove
Jonas Schnelli
writes:
>> #include
>> #include
>> #include
>>
>> char key[20] = { 0 };
>>
>> int
>> main()
>> {
>>HMAC_CTX * context;
>>
>>context = (HMAC_CTX *) malloc(sizeof(*context));
>
> Do you need to malloc the context (a pointer) ?
> I don't think so.
> Remove the line?
T
You are getting the question completely wrong!
This is not about CAs issuing partial, incremental and complete CRLs
(something OpenSSL has silly problems with handling). This is about
a user who thought that concatenating CRL files as text would be a
valid way to produce a complete/combined CRL f
The combined crl means a certificate revocation list including all revoked
certificates for the whole (and single) CA and the partitioned one is a
lighter crl limited to a known number of emitted certificates. CAs must publish a
number of partitioned crls that covers all issued certificates and
The concatenation of two digitally signed CRLs is not a
valid digitally signed CRL. Some applications may
happen to have code to explicitly support this hack, but
that ability could actually be a security hole as an enemy
could concatenate an outdated and a current CRL, fooling
such applications
Hi all,
on various sources on the internet I found that it is possible to
concatenate two X509 CRL's together.
cat file1.pem file2.pem > combined.pem
However, if I run
openssl crl -in combined.pem -text -noout
I see only the revoked certificates from file1.pem
Is this not supported? Should I us
Hi all,
I am a newbie to openssl; any help is greatly appreciated.
I have a requirement of fetching the Common name (domain name) from the
certificate that I request from any HTTPS websites. I followed the regular
method of
1. establish a connection with the ip address using *connect() *system c
>
>
>
> #include
> #include
> #include
>
> char key[20] = { 0 };
>
> int
> main()
> {
>HMAC_CTX * context;
>
>context = (HMAC_CTX *) malloc(sizeof(*context));
Do you need to malloc the context (a pointer) ?
I don't think so.
Remove the line?
>
>HMAC_CTX_init(context);
>
I've just started using openssl, and have been having some problems with
valgrind. Here's my distilled test program:
#include
#include
#include
char key[20] = { 0 };
int
main()
{
HMAC_CTX * context;
context = (HMAC_CTX *) malloc(sizeof(*context));
HMAC_CTX_init(context);
Hi Steve,
A Lotus Domino server v8 wants to connect to my postfix like several others
do with client certificate authentication over TLS.
Unfortunately, it fails early on with
warning: TLS library problem: 25785:error:140943E8:SSL
routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1053:SSL alert numb
Hi,
I successfully built the FIPS 2.0 module (2010), its tests passed, and
it was installed correctly in /usr/local/ssl/fips-2.0.
I then build openssl 1.0.1 (2010):
./config fips shared
make
which all seems to go ok
Then I do:
make test
and eventually get this error:
...
Testing key g