> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Wednesday, 07 March, 2012 05:33
> While setting up the TLS session I am facing the below error.
>
> TLS Alert Level: Fatal, Description: Unable to verify leaf
> signature (21)
>
> I created the chained certificate like below:
I just put together a mini workstation intended to run a VPN
gateway/firewall that uses a Via Nano X2 CPU. From what I've read,
Padlock (Via's hardware encryption) support should be working out of
the box. So, I set out to benchmark the engine on 32-bit Ubuntu 10.04
using their default OpenSSL 0.9.
Steve,
First let me clarify that it isn't my intent to challenge OpenSSL
validation. In fact the reason I started down this path is because I have a
product that uses v1.2 and needs to claim FIPS compliance. I cannot
legitimately make that claim if v1.2 is not listed.
However I have sent a query
On 03/08/2012 06:09 PM, Ashit Vora wrote:
> Regarding the certificate, it will never be updated. Whenever the CMVP
> updates a listing because of a change letter process (IG G.5 scenario 1)
> they only update the website listing. They never update the certificate.
> The understanding is that the we
On Thu, Mar 08, 2012, David Holmes wrote:
> I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
>
> s_server is complaining of an unknown extension (see debug output below).
>
> Openssl 0.9.8h works just fine though.
>
> Is this a known issue?
>
There was an issue re
On 03/08/2012 11:05 PM, David Holmes wrote:
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Openssl 0.9.8h works just fine though.
Is this a known issue?
127.0.0.1 is not a valid serverna
Regarding the certificate, it will never be updated. Whenever the CMVP
updates a listing because of a change letter process (IG G.5 scenario 1)
they only update the website listing. They never update the certificate.
The understanding is that the website listing supersedes the certificate.
Please s
On 03/08/2012 05:12 PM, Steve Marquess wrote:
> On 03/08/2012 04:05 PM, Ashit Vora wrote:
>> Thanks Steve. This makes sense (i.e. newer versions subsuming older
>> versions).
>>
>> However given that 1.2 is no longer listed on the NIST website, that
>> version can no longer be considered FIPS valid
On 03/08/2012 04:05 PM, Ashit Vora wrote:
> Thanks Steve. This makes sense (i.e. newer versions subsuming older
> versions).
>
> However given that 1.2 is no longer listed on the NIST website, that
> version can no longer be considered FIPS validated. This is an issue for
> deployed products that
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Openssl 0.9.8h works just fine though.
Is this a known issue?
./openssl s_server -key src/data/server.key -cert src/data/server.crt
-tlsextde
> None of the above ;-)
>
> If you have the CHIL ENGINE you load a private key using
> ENGINE_load_private_key() and pass the appropriate ENGINE pointer and the name
> of the key which will presumably be "rsa-test".
>
> That will get you an EVP_PKEY pointer which you can pass to
> SSL_CTX_use_Pr
Hi Sander,
Thank you for your elaborate response. It has helped me a great deal.
A follow-up question-
> fookey
> fookey_certreq
> fookey_selfcert
>
> The first one looks a lot like a private key, but it is a dummy key. This is
> the key file you pass to the OpenSSL library. It looks so muc
On Thu, Mar 08, 2012, Nou Dadoun wrote:
> Thanks for the response, I'm trying to allow end-users to use commercially
> purchased certificates so I'd rather not make the assumption that the key is
> exportable.
>
> Using the capi engine sounds like a viable alternative, but I've had trouble
> t
Thanks Steve. This makes sense (i.e. newer versions subsuming older
versions).
However given that 1.2 is no longer listed on the NIST website, that
version can no longer be considered FIPS validated. This is an issue for
deployed products that have depended on v1.2 for FIPS compliance.
-Ashit
On
On 03/08/2012 01:43 PM, Ashit Vora wrote:
> Hello,
>
> I searched the archives but did not find the answer to this question.
>
> What is the reason OpenSSL FIPS Object Module v1.2 is no longer listed
> as FIPS validated? It seems only v1.2.3 is now listed:
That's because the original validation
Thanks for the response, I'm trying to allow end-users to use commercially
purchased certificates so I'd rather not make the assumption that the key is
exportable.
Using the capi engine sounds like a viable alternative, but I've had trouble
tracking down details on how to use it.
Unfortunately
Hello,
I searched the archives but did not find the answer to this question.
What is the reason OpenSSL FIPS Object Module v1.2 is no longer listed as
FIPS validated? It seems only v1.2.3 is now listed:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm#1051
Thanks in advance!
Hi,
We are using openssl1.0.0g for Windows. But when we tried to use same
for Linux, we are running into issue while compiling SSL module. And we
found that the issue in Apache2.0.63 and openssl1.0.0g integration
http://serverfault.com/questions/159883/installing-apache-with-openssl
Mohamed Riyazudeen Kandrath Mohamed Ibrahim would like to recall the
message, "OpenSSL for Linux".
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users
Hi All,
Please let me know if there is an API that will resume the session without
going through the handshake process again (the session might have broken
down due to unplugging of LAN cable etc.)
Thanks,
Gayathri
Hi,
We are using openssl1.0.0g for Windows. But when we tried to use same
for Linux, we are running into issue while compiling SSL module. And we
found that the issue in Apache2.0.63 and openssl1.0.0g integration
http://serverfault.com/questions/159883/installing-apache-with-openssl
Hi,
I want to enable HTTPD to support multi-layer certificates (ca chain).
I had 2 options
Option 1:
We can configure SSLCertificateFile (EE file) and
SSLCertificateChainFile (CA Chain)
Option 2:
We can configure SSLCertificateFile (EE+CA Chain)
When we tested we found that Option 2 worked and Op