Re: openssl rsa command

2012-12-05 Thread Christian Hohnstaedt
On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote: > I am trying to change the password of a private key with 'openssl rsa' > command. The original key file, server.key.enc has the following format: > -----BEGIN ENCRYPTED PRIVATE KEY----- > > -----END ENCRYPTED PRIVATE KEY----- This

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-05 Thread Ashok C
Thanks Steve and Kent for the pointers. Makes things clear for now. On Thu, Dec 6, 2012 at 4:22 AM, Dr. Stephen Henson wrote: > On Wed, Dec 05, 2012, Ashok C wrote: > > > Hi, > > > > Our current SSL server loads plain-text private keys using the > > SSL_CTX_use_PrivateKey_file() > > method. We ar

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-05 Thread Dr. Stephen Henson
On Wed, Dec 05, 2012, Ashok C wrote: > Hi, > > Our current SSL server loads plain-text private keys using the > SSL_CTX_use_PrivateKey_file() > method. We are moving from this strategy to use custom encrypted private > keys using the TPM concept. For this, we have an engine implemented. Now > the

Head check on SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option

2012-12-05 Thread no_spam_98
The SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option only affects how the OUTBOUND (i.e. SSL_write) records are split (or not), correct?  It doesn't define any behavior for how the INBOUND records (i.e. SSL_read) should be split (or not), correct? So, it's possible that different sides of an SSL conne

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-05 Thread Kent Yoder
Hi Ashok, On Wed, Dec 5, 2012 at 12:29 AM, Ashok C wrote: > Hi, > > Our current SSL server loads plain-text private keys using the > SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to > use custom encrypted private keys using the TPM concept. For this, we have > an engine i

openssl rsa command

2012-12-05 Thread Alex Chen
I am trying to change the password of a private key with 'openssl rsa' command. The original key file, server.key.enc has the following format: -----BEGIN ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY----- When I used the command "openssl rsa -in server.key.enc -passin pass:ol

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
On Wed, Dec 5, 2012 at 12:18 PM, Jakob Bohm wrote: > On 12/5/2012 5:30 PM, Will Nordmeyer wrote: >> >> On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson >> wrote: >>> >>> On Wed, Dec 05, 2012, Will Nordmeyer wrote: >>> On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson wrote: >

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Jakob Bohm
On 12/5/2012 5:30 PM, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: They are US. gov't certificates & CRLs,

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson wrote: > On Wed, Dec 05, 2012, Will Nordmeyer wrote: > >> On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson >> wrote: >> > On Wed, Dec 05, 2012, Will Nordmeyer wrote: >> > >> >> They are US. gov't certificates & CRLs, so providing them is a l

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Dr. Stephen Henson
On Wed, Dec 05, 2012, Will Nordmeyer wrote: > On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson wrote: > > On Wed, Dec 05, 2012, Will Nordmeyer wrote: > > > >> They are US. gov't certificates & CRLs, so providing them is a little > >> complicated. Before I had the proper root & intermediate CA

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson wrote: > On Wed, Dec 05, 2012, Will Nordmeyer wrote: > >> They are US. gov't certificates & CRLs, so providing them is a little >> complicated. Before I had the proper root & intermediate CAs loaded >> and hashed, I would get errors about missin

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Dr. Stephen Henson
On Wed, Dec 05, 2012, Will Nordmeyer wrote: > They are US. gov't certificates & CRLs, so providing them is a little > complicated. Before I had the proper root & intermediate CAs loaded > and hashed, I would get errors about missing certs in the chain. > Similarly, before I loaded the CRL, it wou

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
They are US. gov't certificates & CRLs, so providing them is a little complicated. Before I had the proper root & intermediate CAs loaded and hashed, I would get errors about missing certs in the chain. Similarly, before I loaded the CRL, it would have issues. The CERTs are in PEM formats, as wel

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Erwann Abalea
OpenSSL 1.0.1 works fine here, both with expired and revoked certificates (i.e. correctly reports the status). Could you share your elements (certs, CRLs)? -- Erwann ABALEA - chlorophytophonie: music for green plants On 05/12/2012 15:11, Will Nordmeyer wrote: Hi, I've done some

Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
Hi, I've done some googling and failed to come up with an answer... I have openssl 1.0.0-25 (also seeing it as 1.0.0-fips) installed on a test server running CentOS 6.3 (2.6.32-279.14.1.el6.x86_64). It is the latest one available from the CentOS repositories. I've downloaded and set up severa