> From: owner-openssl-users On Behalf Of Danyk
> Sent: Tuesday, November 26, 2013 06:07
> I am not using the openssl commandline, I have to use the APIs (the
> openssl.cng is not used/parsed when using APIs, right?)
>
Mostly up to you. If you call the simple wrapper OPENSSL_config(),
or the mo
Assuming this is tomcat with JSSE since tomcat with APR would use the PEM
files:
- you don't actually need the (own) root cert for JSSE server including
tomcat.
A server "MAY" omit the root, if it sends any other chain certs, and tomcat
can.
- if you specify -chain to pkcs12 -export, that
> From: owner-openssl-users On Behalf Of Wubin Cheng
> Sent: Tuesday, November 26, 2013 01:22
> I'm in trouble to use X509_verify and X509_CRL_verify function.
> I create a certificate, then sign it and verify it. Sometimes I would get
> verify failure when I repeat that.
> I checked the public key
Yes, same as for the other ASN.1 primitive types. See
DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING)
in asn1.h which expands to declare i2d_ d2i_ _new _free routines.
(I'm pretty sure) they don't enforce the character set restrictions for T.61,
though,
if you care about that you probably have to do
On 25.11.2013 17:14, Sassan Panahinejad wrote:
> Hi,
>
> I am dealing with a CA certificate bundle, similar to this one:
> https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt,
> like the example, the one I am dealing with was automatically generated
> from Mozilla's ce
hi!
I'm in trouble to use X509_verify and X509_CRL_verify function.
I create a certificate, then sign it and verify it. Sometimes I would get
verify failure when I repeat that.
I checked the public key and the private key were both correct.
the error strings:
error:0407006A:rsa routines:RSA_paddin
I am trying to help a client convert his SSL certificate to a .p12 format so it
can be installed in a Java keystore on a server running Apache. Based on the
various error messages I am getting, I think that the root certificate needs to
be a part of the conversion command (sample shown below):
Hi,
> Thanks for your response. I'm sorry my question wasn't clearly defined
> (it was "will this file work correctly? If so, why?"), but you seem to
> have answered nonetheless, thank you.
>
> As a followup question, is there a way to include these certs in the way
> originally intended by the
> Server side at least it would be theoretically possible: i.e. only choose a
> ciphersuite if TLS v1.2 is negotiated. OpenSSL doesn't support this though.
I didn't think so, thanks. One possibility is to add a construct like
proto?cipher
to the colon-separated list. Any interest in a p
On Mon, Nov 25, 2013, Salz, Rich wrote:
> Is there a way to see something like AES128-SHA is okay with TLSv1.2, but not
> with SSLv3?
>
On the client side there's no way to represent this in the protocol, if you
support SSLv3 and TLS v1.2 then it is assumed that any cipher which can be
legally
I am not using the openssl commandline, I have to use the APIs (the
openssl.cng is not used/parsed when using APIs, right?)
Regarding "the value in an extension is an OCTET STRING containing
the DER of the value, not the value itself", so basically do I need to convert
the string to DER encoded?
Thanks,
Sanjay
> From: owner-openssl-users On Behalf Of shath...@e-z.net
> Sent: Monday, November 25, 2013 19:31
> An RSA cipher algorithm is not a block cipher. It treats the entire
> message as a very big integer. The better way is to use the RSA
> cipher algorithm to transmit some symmetric cipher key for A
The commandline utility 'ciphers' with the -V option (upper case V) displays
details for each selected suite including the minimum protocol version.
The specific case AES128-SHA is SSLv3 or higher. So far the only suites
limited to TLSv1.2
are the ones with SHA-2 (SHA256 or SHA384) MAC or w