Hi folks -
I've been struggling mightily with attempting to generate signatures for
arbitrary payload in a correct and consistent fashion. I've managed to
generate (some kind of) signature in C, and in Python (the two languages I
have to exchange between), both are validated by the openssl dgst c
On Tue, Jan 7, 2014 at 12:58 AM, Jeffrey Walton wrote:
> On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
> wrote:
>> On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
>>
>>> I can't seem to find information on using the hostname and email
>>> verification functionality.
>>>
>>> *
On Mon, Jan 6, 2014 at 11:48 PM, Viktor Dukhovni
wrote:
> On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
>
>> I can't seem to find information on using the hostname and email
>> verification functionality.
>>
>> * SSL_CTX_set_verify does not discuss it
>> * www.openssl.org/d
On Mon, Jan 06, 2014 at 08:49:15PM -0500, Jeffrey Walton wrote:
> I can't seem to find information on using the hostname and email
> verification functionality.
>
> * SSL_CTX_set_verify does not discuss it
> * www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
> * No mention if it was rol
I can't seem to find information on using the hostname and email
verification functionality.
* SSL_CTX_set_verify does not discuss it
* www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
* No mention if it was rolled into SSL_VERIFY_PEER
* s_client does not have any new switches
* no
Can anyone confirm that ENGINE_rdrand is no longer a default engine
(if available).
The change log does not mention it.
http://www.openssl.org/news/changelog.html (the ENGINE is not
mentioned anywhere, including the change from 1.0.1e).
Thanks in advance.
You might want to ask the CAcert folks what they do. I generate certs
thru them with SANs all the time.
--
Harlan Stenn
http://networktimefoundation.org - be a member!
__
OpenSSL Project http://
I am using 'ca' not 'x509'. It too ignores/discards extensions. Turning on
copy_extensions solved the issue though, thanks. I have some follow-up
questions:
1. If including SANs in CSRs is non-standard, what is the accepted way of
passing all the metadata you want to an authority to con
On Mon, Jan 06, 2014 at 09:16:16PM +, Biondo, Brandon A. wrote:
> I am having trouble tracking down information regarding how you
> reconfigure an OpenSSL CA to handle SANs in requests. When you use
> an OpenSSL CA to sign this type of request, the certificate is made
> without issue but the S
1: 0.9.8a is VERY old, and contains quite a few security flaws that have
been fixed since.
Even if your application(s) can't accept the fairly small changes needed to
move to 1.0.0 or better 1.0.1, try at least to move up to or near 0.9.8y.
2: whenever you get ERROR_SYSCALL you should always
To be certain I'm clear, since your terminology is a bit unusual:
you have a server application using openssl library (libssl), which
has a cert that was issued by a CA using intermediate certs.
The prover (server in nearly all cases, client in rare cases)
per RFC MUST send the full chain exc
It is debatable whether putting SAN in the request is really 'proper';
I don't know of any 'real' (public) CA that accepts it that way.
But for openssl:
If you are using 'ca', set copy_extensions in the config file. See the man
page.
If you are using 'x509 -req', that ignores/discards ex
On Jan 5, 2014, at 11:49 AM, Alan D. Cabrera wrote:
> I've created a public key file using the following commands:
>
> openssl genrsa -out mykey.pem 2046
> openssl rsa -in mykey.pem -pubout > mykey.pub
>
> I then read it from some C code:
>
> public_key = PEM_read_RSA_PUBKEY(fp, NULL, NULL, N
Hello,
Forgive me if I breach etiquette. This is my first post to this list in quite a
while.
I am having trouble tracking down information regarding how you reconfigure an
OpenSSL CA to handle SANs in requests. There is a wealth of information on how
to configure OpenSSL to form a proper requ
On Mon, Jan 06, 2014 at 12:31:35PM -0800, Gammadyne wrote:
> I just tried 1.0.1f and the problem that I reported in May 2012 is still
> present.
>
> If you want to try it for yourself, try sending an email over SSL to
> nob...@cetest.nl
>
> To summarize, after the AUTH LOGIN command is sent, Ope
*) Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in openssl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
functions. Add manual page.
[Florian
I just tried 1.0.1f and the problem that I reported in May 2012 is still
present.
If you want to try it for yourself, try sending an email over SSL to
nob...@cetest.nl
To summarize, after the AUTH LOGIN command is sent, OpenSSL will produce
this error:
error:1408F10B:SSL routines:SSL3_GET_RECORD
Hi all.
It seems subj is not present in OpenSSL as implementation or any helper
functionality.
At the moment I have no deep understanding of both MSS and OpenSSL
design, but I'd like to know qualified opinions: is there a possibility
for adding MSS implementation to OpenSSL? If yes, I could wor
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenSSL version 1.0.0l released
===
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.0l of our open source
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenSSL version 1.0.1f released
===
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.1f of our open source
On Sun, Jan 05, 2014, Alan D. Cabrera wrote:
> I've created a public key file using the following commands:
>
> openssl genrsa -out mykey.pem 2046
> openssl rsa -in mykey.pem -pubout > mykey.pub
>
> I then read it from some C code:
>
> public_key = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL);
>
Hey
After successfully building openssl 32-bit for HPUX, I'm now trying to build
the 64-bit version (hpux64-parisc2-cc).
But I have this error crypto/dso/dso_dlfcn.c:
cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include
-DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H +DD64 +O3
+Optrs_strongl
On Mon, Jan 06, 2014 at 09:02:22AM +0100, Dereck Hurtubise wrote:
> There is currently a parsing bug when converting from PEM to DER.
> I encountered this as well, but with DSA keys.
> I suppose the same bug occurs with RSA keys.
No.
> > public_key = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL);
>
Hello Steve,
Thanks for your clear answer.
Regards,
Thomas.
Re: Delete (not display) header after decryption of p7m file.
(Internet)
steve
To:
openssl-users
04/01/2014 03:29
Sent by: owner-openssl-us...@openssl.org
Please reply to openssl-users
On Fri, Jan 03, 2014, thoma
There is currently a parsing bug when converting from PEM to DER.
I encountered this as well, but with DSA keys.
I suppose the same bug occurs with RSA keys.
In DSA the G component gets copied to the pub component when converting
from PEM to DER.
From DER to PEM works fine.
Regards,
Dereck
25 matches