To handle the CA cert chain, you can use SSL_CTX_add_extra_chain_cert.
Are you expecting a certificate from the client?
-
Saurabh
On Thu, Jun 12, 2014 at 7:09 AM, Hafedh TRIMECHE
wrote:
> Hi,
> I would implement an OpenSSL Server which can handle authentication
> initiated by 2 client certificates issue
Hi,
I would implement an OpenSSL Server which can handle authentication
initiated by 2 client certificates issued by 2 CAs:
Client1 < CA1 < Root1
and
Client2 < CA2 < Root2
Please how to achieve mutual authentication using some APIs:
- X509_STORE_add_cert
- SSL_CTX_add_extra_chain_cert
- SSL_CTX_ad
Following page mentions about known issues with OpenSSL 1.0.1h and OpenSSL
1.0.1i in progress:
http://www.openssl.org/news/openssl-1.0.1-notes.html
What is the expected timeline for OpenSSL 1.0.1i release?
Thanks
Following page mentions about known issues with OpenSSL 1.0.1h and OpenSSL
1.0.1i in progress:
OpenSSL: OpenSSL 1.0.1 Release Notes.
OpenSSL 1.0.1 Branch Release notes
The major changes and known issues for the 1.0.1 branch of the OpenSSL
toolkit are s
On Wed, Jun 11, 2014 at 03:15:06PM -0400, Salz, Rich wrote:
> You *cannot* just set or clear them all...
Except that SSL_OP_ALL is implicitly recommended, while no options
is the default. This said "SSL_OP_ALL" is a compile-time constant,
which is a bit of a nuisance when the run-time library ha
On Wed, Jun 11, 2014 at 07:07:09PM +, Scott Neugroschl wrote:
> We are aware of this, and are looking to upgrade. Does anyone
> have a recommendation as to 0.9.8 vs 1.0.0 (1.0.1 is too bleeding
> edge)? If you have a recommendation, may I ask what led you to
> choose that path?
I would reco
AARGH.
You *cannot* just set or clear them all...
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Salz, Rich
Sent: W
>From Victor:
>On Wed, Jun 11, 2014 at 04:09:47PM +, Scott Neugroschl wrote:
>> I know 0.9.7 is no longer under development, but for various reasons,
>> I have an app that is still using 0.9.7g.
>> Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
>There are I expect many unresolve
The subtle issue is that some option settings *enable* behavior, and some
option settings *disable* behavior. You can just set/clear them all and really
expect something good to happen.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter
On Wed, Jun 11, 2014 at 07:24:05PM +0200, Dimitrios Apostolou wrote:
> Hello list,
>
> given that I'm developing a custom client-server application that
> communicates via TLS, I decided to zero-out all options since I don't care
> about backwards compatibility and heterogenous clients like brows
On Wed, Jun 11, 2014 at 04:09:47PM +, Scott Neugroschl wrote:
> I know 0.9.7 is no longer under development, but for various
> reasons, I have an app that is still using 0.9.7g.
> Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
There are I expect many unresolved issues (even if not
Hello list,
given that I'm developing a custom client-server application that
communicates via TLS, I decided to zero-out all options since I don't care
about backwards compatibility and heterogenous clients like browsers by
doing:
SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx))
On Wed, Jun 11, 2014, Scott Neugroschl wrote:
> Hi guys,
>
> I know 0.9.7 is no longer under development, but for various reasons, I have
> an app that is still using 0.9.7g.
> Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
>
I think you mean CVE-2014-0224. Yes it is vulnerable as
Hi guys,
I know 0.9.7 is no longer under development, but for various reasons, I have an
app that is still using 0.9.7g.
Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
Thanks,
ScottN
Added the command line used and the error.
perl Configure VC-WIN32 no-asm fips no-ec
--with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX
/Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_
On Wed, Jun 11, 2014, Jeffrey Walton wrote:
> I'm working with OpenSSL 1.0.1h. I'm configuring for android-x86.
>
> setenv-android.sh worked fine, and exported the following:
>
> export MACHINE=i686
> export RELEASE=2.6.37
> export SYSTEM=android
> export ARCH=x86
>
> export
Added the command line used and the error.
perl Configure VC-WIN32 no-asm fips no-ec
--with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX
/Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_
Hi Matt,
Thanks very much!
I'm glad I'm on the right track in regards to EVP vs EC.
The signature is generated by a client program (also a 'c' program). What
is the format of a signature? How do I find out?
Just to confirm - whether it's ECDSA or RSA, for verification, we just get
the EVP_PKEY d
On Wed, Jun 11, 2014, Zhang, Ping (Unisphere) wrote:
> Added the command line used and the error.
>
> perl Configure VC-WIN32 no-asm fips no-ec
> --with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
>
> cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX
> /Gs
Thank you very much for the prompt info.
What could be the end-user effect if I start using openssl with no-ec ?
(sorry for a silly question !!)
-
Saurabh
On Wed, Jun 11, 2014 at 5:17 PM, Dr. Stephen Henson
wrote:
> On Wed, Jun 11, 2014, Saurabh Pandya wrote:
>
> > Adding further I already tried
Hey Jeff,
You might want to look at Arne Schwabe's ics-openvpn.
https://code.google.com/p/ics-openvpn/
If you are just looking for how to compile for various android chip arch's.
He is using an Android.mk file, which is a Make file that is specific to
Android, but if you know one you can figure ou
I am trying to create an android app which can send signed and encrypted
mails using OpenSSL.
So far I am able to send Signed Emails and verify them using both web
browsers and my android apps.
Same is the case with Encryption and Decryption.
But now when I am trying to send signed+encrypted mails
On Wed, Jun 11, 2014, Bala Duvvuri wrote:
> Hi All,
>
> During linking my application with the OpenSSL FIPs, fipsld is invoked to
> embed the digest and during runtime it is calculated and verified during
> FIPS_mode_set.
>
> Can you help me to understand if digest is calculated only for fipscan
On Wed, Jun 11, 2014, Saurabh Pandya wrote:
> Adding further I already tried below to build openssl, I already built fips
> libs with /tmp/_install path
>
> /config fips --prefix=/tmp/_install --with-fipslibdir=/tmp/_install/lib
> -DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH
>
> It also
Hi All,
During linking my application with the OpenSSL FIPs, fipsld is invoked to embed
the digest and during runtime it is calculated and verified during
FIPS_mode_set.
Can you help me to understand if digest is calculated only for fipscanister
module or the entire application code?
My obser
Hi Stephen,
I understand it got fixed with the development version. I tried it; it's working
fine. But I want to build 0.9.8za with FIPS, and the release notes say it
could be done by compiling openssl without EC algorithms. Can you point
out how I can do that?
-
Saurabh
On Tue, Jun 10, 2014 at 8:23
Adding further I already tried below to build openssl, I already built fips
libs with /tmp/_install path
/config fips --prefix=/tmp/_install --with-fipslibdir=/tmp/_install/lib
-DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH
It also gives below build error
../../include/openssl/ec.h:78:2: er
Hi,
I am trying to build "openssl-0.9.8za" with "openssl-fips-1.2", but with no
luck. Came to know from release notes, that "openssl-0.9.8za" has known
compilation issues with FIPS. I got below statement from release notes
"FIPS capable link failure with missing symbol
BN_constti
Hi Charles,
I was facing the same problem here. I did not quite get where to add the
'includes' code part in.
Can you suggest me more detailed steps to take?
I'm using nmake.exe and .mak to build from the visual studio command prompt
(2010).
Thank you.
Eirene
Charles Mills wrote
> The followi
On Wed, Jun 11, 2014 at 01:04:14PM +0530, Rahul Godbole wrote:
> Tried this. Still doesn't solve my problem. I still do not see 1.0.1g libs
> being copied to /usr/lib or /usr/lib64.
>
> I also tried installing from 1.0.1g RPM but the installation failed.
>
> I already have 1.0.1e installed and w
On Wed, Jun 11, 2014 at 03:17:10AM -0400, Jeffrey Walton wrote:
> > The make install is not installing libcrypto.so, libssl.so and openssl
> > binary into /usr/bin and /usr/lib64. I need it to be installed there.
>
> By default, the library is installed at /usr/local/ssl.
One can override the par
Tried this. Still doesn't solve my problem. I still do not see 1.0.1g libs
being copied to /usr/lib or /usr/lib64.
I also tried installing from 1.0.1g RPM but the installation failed.
I already have 1.0.1e installed and want to upgrade to 1.0.1g. Any other
way out?
Thanks
Rahul
On Wed, Jun 1
On Wed, Jun 11, 2014 at 2:50 AM, Rahul Godbole wrote:
> Hi
>
> I want to install OpenSSL 1.0.1e on my CentOS 6.4. I downloaded the source
> and built it by running
> ./config
> make
> make install
>
> The make install is not installing libcrypto.so, libssl.so and openssl
> binary into /usr/bin and