> On Nov 30, 2018, at 7:33 PM, Sands, Daniel via openssl-users
> wrote:
>
>> Viktor's points are all good ones, but considering how often this
>> particular message causes confusion for users and developers (at
>> least in my experience), I wonder whether changing the text to
>> "Untrusted self-
On Fri, 2018-11-30 at 23:55 +, Michael Wojcik wrote:
> > > "Self-signed certificate in certificate chain" does not to me convey "No
> > > certificate hash links" (or "CA certificate not found in hash links").
> >
> Viktor's points are all good ones, but considering how often this
> p
> On Nov 30, 2018, at 7:25 PM, Charles Mills wrote:
>
> Well, it ought then to say "I couldn't find any certificates at all" rather
> than "I found a self-signed certificate" when it did not.
A self-signed certificate was found, in the chain being verified.
The message should likely be more clea
Well, it ought then to say "I couldn't find any certificates at all" rather
than "I found a self-signed certificate" when it did not.
I used to manage product developers. Sometimes I would point out a need for
product improvement and they would say "the code doesn't work that way." I
would reply "
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 16:35
>
> > On Nov 30, 2018, at 5:00 PM, Charles Mills wrote:
> >
> > "Self-signed certificate in certificate chain" does not to me convey "No
> > certificate hash link
> On Nov 30, 2018, at 5:00 PM, Charles Mills wrote:
>
> "Self-signed certificate in certificate chain" does not to me convey "No
> certificate hash links" (or "CA certificate not found in hash links").
That's not really possible, because the code that's doing certificate
validation works with a
Thank you, yes, that solved it.
May I respectfully suggest that you consider improving the error message?
"Self-signed certificate in certificate chain" does not to me convey "No
certificate hash links" (or "CA certificate not found in hash links").
Charles
-----Original Message-----
From: op
> On Nov 30, 2018, at 12:47 PM, Charles Mills wrote:
>
> I am using a client certificate that was signed by my “homegrown” CA (which
> uses the OpenSSL utility). When I point to the CA .PEM with
> SSL_CTX_load_verify_locations CAfile it works perfectly. When instead I use
> CApath to point to
The way I understand the ECDSA standard, it is supposed to truncate the
provided hash - which is why it is possible to have ECDSA-over-P256-SHA384.
One possibility would be for you to truncate the SHA2 output yourself, IMHO.
On 11/30/18, 12:36 PM, "openssl-users on behalf of Fuchs, Andreas"
w
(Apologies if a duplicate - I think I mis-sent the first attempt.)
I wrote a TLS server application that runs under Windows and has been
working successfully for years. I am currently using OpenSSL 1.1.0f. When I
wrote the code I only supported a single CA file for client certificates. I
pass t
The problem is as follows:
The digest parameter of the TPM2_Sign command is checked against the hash
algorithms supported by the TPM.
If the TPM only supports SHA256, then the maximum size for the digest parameter
is 32 bytes.
So you cannot pass in a SHA512 hash, even though the TPM does not even
On Wed, Nov 28, 2018 at 1:22 AM Fuchs, Andreas
wrote:
>
> Hi all,
>
> I'm currently implementing a TPM2 engine for OpenSSL over at
> https://github.com/tpm2-software/tpm2-tss-engine
> The problem I'm facing is that OpenSSL's TLS negotiation will request ECDSA
> from my engine with any hash alg,
The DER (Distinguished Encoding Rules of ASN.1, which can be found in ITU-T
recommendation X.680 and X.681) requirement is that if a particular number
is positive, the highest-order bit can never be set (since the
highest-order bit is always the negative sign indicator). The rules further
explain t
On 30/11/2018 05:26, M K Saravanan wrote:
> Hi,
>
> When I create static DH key pair using openssl, why the public key and
> prime contains the prefix 0x00 byte?
Because otherwise those numbers would be treated as negative (due to the most
significant bit being set) which is incorrect.
Matt