Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-02 Thread Viktor Dukhovni
> On Dec 2, 2018, at 7:43 PM, Charles Mills wrote:
>
> Sorry, I do not have a packet capture tool configured.
>
> I have a verify callback with a lot of trace messages. I can see that it is
> only entered once; X509_STORE_CTX_get_error_depth() is 1.
>
> Does that tell us anything useful?

No fu

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

2018-12-02 Thread Viktor Dukhovni
> On Dec 2, 2018, at 7:38 PM, Charles Mills wrote:
>
> I have an OpenSSL (v1.1.0f) server application that processes client
> certificates.
>
> The doc for SSL_CTX_load_verify_locations() states “In server mode, when
> requesting a client certificate, the server must send the list of CAs of

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

2018-12-02 Thread Charles Mills
Do I need to say no calls to SSL_CTX_set_client_CA_list() nor any of the three related functions listed on the man page?

Charles

From: Charles Mills [mailto:charl...@mcn.org]
Sent: Sunday, December 2, 2018 4:38 PM
To: 'openssl-users@openssl.org'
Subject: Question on necessity of SSL_CTX_se

Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-02 Thread Charles Mills
Sorry, I do not have a packet capture tool configured.

I have a verify callback with a lot of trace messages. I can see that it is only entered once; X509_STORE_CTX_get_error_depth() is 1.

Does that tell us anything useful?

Charles

-Original Message-
From: openssl-users [mailto:openssl

[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

2018-12-02 Thread Charles Mills
I have an OpenSSL (v1.1.0f) server application that processes client certificates. The doc for SSL_CTX_load_verify_locations() states "In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influen

[openssl-users] stunnel 5.50 released

2018-12-02 Thread Michal Trojnara
Dear Users,

I have released version 5.50 of stunnel.

Version 5.50, 2018.12.02, urgency: MEDIUM
* New features
  - 32-bit Windows builds replaced with 64-bit builds.
  - OpenSSL DLLs updated to version 1.1.1.
  - Check whether "output" is not a relative file name.
  - Major code cleanup in the con

Re: [openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

2018-12-02 Thread Matt Caswell
On 02/12/2018 22:13, Viktor Dukhovni wrote:
>
> [ While I could ask off-list, or RTFS, someone else might have the
> same question later, so might as well ask on-list. ]
>
> Postfix added support for ECDHE ciphers long ago, back when OpenSSL
> 1.0.0 was shiny and new, and the server-side ECD

[openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x?

2018-12-02 Thread Viktor Dukhovni
[ While I could ask off-list, or RTFS, someone else might have the same question later, so might as well ask on-list. ] Postfix added support for ECDHE ciphers long ago, back when OpenSSL 1.0.0 was shiny and new, and the server-side ECDHE support was enabled by specifying a single preferred "t

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-02 Thread Daniel Kahn Gillmor
On Fri 2018-11-30 20:38:01 -0500, Viktor Dukhovni wrote:
> Are there compatibility concerns around changing error message
> text for which users may have created regex patterns in scripts?

I advocate making the error message in English more comprehensible. Michael Wojcik's suggestion of "Untruste