Fun Fact: (For me) Gmail often marks completely legit emails from
mailing lists as spam and you manually have to mark them as "no spam".
The fun comes in when you notice that actual spam is not marked as
such at all.
Looks like strong encryption is much easier to develop than a decent
spam filter.
I see. Thank you very much Jakob and Jeffrey!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
2016-03-31 18:09 GMT+02:00 Jakob Bohm :
> On 31/03/2016 17:16, warron.french wrote:
> 3. Then create new server certificates for the 2 servers again.
>
> Yep, and give the new ones a slightly different "full"
> distinguished name (important for CRL and "ca" database).
> My approach is to include t
2015-12-13 22:57 GMT+01:00 Salz, Rich :
>
>> And we don't know on which client OP will have to use that pem file, thus
>> give advice that works on all clients, not just OpenSSL or GnuTLS or
>> whatever.
>
> It is quite reasonable to give openssl-specific answers on the openssl-users
> mailing li
2015-12-13 20:27 GMT+01:00 Viktor Dukhovni :
>
> This is both wrong and irrelevant. The OP should proceed as instructed.
> OpenSSL's CAfile feature reads multiple certificates from a single file.
Exactly that is the point. Only "linux based" tools will be able to
read such a pem file. Windows cer
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni :
>
> In other words, you can concatenate all the trusted root CA
> certs into the "cert.pem" file in that directory, but this
> has a performance cost, as all the certificates are loaded
> into memory and parsed even though most go unused. Alternatively,
Hi,
so if I understand you correctly you want to create one file that
contains more than one CA certificate and can be installed onto
Windows, Mac, etc.? You can only do that if you create a p12 file and
that must contain a leaf certificate and its private key.
openssl pkcs12 -export -in out/X.cr
Tell the person who created the CSR that the value of the
stateOrProvinceName field has to be HK. If that is not possible
because the subCA is in a different country you can change your
openssl.cnf to allow different values in that field so instead of
stateOrProvinceName = match you have to use at
://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
2015-11-04 16:06 GMT+01:00 Ben Humpert :
> That guide is a little bit old and not very accurate. I set up my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here
That guide is a little bit old and not very accurate. I set up my PKI
using the OpenSSL Cookbook recommended to me by Rich Salz. This free
guide / documentation is here:
https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other sourc
Take a look in your openssl.cnf and you should see the option "serial"
with a path / file specified. The serial number is taken from that
file. If the file doesn't exist or is empty when the very first
certificate is created then 01 is used as a serial for it.
Rich Salz recommended me this SSL Co
2015-06-24 1:35 GMT+02:00 Jakob Bohm :
> On 19/06/2015 16:24, Ben Humpert wrote:
>>
>> When the CSR contains an email address and the email_in_dn setting in
>> the config file is set to "no" the email address is actually present
>> in the issuer DN but not
; permitted;DNS.0 = example.com
>
> client configuration file has subjectAltName:
> subjectAltName = DNS: www.cs.com
>
> So is this a mismatch? How come s_client/s_server test was okay?
>
>
>
>
>
> On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert wrote:
>> Do you us
Do you use nameConstraints or have specified IP in subjectAltName?
Because OpenSSL can't handle that correctly.
2015-06-29 22:51 GMT+02:00 David Li :
> Hi,
>
> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
> a client cert (signed by the subCA). Now I want to use verify,
>
When the CSR contains an email address and the email_in_dn setting in
the config file is set to "no" the email address is actually present
in the issuer DN but not in the subject DN. This causes errors when
verifying certificate chains since the subject hash is used to
identify a cert but the issue
As a workaround try running openssl with the -config command line option.
2015-06-04 22:17 GMT+02:00 Cathy Fauntleroy :
> Hello,
>
>
>
> I have OpenSSL 1.0.2a installed on my Windows 7 box. I am attempting to
> generate a CSR so new security certificates can be issued and am running
> into the fo
Hi,
Based on
https://tools.ietf.org/pdf/draft-wilson-wpkops-browser-processing-02.pdf
section 3.3.1.2. I ran my own tests. I wrote an email
(https://mta.openssl.org/pipermail/openssl-users/2015-May/001387.html)
with the results (attachments in
https://mta.openssl.org/pipermail/openssl-users/2015-
2015-05-27 14:02 GMT+02:00 Jakob Bohm :
> Just to clarify: The log messages in your original post,
> were those from Android or from the server?
These are from the RADIUS server debug output.
2015-05-27 8:17 GMT+02:00 Jakob Bohm :
> Maybe the Android user interface is really asking about
> something other than the issuing CA cert.
>
> What are you trying to achieve by selecting a CA cert
> in the client UI?
The official Google documentation as well as other sources say that it
asks for
Hi everybody,
I have my RADIUS server running and Windows as well as MacOS and iOS
can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
with server certificate validation. However, Android 4.4.4 can not and
I can't figure out why.
The complete Cert Chain:
Root CA
- Intermedia
Technical report: https://weakdh.org/imperfect-forward-secrecy.pdf
Check your browser (currently all are affected) at https://weakdh.org/
Check your Server at https://weakdh.org/sysadmin.html
Deploying Guide: https://weakdh.org/sysadmin.html
I love that when it happens :)
2015-05-12 16:56 GMT+02:00 Ben Humpert :
> Ok, after plenty of testing and some googling: the name constraints
> extension is ... improvable. I ran plenty of tests but it looks like
> the extension is not very well implemented in today's browsers.
Ok, after plenty of testing and some googling: the name constraints
extension is ... improvable. I ran plenty of tests but it looks like
the extension is not very well implemented in today's browsers.
I have attached three txt files (DOS format) with the settings and
results of each test run.
Hi,
I read the OpenSSL Cookbook by Ivan Ristic and saw how he configured
nameConstraints so I adapted it for my setup.
First I tried the following but that doesn't work.
permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP
2015-05-09 21:47 GMT+02:00 Salz, Rich :
>
>> After getting into building and especially configuring my own CA again I'm
>> nearly at the end and I've noticed some errors in the documentation I want
>> to report.
>
> I like the "again" :)
Yeah, once upon a time I had done a comprehensive configurat
Hello list!
After getting into building and especially configuring my own CA again
I'm nearly at the end and I've noticed some errors in the
documentation I want to report.
1) On https://www.openssl.org/docs/apps/ca.html for the -md option not
all possible values (sha256, sha384, etc.) are list b