Hi,
Is there any way to retrieve the server certificate from the SSL_CTX object?
Thanks,
-binlu
Thanks!
where are key usages checked?
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bin Lu
> Sent: Monday, 31 March, 2014 16:34
>
> During SSL handshake with client cert auth, is openssl checking the
> key usages, such as digital
Hi,
During SSL handshake with client cert auth, is openssl checking the key usages,
such as digital signature, non-repudiation etc, for the client cert passed in
(to make sure it is a valid client cert)? If it is, where is the code that does
it? I cannot find it in X509_verify_cert().
Thanks,
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, January 09, 2014 5:08 AM
To: openssl-users@openssl.org
Subject: Re: CRL checking failing in 1.0.1
On Thu, Jan 09, 2014, Bin Lu wrote:
> Hi,
>
> I have a piece of code
Hi,
I have a piece of code doing CRL revocation check which worked fine with 0.9.8
but now failing in 1.0.1.
The code does something like:
X509_STORE_add_crl(store,crl);
X509_STORE_CTX_init(ctx, store, cert, NULL);
ctx->check_revocation(ctx);
In openssl lib (x
inlu
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Bin Lu
Sent: Wednesday, September 04, 2013 6:09 PM
To: openssl-users@openssl.org
Subject: multi-byte subject DN display
Hi,
This looks too easy but I am stuck ... I am trying to display the subject
Hi,
This looks too easy but I am stuck ... I am trying to display the subject name
of a certificate which contains multi-byte characters. I tried
$ openssl x509 -in -noout -subject -nameopt RFC2253 ( or
oneline,-esc_msb)
And display the output in a web browser (IE or firefox) with character e
Hi,
Could somebody tell me what names I should use in EVP_get_cipherbyname() to
return the AES_128_GCM and AES_256_GCM ciphers? I looked into openssl code but
got lost.
Thanks a lot,
-binlu
X509_CRL_free().
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Shawn Webb
Sent: Tuesday, April 23, 2013 11:29 AM
To: openssl-users@openssl.org
Subject: Destroying X509_CRL Object
Hey All,
I'm trying to figure out how to properly destroy an X509_CRL s
Hi,
Can I do CRL checking by adding both the base and delta CRLs with
X509_STORE_add_crl() or should I construct a complete CRL with the base and
delta CRLs and then add it to the store?
Thanks,
-binlu
Sat, Apr 13, 2013, Bin Lu wrote:
> Hi,
>
> I have a CRL data which worked fine with 0.9.8d but now is failing with
> 1.0.1c. The IDP contains the following info:
>
> Distribution Point Name:
> Full Name:
> URL =http://...
> Directory Address:
>
Hi,
I have a CRL data which worked fine with 0.9.8d but now is failing with 1.0.1c.
The IDP contains the following info:
Distribution Point Name:
Full Name:
URL =http://...
Directory Address:
CN=...
O=...
Only Contains User Certs=No
Only Contains CA Certs=No
Indirect CR
nssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Bin Lu
Sent: Tuesday, May 22, 2012 7:00 PM
To: openssl-users@openssl.org
Subject: OCSP proxy support
Hi,
Is BIO_set_proxies() supported in 1.0.1? What is the proxy solution for OCSP
query?
Thanks,
-binlu
For ecdh_tmp, should it be the same as what is set in the pkey in CTX->CERT?
What is the purpose of these _tmp keys?
Regards,
-binlu
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Bin Lu
Sent: Thursday, June 07, 2012 4
/DSA cert as server cert
>From: owner-openssl-us...@openssl.org On Behalf Of Bin Lu
>Sent: Thursday, 07 June, 2012 14:53
>I am trying to use an ECDSA certificate the correct cipher suite
>is not being chosen dh_tmp, ecdh_tmp and their callback
>functions not set
>Is
Hi,
I am trying to use an ECDSA certificate as the server cert, basically I created
an EC_KEY and loaded it into SSL_CTX using SSL_CTX_use_PrivateKey(), after the
cert is loaded using SSL_CTX_use_certificate().
The problem I am facing is that during SSL handshaking, the correct cipher
suite is
Hi,
Is BIO_set_proxies() supported in 1.0.1? What is the proxy solution for OCSP
query?
Thanks,
-binlu
If that is the case, why EC_KEY is exposed in ec.h, and how do I make use of
the functions that requires this object, e.g. EVP_PKEY_get1_EC_KEY()?
How do you solve the problem like the following without directly accessing to
this object:
I have one EVP_PKEY contains the ECDSA private key and an
Hi,
I noticed that EC_KEY (ec_key_st) is not defined in ec.h but in ec_lcl.h which
is not a public header file, not like RSA(rsa_st) in rsa.h and DSA in dsa.h. Is
that correct?
Regards,
-binlu
: pkcs12 error
On Tue, Apr 03, 2012, Bin Lu wrote:
> Hi,
>
> When I tried the pkcs12 command (as below) in openssl 1.0.1, it gave me the
> following error.
> The same command worked fine in openssl 0.9.8d. Any idea?
>
> $ openssl pkcs12 -export -in test.cer -inkey test.key -
Hi,
The behavior of this function in openssl 1.0.1 seems changed (compared with
0.9.8d).
In the early release, the user key parameter could be NULL if only the user
cert was interested.
e.g. PKCS12_parse(p12, password, NULL, &cert, NULL) used to return the cert.
In 1.0.1, both the key and the
Hi,
When I tried the pkcs12 command (as below) in openssl 1.0.1, it gave me the
following error.
The same command worked fine in openssl 0.9.8d. Any idea?
$ openssl pkcs12 -export -in test.cer -inkey test.key -out test.p12
Enter pass phrase for test.key:
Enter Export Password:
Verifying - Ent
While we are running test for client cert auth between the new IE version that
supports TLS 1.1/1.2 and our server (running openssl 0.9.8d, only supports up
to TLS1.0) which initiates server renegotiation for the client cert, we noticed
that the IE sends the wrong version number in the PreMaster
When I run the following command:
% openssl ecparam -list_curves
It lists
...
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp
On Tue, Nov 01, 2011, William A. Rowe Jr. wrote:
> On 11/1/2011 8:35 PM, Bin Lu wrote:
> >
> > Do you have an answer for my question below? Is the fips-2.0-test code
> > branched off from a
> > FIPS-capable version? Which version is it based on if yes?
>
> AIUI,
Hi Steve,
Do you have an answer for my question below? Is the fips-2.0-test code branched
off from a FIPS-capable version? Which version is it based on if yes?
Thanks a lot, as always,
-binlu
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Bin Lu
Hi Steve,
Is it still disabled by default? In build 1.0.1-stable-SNAP-20111028, I do not
see that line in ssl/ssl_lib.c as you mentioned, meaning enabled by default
going forward?
Thanks,
-binlu
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openss
Hi there,
Could somebody confirm if the OpenSSL FIPS validation includes TLS 1.2? My
check of the FIPS module code (openssl-fips-2.0-test-20111028.tar.gz) shows it
is not.
Please confirm. And what is the plan to include it if it is not currently.
Thanks,
-binlu
sl.org
Subject: Re: OCSP_BASICRESP_free() segmentation fault
On Wed, Dec 29, 2010, Bin Lu wrote:
> Hi Steve,
>
>
>
> My code looks like this(error checking is omitted):
>
>
>
> OCSP_BASICRESP* bs = OCSP_response_get1_basic(resp);
>
> OCSP_check_nonce(req
!
-binlu
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Monday, December 13, 2010 11:49 AM
To: openssl-users@openssl.org
Subject: Re: OCSP_BASICRESP_free() segmentation fault
On Mon, Dec 13, 2010, Bin
Behalf Of Dr. Stephen Henson
Sent: Saturday, December 11, 2010 5:21 AM
To: openssl-users@openssl.org
Subject: Re: OCSP_BASICRESP_free() segmentation fault
On Thu, Dec 09, 2010, Bin Lu wrote:
> Hi,
>
> I am getting the following crash in openssl-0.9.8d:
>
> #0 0x2332885e in ASN1
Hi,
I am getting the following crash in openssl-0.9.8d:
#0 0x2332885e in ASN1_primitive_free ()
#1 0x233288a4 in ASN1_primitive_free ()
#2 0x23328935 in ASN1_primitive_free ()
#3 0x23328b5a in ASN1_template_free ()
#4 0x23328a74 in ASN1_primitive_free ()
#5 0x23328b5a in ASN1_template_free ()
#6
Hi Steve,
Another question that was not answered last time is that, is the reason
also because of my old openssl version? Shouldn't the right behavior be
returning failure until it times out?
Regards,
-binlu
-Original Message-
From: Bin Lu
Sent: Tuesday, May 25, 2010 11:42
@openssl.org
Subject: Re: BIO_do_connect() strange return
On Thu, Mar 11, 2010, Bin Lu wrote:
> It is running on Linux with openSSL 0.9.8d.
>
Ah that's pretty old. I'd suggest trying 0.9.8m. That includes proper
non-blocking I/O support for OCSP with the new function OCSP_sendre
() strange return
On Wed, Mar 10, 2010, Bin Lu wrote:
>
> Thanks Steve.
>
> Why the connection is still invalid, because subsequent OCSP_sendreq_bio()
> receives no response(while in blocking mode it does), after the 2nd time call
> to BIO_do_connect() in the loop whic
>> Hi,
>>
>> I have the following code snippet:
>>
>> bio = BIO_new_connect(host);
>> BIO_set_conn_port(bio, port);
>> BIO_set_nbio(bio, 1);
>> while (true) {
>> status = BIO_do_connect(bio);
>> if (status > 0 || !BIO_should_retry(bio)) {
>> break;
>> }
>> sleep(1);
>> }
>>
Hi,
I have the following code snippet:
bio = BIO_new_connect(host);
BIO_set_conn_port(bio, port);
BIO_set_nbio(bio, 1);
while (true) {
status = BIO_do_connect(bio);
if (status > 0 || !BIO_should_retry(bio)) {
break;
}
sleep(1);
}
BIO_do_connect() always returns -1 the firs
Hi,
I am using 0.9.8d. I am getting the following error when verifying a cert:
#0 0xb7b163ab in X509_policy_check (ptree=0xbfffd310,
pexplicit_policy=0xbfffd314,
certs=0x81c0f58, policy_oids=0x0, flags=172) at pcy_tree.c:313
313 pcy_tree.c: No such file or directory.
in pcy_tree.
Hi,
Does anybody know whether the certificate policies and policy constraints
extensions are supported and, if yes, from which release? By 'supported' here
I mean X509_supported_extension() returns '1'. 0.9.8d has policy
constraints support but somehow this call still returns '0'.
Regards,
binlu
Hi,
I need to retrieve the "requireExplicitPolicy" value from a policy
constraints extension. The version of openssl that I am using is old
and does not seem to support policy constraints. What is the right way
to retrieve the value of that attribute from ASN1_OCTET_STRING* within
the X509_EXTENSION
Hi,
I am getting the following error in calling OCSP_basic_verify():
error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
Could somebody advise what is going wrong?
Regards,
-wenwu
OpenSSL Project
ng
the key of the issuing CA.
Olaf
> On 11/2/06, Bin Lu <[EMAIL PROTECTED]> wrote:
>>
>> Hi there,
>>
>> I have 2 certificates in X509 and I want to verify if one cert is the
>> issuer of the other, not using the (issuer)name comparison. What is
>> the A
Hi there,
I have 2 certificates in X509 and I want to verify if one cert is the
issuer of the other, not using the (issuer)name comparison. What is
the API should I use to verify the signature? I tried the following but it
doesn't work:
X509 *cert, *issuer;
int result = X509_verify(cert,
Hi there,
I have 2 certificates in X509 and I want to verify if one cert is the
issuer of the other, not using the (issuer)name comparison. What is
the API should I use to verify the signature? I tried the following but it
doesn't work:
X509 *cert, *issuer;
int result = X509_verify(ce