Re: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-02 Thread Sands, Daniel via openssl-users
On Fri, 2022-09-02 at 00:22 +, Wall, Stephen wrote: > > A compromised server could easily still request the client > > certificate, no? > > But as noted, even a compromised server can ask for client > > credentials and then > > Yes, that's true. If the intruder knew to do so. Also, a thief c

RE: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-01 Thread Sands, Daniel via openssl-users
> > It is not clear what threat model warrants taking special action when > > the client certificate is not requested. It could equally be > > requested and then largely ignored. > > A client in a highly secured network knows that every server it connects to > will > require a client certificate

RE: [EXTERNAL] Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Sands, Daniel via openssl-users
> My latest attempt to code the below DER is this. It compiles, but the d2i > segfaults on apparently the second element. > > Anything obviously wrong? > > typedef struct { > ASN1_INTEGER *version; > ASN1_INTEGER *serialNumber; > X509_ALGOR *signature; > X509_PUBKEY *key; >

RE: [EXTERNAL] Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Sands, Daniel via openssl-users
> >> Now I would like to do the other end, where I have der and I want to > >> parse back to the structure, using d2i() > >> > >> 1 - Is there a tutorial on this? > > > > Seems like you don't need one. If you got i2d working you should have d2i > already! > > > > I wasn't clear. The input and out

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-17 Thread Sands, Daniel via openssl-users
From: Narayana, Sunil Kumar Sent: Thursday, December 17, 2020 8:17 AM To: Sands, Daniel ; openssl-users@openssl.org Subject: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0 Hi, For the equivalent replacement of DH_compute_key in 3.0, we tried to perform the steps

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-16 Thread Sands, Daniel via openssl-users
Hi Daniel, Thanks we will try it out. One more doubt regarding DH_generate_key, as per earlier suggestion we tried following changes to replicate the generate key, but we observe that the output key is not matching with the one that is obtained by DH_generate_key() of older

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-15 Thread Sands, Daniel via openssl-users
We do have generated the key using EVP_PKEY_gen as suggested in earlier emails, but since this was a non-ephemeral and we wanted to store the key in "raw" octet bytes, so we did extracted the whole DH priv/pub key pair out from the key generated via EVP_PKEY_gen ( using as suggested… EVP_PKEY

RE: DH_compute_key () - replacement in 3.0

2020-12-14 Thread Sands, Daniel via openssl-users
to exactly replace this we are generating “pubparam_key/priparam_key” using bn_publicKey/dh->priv_key as below OSSL_PARAM_BLD *pubparamsbld = NULL, priparamsbld = NULL; OSSL_PARAM *pubparams = NULL, priparams = NULL; EVP_PKEY *pubparam_key = NULL, *priparam_key = NULL; EVP_PKEY_CTX *pubctx =

RE: DH_generate_key

2020-12-08 Thread Sands, Daniel via openssl-users
Dear openssl team, While migrating from 1.0.2 to 3.0, we found that DH_generate_key() has been deprecated. And as per the man page, it is advised to use EVP_PKEY_derive_init & EVP_PKEY_derive

Re: checking for enable-weak-ssl-ciphers at runtime?

2020-05-25 Thread Daniel Lenski
RSA_DES_192_CBC3_SHA) && m->get_cipher_by_char(ch_SSL3_CK_RSA_RC4_128_SHA)) return 0; return -ENOENT; } On Sun, May 24, 2020 at 2:49 PM Matt Caswell wrote: > > > On 23/05/2020 21:08, Daniel Lenski wrote: > > When OpenConnect is explicitly requested to connect to an

Re: checking for enable-weak-ssl-ciphers at runtime?

2020-05-23 Thread Daniel Lenski
e actually creating an SSL_CTX? On Sat, May 23, 2020 at 1:08 PM Daniel Lenski wrote: > > Hi all, > > What I'm trying to figure out: what's the best way to check whether > 3DES/RC4 support are available in the OpenSSL build we're using, so > that we can give users a

checking for enable-weak-ssl-ciphers at runtime?

2020-05-23 Thread Daniel Lenski
Hi all, What I'm trying to figure out: what's the best way to check whether 3DES/RC4 support are available in the OpenSSL build we're using, so that we can give users a clearer explanation of why a connection to an ancient server fails? Background: I'm one of the developers of OpenConnect and re

RE: [EXTERNAL] How to get all certs into a .der file.

2020-05-22 Thread Sands, Daniel via openssl-users
According to the documentation, cURL can use p12 files just fine. curl --cert bob.p12:bobspassword --cert-type p12 https://some.secure.site Or you can omit the password part and use -key mykey with your password in the mykey file, in order to hide the password from PS queries. From: openssl-user

Re: Trying to get a public info for a certificate

2019-06-03 Thread Daniel Pedraza
ave the "correct" data. My guess is you're right and the application has been hashing the wrong thing all along. I will look into it. Anyway, thanks a lot you guys, you are the best! On Mon, Jun 3, 2019 at 11:31 AM Viktor Dukhovni wrote: > On Mon, Jun 03, 2019 at 10:40:02AM -0500, D

Trying to get a public info for a certificate

2019-06-03 Thread Daniel Pedraza
anted, I am not very savvy with OpenSSL, or with ssl in general, so maybe I'm doing something wrong/dumb? I've spent a fair bit of time on the documentation/wiki but I can't seem to find the answer. Seems to me like this should be something very straightforward? Any help would be v much appreciated -Daniel

OCSP validation via AIA responders through a proxy

2019-04-11 Thread Olops, Daniel via openssl-users
any *_proxy variables, and consequently validation fails when there's no direct internet access. Research I've done so far suggests that the limitation lies in OpenSSL, not stunnel, hence this email. Regards, Daniel O. Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855

libssl 1.1 blocking with multi-forking application

2019-04-01 Thread Daniel-Constantin Mierla
se of a tls connection between child processes? Thanks, Daniel #0 0x7ff8eedb7470 in futex_wait (private=, expected=18780, futex_word=0x7ff8de86130c) at ../sysdeps/unix/sysv/linux/futex-internal.h:61 __ret = -512 err = #1 futex_wait_simple (private=, expected=18780, futex

Re: OpenSSL 3.0 vs. SSL 3.0

2019-03-01 Thread Daniel Kahn Gillmor
On Wed 2019-02-27 16:02:32 +0100, Christian Heimes wrote: > In my humble opinion, it's problematic and confusing to use "OpenSSL > 3.0" for the next major version of OpenSSL and first release of > OpenSSL with SSL 3.0 support. Sigh. You're right, but i wish you weren't. :) Part of the problem of

Re: [openssl-users] is there an API to list all the TLS 1.3 cipher suite names?

2019-01-09 Thread Daniel Kahn Gillmor
On Wed 2019-01-09 04:16:05 +, Jordan Brown wrote: > On 1/8/2019 7:44 PM, Viktor Dukhovni wrote: >> You could just provide a free-form emergency string parameter that >> users are advised to not change unless some major advance makes it >> necessary. At that time, advice can be published as to w

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-03 Thread Sands, Daniel via openssl-users
On Sat, 2018-12-01 at 15:53 -0500, Viktor Dukhovni wrote: > On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which users may have created regex patterns in scripts? > > > > > > I agree the text co

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-02 Thread Daniel Kahn Gillmor
On Fri 2018-11-30 20:38:01 -0500, Viktor Dukhovni wrote: > Are there compatibility concerns around changing error message > text for which users may have created regex patterns in scripts? I advocate making the error message in english more comprehensible. Michael Wojcik's suggestion of "Untruste

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-11-30 Thread Sands, Daniel via openssl-users
On Fri, 2018-11-30 at 23:55 +, Michael Wojcik wrote: > > "Self-signed certificate in certificate chain" does not to me > > > convey "No > > > certificate hash links" (or "CA certificate not found in hash > > > links"). > > > Viktor's points are all good ones, but considering how often this > p

Re: [openssl-users] [openssl-announce] OpenSSL Versioning and License

2018-11-28 Thread Daniel Kahn Gillmor
On Wed 2018-11-28 19:54:34 +, Jonathan Larmour wrote: > On 28/11/18 17:02, Matt Caswell wrote: >> Please see the following blog post about OpenSSL Versioning and License: >> >> https://www.openssl.org/blog/blog/2018/11/28/version/ > > :-( > > The Apache license is incompatible with GPLv2: > >

[openssl-users] M2Crypto Updates

2018-02-23 Thread Daniel Wozniak
's pushed a release 0.29 this morning. At this time there has only been a few people actually look at the changes. I'm reaching out to the OpenSSL community in hopes one or more people will review the changes that were made: https://gitlab.com/m2crypto/m2crypto/merge_requests

Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-15 Thread Sands, Daniel
On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote: Hi Matt, >If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and >1.1.0. Awesome thought, but I'm also using 1.0.2: $ openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 (I also tried adding -md md5 to the previous command,

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Sands, Daniel
On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote: > Unfortunately this didn't work either. The end result is the same; > OpenSSL still emits a "certificate signature failure" with an error > depth of 0. > In light of what Salz said about verification, could we assume that the openssl v

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-21 Thread Sands, Daniel
I'm a fellow SSL-USER and not an expert, but my verification flow goes as follows: X509_STORE_CTX_new() X509_STORE_CTX_init(ctx,NULL,cert,NULL) <-- The certificate to verify X509_STORE_CTX_trusted_stack(ctx,CACertificateStack) <-- Perhaps this is the difference? X509_verify_cert(ctx) On Thu, 201

[openssl-users] AES-CMAC digest with EVP

2017-08-30 Thread Daniel Andrade
. CMAC_Update 4. CMAC_Final 5. CMAC_CTX_free Can this be done with the high-level EVP interface? The EVP_DigestSign* set of functions expects a type EVP_MD, but EVP_aes_128_cbc() is of type EVP_CIPHER. Daniel -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl

[openssl-users] Fixed-size digest using EVP with algos ECDSA+SHA256

2017-08-07 Thread Daniel Andrade
pointers on how to proceed to convert that result to the 64-byte fixed size? Daniel -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] certificate renewal without restarting processes

2017-05-25 Thread Daniel Pocock
eanup needed before trying to load the new cert? Regards, Daniel 1. https://github.com/resiprocate/resiprocate/blob/master/resip/stack/ssl/Security.cxx#L386 -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [EXTERNAL] How do I connect to this server

2017-04-21 Thread Sands, Daniel
On Fri, 2017-04-21 at 16:09 -0400, Jeff Archer wrote: > I have a server that requires that username and password be used as > https://username:passw...@server.com > > > How do I specify this username and password when using SSL_connect()? You don't. The username and password are encoded into th

Re: [openssl-users] [EXTERNAL] Re: error making Private RSA

2017-03-09 Thread Sands, Daniel
First, to get intelligible text errors, replace your initial call with ERR_load_crypto_strings(). The ERR_load_ERR_strings call doesn't even seem to be documented, likely because it only loads the strings associated with the ERR API, and you likely need PEM and BIO error strings. When I did this,

Re: [openssl-users] Possible to control session reuse from the client?

2016-10-01 Thread Daniel Janzon
Viktor Dukhovni wrote: > > > On Sep 29, 2016, at 11:55 AM, Daniel Janzon wrote: > > > > For performance testing purposes, I would like to turn off session reuse > in the (homegrown) client I use for testing. Is there a function in the > openssl library to do it? > >

[openssl-users] Possible to control session reuse from the client?

2016-09-29 Thread Daniel Janzon
Hi! For performance testing purposes, I would like to turn off session reuse in the (homegrown) client I use for testing. Is there a function in the openssl library to do it? I tried googling for "openssl client don't send session id" but I didn't find anything use

Re: [openssl-users] Using RSA_PKCS1_OAEP_PADDING with high level EVP_Seal functions

2016-09-09 Thread Daniel Knoppel
ormally you would wrap an encrypted message in a "digital envelope" using the EVP_SealInit and EVP_OpenInit functions." Best regards, Daniel [1] https://www.openssl.org/docs/manmaster/crypto/evp.html On 8-9-2016 21:18, Dr. Stephen Henson wrote: > On Wed, Sep 07, 2016, Daniel

[openssl-users] Using RSA_PKCS1_OAEP_PADDING with high level EVP_Seal functions

2016-09-07 Thread Daniel Knoppel
ed on a public key (using RSA-4096 + block cipher like AES-256-CBC) which is then transmitted to a webbased backend, with a final response back to the client. Nothing very special, although a high number of different clients is expected (i.e. high volume at the backend). Best regards, Daniel [1]

[openssl-users] AUTO: Marcus Daniel is out of the office (returning on 17.08.2016)

2016-08-15 Thread Marcus . Daniel
I will return on 17.08.2016. Note: This is an automated reply to your message "[openssl-users] EVP_SealInit question" sent on 15.08.2016 21:03:59. This is the only notification you will receive while this person is away. -- openssl-users maili

[openssl-users] Call rsa_mod_exp for more than one exponentiation

2016-07-06 Thread Daniel Grosu
Hi. Is it possible to call the rsa_mod_exp method in RSA_METHOD structure for more than one exponentiation? E.g.: openssl `speed rsa -engine my_engine` will call rsa_mod_exp for every single rsa sign/verify operation, but I want to queue, let's say 10 of these operations and process them in a sing

Re: [openssl-users] OpenSSL s_time output meaning

2016-07-01 Thread Daniel Grosu
I've created an OpenSSL engine in order to use the GPU for RSA operations (modular exponentiation) and I have integrated this engine with mod_ssl in the Apache web server. So, knowing about s_time command, I wanted to obtain the number of secured connections per sec that Apache can handle using my

Re: [openssl-users] good riddance to PayPal

2016-05-05 Thread Luis Daniel Lucio Quiroz
What about stripe? On 5 May 2016 4:57 PM, "Steve Marquess" wrote: > We've had a PayPal account for years, as the most convenient way for > individuals to send small donations. However, as the person who has > managed that account I can attest that PayPal has always been rather > annoying to de

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-13 Thread daniel bryan
on, we are used the CA Designated >> Responder (Authorized Responder). meaning that the issuer of serial >> 0x500c8bd was the same issuer of the OCSP Signing response (ABC CA3 DEV). >> However, my testing shows that this only affects the "response verification >>

[openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread daniel bryan
Hello, I was researching how expired CRLs affect revocation checking via openssl. *TEST #1:* The first test was to find out what status is returned when I verify a certificate against the CRL: [dan@canttouchthis PKI]$ openssl verify -CAfile CAS/cabundle.pem -CRLfile CRLS/ABC-expired.crl -crl_ch

Re: [openssl-users] [EXTERNAL] Re: SOLVED --- ASN.1: Parsing a 'context-specific' class (or app/private class)

2015-09-02 Thread Sands, Daniel
> Well at first sight that looks like an IMPLICIT tag which replaces > the normal > tag with the context specific value. It is not possible to determine > the > underlying type from the encoding itself as it has been replaced. So > you need > the ASN.1 spec to see the appropriate type to use. > >

[openssl-users] AUTO: Marcus Daniel is out of the office (returning on 24.08.2015)

2015-08-08 Thread Marcus . Daniel
I will return on 24.08.2015. Note: This is an automated reply to your message "[openssl-announce] 1.0.2 long term support" sent on 08.08.2015 09:11:04. This is the only notification you will receive while this person is away. __

Re: [openssl-users] [EXTERNAL] imap.gmail.com

2015-07-15 Thread Sands, Daniel
IMAP is probably based on the Telnet protocol, so the server is expecting CRLF instead of just CR. Try running s_client with the -crlf option. On Wed, 2015-07-15 at 19:34 +0200, Henrie Cuijpers wrote: > Hi all, > > i try to connect to the gmail imap service, but after the connection has > been

Re: [EXTERNAL] howto get a .so.X.Y.Z file rather than indivdual .o files in a libSOMETHING.a

2014-08-05 Thread Sands, Daniel
On Mon, 2014-08-04 at 22:45 +0200, Michael Felt wrote: And finally - read exactly what is there: -- Dependent module libcrypt.so could not be loaded, not as above 0509-150 Dependent module /usr/lib/libssl.a(libssl.so.0.9.8) could not be loaded. (libssl.a(member)) The problem there is

Re: [EXTERNAL] howto get a .so.X.Y.Z file rather than indivdual .o files in a libSOMETHING.a

2014-08-04 Thread Sands, Daniel
On 8/4/2014 7:06 PM, Sands, Daniel wrote: > To generate a .a of shared objects instead of static objects, really all you > do is build the shared object(s) and create an archive out of them. There is > no special magic about it beyond creating the shared object in the first >

Re: [EXTERNAL] howto get a .so.X.Y.Z file rather than indivdual .o files in a libSOMETHING.a

2014-08-04 Thread Sands, Daniel
To generate a .a of shared objects instead of static objects, really all you do is build the shared object(s) and create an archive out of them. There is no special magic about it beyond creating the shared object in the first place. When linking a new program to an archive of shared objects,

Re: certificate regeneration problem: how to create certs for use in a client/server application

2014-07-23 Thread Daniel Bertrand
to test/verify your setup: > >openssl s_client -connect : -CAfile > > It should complete with "Verify OK (0)" or similar. > > Jeff > > On Wed, Jul 23, 2014 at 4:24 PM, Daniel Bertrand > wrote: >> Hi, >> >> I have inherited s

certificate regeneration problem: how to create certs for use in a client/server application

2014-07-23 Thread Daniel Bertrand
Hi, I have inherited some c code which implements client/server communication. The certs expired last week and there is no documentation as to how the certs were generated. I would like to know the correct sequence of openssl commands to generate the certificate files on server S and client

compile errors

2013-12-20 Thread Daniel Wittenberg
First time trying to retro-fit an app with SSL so could use some help... Compiling on Scientific Linux 6.4 openssl-devel 1.0.1e-15.el6_5.x86-64 #include gcc -lssl -lcrypto-pipe -Wall -Wno-unused-parameter -ggdb3 -fPIC -fno-strict-aliasing -rdynamic -I/opt/apps/include -D__USE_FILE_OFFSET64

compile errors

2013-12-20 Thread Daniel Wittenberg
First time trying to retro-fit an app with SSL so could use some help... Compiling on Scientific Linux 6.4 openssl-devel 1.0.1e-15.el6_5.x86-64 #include gcc -lssl -lcrypto-pipe -Wall -Wno-unused-parameter -ggdb3 -fPIC -fno-strict-aliasing -rdynamic -I/opt/apps/include -D__USE_FILE_OFFSET64

Re: openssl can't connect from a single host

2013-07-13 Thread Daniel Black
On 11/07/13 19:20, Ben Schmidt wrote: > Hello everyone, > > I got a problem that I don't understand. When I try to check the Cert of > a website from a single specific host I get: > ### > $ openssl s_client -connect www.example.com:443 > CONNECTED(0003) > -

RE: Building on Windows in 64 bit mode

2013-07-08 Thread Daniel Bowen
G /PDB:$(OUT_D)/$(CRYPTO).pdb echo - For O_CRYPTO, add the /libpath: for zlib from earlier echo Then hit any key to continue notepad ms\ntdll.mak pause @echo on nmake -f ms\ntdll.mak nmake -f ms\ntdll.mak test nmake -f ms\ntdll.mak install popd - -Dani

Re: Possible to create a CSR from just a certificate?

2013-05-15 Thread Daniel Black
On 15/05/13 18:37, Felipe Gasper wrote: > If I have an SSL certificate, it is possible to create a CSR with that > certificate’s subject and public key? A certificate request is signed by the private key so no, it's not possible.

extensions

2013-05-08 Thread Daniel W
ssl_crtl function to use all the defines? Hope someone can help me. Thanks, Daniel

TLS extensions

2013-05-06 Thread Daniel W
regards, Daniel

Re: SNI: What *doesn’t* support it?

2013-04-19 Thread Daniel Black
On 20/04/13 06:06, Felipe Gasper wrote: > Hi folks, > > What are the big things out there that still don’t have SNI support? > > As far as I know: > > CentOS 5 (by default) > Android 2.x > original iPhone & iPod Touch > IE on WinXP > > I’m looking for “major obstacles to deployment”

Re: how to STORE encrypted string in database

2013-03-31 Thread Daniel Black
On 29/03/13 05:24, Matthias Apitz wrote: > On Thursday, March 28, 2013 at 01:14:35PM -0500, Salz, Rich wrote: > >> Encrypted data is not a text string, it is an array of binary octets. You >> will have to do something like base64 encode/decode when treating it as a >> text string. >

Re: X509* and Extract Public Key?

2013-02-10 Thread Daniel Black
On 11/02/13 14:12, Jeffrey Walton wrote: > Hi All, > > I'm trying to extract a public key (subjectPublicKeyInfo) from an X509 > certificate. > > Should I look for the subjectPublicKeyInfo in X509_EXTENSION_get_object? > > What is the easiest (or recommended) way? > > Jeff >

Re: BIO/SSL concepts and multiple connections

2012-12-03 Thread Daniel Black
On 03/12/12 14:25, TJ wrote: > Can someone please explain these concepts to me? I can't find much > that explains it in plain English in the docs... I'd suggest using the apps/s_server.c of the openssl source as a reference. It's the implementation of the command "openssl s_server" and will contain

Trouble with Windows DLL

2012-10-24 Thread Mitchell, Daniel F
Hello, I am trying to use openssl in a Windows DLL. However, on the first openssl call I make after these: CRYPTO_malloc_init(); OpenSSL_add_all_algorithms(); I get the "no OPENSSL_Applink" error. I read the FAQ, and I have compiled with /MD, I have included applink.c in my code (and it is a

FIPS self-test failing on iOS platform

2012-08-03 Thread Daniel Tekel
macho utility. And I'm using iOS 5.1 SDK. Any ideas what could cause these self-tests to fail? And any ideas how to pass them ;)? Thank you for your suggestions! Daniel __ OpenSSL Project htt

SV: PHP openssl_x509_parse extensions=>subjectAltName

2012-05-15 Thread Johansen Daniel
Hi. Thanks for looking into this. Would this say that the php_openssl is bugged, or can't do the job ? -Original message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On behalf of Jeffrey Walton Sent: 13 May 2012 22:39 To: openssl-users@openssl.org

Re: PHP openssl_x509_parse extensions=>subjectAltName

2012-05-08 Thread Johansen Daniel
Daniel Bjørnådal Johansen IT Consultant, ITO Card Services daniel.johan...@evry.com T +47 75 12 81 61 M +47 909 15 267 -Original message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On behalf of Thomas Anderson Sent: 8 May 2012 14:49 To: openssl-users

PHP openssl_x509_parse extensions=>subjectAltName

2012-05-08 Thread Johansen Daniel
[?php] $x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']); $subjectAltName = $x509['extensions']['subjectAltName']; [/?php] When parsing a x509 certificate and ['extensions']['subjectAltName'] contains a newline or space as shown below: othername: Princpal name=t...@test.com The value in

RE: SSH/SFTP - DH_GEX group out of range

2012-04-27 Thread Johansen Daniel
TCP 54 EtherNet-IP-1 > 43161 [FIN, ACK] Seq=474 Ack=839 Win=7424 Len=0 272 117.527293 TCP 60 43161 > EtherNet-IP-1 [ACK] Seq=839 Ack=475 Win=8064 Len=0 Kind regards Daniel Bjørnådal Johansen IT Consultant, ITO Card Services daniel.johan...@evry.co

SSH/SFTP - DH_GEX group out of range

2012-04-25 Thread Johansen Daniel
s us, and no one else. Anyone have a clue on what this could be ? Google will not help me on this one :( Best regards Daniel Bjørnådal Johansen IT Consultant, ITO Card Services

SV: SSH/SFTP - DH_GEX group out of range

2012-04-25 Thread Johansen Daniel
Why did my message become base64 encoded ? Kind regards Daniel Bjørnådal Johansen IT Consultant, ITO Card Services -Original message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On behalf of Johansen Daniel Sent: 25 April 2012 14:39 To: openssl

SSH/SFTP - DH_GEX group out of range

2012-04-25 Thread Johansen Daniel
nyone have a clue on what this could be ? Google will not help me on this one ☹ Best regards Daniel Bjørnådal Johansen IT Consultant, ITO Card Services

RE: Difference in Private Key?

2012-04-19 Thread Daniel Doron
Thank you Steve. I have used the rsa tool to convert the PKCS#8 format key to RSA format and then the embedded system was fine with. Best regards, Daniel Doron Customer Support & FAE Manager Connect One 20 Atir Yeda st. Kfar Saba 44643 Israel Phone: 972-9-7660456 x138 Mobile: 972-54-495

RE: Difference in Private Key?

2012-04-19 Thread Daniel Doron
Thanks Richard. That helps the choke part. Now I can investigate the actual error in our system. Best regards, Daniel Doron Customer Support & FAE Manager Connect One 20 Atir Yeda st. Kfar Saba 44643 Israel Phone: 972-9-7660456 x138 Mobile: 972-54-495

Difference in Private Key?

2012-04-19 Thread Daniel Doron
XfqvlWK+SFyk0M29PsNqzkPATwEhP8mz898osvsL2 gWEAJfp+ATEXDL5IL60CQFhtbyiFBuKPH3oAUymV+laWTCux6S0Clx2K47QZWeKU 9m+BZU8GBSO0mQZv2GzIhjEfedT8KjlYQdgOZwMQyKc= -END RSA PRIVATE KEY- Best regards, Daniel Doron Customer Support & FAE Manager Connect One 20 Atir Yeda st. Kfar Saba 44643 I

Re: Re: client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12 -> User error, not a library error

2012-03-06 Thread Marcus . Daniel
I just want to wrap up my problem so that others can learn from my ignorance: Squid's logs aren't very verbose, so I only got "SSL unknown certificate error 12" , when it suddenly wouldn't accept my client certificates anymore. That's the same error you get when a certificate has expired. But

Re: client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12

2012-03-05 Thread Marcus . Daniel
I probably shouldn't have posted so hastily. Now I think that it is more of a squid problem, because if I put stunnel in front of it, stunnel handles the certificates fine. pfSense 2.0.1 (FreeBSD 8.1-RELEASE-p6) stunnel-4.35 openssl-1.0.0_5 __

client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12

2012-03-05 Thread Marcus . Daniel
I am using squid as a reverse proxy with client certificates and everything was working fine for a month. But after 02 MAR 2012 17:56 CET client certificates stopped working even though my self signed ca and certificates are valid way longer. I think it might be an openssl problem, but feel free

Re: Support for SOCKS proxy

2011-09-06 Thread Luis Daniel Lucio Quiroz
Give a try to ss5 Socks proxy that claims to support ssl and much more capabilities On Sep 3, 2011 7:04 a.m., "sshetty" wrote: > > Does OpenSSL support SOCKS proxy? The documentation talks only about the HTTP > proxy. > -- > View this message in context: http://old.nabble.com/Support-for-SOCKS

Re: revoking crt

2011-07-18 Thread Daniel Spannbauer
he entry in index.txt looks like this: R 191122112605Z 100607152858Z 0B unknown /C=DE/ST=BY/O=xxx/OU=Ben Zuhause/CN=Ben Zuhause/Email=xxx Regards Daniel > > > Quoting *Daniel Spannbauer <mailto:d...@marco.de>*: > > Hello, > > I use self-sign

revoking crt

2011-07-18 Thread Daniel Spannbauer
e am/Email=xxx In my opinion, there is no error in crt or index.txt. Can anybody help me to find the error? Regards Daniel -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 B

How is key calculated from passphrase

2011-07-01 Thread Daniel Wambold
Hello list. Sorry for what is likely a simple question but I'm running out of time and could use a quick hand. I have a program that encrypts data using AES256 CBC mode and a 256 bit (obviously) key provided directly to the encryption engine as-is. I need our Windows-using counterpart to encrypt

SMIME certificates used to encrypt email

2011-02-08 Thread Daniel Zamorano
some alternative. regards, -- Daniel Zamorano Research & Development __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated Lis

Re: Proxy for content filtering

2010-07-29 Thread Luis Daniel Lucio Quiroz
On Thursday 29 July 2010 23:38:27, you wrote: > Hi All > > > I want to build a proxy server, which acts as man in the middle proxy. The > main intention of application is to do content filtering, whether it is an > http or https request. I want to block some specified URL. Can anybody > te

Re: Wildcard certs?

2010-07-24 Thread Luis Daniel Lucio Quiroz
lowing links for Comodo, Thawte and Verisign : > >- http://www.comodo.com/e-commerce/ssl-certificates/wildcard-ssl.php > >- http://www.thawte.com/ssl/wildcard-ssl-certificates/ > >- http://www.verisign.com/ssl-certificates/wildcard-ssl-certificates/ > > > > Che

Wildcard certs?

2010-07-23 Thread Luis Daniel Lucio Quiroz
Just wondering who i must do request for a wildcard cert, for example to accept all the *.mydomain.com Regards, LD __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: I want to build a man in the middle proxy server application.

2010-07-23 Thread Luis Daniel Lucio Quiroz
On Friday 23 July 2010 06:29:11, you wrote: > Sub : I want to build a man in the middle proxy server application. > > I have experimented so many methods to achieve this. But my application is > failing when I tried to browse from the browser (IE 8 and Firefox 3.7). > > I have configu

RE: Missing Headers

2010-06-17 Thread Warren, Daniel
The headers are in openssl-1.0.0\inc32. Dan W. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Harshvir Sidhu Sent: Thursday, June 17, 2010 12:01 PM To: openssl-users@openssl.org Subject: Missing Headers I just downl

Problem making openssl0.9.8n in solaris 10

2010-04-27 Thread Daniel Bianco
ory /home/ed855238/cruise_sources/openssl-0.9.8n/crypto *** Error code 1 make: Fatal error: Command failed for target `build_crypto' If anyone can help me I would appreciate very much. Thanks Daniel

Error in BIO_should_retry man page

2010-03-27 Thread Daniel Mentz
eason(). I would appreciate if someone could look into this and let me know their opinion. Thanks Daniel __ OpenSSL Project http://www.openssl.org User Support Mailing List

Broadcom & OpenSSL support

2010-03-09 Thread Luis Daniel Lucio Quiroz
Hi SSL'es We are planning to buy this hardware http://www.broadcom.com/products/BCM800 It claims to run under linux, however after linux loads its module. I wonder to know if openssl will take advantage of it? Regards, LD _

Re: New to Openssl - recover public key

2010-02-10 Thread Luis Daniel Lucio Quiroz
On Wednesday 10 February 2010 12:32:50, you wrote: > Hi, > > I have lost my public key, I used this public key to generate a certificate > request which has been signed. I need to try and recover my key to a .p12 > file and reimport it into my program to match the signed cert. > > All I have

Re: Subject Issuer Mismatch Bug!!

2009-10-30 Thread Daniel Marschall
2009/10/30 Dr. Stephen Henson : > On Fri, Oct 30, 2009, Daniel Marschall wrote: > >> >> > >> > 2) When you enable informational messages, you get accurate informational >> > messages. >> >> Please tell me, why it isn't a bug! I don't u

Re: Subject Issuer Mismatch Bug!!

2009-10-30 Thread Daniel Marschall
2009/10/29 David Schwartz : > > Daniel Marschall: > >> Hello. >> >> I am not searching bugs in my code. I have a certificate and a CRL. >> And the functionality -issuer_checks is buggy. My cert and CRL have >> exactky the same DN as issuer. > > What i

Re: Subject Issuer Mismatch Bug!!

2009-10-28 Thread Daniel Marschall
Hello. I am not searching bugs in my code. I have a certificate and a CRL. And the functionality -issuer_checks is buggy. My cert and CRL have exactly the same DN as issuer. 2009/10/28 David Schwartz : > Daniel Marschall wrote: > >> Any idea? This problem exists since 2003 and no

Re: Subject Issuer Mismatch Bug!!

2009-10-27 Thread Daniel Marschall
Any idea? This problem exists since 2003 and no one found an answer - this is unbelievable. 2009/10/26 Daniel Marschall : > 2009/10/25, Dr. Stephen Henson : >> On Sun, Oct 25, 2009, Daniel Marschall wrote: >> >> > Hello. >> > >> > I have a problem with

Re: Unable to get certificate CRL

2009-10-26 Thread Daniel Marschall
CANNOT change the openssl version since I already use the latest stable of my debian system. The system administrator does not allow me to enforce an update to an unstable version. Regards Daniel Marschall 2009/10/25, Daniel Marschall : > Hello. > > I have a problem with verification of cer

Unable to get certificate CRL

2009-10-26 Thread Daniel Marschall
Client Certificate Authority (CRL: Intermediate) - - Daniel Marschall (CRL: Intermediate) At the verification process I get 2 types of errors 1. Issuer subject name errors 2. A CRL-Retriving error How can I solve these errors? Here is my command line: cat root.crt > tmp_cachain.pem

Re: Subject Issuer Mismatch Bug!!

2009-10-25 Thread Daniel Marschall
2009/10/25, Dr. Stephen Henson : > On Sun, Oct 25, 2009, Daniel Marschall wrote: > > > Hello. > > > > I have a problem with verification of certificates. > > > > My command line is: > > > > openssl verify -verbose -issuer_checks -crl_check_all

Subject Issuer Mismatch Bug!!

2009-10-25 Thread Daniel Marschall
Hello. I have a problem with verification of certificates. My command line is: openssl verify -verbose -issuer_checks -crl_check_all -CAfile tmp_cachain.pem daniel-marschall.crt The tmp_cachain.pem file is a conclusion of all root and intermediate certificates + their CRLs. (Mh... the trick

Re: OCSP Crashes - What's wrong?

2009-10-20 Thread Daniel Marschall
Hello Steve. Dr. Stephen Henson wrote: On Tue, Oct 20, 2009, Daniel Marschall wrote: Hello. I am trying to set up an ocsp server. I have following line: openssl ocsp -index codesign_intermediate/index.txt -url http://www.myhost.com:/codesign/ -rsigner root_ca/certs/cacert.crt

OCSP Crashes - What's wrong?

2009-10-20 Thread Daniel Marschall
process when I have a Root-CA and a Intermediate-CA and both should use OCSP? Should both get different ports? 4) How can I add the OCSP URL to the root and intermediate certificates (I use the subprograms req + ca) Regards Daniel Marschall
