Re: [openssl-users] The default cipher of executable 'openssl'

2015-06-19 Thread Dave Thompson
> From: openssl-users On Behalf Of Viktor Dukhovni > Sent: Friday, June 12, 2015 02:47 > > 1) 1.0.1l > > ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile > > certdb/cafile.pem > > Using default temp DH parameters > > Using default temp ECDH parameters > > ACCEPT > > With SSL

Re: [openssl-users] The default cipher of executable 'openssl'

2015-06-11 Thread Dave Thompson
> From: openssl-users On Behalf Of Aaron > Sent: Wednesday, June 10, 2015 03:47 > We are using executable 'apps/openssl' in our test cases. We upgraded from > OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test cases > started to fail. After checking, I noticed that the default c

Re: [openssl-users] [openssl-dev] Is there openssl API to verify certificate content is DER or PEM format ?

2015-06-11 Thread Dave Thompson
> From: openssl-dev On Behalf Of Nayna Jain > Sent: Wednesday, June 10, 2015 20:31 > If I have a pem file with private key in that, how do I check if that is RSA/DSA ? If it uses a "legacy" format, the BEGIN line specifies the algorithm -BEGIN RSA PRIVATE KEY- -BEGIN DSA PRIVATE KEY--

Re: [openssl-users] Testing OpenSSL based solution

2015-05-13 Thread Dave Thompson
> From: openssl-users On Behalf Of Marcus Vinicius do Nascimento > Sent: Tuesday, May 12, 2015 16:50 > I did some quick research and found this: http://en.wikipedia.org/wiki/Digital_Signature_Algorithm > If my understanding is correct, the public key is (p, q, g, y). You might want to look at the

Re: [openssl-users] PEM_read_bio_PrivateKey(..) or PEM_read_bio_RSAPrivateKey(..) both returns NULL

2015-05-02 Thread Dave Thompson
> From: openssl-users On Behalf Of Nayna Jain > Sent: Friday, May 01, 2015 22:37 > I have a privatekey file written using the call PEM_write_bio_RSAPrivateKey(...) > The file write operation has been successful. Do you mean the PEM_write_ returned 1, or do you mean the file contains correct (or

Re: [openssl-users] Error signing document

2015-04-30 Thread Dave Thompson
> From: openssl-users On Behalf Of m.de.groot > Sent: Thursday, April 30, 2015 14:46 > I converted the pfx file to a pem file using the following command > openssl pkcs12 -in CustKeyIcBD001.pfx -out CustKeyIcBD001.pem -nodes > > After this I am trying to sign a file using this key with the following

Re: [openssl-users] SHA256() to EVP_* ?

2015-04-30 Thread Dave Thompson
> From: openssl-users On Behalf Of jonetsu > Sent: Wednesday, April 29, 2015 10:07 > The man page (the one online from OpenSSL project - SHA256.html) > gives a description using SHA1() which computes a message digest. Note this is the same page for SHA{1,224,256,384,512}{,_Init,_Update,_Final}.ht

Re: [openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread Dave Thompson
> From: openssl-users On Behalf Of jonetsu > Sent: Tuesday, April 28, 2015 13:53 > What would be the equivalent of the SHA256() function in the EVP > class of methods ? EVP_sha256() could be it, although from the > short description in manual page it does not seemingly fit in, > returning a EVP_M

Re: [openssl-users] base64 decode in C

2015-03-18 Thread Dave Thompson
> From: openssl-users On Behalf Of Prashant Bapat > Sent: Wednesday, March 18, 2015 03:37 > I'm trying to use the base64 decode function in C. > This works well for simple b64 encoded strings like "hello world!" etc. > But when I want to b64 decode the contents of a SSH public key, it fails. >

Re: [openssl-users] How to disable all EXPORT Ciphers?

2015-03-10 Thread Dave Thompson
> From: openssl-users On Behalf Of Viktor Dukhovni > Sent: Monday, March 09, 2015 12:47 > On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote: > > "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH" > > with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 > and 1024? > You only

Re: [openssl-users] Max size on ASN1_item_d2i_bio()?

2015-02-21 Thread Dave Thompson
> From: openssl-users On Behalf Of Dr. Stephen Henson > Sent: Friday, February 20, 2015 17:24 > On Fri, Feb 20, 2015, Nathaniel McCallum wrote: > > > I'd like to use ASN1_item_d2i_bio() (or something similar) to parse an > > incoming message. However, given that types like ASN1_OCTET_STRING > > h

Re: [openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2

2015-02-19 Thread Dave Thompson
> From: openssl-users On Behalf Of open...@lists.killian.com > Sent: Wednesday, February 18, 2015 13:26 > I noticed that openssl(1) says that various things have been superseded by > genpkey, so I tried changing my scripts to use it. It works fine for RSA, but the > man page is not very helpful on

Re: [openssl-users] i2d and d2i functions

2015-02-16 Thread Dave Thompson
> From: openssl-users On Behalf Of Rajeswari K > Sent: Friday, February 13, 2015 23:50 > Hello Dave, > Based on your input, have stopped calling i2d_ECDSA_SIG() > and used BN_bn2bin() to overcome the der headers. > And now, my verification is working fine. ECDSA_verify in ecs_vrf.c only uses i2d

Re: [openssl-users] i2d and d2i functions

2015-02-16 Thread Dave Thompson
> From: openssl-users On Behalf Of Rajeswari K > Sent: Monday, February 16, 2015 03:05 > Our current signature and verification logics are working just fine > with TLS1.0 and TLS1.1 for ECDHE_ECDSA cipher suite. > But, when tested the same cipher suite with TLS1.2, SSL handshake > always failin

Re: [openssl-users] i2d and d2i functions

2015-02-13 Thread Dave Thompson
> From: openssl-users On Behalf Of Rajeswari K > Sent: Friday, February 13, 2015 09:48 > As part of [ECDSA] signature verification, we first take lenght_of_signature > received > and compare with double the size of number_of_bytes from curve parameter. > Have converted the ECDSA_SIG to unsigned

Re: [openssl-users] i2d and d2i functions

2015-02-12 Thread Dave Thompson
> From: openssl-users On Behalf Of Rajeswari K > Sent: Thursday, February 12, 2015 00:40 > I have a query on d2i_PUBKEY() and i2d_PUBKEY(). > I have an EC public key in form of character buffer. > Have inputted this character buffer to d2i_PUBKEY() and got EVP_PKEY format > EC key. To be exact

Re: [openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken?

2015-02-11 Thread Dave Thompson
> From: openssl-users On Behalf Of Jörg Eyring > Sent: Wednesday, February 11, 2015 03:44 > I'm generating a certificate request and the necessary entries are added > with: > ... > if(!X509_NAME_add_entry_by_txt(subj,"C", MBSTRING_ASC, (unsigned > char *) CountryName,-1,-1,0)) > X509_NAME_add_ent

Re: [openssl-users] How to load local certificate folder on windows

2015-02-06 Thread Dave Thompson
> From: openssl-users On Behalf Of Jerry OELoo > Sent: Wednesday, February 04, 2015 21:54 > I am using openssl 1.0.2 on windows 7 OS. > > I have put some root certificate files into a folder certs. when I am > using X509_STORE_load_locations() to load this folder into store, it > returns 1 means suc

Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error

2015-02-04 Thread Dave Thompson
> From: openssl-users On Behalf Of Rajeswari K > Sent: Monday, February 02, 2015 22:17 > Thanks for responding. Following is the output printed by openssl > ./openssl req -in csr.csr -noout -text >Subject Public Key Info: >Public Key Algorithm: id-ecPublicKey >

Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error

2015-02-02 Thread Dave Thompson
> From: openssl-users On Behalf Of Rajeswari K > Sent: Sunday, February 01, 2015 21:18 > Am facing an issue of "no shared cipher" error during SSL Handshake, > when tried to negotiate ECDHE cipher suite. > *Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C > *Feb 2 01:00:47.89

Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Dave Thompson
> From: openssl-users On Behalf Of Kurt Roeckx > Sent: Tuesday, January 27, 2015 17:14 > On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote: > What browsers do is cache the intermediate certificates. That's one possibility. Another is that it uses AuthorityInfoAccess to fetch the cert autom

Re: [openssl-users] HMAC-MD5 OpenSSL 1.0.1e and FIPS 2.0.7

2015-01-21 Thread Dave Thompson
> From: openssl-users On Behalf Of Dr. Stephen Henson > Sent: Wednesday, January 21, 2015 09:28 > On Wed, Jan 21, 2015, John Laundree wrote: > > > Ok, so I will naively ask the question "How does one do TLS 1.0/1.1 in FIPS > mode? Or is this no longer allowed, i.e. TLS 1.2 only?" > > The use of

Re: [openssl-users] Read cer file failed

2015-01-20 Thread Dave Thompson
> From: openssl-users On Behalf Of Jerry OELoo > Sent: Tuesday, January 20, 2015 00:34 > I am reading cer file into X509 object, > http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer > > cert = d2i_X509_fp(fp, NULL); > it will return fail, as below > > Error: error:0D07207B:asn1 encoding routin

Re: [openssl-users] OpenSSL AES encryption using AES_* functions and EVP_* functions

2014-12-31 Thread Dave Thompson
> From: openssl-users On Behalf Of Purushotham Nayak > Sent: Wednesday, December 31, 2014 12:22 > I have some data that was encrypted using the openssl (`AES_*`) functions. > I want to update this code to use the newer (EVP_*) functions which are > FIPS compliant. But I should be able to decrypt da

Re: [openssl-users] can I parse PKCS8 file and decrypt it later?

2014-12-30 Thread Dave Thompson
> From: openssl-users On Behalf Of Bear Giles > Sent: Tuesday, December 30, 2014 16:53 > I've been able to read and write most objects using both the PEM bio > and i2d/d2i functions. I know I can write an encrypted PKCS8 file with > PEM_write_bio_PKCS8PrivateKey(). > How do I read encrypted PKCS

Re: [openssl-users] Differences in openssl 0.9.8 and 1.0.1x for private pem key file

2014-12-30 Thread Dave Thompson
> From: openssl-users On Behalf Of Jaya Nageswar > Sent: Tuesday, December 30, 2014 02:36 > ... the output [is] different between openssl 0.9.8 and 1.0.1x versions as > the following methods > are being used in the code flow for the method PEM_write_bio_PrivateKey. > 1.0.1x - PEM_write_bio_PKCS8

Re: [openssl-users] Differences in openssl 0.9.8 and 1.0.1x for private pem key file

2014-12-22 Thread Dave Thompson
> From: openssl-users On Behalf Of Jaya Nageswar > Sent: Monday, December 22, 2014 05:51 > In our application, we have been using openssl 0.9.8 and trying to move to > openssl 1.0.1x as 0.9.8 is going to be EOS by December 2015. We have a > sample application where we try to read a sample pem k

Re: [openssl-users] OpenSSL performance issue

2014-12-19 Thread Dave Thompson
> From: openssl-users On Behalf Of Kurt Roeckx > Sent: Thursday, December 18, 2014 16:36 > On Fri, Dec 19, 2014 at 02:30:07AM +0530, Prabhat Puroshottam wrote: > > *** > > This is for *Client -> Agent* > > *** > [...] > >

Re: [openssl-users] OpenSSL performance issue

2014-12-19 Thread Dave Thompson
> From: openssl-users On Behalf Of Michael Wojcik > Sent: Thursday, December 18, 2014 21:27 > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On > Behalf > > Of Kurt Roeckx > > Sent: Thursday, December 18, 2014 16:36 > > To: openssl-users@openssl.org > > Subject: Re: [openssl-user

Re: [openssl-users] Strange SSL_read behavior: 1/N-1

2014-12-08 Thread Dave Thompson
> From: openssl-users On Behalf Of Hooman Fazaeli > Sent: Monday, December 08, 2014 09:36 > 1. The SSL_read in my http server app always reads the first byte of >   http request, instead of the whole. To read the rest, I should do >   further SSL_reads: >   I have seen this pattern with firefox

RE: How to disallow openssl to pick up local openssl settings?

2014-12-04 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > Sent: Monday, December 01, 2014 16:18 (reordered) > On Mon, Dec 1, 2014 at 3:47 PM, Tanel Lebedev wrote: > > I'm building and packaging OpenSSL as a third party library in my app. I > > also include a certificate bundle with it.

RE: OpenSSL performance issue

2014-12-04 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Prabhat Puroshottam > Sent: Tuesday, December 02, 2014 07:04 > We have a product which uses OpenSSL to connect and transfer > application level data. There are two ways to connect, and get the > application level data from *Agent* to *Client* >

RE: SSL alert number 51

2014-11-23 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills > Sent: Friday, November 21, 2014 12:30 > Thanks. I guess I may have to open a problem with IBM. The IBM > documentation > clearly lists a number of "cipher suites" (as they call them) that use SHA1 > (including the one we (IBM+Ope

RE: Unable to sign a certificate: for Java codesigning

2014-11-20 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Joerg Schmitz > Sent: Saturday, November 15, 2014 12:16 > I hope you can help me. I'm about to sign jar-files with a self created > certificate > using OpenSSL. The jar-File contains an old Java-Applet which Java is > blocking > (as long as

new c_rehash, was RE: differing outputs using cli utility and c interface

2014-11-20 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Malatesh Ankasapur > Sent: Tuesday, November 18, 2014 23:17 Note: you should post a new topic as a new message, not a reply. subject fixed > citrix receiver using the symbolic link .pem certificate so i did c_rehash > for my certificate > 1. op

RE: openSSL equivalent of RSA/ECB/PKCS1Padding

2014-11-19 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Dan Si Atat > Sent: Wednesday, November 19, 2014 14:32 > I am trying to emulate in OpenSSL java encryption algorithm.   > When using "RSA_public_encrypt" are there parameters to emulate any of these > combinations of parameters in Java? > "RSA/

RE: SSL alert number 51

2014-11-19 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills > Sent: Wednesday, November 19, 2014 14:08 > 10280:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:.\ssl\s3_pkt.c:1275:SSL alert number 51 http://tools.ietf.org/html/rfc5246.html#section-7.2 decrypt_error

RE: sign issue

2014-11-15 Thread Dave Thompson
Your questions are confused and I don’t have time to read through a lot of code, but: In OpenSSL, type RSA (typedef struct rsa_st) is used for both/all RSA keys. When you generate a new keypair, the RSA structure is filled with fields for both private key and public key. If you use the

RE: Query regarding SSLv23 methods

2014-11-15 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton > Sent: Friday, November 14, 2014 22:03 > SSL_OP_* are bitmasks. > SSL_CTX_set_options(conn->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); > On 11/14/2014 12:37 AM, Vaghasiya, Nimesh wrote: >conn->ssl_ctx = SSL_CTX_new(S

RE: sign data and verify it

2014-11-05 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Amir Reda > Sent: Wednesday, November 05, 2014 02:42 > 1- i generate rsa key pairs and try to print it in a pem file but when i open > the file it was empty You never close or even flush the file. openssl uses C I/O and C I/O by default is us

RE: Why public key SHA1 is not same as Subject key Identifier

2014-11-05 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo > Sent: Wednesday, November 05, 2014 03:11 > But when I go to www.google.com website, I find the leaf certificate > and intermediate certificate is ok, but root CA certificate (GeoTrust > Global CA) is not. > Public Key SHA1: > 00:f

Re: Openssl IPv6 Support

2014-11-05 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Marcus Meissner > Sent: Wednesday, November 05, 2014 04:10 > On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) > wrote: > > Hi, > > > > Does Openssl support IPv6 officially?. > > AFAIK the libssl and libcrypto libraries do not u

RE: certificate verification problem

2014-10-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org > Sent: Thursday, October 30, 2014 14:50 > I have... root_ca.pem ... self-signed ... issued host_ca.pem ... > I would expect the two to form a valid chain. And indeed, > verification succeeds: > ... openssl verify -CAf

RE: How to get https web site certificate public key

2014-10-30 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo > Sent: Tuesday, October 28, 2014 04:20 > Now I use i2d_RSAPublicKey() to encode on RSA* from EVP_PKEY which > will show same as [Chrome] > > One more thing, I find use i2d_RSAPublicKey() will be get same public > between openssl A

RE: How to get https web site certificate public key

2014-10-28 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo > Sent: Tuesday, October 28, 2014 02:03 > I use SSL_get_peer_certificate(), X509_get_pubkey() API to get web > site https certificate public key, when I dump public key, I find > which is not same as I see in browser (In Chrome, clic

RE: Know Extended Key Usage

2014-10-13 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Lewis Rosenthal > Sent: Wednesday, October 08, 2014 10:57 > Actually, Jakob, I think it's the second one (the first one after the > pipe) which can come out, i.e.: > Yes. > openssl s_client -showcerts -connect google.com:443 < \ > /dev/null |

RE: Openssl err 18

2014-10-07 Thread Dave Thompson
verify status 18 (not strictly an openssl error) means that you (usually as a client) received a cert chain (usually from the server) with a root cert that is not in your truststore. Yes, this is a slightly confusing error description for this case. If the root cert used should be trusted,

RE: Certificate chain

2014-10-02 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of salih ahi > Sent: Thursday, October 02, 2014 04:03 > I wrote an openssl server, which uses an on-the-fly created certificate > and signs it with the private key of another already created self-signed > certificate file. I am adding them both t

RE: Generate DH parameters on the fly

2014-09-26 Thread Dave Thompson
(Sorry, got stuck in my outbox and I didn't notice for a while) > From: owner-openssl-us...@openssl.org On Behalf Of Marco Bambini > Sent: Monday, September 22, 2014 02:44 > Thanks a lot for the explanation, so instead of generating new parameters on > the fly I could just create them once and th

RE: Generate DH parameters on the fly

2014-09-20 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Marco Bambini > Sent: Friday, September 19, 2014 12:04 > my server needs to accept DHE ciphers from clients so I think I would need to > be able to load static dh512.pem, dh1024.pem, dh2048.pem and dh4096.pem > certificates on server side. In or

RE: Change in default behavior from 1.0.1g to 1.0.1h: string global_mask

2014-09-20 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Andy Schmidt > Sent: Wednesday, September 17, 2014 18:28 > I just tracked down an obscure bug in our certificate authentication > code to a change in the global mask for ASN.1 strings in > crypto/asn1/a_strnid.c. > (https://github.com/openssl

RE: TLS handshake error : No shared cipher (SSL error 40)

2014-09-17 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Francis GASCHET > Sent: Wednesday, September 17, 2014 13:35 > We use openSSL in OFTP2 implementation. The OFTP2 working group > decided > to strongly recommend to use preferably the cipher suites including PFS > (ephemeral Diffie Hellman). To

RE: Certificate pass phrase brute force...

2014-09-16 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop > Sent: Monday, September 15, 2014 22:50 > And, one more question: > How can I tell what format/encryption my pkcs12 files are in? > [I believe for Android platform use, I need p12 certs/keys - so I'm working > on the export/con

RE: Certificate pass phrase brute force...

2014-09-16 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop > Sent: Monday, September 15, 2014 17:14 > I've gone back and re-encrypted the private keys [thanks Dave, again!] > and this is the result from an asn1parse > Is that the new format? [It looks like it, but I'm such a "babe in the

RE: cannot read PEM key file - no start line

2014-09-13 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson > Sent: Friday, September 12, 2014 04:31 > *If* you are now using a legacy-format encrypted private-key (and your > original > error message suggested you might need some form of private key, which does >

RE: cannot read PEM key file - no start line

2014-09-12 Thread Dave Thompson
line is causing the problem with openSSL? Thank you, Liz From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson Sent: Tuesday, September 09, 2014 5:49 PM To: openssl-users@openssl.org Subject: RE: cannot read PEM key file - no start line

RE: issuer_hash

2014-09-12 Thread Dave Thompson
-fingerprint is the hash of the whole cert. The question was hash of issuer name. If you’re satisfied with hash of the issuer name >as encoded<, which should not but can differ from the canonicalized form OpenSSL uses for lookup, you can: - use asn1parse to find the byte position of the issu

RE: cannot read PEM key file - no start line

2014-09-09 Thread Dave Thompson
I was half wrong before. The base64 read in EVP_Decode* allows 76. But the PEM parser in PEM_read_bio enforces exactly 64 >>only for input files that have PEM-encrypt headers<< which in practice is only encrypted legacy-format privatekey files. (Nonprivate things like cert, CSR, publickey

RE: Certificate pass phrase brute force...

2014-09-09 Thread Dave Thompson
(Sorry not inline, my Outlook can’t do that for HTML.) That’s actually a subvariant I forgot to describe: PKCS#8 *version 2*. It has “BEGIN ENCRYPTED PRIVATE KEY” (not specifying RSA etc.) like version 1, but instead of a single PBE algorithm-id PBE-with-$kdf-and-$cipher it has a structure

RE: Certificate pass phrase brute force...

2014-09-08 Thread Dave Thompson
For the legacy formats (dashes-BEGIN PRIVATE RSA KEY or PRIVATE EC KEY) just look on the DEK-Info: header line. For PKCS#8 format (dashes-BEGIN ENCRYPTED PRIVATE KEY) do openssl asn1parse and. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf O

RE: cannot read PEM key file - no start line

2014-09-08 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni > Sent: Monday, September 08, 2014 08:42 > On Sun, Sep 07, 2014 at 07:26:05PM -0700, Liz Fall wrote: > > > I have checked and verified that there is no whitespace. Also, the BEGIN > > and END statements look correct. However,

RE: Performance related queries for SSL based client server model

2014-09-07 Thread Dave Thompson
This is not a –dev question, and there’s no need to send three times. scp uses the SSH protocol. OpenSSL does not implement SSH. OpenSSH, which is a different product from a different source, implements SSH, although in their design the scp program doesn’t do any comms at all, it just pipe

RE: design clarification using openssl

2014-09-07 Thread Dave Thompson
1) That doesn't make sense. Maybe you mean the socket come from (TCP-level) accept and you give it to SSL_set_fd? That does make sense and should work for one connection=socket at a time i.e. accept #3, connect SSL to #3, do send and receive until connection closed, close socket and SSL_clear, a

RE: [SPAM?] Re: ECDSA Certificate

2014-08-12 Thread Dave Thompson
> and how do I generate an ECDSA certificate? To generate a selfsigned ECDSA cert the same ways you do RSA, except use EC instead of RSA. - use req -new with EC key or -newkey with EC parms and -x509 to generate selfsigned cert directly. - use req -new with key or -newkey to generate CSR, then

RE: ECDSA Certificate

2014-08-10 Thread Dave Thompson
Both of those are using an RSA certificate; DHE or ECDHE is key-exchange only not authentication. However the servers must configure *parameters* for "temp DH" and "temp ECDH" respectively; do they? For ECDHE the parameters must use one of the (named) curves specified by the client; openssl c

RE: found half of it: EC key gen

2014-08-07 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of dave > Sent: Monday, August 04, 2014 15:50 > I have it that the elliptic multiply is not standard. So I have been > skip tracing though the code. > It starts with ec_key.c, with EC_KEY_generate_key. This grabs the > group or or the particula

RE: Query on X509 certificate validation- EVP_VerifyUpdate & EVP_VerifyFinal

2014-08-07 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni > Sent: Monday, August 04, 2014 11:21 > On Mon, Aug 04, 2014 at 05:43:47AM +, Mitra, Rituparna (STSD) wrote: > > > 1. app1: sends a CGI POST request to app2 ? the POST request has the > UN (username). > > > > 2.

RE: Help diagnosing SSL connection problem needed

2014-08-07 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton > Sent: Thursday, August 07, 2014 16:48 > Your client is saying that it's failing the certificate verification of > the server certificate. It's probably not using the CAfile that you > passed to openssl s_client. > > -Kyle H >

RE: SSL connection broken after upgrading from 0.9.8a to 1.0.1e version of openssl

2014-08-01 Thread Dave Thompson
This almost certainly belongs in -users only, but if I restrict reply it looks unanswered. > From: owner-openssl-us...@openssl.org On Behalf Of Nayna Jain > Sent: Thursday, July 31, 2014 17:37 > We got one of our openssl version upgraded to openssl 1.0.1e version. > But after that I am facing

RE: Use of parity bits on DES

2014-08-01 Thread Dave Thompson
If by "heavy bit" you mean the most significant bit, that's backwards. DES (and 3DES) keys put the parity bits in the least significant bit. The low-level DES_* API in OpenSSL has options to set a key with checking for parity and "weak" and "semi-weak" keys, or without, and also routines to

RE: found half of it

2014-08-01 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of dave paxton > Sent: Thursday, July 31, 2014 20:12 > In looking at this today I found what the new ec key is doing. It > does a BN_rand_range operation. That does have the rand.h include. It > looks like it is using from the random area pseu

RE: Adding client peer verification to my server

2014-07-28 Thread Dave Thompson
It's a good idea for server to set client-CA list, but not required. If it isn't set, libssl server will send CertReq with an empty list, which the RFCs permit, and the browsers I have to hand (IE9, FF31, Chrome36.something) all handle. The OP's problem is more likely on the client side. Fro

RE: Program to convert private key from pem to der format

2014-07-28 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni > Sent: Thursday, July 24, 2014 14:18 > On Thu, Jul 24, 2014 at 08:07:01AM -0700, phildoch wrote: > > > The key format needed by the system is algorithm-specific DER format. > > I am not aware of any standard formats for keys o

RE: Adding client peer verification to my server

2014-07-28 Thread Dave Thompson
Did you successfully load the root cert into the SERVER truststore? The requirements are not quite symmetric: Almost always (except for anon and non-PK): server MUST set privatekey and matching cert, and preferably any chain cert(s) (you have none) client MUST set truststore containing r

RE: Openssl SSL3_GET_RECORD:block cipher pad is wrong: on Ubuntu

2014-07-23 Thread Dave Thompson
-4ubuntu5.14 installed OpenSSL 1.0.1 14 Mar 2012 built on: Fri Jun 20 18:54:15 UTC 2014 platform: debian-amd64 As you pointed yes the server preference is set on the origin side. --David On Tue, Jul 22, 2014 at 9:17 AM, Dave Thompson wrote: You can’t be running 1.0.1 as released; it

RE: Openssl SSL3_GET_RECORD:block cipher pad is wrong

2014-07-21 Thread Dave Thompson
You can’t be running 1.0.1 as released; it doesn’t have BLOCK_CIPHER_PAD_IS_WRONG in s3_pkt at all (instead in s3_enc and t1_enc) and doesn’t have UNKNOWN_ALERT_TYPE at that line number. BLOCK_CIPHER_PAD is at 419 in 1.0.1e through g, and UNKNOWN_ALERT_TYPE shortly before (but not at) 1270

RE: [SPAM?] x509v3 Extension: X509v3 Name Constraints?

2014-07-18 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Walter H. > Sent: Thursday, July 17, 2014 13:58 > does anybody know what to write in the extension config to get this > X509v3 Name Constraints as the attached certificate (intel-ca.pem, > intel-ca.text)? > http://www.openssl.org/docs/apps/x509

Re: Certificate problem - SOLVED

2014-07-10 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > Sent: Tuesday, July 08, 2014 20:33 > On Tue, Jul 8, 2014 at 7:00 PM, Dave Thompson > wrote: > >> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > >> Sent: Tuesday, July 08, 20

Re: Certificate problem - SOLVED

2014-07-08 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > Sent: Tuesday, July 08, 2014 16:20 > On Tue, Jul 8, 2014 at 3:39 PM, Barbe, Charles > wrote: > > I figured it out and am now wondering if there is a defect in the openssl > verify command. This suggesti

RE: Certificate problem

2014-07-07 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Barbe, Charles > Sent: Monday, July 07, 2014 21:59 > I will try an ASN.1 decoder tomorrow. Thanks for the suggestion! > > One thing I did try today was to have both servers generate their certificates > using the same private key. Theoretically

RE: Certificate problem

2014-07-07 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Barbe, Charles > Sent: Sunday, July 06, 2014 22:42 > I have the following certificates and associated private keys: > > A - certificate A generated with one version of my software not using openssl > B - certificate B generated with a new versi

RE: 2 Server certificates

2014-06-16 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of nicolas@free.fr > Sent: Friday, June 13, 2014 06:15 > the fact is a server can only send a single certificate, however this one can > be > signed by multiple CAs Kind of. There's a difference between what we humans perceive as a CA (someb

Re: ECDSA - Signature verify

2014-06-12 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Anant Rao > Sent: Wednesday, June 11, 2014 09:45 > The signature is generated by a client program (also a 'c' program). What is > the format of a signature? How do I find out? The format for an ECDSA or DSA signature is an ASN.1 SEQUENCE of tw

RE: No OPENSSL_Applink

2014-06-09 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of open...@comaxis.com > Sent: Saturday, June 07, 2014 09:35 > I am attempting to use the d2i_PKCS12_fp() API call in a Windows DLL > compiled with the multi-threaded (/MT) runtime library. On this call I > get the runtime error "OPENSSL_Uplink(03

RE: OpenSSL: build "my" version

2014-06-02 Thread Dave Thompson
On platforms where shared-lib is supported at all it is usually the default build and the conventional packaging. Are you sure you don’t already have it? Or do you mean you want to build a different and/or modified version, as shared? What almost(?) everybody does and the build process is se

RE: Re?: How to make a secure tcp connection without using certificate

2014-05-29 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm > Sent: Wednesday, May 28, 2014 13:04 > On 5/25/2014 2:22 PM, Hanno Böck wrote: > > Some clients (e.g. all common browsers) do fallbacks that in fact > > can invalidate all improvements of later tls versions. > > > > These fallbacks

RE: Verification of a certificate chain

2014-05-29 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Sven Reissmann > Sent: Thursday, May 29, 2014 12:24 > What I did was: > > - I generated a newRootCA (new keypair, selfsigned certificate). > > - I generated another selfsigned certificate (bridgeCert) from the > newRootCA's private key. From

RE: PKCS7_sign & PKCS7_verify

2014-05-27 Thread Dave Thompson
The third arg of PKCS7_verify (indata) should only be used for an ‘external’ or ‘detached’ signature where the PKCS#7 does not contain the data. In your case it should be null. Also note that the _BINARY flag isn’t actually used for “plain” PKCS#7, only for SMIME. And I don’t think it reall

RE: Verification of a certificate chain

2014-05-27 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick > Sent: Tuesday, May 27, 2014 12:41 > > From: Sven Reissmann > > > > What I want to achieve is having a new rootCA, which replaces an > > oldRootCA, which I am using until now. > > > > So far the trust chain is: oldRoot -> ol

RE: Openssl crashed when loading certificates

2014-05-20 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dustin Oprea > Sent: Tuesday, May 20, 2014 14:07 > On Tue, May 20, 2014 at 1:04 PM, David Li wrote: > The code that you cited doesn't use SSL_CTX_use_certificate_chain_file. You're right; I missed

RE: Openssl crashed when loading certificates

2014-05-20 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of David Li > Sent: Tuesday, May 20, 2014 13:05 > I am using SSL_CTX_use_certificate_chain_file() to load my server certificate > files at initialization. > The PEM file is created by concatenating serv

RE: SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key

2014-05-19 Thread Dave Thompson
http://www.openssl.org/support/faq.html#PROG6 and if you haven't loaded error strings http://www.openssl.org/support/faq.html#PROG7 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Darshan Mody Sent: Monday, May 19, 2014 09:13 To: openssl-users

RE: encrypt - salt

2014-05-15 Thread Dave Thompson
EVP_BytesToKey implements (a tweak on) the original PKCS#5, which derived a key and IV by iterated hashing of a (reusable but secret) password with random (i.e. unique) salt. Given random salt this gives effectively random IV, but is unnecessarily complicated. This was recognized as a not

RE: How to include intermediate in pkcs12?

2014-04-28 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Edward Ned Harvey (openssl) > Sent: Thursday, April 24, 2014 16:15 > > > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in > > mycert.crt -certfile intermediate.crt -CAfile ca.crt > > > (Correct?) > > So ... I just tried t

RE: How to include intermediate in pkcs12?

2014-04-24 Thread Dave Thompson
A lot of things on the Internet are wrong. The OpenSSL man page does not say multiple occurrences work and I'm pretty sure it never did, nor did the code. In general OpenSSL commandlines don't handle repeated options; the few exceptions are noted. pkcs12 -caname (NOT -cafile) IS one of the few

RE: Verify Two Way SSL Certificates.

2014-04-22 Thread Dave Thompson
What exactly do you include in correctly? As that entry (rightly) explains, the (or each) server must have a key & cert from a CA trusted by the client, and the (or each) client must have a key & cert from a CA trusted by the server. Most clients trust the “well-known” CAs like Verisign a

Re: Heart bleed with 0.9.8 and 1.0.1

2014-04-15 Thread Dave Thompson
Possibly too Postelian, OpenSSL answers a received heartbeat request (and thus before the fix answers a malicious request with leaked data) even if the heartbeat extension was negotiated off. Only the build option to exclude the code stops it. OpenSSL will *send* hb request only if/after nego

RE: Help me for ECDHE algorithm

2014-04-15 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of chetan > Sent: Monday, April 14, 2014 00:42 > xxx.c is my program file. > So, I'm compiling simply like "cc xxx.c ". > I am getting [undefined reference] This is basic C programming. Whenever you link (not just compile) a C program that uses a

RE: no OPENSSL_Applink in my DLL

2014-04-03 Thread Dave Thompson
1. Modify the uplink logic to hardcode your DLL, and make sure your users' programs never call this modified openssl, probably by using a nonstandard filename(s), and then stand ready to provide updates every few months. 2. Rewrite the uplink logic to figure out which DLL is providing the tr

Re: Enabling s_server to use a local CRL file

2014-04-03 Thread Dave Thompson
cates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. Thanks, Lakshmi. From: Dave Thompson < <mailto:dth
