Hi Jeff,
I am not sure I can post the entire cert here. Is there any part in
particular that would be useful to debug the Alert Number 43 problem?
David
On Tue, Nov 1, 2016 at 8:07 PM, Jeffrey Walton wrote:
>> When I tested a remote server using s_client, it responded with:
>>
>> verify return:
Hi,
When I tested a remote server using s_client, it responded with:
verify return:1
139790582232992:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3
alert unsupported certificate:s3_pkt.c:1259:SSL alert number 43
139790582232992:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failu
Hi Jakob,
The computer has been up running for quite a while. I wonder if it
really needs NTP to take that long to sync up.
David
On Thu, Sep 10, 2015 at 7:20 PM, Jakob Bohm wrote:
> On 11/09/2015 02:13, David Li wrote:
>>
>> Hi,
>>
>> I am using "openssl
Hi,
I am using "openssl verify -CAfile " to verify the
certificate. It's been running as expected.
Recently I started to run this command on a different x86 platform.
What I found is that the first few times I always got:
error 9 at 1 depth lookup:certificate is not yet valid
Then I waited 10 m
ay/001387.html
> and https://mta.openssl.org/pipermail/openssl-users/2015-May/001388.html
>
> 2015-06-29 23:58 GMT+02:00 David Li :
>> The subCA has nameConstraints in the subCA configuration file:
>>
>> [name_constraints]
>> permitted;DNS.0 = example.com
>>
>
, Ben Humpert wrote:
> Do you use nameConstraints or have specified IP in subjectAltName?
> Because OpenSSL can't handle that correctly.
>
> 2015-06-29 22:51 GMT+02:00 David Li :
>> Hi,
>>
>> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
>
Hi,
As a test, I have created a rootCA, a subCA (signed by the rootCA) and
a client cert (signed by the subCA). Now I want to use verify,
s_client and s_server to test them together.
However I searched and tried a number of times but still unsure about
the correct syntax format in verify command.
On Fri, Oct 24, 2014 at 1:28 PM, Richard Könning <
richard.koenn...@ts.fujitsu.com> wrote:
> On 24.10.2014 20:47, David Li wrote:
>
>>
>>
>> On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning
>> > <mailto:richard.koenn...@ts.fujitsu.com>> wrot
On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning <
richard.koenn...@ts.fujitsu.com> wrote:
> At 24.10.2014 19:03, David Li wrote:
>
>> I am still a little unclear by what exactly TLS_FALLBACK_SCSV option
>> would do.
>>
>> What if the server only supports SSL
I am still a little unclear by what exactly TLS_FALLBACK_SCSV option would
do.
What if the server only supports SSLv3 + TLSv1 and client only connects
with SSLv3? Without the patch, both would agree to SSLv3. So this is a
problem.
What happens with the patch only on the server? And what happens
Hi Thulasi/Rich,
Thanks! This prompted me to uncover another bug in the code. I did encrypt
an extra block of zeros! Now everything makes sense.
Can't help to dig a little deeper into this: In AES-CBC mode, the
decryption can be paralleled. Is this what the EVP_DecryptUpdate is doing
behind the s
ote:
>
>
>
> On Fri, Aug 1, 2014 at 5:46 AM, David Li wrote:
>
>> Hi,
>>
>> I am using openssl 1.0.1h and AES128 CBC mode to encrypt some arbitrary
>> long ASCII string.
>> I encountered an issue at decryption. If I use EVP_DecryptFinal_ex then
>>
Hi,
I am using openssl 1.0.1h and AES128 CBC mode to encrypt some arbitrary
long ASCII string.
I encountered an issue at decryption. If I use EVP_DecryptFinal_ex then the
output is unrecognizable. If I remove the following then the output is OK.
if ((rc = EVP_DecryptFinal_ex(&ctx, debuf, &tmplen)
Hi,
Say, I have a servercert.pem, serverkey.pem and cacert.pem. When
using SSL_CTX_use_certificate_chain_file() to load a cert file as the
second argument, I will have to construct the file like this:
cat servercert.pem serverkey.pem cacert.pem > server.pem
and use server.pem in the API.
My qu
Oh, I see,
I should have used SSL_library_init() rather than OPENSSL_init_library().
Thanks everyone! Great help!
David
On Tue, May 20, 2014 at 1:38 PM, David Li wrote:
> Rich,
>
> I did the following calls:
>
> OpenSSL_add_all_algorithms();
> OP
Rich,
I did the following calls:
OpenSSL_add_all_algorithms();
OPENSSL_init_library();
SSL_load_error_strings();
Are these enough?
On Tue, May 20, 2014 at 1:32 PM, Richard Moore wrote:
> On 20 May 2014 20:13, David Li wrote:
>
>> So obviously my SSL_CTX object wa
Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org [mailto:
> owner-openssl-us...@openssl.org] On Behalf Of David Li
> > Sent: Tuesday, May 20, 2014 13:05
>
> > I am using SSL_CTX_use_certificate_chain_file() to load my server
> certificate files at initiali
20, 2014 at 11:07 AM, Dustin Oprea wrote:
> On Tue, May 20, 2014 at 1:04 PM, David Li wrote:
>
>> Hi,
>>
>> I am new to openssl programming. My goal is trying to get a simple server
>> up and running. I am using OpenSSL 1.0.1e-fips 11 Feb 2013 on Centos6.5.
>>
>>
Hi,
I am new to openssl programming. My goal is trying to get a simple server
up and running. I am using OpenSSL 1.0.1e-fips 11 Feb 2013 on Centos6.5.
I am using SSL_CTX_use_certificate_chain_file() to load my server
certificate files at initialization. The PEM file is created by
concatenating se
19 matches