Re: Use TLS over UDP connection

2013-02-25 Thread David Woodhouse
LS functionality work". But you should be careful not to give the impression that DTLS will magically give you an in-order, guaranteed-delivery data stream. It won't; it's still a datagram protocol at heart. -- David WoodhouseOpen Sour

How to check client certificate for expiration

2010-08-31 Thread David Woodhouse
In my VPN client I'd like to warn the user when their certificate is almost out of date. Is there a way to get the client certificate from the SSL_CTX after the client cert has been loaded? As discussed elsewhere, it's quite painful for an application simply to undertake the task of "load a clien

Re: FUNCTION FOR LOADING THE CERTIFICATE

2010-08-26 Thread David Woodhouse
On Thu, 2010-08-26 at 14:41 +0530, Raj wrote: > Can anybody tell me the function for loading a certificate file > (from my local hdd) to X509 object http://www.advogato.org/person/dwmw2/diary/205.html -- dwmw2

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-07 Thread David Woodhouse
On Thu, 2010-06-03 at 21:35 -0400, Victor Duchovni wrote: > The problem is that only the application knows which names are those of > the peer it tried to reach. True, but the app could easily provide that information to a library function. If you look at the 250 lines of code I referenced, almo

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread David Woodhouse
On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote: > Generally, OpenSSL does not verify peer names, only the certificate > trust chain, and peername checks are left up to applications. Which is a shame... I'm far too stupid to be writing code like http://git.infradead.org/users/dwmw2/openco

Re: X509 Verify callback

2010-05-11 Thread David Woodhouse
On Tue, 2010-05-11 at 09:58 -0400, Chris Bare wrote: > That's almost perfect, but doesn't putting it inside the X509_STORE like this > tell the rest of the code it's trusted? If I'm downloading it using AIA I > can't trust it and still need to chain up to a trusted root. Hm, true. But surely there

Re: X509 Verify callback

2010-05-11 Thread David Woodhouse
); if (ret > 0) return ret; /* Do whatever you need to look up the issuer... */ } ... and somewhere else in your SSL_CTX setup: X509_STORE *store = SSL_CTX_get_cert_store(vpninfo->https_ctx); store->get_issuer = my_get_i

Re: PKCS12_parse() SEGV.

2010-05-09 Thread David Woodhouse
On Sun, 2010-05-09 at 12:12 +0100, David Woodhouse wrote: > Although that's OK for my purposes, I think it's actually a bug. The man > page for PKCS12_parse() says that *ca can be a valid stack, in which > case additional certificates are appended to *ca. > > It _doesn&#

Re: PKCS12_parse() SEGV.

2010-05-09 Thread David Woodhouse
On Fri, 2010-05-07 at 23:37 +0200, Dr. Stephen Henson wrote: > > > If you pass a NULL for the final argument in PKCS12_parse() extra CA > certificates are ignored as it has nowhere to put them. > > If you pass a pointer to a NULL STACK_OF(X509) i.e do: > > STACK_OF(X509) *ca = NULL; > > and pa

Re: PKCS12_parse() SEGV.

2010-05-07 Thread David Woodhouse
On Fri, 2010-05-07 at 19:24 +0200, Dr. Stephen Henson wrote: > Setting ca to NULL if it fails should work. That should be done in > PKCS12_parse() on error. AIUI I don't want it to be NULL; I need it to be an empty stack. I need the returned 'extra' certs so that I can work around RT#1942 on the

PKCS12_parse() SEGV.

2010-05-07 Thread David Woodhouse
With OpenSSL 0.9.8n this test program segfaults the second time it tries to parse the PKCS#12 file. It was fixed for OpenSSL 1.0.0 by this commit: http://cvs.openssl.org/chngview?cn=17957 Starting program: /home/dwmw2/p12test .cert/certificate.p12 Enter PKCS#12 passphrase: 140737353934504:error:23

Re: locate key for p12 certificate

2010-04-08 Thread David Woodhouse
y into the http post string and i > need to see this) Fix this, and your problem is solved. -- David Woodhouse, Open Source Technology Centre, david.woodho...@intel.com

Re: AES speed?

2010-04-07 Thread David Woodhouse
On Wed, 2010-04-07 at 16:00 -0400, Victor Duchovni wrote: > Can someone confirm that what we are seeing is a work-around for DJB's > cache timing attack on AES? If so, I would guess that the timing attack > is believed to be impractical for large blocks, so the fast path is used > only for sufficie

Re: AES speed?

2010-04-07 Thread David Woodhouse
isted the temptation to include AESNI scores on the graph; they'd have screwed up the scale :) -- David Woodhouse, Open Source Technology Centre, david.woodho...@intel.com, Intel Corporation

Re: associating a cert with a private key

2010-03-28 Thread David Woodhouse
x509_cmp.c may be relevant to you? You could iterate over the available private keys, looking for one which matches the public key in the certificate you get back from the server. Or you could just keep better track of your outstanding requests? :) -- David Woodhouse

X509_PURPOSE_ANY with ssl client and OpenSSL < 0.9.8k

2010-03-23 Thread David Woodhouse
We've seen a number of Cisco AnyConnect VPN servers which don't have the SSL server purpose bit set in their certificate. We have a workaround¹ but I've just received a complaint that this workaround doesn't work correctly with older (<0.9.8k) versions of OpenSSL. Does the patch below make sense?

Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-06-04 Thread David Woodhouse
On Wed, 2009-06-03 at 17:59 -0400, Victor Duchovni wrote: > The SSL_CTX_use_certificate_chain_file() API is a very admin friendly > way to support installation of cert + chain and even key + cert + chain, > as the key can also be stored in the same file (ideally mode 0600 or > passphrase-protected)

Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-06-03 Thread David Woodhouse
On Wed, 2009-06-03 at 15:02 -0400, Victor Duchovni wrote: > with SSL_CTX_use_certificate_chain_file() the entire trust chain is > loaded from the provided file bottom-up order. The first certificate > is the leaf and must match the private key provided. Ah, right. Most files I've encountered have

Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-06-03 Thread David Woodhouse
On Tue, 2009-06-02 at 21:39 -0400, Victor Duchovni wrote: > The CAfile is for verification, not for sending along the trust chain > of a given certificate. OpenSSL currently _does_ use the CAfile for sending along the trust chain of its client certificate. It's buggy, but it tries :) > DO NOT app

[RANT] Loading a client certificate makes my head hurt.

2009-06-02 Thread David Woodhouse
Q: My application takes a filename for a client certificate on the command line. What is the OpenSSL function to load and use it? A: Well, we make this lots of fun for you -- it would be boring if there was just one function which you could pass the filename to. You have to write 230 line

Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-06-02 Thread David Woodhouse
On Mon, 2009-06-01 at 17:15 -0400, Victor Duchovni wrote: > > I found another strange behaviour that I didn't expect -- the _order_ of > > the certificates in the cafile seems to be important. > > Yes, the TLS protocol requires the trust chain to be delivered bottom-up. That makes sense, but we'r

Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-05-31 Thread David Woodhouse
On Sun, 2009-05-31 at 10:13 +0100, David Woodhouse wrote: > On Tue, 2009-05-26 at 11:21 -0400, Victor Duchovni wrote: > > The server is unhappy with the client certificate chain, and drops the > > connection if the client certificate trust chain does not verify. The > > same

Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-05-31 Thread David Woodhouse
On Tue, 2009-05-26 at 11:21 -0400, Victor Duchovni wrote: > The server is unhappy with the client certificate chain, and drops the > connection if the client certificate trust chain does not verify. The > same server is willing to accept clients with no certificates at all. > > The server is lame.

Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-05-22 Thread David Woodhouse
On Thu, 2009-05-21 at 22:44 +0100, David Woodhouse wrote: > I'm trying to connect to an HTTPS server, and my connection is being > rejected when I use a client certificate: > [dw...@macbook ~]$ openssl s_client -cert $CERT -connect $SERVER:443 -crlf > -tls1 > CONNECTED(000

TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-05-21 Thread David Woodhouse
I'm trying to connect to an HTTPS server, and my connection is being rejected when I use a client certificate: [dw...@macbook ~]$ openssl s_client -cert $CERT -connect $SERVER:443 -crlf -tls1 CONNECTED(0003) depth=1 /C=US/O=Foo Corporation/CN=Foo Intranet Basic Issuing CA 2A verify error:num=20

Re: DTLS server implementation experiences and documentation

2009-01-24 Thread David Woodhouse
On Sat, 2009-01-24 at 23:03 +0100, Georges Le grand wrote: > So it is alike SSL VPN with data encapsulated into HTTP Packets, but I > don't get how does HTTP run over UDP. Probably best explained by the code... it just uses HTTP for the initial setup -- a CONNECT request with an HTTP cookie for au

Re: DTLS server implementation experiences and documentation

2009-01-24 Thread David Woodhouse
On Sat, 2009-01-24 at 00:13 +0100, Georges Le grand wrote: > I wonder if you could give out a reference on how to establish a VPN > using DTLS or to tell how to do so. We are just using Cisco's "AnyConnect" VPN, which runs over an HTTPS 'CONNECT' and will use DTLS for subsequent data transfer if i

Re: DTLS server implementation experiences and documentation

2009-01-21 Thread David Woodhouse
On Thu, 2009-01-22 at 06:10 +0100, Robin Seggelmann wrote: > > To avoid getting into trouble with already fixed bugs you should apply > the patches I sent to the dev list. I'll set up a website with a patch > collection and some instructions soon. Is there anyone who actually cares about DTLS

Re: DTLS clue requested: epoch numbers

2008-09-28 Thread David Woodhouse
On Sun, 2008-09-28 at 18:56 +0100, David Woodhouse wrote: > On Fri, 2008-09-26 at 13:46 -0700, David Woodhouse wrote: > > At the worst, I should be able to reverse-engineer the library I > have. > > The first failure seems to have been a discrepancy in epoch numbers. And the

Re: DTLS clue requested: epoch numbers

2008-09-28 Thread David Woodhouse
On Fri, 2008-09-26 at 13:46 -0700, David Woodhouse wrote: > At the worst, I should be able to reverse-engineer the library I have. The first failure seems to have been a discrepancy in epoch numbers. Comparing behaviour of their library and 0.9.8e, I find that theirs is adding '00 01 00

Re: DTLS clue requested.

2008-09-26 Thread David Woodhouse
On Tue, 2008-09-23 at 23:12 -0700, nagendra modadugu wrote: > Hi David, unfortunately I've been out of touch with the developments > to DTLS for some time. I forwarded your message to Eric Rescorla > who worked with Cisco to get their implementation working. Thanks. > I suspect that Cisco has pr

DTLS clue requested.

2008-09-23 Thread David Woodhouse
9 SSL_SESSION is 200 bytes < ... lots of debugging that I added, which didn't enlighten me at all ... > DTLS connection returned 0 12994:error:14101119:SSL routines:DTLS1_PROCESS_RECORD:decryption failed or bad record mac:d1_pkt.c:466: Child done. This is the test case /* *