RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
Sincerely, Giang Nguyen > Date: Fri, 13 Mar 2009 00:22:56 +0100 > From: st...@openssl.org > To: openssl-users@openssl.org > Subject: Re: Can't recognize intermediate CA > > On Thu, Mar 12, 2009, Rene Hollan wrote: > &g

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
>> I used openssl with the intermediate CA to sign a separate cert, which >> had a AKID keyid but no issuer, and that chain recognizes fine. >> >> Could the problem be the fact that yahoo.pem has an AKID keyid AND >> issuer? (one or the other is sufficient, but I could find nothing that >> said th

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
> I used openssl with the intermediate CA to sign a separate cert, which > had a AKID keyid but no issuer, and that chain recognizes fine. > > Could the problem be the fact that yahoo.pem has an AKID keyid AND > issuer? (one or the other is sufficient, but I could find nothing that > said that bo

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
serial numbers and the key ids. they looked ok to me. so at this point, i don't have any ideas. > > > -Original Message- > From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Giang Nguyen > Sent: Thursday, March 12, 2009

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
the cacert has pathlen:1 in its "X509v3 Basic Constraints" > Subject: Can't recognize intermediate CA > Date: Thu, 12 Mar 2009 15:00:47 -0700 > From: rene.hol...@watchguard.com > To: openssl-users@openssl.org > > I'm tearing my hair out trying to get an in

RE: Verifying private certificate before SSL connection

2009-03-07 Thread Giang Nguyen
what do you mean "private certificate"? you mean the server wants to verify its own certificate before accepting connections? or the client wants to verify its own certificate before initiating connections? (i guess it doesn't matter either way, though.) assuming you have the CA certs and the

RE: get public Key from a certificate

2009-02-24 Thread Giang Nguyen
if you have a certificate in a X509 object, the x509.h header mentions the function: EVP_PKEY *X509_get_pubkey(X509 *x); From: binome_...@hotmail.com To: openssl-users@openssl.org Subject: get public Key from a certificate Date: Tue, 24 Feb 2009 10:29:42 + hello how can i get the publ

RE: IE could not connect to a chaine-cert's ssl server

2009-02-04 Thread Giang Nguyen
i think it's because your "my-cacert.pem" is not considered a CA: it has "CA:FALSE" arch [temp]$ openssl x509 -in my-cacert.pem -BEGIN CERTIFICATE- MIIC9jCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJDQTET MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ dHkgTHRkMR

RE: Multiple CRL with same issuer

2009-01-29 Thread Giang Nguyen
>> type regardless. >> >> This is specified in PKIX (currently RFC 5280); in order to maintain >> standards-conformance OpenSSL cannot change this behavior. (Nor can >> it even offer an option to change it, since its job is to maintain >> security-system interoperabili

RE: Multiple CRL with same issuer

2009-01-29 Thread Giang Nguyen
> > I was under the impression that openssl allows loading multiple CRLs > > for the same issuer. But, this does not seem to be the case as is > > proved by using "openssl verify". > > > > $ ls -l ./ca/ > > total 24 > > lrwxrwxrwx 1 pshah users 10 Jan 28 21:56 ba4bb3b6.0 -> > > cacert.pem

RE: seeding PRNG

2009-01-28 Thread Giang Nguyen
you should try http://openssl.org/docs/crypto/RAND_add.html#

RE: Passing parameters to openssl for CSR

2009-01-27 Thread Giang Nguyen
the "req" man page mentions: -subj arg sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as /type0=value0/type1=value1/type2=..., charac- ters may be escaped by \ (backslash), no spaces are skipped

RE: How to detect dead peers with DTLS?

2009-01-20 Thread Giang Nguyen
> I think Robin tested it, so yes it works... But you need the bugfixes > he sent to the list... > > Robin: Am I right? actually i referred to session resumptions with abbreviated handshakes. i think the "bugs/patches" comment was in the context of renegotiations with full handshakes. "> Btw, d

Re: How to detect dead peers with DTLS?

2009-01-20 Thread Giang Nguyen
> I think I will go for the hack that misuses re-negotiation as a kind of > heartbeat, keep alive or echo request. I tried to avoid this hack at > first because it is a computational burden. AFAIK re-negotiation means > restarting from scratch which means that expensive public key operations > hav

RE: Extract public key from certificate

2009-01-08 Thread Giang Nguyen
> then you can try X509_set_pubkey() (in x509.h) to obtain the "EVP_PKEY *" > object of course i meant X509_get_pubkey().

RE: Extract public key from certificate

2009-01-08 Thread Giang Nguyen
if you have the "X509 *" object (in your code), then you can try X509_set_pubkey() (in x509.h) to obtain the "EVP_PKEY *" object, then you can use the various PEM_write_..._RSAPublicKey() (in pem.h).

RE: challengePassword attribute in CSR is a sequence?

2009-01-07 Thread Giang Nguyen
> This actually addresses both the questions. In the distant past some > applications encoded certificate requests incorrectly and/or required an > incorrect encoding. That is there to tolerate and/or generate such stuff. thanks.

RE: OpenSSL Security Advisory

2009-01-07 Thread Giang Nguyen
> Does the release of 0.9.8j also include the FIPS module support? do you mean anything other than this? http://www.mail-archive.com/openssl-users@openssl.org/msg55535.html This is the first full release of OpenSSL that can link against the validated FIPS module version 1.2

challengePassword attribute in CSR is a sequence?

2009-01-04 Thread Giang Nguyen
First, background (questions at the end): Version 2 of the pkcs 9 spec at http://www.rsa.com/rsalabs/node.asp?id=2131 (PDF: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-9-v2/pkcs-9.pdf) says in section 5.4.1: "A challenge-password attribute must have a single attribute value." At first I expected th

Re: CA generation/certificate serial number

2008-01-07 Thread Giang Nguyen
nils >Frédéric Donnat wrote: > > Hi, > > Sorry for the mistake (nothing to deal with openssl.cnf file). I was just > looking for ca.txt file. > > Is it normal behavior of openssl to be able to view a certificate without > serial number using (without any error mentioned): > openssl

RE: signature failure when certificate contains no serial number (ie, not one that equals zero)?

2008-01-07 Thread Giang Nguyen
sorry please ignore; this had been asked before: http://www.mail-archive.com/openssl-users@openssl.org/msg41502.html > From: [EMAIL PROTECTED] > To: openssl-users@openssl.org > Subject: signature failure when certificate contains no serial number (ie, > not one that equals zero)? > Date: Sat,

signature failure when certificate contains no serial number (ie, not one that equals zero)?

2008-01-07 Thread Giang Nguyen
i was messing around with (self-signed) certificate creation/signing and ran into this. the following two certificates are the same except for the serial number: "with_serial" has a serial number that is zero, and "no_serial" does not have any serial number. the "with_serial" certificate verifies