-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Donald Beck wrote:
| I am a bit new to this, so I need a little help.
|
| I created my own CA using openssl and I just want to make sure I have
| this right. I imported my signed certificate on my server from the
| request I created from my server.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
skar karthikeyan wrote:
| My requirements are(again):
|
| 1) Content should be encrypted only on the server. And public key must
| stay only on the server. No other person should have access to the
| public key.
| 2) Private key on the client machine
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
roxaz wrote:
| Hey, EVP_DecryptFinal returns 0 for me, but no data is returned to
| supplied output buffer, and returned data length is set to 0. What could
| be the issue? bdec receives some correct data tho.
|
| u32 szbdec = 0;
| u8
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
vishal saraswat wrote:
| Hi all,
Hello vishal,
| I am sorry, I forgot to tell you that the final PEM I create is composed
| of key and certificate both.
|
| cat server_key.pem server server_cert.pem > server.pem
| Now I suppose that one a client is
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
vishal saraswat wrote:
| Hi Serge,
Hello vishal,
| I use the following commands to start the server and the client :
|
| Server:
| openssl s_server -accept // -cert //
You do know that the server needs the private key and the certificate to
work ?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge Fonville wrote:
| Hi,
Hello Serge,
| I am trying to setup subjectAltNames in openssl.cnf
| I created a copy of usr_cert and named it srv_cert
| in this section I added the subjectAltName.
| With the req I specified -reqopts srv_cert the resulti
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
deblarinteln wrote:
| Hi Goetz,
Hello deblarinteln,
| | It is called subjectAltName extension.
|
| would you mind telling me how and where I have to define the AltName(s) ?
There is the man page x509v3_config.
It should contain the info you need.
A
, owa.mydomain.tdl)
you use the subjectAltName extension.
Wildcard certificates (*.mydomain.tdl) are AFAIK deprecated.
| 2009/8/12 Goetz Babin-Ebell mailto:go...@shomitefo.de>>
|
| deblarinteln wrote:
| | Hi,
| |
| | well I have to create a certificate for our main domain as well as
| fo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
deblarinteln wrote:
| Hi,
|
| well I have to create a certificate for our main domain as well as for some
| subdomains.
|
| The structure will look pretty much like this:
|
| mydomain.tld
| mail.mydomain.tld
| owa.mydomain.tld
It is called subjectAl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
vichy wrote:
| Hi:
|
| 2009/8/9, Goetz Babin-Ebell :
|> vichy wrote:
|> | Dear all:
|> | I try to use d2i_PrivateKey_bio to get the RSA keys in a der file, but
|> | the binary content is written in an unsigned char array.
|> | I k
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
vichy wrote:
| Dear all:
| I try to use d2i_PrivateKey_bio to get the RSA keys in a der file, but
| the binary content is written in an unsigned char array.
| I know I can write the unsigned char array as a file and then read it in.
| But I want to kn
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
openssl-us...@coreland.ath.cx wrote:
| Hello.
Hello xw,
| I'm considering writing a server program (which provides mostly
| hypothetical services, for the purpose of this discussion). The server
| requires users to register an account on the server b
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
dan_mit...@ymp.gov wrote:
| What is to prevent someone from forging a root CA and then creating
| intermediate certificates signed with SHA1, based on the forged root CA?
Nothing.
Now his problem is to get the users to include it into their list
of t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Shaun wrote:
| Ok, so then, do I still need to sign the data from seal and verify
before I
| open?
Sign and verify are two different steps.
When you do sign and when encrypt depends on your needs.
Goetz
- --
DMCA: The greed of the few outweighs the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Shaun R. wrote:
| OK, I converted over to EVP_*, the sign/verify works but now I'm
| confused about decrypt, for EVP_DecryptInit I need to tell it a CIPHER
| but I don't see RSA in the cipher listings on
| http://www.openssl.org/docs/crypto/EVP_Encrypt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Shaun wrote:
| I'm really going to be using php to encrypt/sign (
| openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions
| from php,
Hm. There must be something wrong here.
I'm almost sure that the EVP interface is available to P
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Shaun wrote:
| Is there another way in C to use openssl's sign/verify/encrypt/decrypt
| without using the low-level api? I got my test prog working, I guess
I need
| to figure out how to do a SHA1 hash of my data next.
Your friends are
* to sign:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Aravinda babu wrote:
| Hi,
|
| Is there any openssl API to know this ?I have to use it in a C program.
Look into the data.
If it is a DER encoded X509 cert,
the first 3 bytes are 0x30,0x82,0x05
Goetz
- --
DMCA: The greed of the few outweighs the f
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dan Ribe wrote:
| Thanks Tom for the help.
Hello Dan,
|
| It seems that there is some problem with the private key which I am
| passing. With your key or newly generated key this logic works fine. Now
| the error which I am getting is like :
|
| OpenS
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Peter Walker wrote:
| But the peer uses RSA_PKCS1_PADDING. Is this interchangeable with OAEP?
No, it is not.
Without further information it is impossible to tell what these 16 bytes
are.
It could be some kind of ASN1 coding indicating that the follo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dan Ribe wrote:
| I am using the private key just to authenticate the client. Once server
| has authenticated the client (by using the public key of client), it
| will give access to that client. So I will say that in this case users
| of my client
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
biswatosh chakraborty wrote:
| I don't think so. The actual content is wrapped within the headers and
| footers and
| how can your buffer contain them as well? You have to extract the main
| content out.
Why do you think that can't be done ?
everything
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
thejokester wrote:
| Hi everybody,
Hello Jokester,
| I would like to know if it's normal to be able to sign a certificate with
| one which has "anti-signing" rules: I mean basicConstraints = CA:false.
| Could you enlighten me?
Signing doesn't matte
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dhaval Thakar wrote:
| Hi list,
Hello Dhaval,
| I have a hosted site over internet for the branch users, which I want to
| restrict over internet,
| e.g. only certain computers will be allowed to access site.
| I want to restrict it to only branch comp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kenneth Goldman wrote:
| > The decision in the case of OpenSSL was that 1.x would have a
stable API,
| > permitting shared libraries to be used interchangeably. OpenSSL
does not
| > have a stable API yet, officially.
|
| If that's the rationale, I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[EMAIL PROTECTED] wrote:
| (sorry that previous one looked so terrible. Here it is with plain text)
|
| Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at
| the same time? For example, if a client device has both 1024-bit and
| 2
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Sergio wrote:
| I think so and you're right. Signing a client cert with a server cert is
| inefficient and all my problems would solve themselves if radius has ocsp
| support.
The missing support for OCSP is not your problem.
Your problem is the broken c
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Sergio wrote:
| Hi people,
Hello Sergio,
| client.pem is signed by
| server.pem, and server.pem is signed by ca.pem.
It is a bad bad idea to sign a client certificate with
a server certificate.
Usually server certificates don't have the extensions
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard Gappmeier wrote:
| Thanks for that tip.
|
| It works now this way:
|
| UaPkiCertificateInfo UaPkiCertificate::info() const
| {
[...]
| switch ( pName->type )
| {
| case GEN_OTHERNAME:
|
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard Gappmeier wrote:
| Hi,
Hello Gerhard,
| I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
| For the X509_NAME entries the same procedure works,
| but this ASN1_STRING seems to be different.
That is because only in the s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Tomas Neme wrote:
| The documentation's poor at best, and I don't completely get the
| general concepts. From reading examples I figure that only the
| BIO_f_ssl does encryption-decryption when written into? so what should
| I do if I want to provide
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
GeraGray wrote:
|> Yes, this is a bug, in any case when key type is not recognized (not
|> RSA/DSA/EC)
|> error with information of unknown public key will be printed.
|> This should be corrected.
|> EVP_PKEY_RSA instead of SSL_FILETYPE_ASN1 shou
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Neale Pickett wrote:
Hello Neale,
| People keep sending me ".ent" files (example at the bottom of this
| message). They look to me a lot like Privacy-Enhanced Mail (remember
| Privacy-Enhanced Mail?) files. I've got all my S/MIME stuff set up and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ian jonhson wrote:
|> Besides certificate verification and session reconnect I don't
|> know any details what you have to retest.
|>
|
| You imply that the mechanism of X509-based certificate verification
| has been embedded in openssh mainstream
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Victor Duchovni wrote:
| On Thu, Mar 06, 2008 at 01:15:03PM -0600,
[EMAIL PROTECTED] wrote:
|
|> So we're testing out an upgrade from OpenSSL 0.9.7e to 0.9.8g,
|> and we're mostly using the SSL network connection functionality,
|> not the crypto lib
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hou, LiangX wrote:
| Hi, Steve,
|I used "openssl dgst -sha1". Is there anything wrong with my code?
| Is it right to get certificate object by using "X509 *cert =
ctx->cert;" in this case?
openssl dgst -sha ... reads the data in the file and gen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[EMAIL PROTECTED] wrote:
> Hello all!!
Hello Lidia,
> I've a problem. I need to cypher a buffer of bytes with pkcs7 format but
> I can't use certificates, I need to encrypt using only a key or password.
Are you really sure PKCS#7 supports encrypting of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Piotr Skwarna wrote:
> Hi
>
> I try to compile Apache with my openssl
>
> ./configure --prefix=/usr/unizeto/apache22 --enable-proxy --enable-ssl
> --with-ssl=/opt/NEW/openssl/
>
> [...]
> checking for OpenSSL version... checking openssl/opensslv.h us
--On August 08, 2007 08:24:10 +0200 Piotr Skwarna <[EMAIL PROTECTED]>
wrote:
Hello
Hello Piotr,
I have problem with openssl cooperating with nCipher (nShield F3) engine
bash-2.03# uname -a
SunOS sun250 5.8 Generic_117350-35 sun4u sparc SUNW,Ultra-250
bash-2.03# ./openssl speed rsa -eng
Hello,
--On July 22, 2007 14:22:42 + nobody <[EMAIL PROTECTED]> wrote:
On Fri, 20 Jul 2007 21:38:47 +0200
Goetz Babin-Ebell <[EMAIL PROTECTED]> wrote:
--On Friday, July 20, 2007 14:49:54 + nobody <[EMAIL PROTECTED]>
wrote:
[...]
> Then I exported it in pkcs12 f
Hello,
--On Friday, July 20, 2007 14:49:54 + nobody <[EMAIL PROTECTED]> wrote:
[...]
Then I exported it in pkcs12 format and imported it into Internet
Explorer and Thunderbird. I've sent encrypted and signed mails with
Thunderbird and Outlook, they verify and decrypt fine at the other end
Hello Florian,
--On Monday, July 09, 2007 09:25:01 +0200 Florian MANACH <[EMAIL PROTECTED]>
wrote:
I saw that it needs PEM format... but even if I convert the certs in PEM,
links are created but my app still returns an error on verification.
Hm.
Try to store roots, intermediate certs and CR
Hello Florian,
--On Friday, July 06, 2007 09:14:41 +0200 Florian MANACH <[EMAIL PROTECTED]>
wrote:
OK I see but It's always not working after
c_rehash ./root
c_rehash ./certs
c_rehash ./crls
Oops:
--On Thursday, July 05, 2007 14:55:59 +0200 Florian MANACH <[EMAIL PROTECTED]>
wrote:
Hello Florian,
--On Thursday, July 05, 2007 17:59:01 +0200 Florian MANACH <[EMAIL PROTECTED]>
wrote:
No, I didn't even know that function.
What does it do ?
It loads all certificate files (and CRL files) in the directory
and generates a short 4 byte hash from the common name of the cert.
--On Thursday, July 05, 2007 14:55:59 +0200 Florian MANACH <[EMAIL PROTECTED]>
wrote:
I have a directory where I store CA root certificates. I want my app to
check if a certificate is signed by the mentioned CA on the ISSUER field.
In order to do this, it might look on this directory and c
Hello,
--On July 03, 2007 13:31:27 +0530 Vishal V <[EMAIL PROTECTED]> wrote:
Many thanks for the information.
But my query is partially answered.
Here it goes
A) Doesn't client need server's self-signed certificate to validate the
transmitted certificate?
- Is Question A is true then how to
--On June 16, 2007 13:25:33 +0200 Alain Spineux <[EMAIL PROTECTED]> wrote:
Hello
Hello Alain,
I would like to create a individual space for all my customers, using
their own domain name.
For example
debian.org -> debian.org.example.com
linux.org -> linux.org.example.com
uk.debian.org -> uk.
--On Saturday, June 09, 2007 06:24:06 -0400 Richard <[EMAIL PROTECTED]> wrote:
1. I am aware the input and output will work upon binary data, this isn't
a problem for me.
OK
2. I suppose I am not entirely aware of all potential pitfalls.
Perhaps you should look into a book about cryptograph
--On Saturday, June 09, 2007 05:03:54 -0400 Richard <[EMAIL PROTECTED]> wrote:
Hello! My goal is to write a simple function for use in C programs of
mine that can encrypt and output strings. This would seem to be an easy
task at first, only through attempting it have I realized some
difficultie
--On May 15, 2007 13:56:39 +0700 Endhy Aziz <[EMAIL PROTECTED]> wrote:
Hi all,
I'm trying to compile OpenSSL-0.9.8c with debug option, but some
errors shown below occur:
...
...
[...]
/usr/lib/gcc/i586-suse-linux/4.1.2/../../../../i586-suse-linux/bin/ld:
cannot find -lefence
^^
Hello Christopher,
--On May 10, 2007 11:29:25 +0200 Christopher Kunz
<[EMAIL PROTECTED]> wrote:
I have isolated the problem to the private key that seems to be
incorrectly generated.
[...]
-BEGIN RSA PRIVATE KEY-
MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q
frS
Hello Usman,
--On May 05, 2007 14:11:08 +0500 Usman Riaz <[EMAIL PROTECTED]> wrote:
I want to issue my customers certificate signed by my certificate
(a self-signed certificate). I want to limit the issued certificate
not to act as a CA.
I would like to specify the cert chain
length in genra
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Usman Riaz wrote:
>Sorry to be rude, but your post just told me what I already know
> :),
> my lack of knowledge at security, but didn't help me a bit :( (not sure if
> the
> post was meant to be helpful).
David's post was meant in the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Rocky S wrote:
> 1) I have installed openssl sources. In the certs directory,
> there are various certificates. I looked at a couple of
> them - aol1.pem & vsign1.pem.
>
> The vsign1.pem starts with
[...]
> The aol1.pem directly starts with BEGIN_C
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Usman Riaz wrote:
> I believe with signing the
> license information (correct me if I am wrong), I have to provide the
> actual license info/data (in plain clear text) along with the data
> generated during the signing process.
Yes.
> The problem
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Usman,
Usman Riaz wrote:
> Thanks for the reply Jean-Claude, appreciated! Actually the whole scenario is
> like this. I have a software that I am selling to the customers. I want to
> encrypt the information (license info) with my private ke
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Suchindra Chandrahas wrote:
> Hi All,
Hi Suchindra,
>Saw the part1 and part2. Trying to understand the stuff.
> I got some client examples given there. I have downloaded "sclient".
???
Which part1 and part2 ?
>
>if(SSL_get_verify_r
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello David,
WCR wrote:
> I'm beginning to get this now, but I still have a problem :-((
>
> How do I obtain this result
> sXD2SsGQxI7DDFMwHwONxjGOaoI=
> from the data object in the soap envelope?
For that you have to study the SOAP / XMLDSIG documen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Snuggles wrote:
> Hi,
Hello Snuggles,
> I'm writing my own webserver and I want it to be able to do SSL based client
> authentication. It can already do HTTPS, but when I try to do the SSL based
> client authentication, the connection gets dropped. I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello David,
WCR wrote:
> also Goetz,
>
>> Doing digest and sign in two steps is very unusual.
>> Usually you process the digest and generate the signature
>> in one step.
>
> Unfortunately, I think I do need both the digest and the signature to stu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello David,
WCR wrote:
> Julius
>
> You're probably pointing me in the right direction.
Not really.
> I tried "openssl dgst -sha224" and yes I got a 56byte hex string / 28byte
> character string. My problem now is I can't use it in my xml message b
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Julius Davies wrote:
> RSA keypair, right? If so, compare that the modulus of both the
> certificate and the private key is equal. These two commands do the
> trick:
>
> openssl x509 -in cert.pem -modulus -noout
>
> openssl rsa -in rsa.pem -modulus
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
domi wrote:
> Hello all together,
Hello Domi,
> I’m not quite sure where to post my question because I wasn’t able to locate
> my fault. So I’ll post my question in the OpenSSL-user forum and in the
> Apache http server-users forum. A similar post in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bertram Scharpf wrote:
> Hi Goetz,
Hi Bertram,
> On Saturday, 03 Feb 2007, 16:05:46 +0100, Goetz Babin-Ebell wrote:
>> Bertram Scharpf wrote:
>>> $ wc -c xxx
>>> 118 xxx
>>> $ openssl rsautl -encrypt -cer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bertram Scharpf wrote:
> Hi,
Hello Bertram,
> $ wc -c xxx
> 118 xxx
> $ openssl rsautl -encrypt -certinRSA operation error
> 5747:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too
> large for key size:rsa_pk1.c:151:
>
> W
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi domi,
domi wrote:
> After one day pending-status I'll post this message again.
?? At least your message never reached me...
> domi wrote:
>> Just some last explanations: Of course my scenario is just fictional and I
>> won’t try to set up a comm
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
domi wrote:
> Goetz wrote:
>
> I think your security model is broken.
> A CRL and with that the server clients can download it from is part of
> the chain of security of the CA.
> So these servers must be on (best case) dedicated servers that are
> s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Domi,
domi wrote:
> which is helpful but not exactly what I had in mind ;) You couldn’t know
> this because I forgot to mention my aims. I’m trying to realise the
> following scenario:
> The CRL shall be kept on the server of the SSL-website and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chris Covington wrote:
> Hi all,
Hello Chris,
> Suppose one wants to secure a server application which accepts
> incoming HTTPS connections from anywhere. We'll call this Server A.
> This server application is intended to only accept connections fr
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Clem Taylor wrote:
> Hi,
Hello Clem,
> Firefox seems to accept the subjectAltName extension, but I'm having
> troubles getting firefox to trust the additional level of certificate
> hierarchy.
[...]
> Root CA cert (self signed) [added to trust stor
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Clem Taylor wrote:
> Hi,
Hello Clem,
> It seems silly that the browser is putting so much trust
> into DNS or an IP address. I'm hoping someone knows of a better
> solution to this problem.
No the other way around:
It assumes the user want to acces
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mouse wrote:
> Traditionally the term "self-signed" applied to certificates that are NOT
> signed by anybody but the owner of the given key pair. With all the relevant
> security implications.
>
> What is the purpose of checking for "self-signed cer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ambarish Mitra wrote:
Hello Ambarish,
> On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
>
>> openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
>> should return:
>> self_signed_cert.pem: OK
>
> Maestr
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Vincenzo Sciarra wrote:
> Hi,
Hello Vincenzo,
> just check if issuer and holder are the same!
or do it the correct way:
openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
should return:
self_signed_cert.pem: OK
> 2006/10/25, Bhat,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Jason,
edf green wrote:
> Very straight forward and well documented? You gotta be kidding.
> Perhaps for a long time openssl developer, but not for your run of the
> mill C developer. I spent all last night going through the example
> provid
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[EMAIL PROTECTED] wrote:
> PKI newbie in need of help.
Hello Steward,
> When I sign a SSL cert with my CA, the certification path only lists the
> web server. Not my SubCA or the Windows Root CA.
???
Which certification path do you mean ?
The c
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Marten Lehmann wrote:
> Hello,
Hello Marten,
> I recently read, that it is possible to have more than one ssl-host per
> ip-address. This shall be possible with two special requirements:
>
> - all ssl-hosts share the same key
> - all certs for the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
david kine wrote:
Hello David,
> One more question: how do I, using the CA.pl script, generate a
> certificate with a subjectAltName extension of type dNSName? The ones I
> have already generated do not have this field set.
> I suppose there is a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Simon wrote:
Hello Simon,
> What I'm looking for is a way to get a PDF file or something like
> that, so I can ask the printer to print 2-pages per page +
> recto/verso, this way I can kill 75% less trees! ;)
> That's what I was talking about when
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Phil Dibowitz wrote:
Hello Phil,
> In some cases I see serial numbers as octet strings, i.e.:
>
> Serial Number:
> ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe
>
> And other cases as an integer, i.e.:
>
> Serial Nu
Lee Colclough wrote:
Hello Lee,
> I couldn't get this to work either. I think that something is either
> wrong with my cnf file, or my command line batch file I use generate and
> sign certificates is wrong.
Your config file is wrong.
> Is anyone willing to have a look at them? I know it's a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Lee Colclough wrote:
> Hi,
Hello Lee,
> I have created a client/server app that talks via SOAP using SSL.
>
> Generating the certificates is fine provided the commonName is just for
> the machine on which a particular server is running. I would l
Tom Horstmann wrote:
>> It would help if you posted the certificate request or at
>> least tried this:
>>
>> openssl req -in req.pem -noout -subject -nameopt multiline,show_type
>
> ah, clear now. Thank you. Output as follows:
>
> countryName = PRINTABLESTRING:DE
> organi
[EMAIL PROTECTED] wrote:
> Pretty much confirm what I thought. The OPENSSL API is so rich and I
> haven't touched it (web server) in a while, I figured it wouldn't hurt to ask.
An alternative would be one host certificate with multiple
subject alt names.
This way you can issue a certificate that
Hello Alberto,
Alberto Alonso wrote:
> I personally don't know why pipes are even in use in the openssl
> internals (though I bet there is a good reason for it :-)
OpenSSL doesn't use pipes.
You get a SIGPIPE if you write to a socket for which
the other end is closed.
I prefer using send() with
Folkert van Heusden wrote:
What would be the way to obtain the fingerprint of the peer to which my
program connects? I looked in the sources of fetchmail but there a
call-back is used and I would like to implement it without a callback
function.
X509 * SSL_get_peer_certificate(const SSL *s);
o
Mark wrote:
Hello Mark,
You are still using 0.9.6 ?
I strongly recommend that you update OpenSSL to a newer version.
3 year old software is almost like back to stone age...
Indeed I have already recommended this too. However we will be
using OpenSSL on OpenVMS 7.3-1 and HP's implementation fo
Mark wrote:
I do things pretty much as you described except for the following:
* On server:
* if your server cert is signed by the root,
you can turn off sending of the root to the cert by
SSL_CTX_set_mode(ctx,SSL_MODE_NO_AUTO_CHAIN)
I can't find this option (or similar) in the
Mark wrote:
Our application is a client/server application for which we (i.e. the
server)
need to authenticate the client (users) and hence we are the only CA
allowed.
This is not a public application so the server and all the client certs
are
signed by us. Client authorisation is very importan
Mark wrote:
Hi Fred,
Hello Mark,
I have read the manual page ;-) However I don't understand the full
implications of using or not using this function in a server. If I
use it what does the client do with it? Does the client still need
a copy of the root certificate or is this provided automa
Mark wrote:
cat /*.pem >ca.pem
openssl verify -CAfile ca.pem cert_to_check
works, there is something really strange with your system ...
Same error:
error 20 at 0 depth lookup:unable to get local issuer certificate
This indicates that your CA certificate is not in any of the *.pem
files in you
Mark wrote:
Hi Goetz,
But since you are using an own program, this doesn't matter.
Could you do an
c_rehash
openssl verify -CApath cert_to_check
error 20 at 0 depth lookup:unable to get local issuer certificate
If this doesn't work, but a
cat /*.pem >ca.pem
openssl verify -CAfile ca.pem
Mark wrote:
Hi Goetz,
Hello Mark,
You point at it in the context before the handshake. You can either
point at a dir full of digest named ones or a specific
root cert file.
Strangely I tried the former which did not work. The latter method
appears to work fine (it connected and exchanged d
.domain2,...
line in the section containing the extensions.
But this doesn't work with stone age (broken) browsers.
On 11/23/05, *Goetz Babin-Ebell* <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
Farid Izem wrote:
> I'd like to generate a Self Signed SSL C
Mark wrote:
You point at it in the context before the handshake. You can either
point at a dir full of digest named ones or a specific root cert file.
Strangely I tried the former which did not work. The latter method
appears to work fine (it connected and exchanged data anyway).
did you a
Mark wrote:
in OPENSSL_DIR/ssl/misc is a demo script that does something like
a very small and dumb CA...
I don't seem to have this directory.
Replace OPENSSL_DIR with the installation path of your openssl
version...
Bye
Goetz
--
DMCA: The greed of the few outweighs the freedom of the many
Farid Izem wrote:
Hi all,
New to this mailing list. Hope you can help me in completing my task.
I'd like to generate a Self Signed SSL Certificate which will serve for
multi hosted sites on the same server.
Can someone tell me how to do that please?
subjectAltName=DNS:host1.domain1,DNS:ho
Mark wrote:
Hi,
Hello,
# openssl req -newkey rsa:1024 -keyout nuckey.pem
-keyform PEM -out nucreq.pem -nodes -outform PEM
What are these key files for?
I'm still not sure what these files are for. I guess that the
nuckey.pem is a private key (does this need loading with
SSL_CTX_use_certifi
Mark wrote:
Hi,
The following command seems to create a new public and private key:
# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out
nucreq.pem -nodes -outform PEM
What are these key files for?
I'm still not sure what these files are for. I guess that the
nuckey.pem
is
Gerd Schering wrote:
Hi,
Hello Gerd,
in the template config file that came with 0.9.8, I found that
subjectAltName=email:copy
subjectAltName=email:move
are both possible, but what is the difference?
it's obvious you never bothered to try it or apply
a little bit of syntactical reasoning.
1 - 100 of 164 matches