Test failures with compiled OpenSSL 3.0.3 on Debian 11, 64 bit

2022-05-27 Thread Tom Browder
I used the following config input for openssl 3.0.3 based on my previous successes with 1.1.1m (and earlier versions) and Ivan Ristic's latest configuration: config \ --prefix=/opt/openssl-3.0.3 \ --openssldir=/opt/openssl-3.0.3 \ no-shared

Re: Need some help signing a certificate request

2021-08-21 Thread Tom Browder
On Sat, Aug 21, 2021 at 09:21 wrote ... > When I type ‘openssl ca -config .\openssl.cnf -in ../server/req.pem -out > I don't do Windows, but your directory separators are not consistent--not sure of the effect. -Tom

Re: Compiling OpenSSL without compabitlity with for OpenSSL 1.0

2020-09-10 Thread Tom Browder
On Thu, Sep 10, 2020 at 06:58 Bjoern Bidar wrote: > It was version 1.1.1g. What OS? I had to do some fiddling with packages and options for Debian 10 Buster to get a good compile. I have documented my journey if you're interested. Best regards, -Tom

Re: Private CA client cert file for iPad for a website

2020-06-25 Thread Tom Browder
On Thu, Jun 25, 2020 at 10:18 Dirk-Willem van Gulik wrote: > On 25 Jun 2020, at 17:14, Tom Browder wrote ... > > Can anyone tell me how to generate an acceptable client cert for an iPad? ... > Have a play with https://interop.redwax.eu/rs/scep/ Thanks, Dw, that looks like exac

Private CA client cert file for iPad for a website

2020-06-25 Thread Tom Browder
Can anyone tell me how to generate an acceptable client cert for an iPad? I have so far been unable to find out the file format needed. I generated client cert files for my classmates over seven years ago in p12 format and they still work fine on Linux, Mac, and Windows devices but I want to (1)

Re: [openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Tom Browder
On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > ➢ So, in summary, do I need to ensure cert serial numbers are unique for > my CA? > > Why would you not? The specifications require it, but those > specifications are for interoperability. If nobody i

Re: [openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Tom Browder
On Wed, Aug 16, 2017 at 08:32 Michael Ströder wrote: > Tom Browder wrote: ... > > So, in summary, do I need to ensure cert serial numbers are unique for my > > CA? > > Yes, serial numbers should be unique per issuer-DN because the 2-tuple > (issuer-DN, cert serial no.)

[openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Tom Browder
Many years ago I started a CA for one group I manage for a private website, and now I want to update members' client certs for the stricter requirements for browsers. My original cert generation was entirely automated including the following: + CN for each is an e-mail address for the member + t

Re: [openssl-users] OpenSSl functions ("apps"): Is arg order significant?

2017-08-06 Thread Tom Browder
On Sun, Aug 6, 2017 at 16:56 Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > > Looking at the man page for dsa it doesn't seem that the order of > arguments is critical ... > You mean flags and values, like "-foo" and "-bar asdf" ? Yes, the order > of flags does not matter, e

[openssl-users] OpenSSl functions ("apps"): Is arg order significant?

2017-08-05 Thread Tom Browder
Looking at the man page for dsa it doesn't seem that the order of arguments is critical as long, of course, as each arg that takes a value has an appropriate entry. If that is true for dsa, is it true for similar functions such as rsa, x509, etc.? Thanks. Best regards, -Tom

Re: [openssl-users] [ssllabs-discuss] Apache configuration

2017-07-20 Thread Tom Browder
On Thu, Jul 20, 2017 at 2:14 PM, Reindl Harald wrote: ... > before having the cluster 2015 in VMware EVC matching sandybridge i thought > "well, the hardware is capable" but VMware filtered out AVX instructions and > everything using openssl crashed with "illegal cpu instuction" which proved > the

Re: [openssl-users] [ssllabs-discuss] Apache configuration

2017-07-20 Thread Tom Browder
On Thu, Jul 20, 2017 at 1:57 PM, Reindl Harald wrote: >>> Am 20.07.2017 um 18:02 schrieb Tom Browder >>>> On Thu, Jul 20, 2017 at 10:54 AM, Reindl Harald >>>> wrote ... >> P.S. Of course the other part of my motivation in the past has been >> to see

Re: [openssl-users] FW: Website changing this weekend

2015-08-21 Thread Tom Browder
On Thu, Aug 20, 2015 at 4:54 PM, Salz, Rich wrote: > >> I'm curious why the new download page lists version 1.01p before version >> 1.02d? >> Is it suggesting that users download the 1.01 branch instead of the later >> one? > > They're listed in time-order, not alpha order. Should perhaps fix t

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Tom Browder
On Tue, Jul 21, 2015 at 2:16 PM, Matt Caswell wrote: > On 21/07/15 15:33, Tom Browder wrote: >> On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder wrote: >> I lied. After rebuilding gcc 5.2.0 and rechecking I get the following >> warnings from building 1.0.2d: >>

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Tom Browder
On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder wrote: > On Thu, Jul 9, 2015 at 12:00 PM, Viktor Dukhovni >> That surely means that you're compiling some patched version or >> not even 1.0.2d. > > No, it's the correct version. > > But just now, after build

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-19 Thread Tom Browder
On Thu, Jul 9, 2015 at 12:00 PM, Viktor Dukhovni wrote: > On Thu, Jul 09, 2015 at 11:50:25AM -0500, Tom Browder wrote: >> On Thu, Jul 9, 2015 at 10:22 AM, Viktor Dukhovni >> wrote: >> > On Thu, Jul 09, 2015 at 09:47:00AM -0500, Tom Browder wrote: >> Yes, and y

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-09 Thread Tom Browder
On Thu, Jul 9, 2015 at 10:25 AM, Matt Caswell wrote: > > > On 09/07/15 15:47, Tom Browder wrote: >> I get the following warnings from compiling the latest openssl with gcc >> 4.7.2: >> >> ec_key.c: In function 'EC_KEY_set_public_key_affine_coordinates

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-09 Thread Tom Browder
On Thu, Jul 9, 2015 at 10:22 AM, Viktor Dukhovni wrote: > On Thu, Jul 09, 2015 at 09:47:00AM -0500, Tom Browder wrote: ... >> ecp_nistp224.c: In function 'batch_mul': >> ecp_nistp224.c:1105:29: warning: array subscript is above array bounds ... > In my copy of 1.0.2d,

[openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-09 Thread Tom Browder
I get the following warnings from compiling the latest openssl with gcc 4.7.2: ec_key.c: In function 'EC_KEY_set_public_key_affine_coordinates': ec_key.c:369:26: warning: variable 'is_char_two' set but not used [-Wunused-but-set-variable] ecp_nistp224.c: In function 'batch_mul': ecp_nistp224.c:11

Re: Coverity Scan: Would/DId It Catch the Heartbleed Defect?

2014-04-16 Thread Tom Browder
On Wed, Apr 16, 2014 at 5:38 AM, Hanno Böck wrote: > On Wed, 16 Apr 2014 05:25:58 -0500 > Tom Browder wrote: > >> Is OpenSSL participating in the Coverity free scanning program for >> open source software? ... Thanks for the link, H

Coverity Scan: Would/DId It Catch the Heartbleed Defect?

2014-04-16 Thread Tom Browder
Is OpenSSL participating in the Coverity free scanning program for open source software? If not, it might have caught the Heartbleed bug. If so, why did it miss it? See this link for the latest report on open source statistics: http://softwareintegrity.coverity.com/register-for-scan-report-20

Re: Why doees an SSL client cert have a private/public key embedded?

2012-10-21 Thread Tom Browder
On Sun, Oct 21, 2012 at 2:34 PM, "Martin v. Löwis" wrote: > Am 21.10.12 19:25, schrieb Tom Browder: > >> I have successfully generated SSL client certificates for my Apache >> web site users, and we have successfully tested them using it to >> access my restrict

Why doees an SSL client cert have a private/public key embedded?

2012-10-21 Thread Tom Browder
I have successfully generated SSL client certificates for my Apache web site users, and we have successfully tested them using it to access my restricted areas on my web site. One thing I'm not sure of is why there is a private/public key pair in the client certs. Hopefully it's not the same priv

Re: Mac OS X and SSL Client Certitficates [UPDATE]

2012-10-14 Thread Tom Browder
On Fri, Oct 12, 2012 at 8:59 AM, Tom Browder wrote: > I have successfully generated SSL client certs (generated with openssl > 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus > IE 9 on Windows, but I cannot get successful access with either Safari > or Firefox

Re: Mac OS X and SSL Client Certitficates

2012-10-12 Thread Tom Browder
On Fri, Oct 12, 2012 at 9:10 AM, Graham Leggett wrote: > On 12 Oct 2012, at 3:59 PM, Tom Browder wrote: > >> I have successfully generated SSL client certs (generated with openssl >> 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus >> IE 9 on W

Mac OS X and SSL Client Certitficates

2012-10-12 Thread Tom Browder
I have successfully generated SSL client certs (generated with openssl 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus IE 9 on Windows, but I cannot get successful access with either Safari or Firefox on Mac OS X. When I try on Mac/Safari I get the error: The server did no

Re: Client cert, unverified in Firefox BUT trusted in Chrome

2012-07-30 Thread Tom Browder
On Mon, Jul 30, 2012 at 12:17 AM, Saurabh Pandya wrote: > You need to Add Root CA of your client certificate to BOTH, Chrome > and Firefox Saurabh, thanks. The strange thing is, both browsers do have the Root CA. I am still trying to fiddle with details of the CSR and signing of the certs. Per

Re: OpenSSl v1.0.1c and Apache httpd v2.2.22

2012-07-28 Thread Tom Browder
On Fri, Jul 27, 2012 at 3:03 PM, Ruiyuan Jiang wrote: > Hi, > > I am trying to use openssl v1.0.1c or 1openssl v1.0.1c.0.0j with Apache > v.2.2.22 but failed. I can use v1.0.0g no problem. It I get a good configure with openssl v1.0.1c and apache v2.4.2. I have not tried 2.2. Any reason not to

Client cert, unverified in Firefox BUT trusted in Chrome

2012-07-28 Thread Tom Browder
I have almost succeeded in creating a client SSL factory with a local CA starting with a StartSSL free server certificate. I just created a client cert. and imported it into my Chrome and Firefox browsers. Chrome shows the cert. as trusted (implied because it doesn't show it as untrusted as it do

Configuration files always required?

2012-07-27 Thread Tom Browder
I am working on a Perl programmatic solution (i.e., no user responses needed) to a local CA and wonder if I need any configuration files at all? So far, all the man pages I've looked at seem to have command args to handle almost everything that seems important (i.e., required). The one exception

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: )

2012-07-26 Thread Tom Browder
On Thu, Jul 26, 2012 at 7:56 AM, Ted Byers wrote: > On Thu, Jul 26, 2012 at 7:20 AM, Florian Rüchel > wrote: >> >> Also make sure to check out OpenXPKI (http://www.openxpki.org/) And I just found http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ which looks very promising. It is well documen

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: )

2012-07-26 Thread Tom Browder
On Thu, Jul 26, 2012 at 6:20 AM, Florian Rüchel wrote: ... > Also make sure to check out OpenXPKI (http://www.openxpki.org/) Now that looks much better! Best regards, -Tom

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: )

2012-07-26 Thread Tom Browder
On Thu, Jul 26, 2012 at 5:57 AM, Tom Browder wrote: > On Thu, Jul 26, 2012 at 3:45 AM, Marco Molteni (mmolteni) > wrote: >> Hi, >> >> there are two open source CA systems I am aware of, although I haven't tried >> them out. >> >> I think the

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: )

2012-07-26 Thread Tom Browder
On Thu, Jul 26, 2012 at 3:45 AM, Marco Molteni (mmolteni) wrote: > Hi, > > there are two open source CA systems I am aware of, although I haven't tried > them out. > > I think they can be a good starting point instead of doing everything from > scratch :-) > > http://pki.fedoraproject.org/wiki/P

Re: (no subject): SSL Configuration

2012-07-25 Thread Tom Browder
On Wed, Jul 25, 2012 at 4:15 PM, Tom Browder wrote: > On Wed, Jul 25, 2012 at 3:40 PM, Ted Byers wrote: >> On Wed, Jul 25, 2012 at 4:03 PM, Tom Browder wrote: ... >> Thanks. Let me know when I can take a look at your script. I'd also like to >> hear about how you hard

Re: (no subject): SSL Configuration

2012-07-25 Thread Tom Browder
On Wed, Jul 25, 2012 at 3:40 PM, Ted Byers wrote: ... > On Wed, Jul 25, 2012 at 4:03 PM, Tom Browder wrote: ... >> I will provide the user passwords for the client certs. to my >> intermediate helpers via the USPO and the individual client >> certificates via e-mail. The us

Re: (no subject): SSL Configuration

2012-07-25 Thread Tom Browder
On Wed, Jul 25, 2012 at 12:49 PM, Ted Byers wrote: > Hi All Hi, Ted. I, too, have been looking for something like you have. I am in the process of creating a Perl program that may be able to help you (for at least part of your requirements), but I first can point you to one of the most current

Error generating a self-signed CA certificate with openssl-1.0.1c

2012-07-25 Thread Tom Browder
I am using the following command inside a Perl program: $ /opt/openssl/bin/openssl req -passout stdin < /tmp/6I0ZLcltuD \ -config CA-default.org/ca-ssl.conf -out CA-default.org/certs/cacert.pem \ -outform PEM -newkey rsa -x509 -batch -verbose and get the following response, quote: Using con