On 9/3/18 9:05 PM, Thomás Inskip wrote:
> Does anyone know how I can specify that a specific shared library (in
> this case an engine) is dependent on a system-installed shared library
> (i.e. not built along with openssl)? Basically the equivalent of
> LDFLAGS += -lsomelib
The GNU runtime dynami
It does (and that's the whole point of it)
On 13-08-18 05:31, Short, Todd via openssl-users wrote:
>
> That site can’t be reached… (at least by me, unless it requires TLSv1.3…)
>
>
>
> --
>
> -Todd Short
>
> // tsh...@akamai.com
>
> // "One if by land, two if by sea, three if by the Internet."
Please contact the support channels of whoever set up that server. If
that was you, try to remember how you configured things when you set
them up, and copy that configuration, including the relevant files.
There are a million ways to implement a PKI service, and the details of
where you need to d
This type of error message is shown when the error strings haven't been
loaded. You can fix that by way of the ERR_load_crypto_strings() call.
On 08-03-18 14:14, binod kumar via openssl-users wrote:
> Hello openssl users,
>
> Need your help understanding the openssl error
> "*error:140760FC:lib(20
Hi Dmitry,
On 15-02-18 09:00, Dmitry Belyavsky wrote:
> Hello,
>
> I get problems building and installing OpenSSL 1.1.0g from source. I
> use Debian Wheezy (oldstable).
>
> After running ./config; make; make test; sudo make install
>
> I call /usr/local/bin/openssl
>
> I get an error
>
> /usr/
On 14/01/2018 12:07, pratyush parimal wrote:
> Hi everyone,
>
> I read from several sources that the serial number of a cert MUST be
> unique within a CA. But could someone explain what would happen if the
> serial number was not unique?
The certificate itself will continue to work (the signature
On 31-10-17 17:47, Matt Caswell wrote:
>
>
> On 31/10/17 16:42, Wouter Verhelst wrote:
>> On 31-10-17 17:26, Matt Caswell wrote:
>>> I agree it's not a great name for it. Unfortunately we are stuck with it
>>> for compatibility reasons. If we renamed it we
t might be too much of an effort for too little gain, though.
--
Wouter Verhelst
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
estion.
Might I suggest that this flag be renamed somehow, to something that
makes it more clear what exactly it does?
--
Wouter Verhelst
> X509_CRL_verify. And yes, looking through to find the serial# is what you
> have to do.
That's 1.1-specific, correct?
--
Wouter Verhelst
an obvious alternative thing that I
should be doing, rather than manually parsing the CRL?
Thanks,
--
Wouter Verhelst
ore difficult to reason
about and to avoid bugs with, however (and for thread pools, you just
use a library -- e.g., GThreadPool from libglib).
--
Wouter Verhelst
"base64" is commonly known as "PEM" :-)
You can get it to parse binary, but to do so you need to specify
"-inform der".
--
Wouter Verhelst
On 26-09-17 17:26, Stuart Marsden wrote:
> [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm
So which message digest algorithm is the client trying to use?
--
Wouter Verhelst
trust store. For firefox, you do that by going to Preferences ->
Advanced -> View Certificates -> Authorities -> Import..., and then
pointing to the .crt file.
Note that while it is allowed, it is absolutely not necessary that your
server certificate and client certificate are from
e "Permanently store this exception" option is checked,
and hit "Confirm security exception". You will need to do this on every
machine that wants to connect to your server, for every certificate that
you create in this way, which may be a lot of work; if you don't want
that, see a
session.
> So, in summary, do I need to ensure cert serial numbers are unique for
> my CA?
Since CRLs expect that your serial numbers are unique, yes, you do need
to ensure that.
--
Wouter Verhelst
thing (don't recall the details) as
weak spots and then sent loads of certificate requests to the CA to
effectively brute-force it.
(Of course, CAs are now required to randomize their serial number, so
since that particular attack isn't possible anymore, I agree that for
the time being it
On 02-06-17 03:18, Viktor Dukhovni wrote:
>
>> On Jun 1, 2017, at 10:54 AM, Wouter Verhelst
>> wrote:
>>
>> It might be useful to make that point at the start of the CHANGES file,
>> then. Currently, it just says "Changes between X.Y.Zx and X.Y.Zy
>
ord
"CHANGES" invokes the idea of a changelog, which should be complete --
and this file is not. If it's not meant to be, fine -- but then it
doesn't hurt to say so, and it would alleviate some confusion.
Thanks,
--
Wouter Verhelst
On 31-05-17 17:11, PGNet Dev wrote:
> On 5/31/17 3:16 AM, Wouter Verhelst wrote:
>> On 30-05-17 18:12, PGNet Dev wrote:
>> [...]
>>> with lots of apps still not at all v110
>>> compatible, or at best broken in their attempts, having local builds of
>>>
't need
it, and it's generally a bad idea.
--
Wouter Verhelst
16206f9944f85aa102
$ openssl sha224 .bash_history
SHA224(.bash_history)=
a13d7f83a0dc0dcfb6032cb3cd7c4669958a2fb0e01dbb72c95e1d02
etc.
--
Wouter Verhelst
don't want to use that system-default one -- but why would you want to
do that? Security updates are a good thing, usually.
RPATH support is nice for corner cases, but it should not be the
default, ever.
--
Wouter Verhelst
On 27-04-17 13:01, Wouter Verhelst wrote:
> On 27-04-17 12:56, mahesh gs wrote:
>> Hi,
>>
>> We are using OpenSSL to establish secure communications for both
>> TCP/SCTP connections.
>>
>> In our application it is possible that remote end forcefully di
socket to nonblocking:
flags = fcntl(socket, F_GETFL, 0);
flags |= O_NONBLOCK;
fcntl(socket, F_SETFL, flags);
(You'll need to add error checking for the fcntl() calls)
--
Wouter Verhelst
're going down the
PHP "addslashes" pitfall, which won't help you nor anyone else.
Regards,
--
Wouter Verhelst
s the encrypted text for an RSA
message would allow you to more easily guess the RSA key, then the RSA
algorithm would be seriously flawed.
There is no known attack against RSA for which this is true, however, as
Rich pointed out.
--
Wouter Verhelst
On 09-02-17 10:58, PM Extra wrote:
Should I remove expired certificates from CRL?
No. The date of the revocation, which can be found in the CRL, is still
relevant for checking when older certificates were revoked, in case you
ever need to check signatures on older messages.
--
Wouter
keep the two in sync is bound to make things break.
For more information, see
<https://www.akkadia.org/drepper/dsohowto.pdf>, §3.3.
--
Wouter Verhelst
issue on Debian stable, haven't tried much else yet.
I've been trying to figure out why my OpenSSL fails to parse the CRL,
whereas others do not. Any hints would be greatly appreciated.
Thanks,
--
Wouter Verhelst
nternal elections, and in doing so would be able
to exert influence over SPI's decisions.
--
Wouter Verhelst
how can I figure out which hashing algorithm was used for a given
X.509 certificate?
Thanks,
--
Wouter Verhelst
s (e.g., using CRLs), even though the *certs argument really is
superfluous (OCSP_basic_verify could just as easily pluck those
certificates out of the *bs argument).
- The "X509_STORE *st" argument indeed allows me to limit the root
certificates allowed for valid
r does not).
--
Wouter Verhelst
man page starts with:
S_CLIENT(1SSL)OpenSSL S_CLIENT(1SSL)
NAME
s_client - SSL/TLS client program
So, I'd guess it stands for "SSL". What else? ;-)
--
Wouter Verhelst
ng I can think of is that
maybe it should contain the issuer certificate that I used for the original request, but then why is it a STACK_OF(X509)* and not
just an X509*? What am I missing?
Thanks for any help,
Ping. Anyone?
If this is documented somewhere, feel free to point me to the
docum