Hi,
Also, if openssl s_client IS doing a reverse DNS lookup, is there a way
(command line parameter) to disable that from happening?
Thanks again,
Jim
oh...@cox.net wrote:
> Hi,
>
> I was kind of curious about 'why?' would openssl s_client be trying to do the
> reverse DNS lookup?
>
>
Hi,
I was kind of curious about 'why?' would openssl s_client be trying to do the
reverse DNS lookup?
In other words, when you do an:
openssl s_client -connect xx.xx.xx.xx:443...
why does openssl try to do a reverse DNS lookup on the xx.xx.xx.xx IP address,
and why does it do that BEFORE (app
Hi,
We think that we found the problem.
The server end had a timeout, and apparently, openssl tries to do a reverse DNS
lookup after establishing the connection to the server, but before sending the
client HELLO. That reverse DNS lookup was failing, but taking a while to fail,
so the server
Hi,
I wanted to mention one other piece of information. Apparently, the server
certificate in this case has the IP address of the server, rather than a
hostname/FQDN, in the subject (i.e., CN=xx.xx.xx.xx,...). The server end is
not under our control, so we can't change that.
Jim
---
Hi,
We are trying to use "openssl s_client" to test a server-authenticated (1-way
SSL) connection.
The openssl s_client command is being run (on a Redhat machine) using the IP
address of the SSL-enabled server, i.e., something like:
openssl s_client -connect xx.xx.xx.xx:443
The problem w
Hécber and Lou,
Oops. I missed the part in the original post about this being for SSL-enabled
VirtualHosts :(...
Sorry for any confusion...
Jim
"Hécber Córdova" wrote:
> Hi *,
>
> Certainly you can configure Apache to use virtualHosts based on domain
> names,
> and this
Hi,
Unless I'm misunderstanding things, you *can*, by using ServerName inside each
of the sections:
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
Jim
Lou Picciano wrote:
> I didn't think it possible to serve multiple virtual SSL domains from one
> Apache instance (on the s
oh...@cox.net wrote:
> Hi,
>
> We're having problems connecting to an FTP server using FTPS (not sftp), and
> to diagnose the problem, we've been using cURL with openssl. The server is
> IBM Z/OS FTP server.
>
> When we test with cURL, we are getting:
>
> Info SSLV3, TLS handshake, Cl
Hi,
We're having problems connecting to an FTP server using FTPS (not sftp), and to
diagnose the problem, we've been using cURL with openssl. The server is IBM
Z/OS FTP server.
When we test with cURL, we are getting:
Info SSLV3, TLS handshake, Client hello (1) Send SSL Data, 95 bytes (0x5f)
oh...@cox.net wrote:
>
> oh...@cox.net wrote:
> > Hi,
> >
> > I want to preface this by first saying that I know that this question is
> > probably pretty broad, but I'm hoping that someone on this list might be
> > able to help.
> >
> > We are working with web services our SOAP me
Hi,
The certificate you got from the CA probably has a URL distribution point set
in it.
You didn't say what kind of cert you got (client or server?), or what is using
the cert (browser? or server?), but, for example, if it's a client cert, and
you're using it (for example) in a browser, then
oh...@cox.net wrote:
> Hi,
>
> I want to preface this by first saying that I know that this question is
> probably pretty broad, but I'm hoping that someone on this list might be able
> to help.
>
> We are working with web services our SOAP messages have SAML assertions that
> are digita
Hi,
I want to preface this by first saying that I know that this question is
probably pretty broad, but I'm hoping that someone on this list might be able to
help.
We are working with web services our SOAP messages have SAML assertions that
are digitally signed.
So, on the web service "client"
Hi,
I think that the same needs to be said for the private key associated with the
server cert. That needs to be kept securely, and not distributed, right?
Jim
Kyle Hamilton wrote:
> Only if they have the CA's private key, or if the CA is using MD5 and
> is otherwise subject to a "prei
Hi,
For the record, I was able to figure out my original (non-openssl-related)
problem. It was that I was getting some extra whitespace or non-visible
characters in the message, which was causing the signature verification to fail.
Jim
oh...@cox.net wrote:
> Hi Kyle,
>
> I also have t
Hi Kyle,
I also have the hash (it's in the DigestValue of the assertion).
I've been having some problem with some code that I've been working on, and so
I was hoping that there was a way to take the signature string and somehow put
it into a file that would "look" like it was a S/MIME message,
Hi,
I have the signature string from a signed SAML assertion. I also have the
private key file and cert file. I'm trying to decrypt the signature string, so
that I can try to see how it compares to the digest in the assertion.
I think that "openssl smime" should be able to do this, using some
Dawn Keenan wrote:
>
> > I am trying to build Apache with SSL support, and so I compiled OpenSSL
> > 0.9.7g using gcc 2.95.3 on a Solaris 9 system.
> ...
> > However, when I try to run Apache (either ./apachectl start or ./httpd
> > -), I am getting an error, something like:
> >
> > "Ca
" part).
>
> -Joe
>
> On Apr 25, 2005, at 11:36 PM, ohaya wrote:
>
> > I set the LD_LIBRARY_PATH to "/usr/local/openssl:$LD_LIBRARY_PATH"
> > before doing the Apache build, and used:
Hi,
I am trying to build Apache with SSL support, and so I compiled OpenSSL
0.9.7g using gcc 2.95.3 on a Solaris 9 system.
The config I used was:
./config -fPIC shared -prefix=/usr/local/openssl
-openssldir=/usr/local/openssl
The OpenSSL compile/build seemed like it went ok (no errors), and the
Erwann,
Thanks for all the detailed comments!!
Jim
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager
Erwann and Steve,
Thanks for all the comments. Here's a new set of certs where I think
that I've taken care of the points raised by both of you. I'd
appreciate your review.
This is the self-signed root CA cert. It is now V3, and has the AKI and
SKI. It still has "Digital Signature", as I wa
> > Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has
> > "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate
> > Sign, CRL Sign".
> >
>
> I can't recall saying the CA certificate needed "digital signature". It
> doesn't but if you sign with user certific
> The standards don't actually say much about the root CA at present. However it
> should really have those extensions. It is also a V1 and not a V3 certificate.
> This might be because you are following one of the old or inaccurate guides or
> even the odd book that gives incorrect instructions.
Hi,
This is a followup to an earlier inquiry regarding CA certificates in a
certificate chain.
I got a test configuration, where I have a root CA and a subroot CA by
first creating two self-signed CAs (ATEST4 and ATEST5), and then getting
the ATEST4 CA to re-sign the ATEST5 CA's cert.
It seems
Ray,
I've enabled LDAPS on AD before, but only using MS Certificate Services
configured as an Enterprise CA, so I haven't tried this myself, but
here's an article that might be useful:
http://support.microsoft.com/?id=321051
Jim
> That's one problem although Netscape Cert Type is largely obsolete some
> clients use it.
>
> The other problem is:
>
> X509v3 Key Usage: critical
> Key Encipherment, Data Encipherment, Key Agreement
>
> "Key Agreement" makes no sense for an RSA certificate since
>
> The certificate you have might not be certified for client authentication or
> the root CA might not be trusted for client authentication.
>
> See what happens when you do:
>
> openssl x509 -in clcert.pem -text -noout
>
> Steve.
Steve,
Thanks for replying. Here's what I got from one of
Hi,
I've figured out how to get the "openssl s_client" to display the list
of CAs:
1) Run: openssl s_client -connect host:port -prexit
2) When it pauses, type in a "GET": GET / HTTP/1.0
So I am now able to see the list of CAs that the webserver is sending,
and here's an excerpt:
.
.
/C=US/O=
Hi,
I have been trying to use openssl and, in particular, "openssl s_client"
to try to diagnose some problems that I have been having working with
some (server and client) certificates that I think were created using an
RSA product (Keon, I think).
The original problem that started all of this is
Liam Escario wrote:
>
> Hey Jim,
>
> Thanks for the clarification there. That's how I thought it should
> behave =)
>
> Now if only I could get to figure out how to read my client certificate in
> Java. I'm always getting null... I've tried using both,
>
> String cipherSuite = (String)
>
Liam Escario wrote:
>
> Hi Peter,
>
> You mentioned:
>
> >So, when the PKI client in my (for example) web browser connects to your
> >IIS server, my web browser's PKI client will connect to the Certifying
> >Authority URL that you specified when you created your SSL certificate
>
> what do yo
ohaya wrote:
>
> Hi,
>
> I'm having a problem getting one particular certificate request for a
> server certificate accepted by a CA. The CA is using Netscape
> Certificate Manager, I believe, and I'm submitting my request by pasting
> my request into a b
Ohaya wrote:
>
> "Dr. Stephen Henson" wrote:
> >
> > On Sat, Mar 27, 2004, Ohaya wrote:
> >
> > > Hi,
> > >
> > > BTW, I just tried asn1parse, and that worked, and didn't indicate any
> > > problems, so I'm confused
"Dr. Stephen Henson" wrote:
>
> On Sat, Mar 27, 2004, Ohaya wrote:
>
> > Hi,
> >
> > BTW, I just tried asn1parse, and that worked, and didn't indicate any
> > problems, so I'm confused as to why I'm getting those errors wit
Hi,
BTW, I just tried asn1parse, and that worked, and didn't indicate any
problems, so I'm confused as to why I'm getting those errors with x509:
openssl asn1parse -in myca.cer -inform der
Jim
Ohaya wrote:
>
> Hi,
>
> I'm trying to work with getting a CA c
Hi,
I'm trying to work with getting a CA cert installed.
I downloaded it using IE, and ended up with a .CER file, but in Windows,
when I click on the .CER file, I get an error box "Invalid Public Key
Security Object File"/"This is an invalid Security Certificate".
I tried to display the content
Hi,
Thanks. Can you (or anyone else) tell me under what conditions or what
determines which of these cases "happens"?
In other words, what "decides" to use, say, one certificate only
(presumably the root CA cert) vs. certificate chains?
takamichi saito wrote:
>
> > Hi,
> >
> > I've been
Hi,
I've been reading the subject book, by Eric Rescorla, and ran across the
following passage on page 110 (Chapter 4, under "CertificateRequest"):
"It is important to note that IF certificate chains are being used, then
the CA name specified in the CertificateRequest message need not refer
to th