How to build for python on Windows 10

2021-01-28 Thread Patrick Caruana
Hi, I have experience with python but absolutely none with c/c++ so any help would be greatly appreciated! I am running python 3.9.1 for windows 10 (x64). I have noticed the openssl dll files shipped with python (libcrypto-1_1.dll & libssl-1_1.dll) are only version 1.1.7. I would therefore like to

Re: Failing unit tests after adding public key check to pkey_ec_derive()

2020-12-31 Thread Patrick Jakubowski via openssl-users
ale private key was left over that didn't match the public key that was retrieved from the server. Applying this change to the OpenSSL 1.1.1 codebase fixed the ec_key_simple_check_key:invalid private key issue. I'm still a bit baffled by the issue in test_evp. Patrick On Tue, Dec 29

Failing unit tests after adding public key check to pkey_ec_derive()

2020-12-29 Thread Patrick Jakubowski via openssl-users
to be changed? I'm particularly concerned about the TLS 1.3 HRR tests as I want to make sure I haven't somehow broken the TLS protocol. FWIW, I see a similar check to the one I added in the DH shared secret derivation codepath. Thank you for any

Re: OpenSSL compliance with Linux distributions

2020-08-10 Thread Patrick Mooc
But be careful!  You probably want to have the original system .deb files for its openssl in an origopenssl dir so you can reinstall them with 'sudo dpkg -i origopenssl/*.deb' when this breaks. - Dan On Wed, Aug 5, 2020 at 1:28 PM Patrick Mooc <patrick.m...@gmail.com>

Re: OpenSSL compliance with Linux distributions

2020-08-10 Thread Patrick Mooc
Hello Hubert, Thank you for your answer. I already did this test, but also without success. Best Regards, On 07/08/2020 at 18:18, Hubert Kario wrote: On Thursday, 6 August 2020 21:24:32 CEST, Patrick Mooc wrote: Thank you Ben for your answer. I had a look today for this point, but I

Re: OpenSSL compliance with Linux distributions

2020-08-06 Thread Patrick Mooc
On 05/08/2020 at 22:46, Benjamin Kaduk wrote: On Wed, Aug 05, 2020 at 10:28:26PM +0200, Patrick Mooc wrote: Thank you very much Kyle for your quick and clear answer. The reason why I want to upgrade OpenSSL version, is that I encounter a problem with 1 frame exchange between client and s

Re: Software that uses OpenSSL

2020-08-06 Thread Patrick Steuer
cts, sorry for not making that clear. To give some examples: node.js crypto https://nodejs.org/api/crypto.html python https://cryptography.io/en/latest/ ... I thought someone may already have put together a list with projects that have an OpenSSL plugin or even use it as default. Best, Patrick

Software that uses OpenSSL

2020-08-06 Thread Patrick Steuer
Hi, is there a list of projects that use OpenSSL (for TLS or crypto in general) or that can be configured to use OpenSSL as a backend ? Best, Patrick

Re: OpenSSL compliance with Linux distributions

2020-08-05 Thread Patrick Mooc
(in order to limit risks as much as possible) ? Thank you in advance. Best Regards, On 05/08/2020 at 22:19, Skip Carter wrote: Patrick, I am also supporting servers running very old Linux systems and I can tell you that YES you can upgrade from source. I have built openssl-1.1.1 from

Re: OpenSSL compliance with Linux distributions

2020-08-05 Thread Patrick Mooc
ectly by openssl.org can be compiled to meet it without source code modification.) -Kyle H On Wed, Aug 5, 2020, 14:49 Patrick Mooc <patrick.m...@gmail.com> wrote: Hello, I'm using an old version of OpenSSL (0.9.8g) on an old Linux Deb

OpenSSL compliance with Linux distributions

2020-08-05 Thread Patrick Mooc
Hello, I'm using an old version of OpenSSL (0.9.8g) on an old Linux Debian distribution (Lenny). Is it possible to upgrade OpenSSL version without upgrading Linux Debian distribution ? If yes, up to which version of OpenSSL ? Are all versions of OpenSSL compliant with all Linux Debian distr

Re: Problems porting Openssl 1.1.1d to zos.

2020-03-05 Thread Patrick Steuer
On 3/4/20 5:31 PM, Salz, Rich via openssl-users wrote: Perhaps someone should writeup and submit a "NOTES.zos" file to add? I could put the contents of my previous mail in a NOTES.zos file, if that would be considered helpful, knowing it works for us at the moment and might not do the trick for

Re: Problems porting Openssl 1.1.1d to zos.

2020-03-04 Thread Patrick Steuer
Regarding perl, this is the version which works for us : > perl -v This is perl 5, version 24, subversion 0 (v5.24.0) built for os390 Copyright 1987-2016, Larry Wall MVS (OS390) port by Mortice Kern Systems, 1997-1999 Perl may be copied only under the terms of either the Artistic License or t

Re: Problems porting Openssl 1.1.1d to zos.

2020-03-04 Thread Patrick Steuer
ny of you aware of zOS specific OpenSSL development branches that I have yet to find? Or is this mainly done in private repositories/branches and not offered for PRs to the OpenSSL repository? We are working on porting OpenSSL for z/OS internally right now and will share the work in progress (via a PR to the OpenSSL repo) as soon as it makes sense, probably in the near future. Best, Patrick

Re: Resetting DTLS server

2019-11-12 Thread Patrick Herbst
On Tue, Nov 12, 2019 at 9:07 AM Michael Richardson wrote: > > so you are showing me your server code, correct, and this is for DTLS, > right? > Do you call DTLSv1_accept()? Yes, DTLS. There is no DTLSv1_accept. SSL_accept should work because it is based on 'method' and underlying BIO. I left s

Re: Resetting DTLS server

2019-11-12 Thread Patrick Herbst
On Tue, Nov 12, 2019 at 3:00 AM Michael Richardson wrote: > On 2019-11-12 7:38 a.m., Patrick Herbst wrote: > > If i setup a DTLS server, the client can connect once and send > > messages find. but if the client restarts and tries to send data, the > > server hangs on SSL_

Re: Problems porting Openssl 1.1.1d to zos.

2019-11-12 Thread Patrick Steuer
ithub.com/openssl/openssl/pull/10417 Patrick

Resetting DTLS server

2019-11-11 Thread Patrick Herbst
If I setup a DTLS server, the client can connect once and send messages fine. But if the client restarts and tries to send data, the server hangs on SSL_read. I'm assuming the server does not like a ClientHello message when it is expecting application data. How can the server be made to recover

Re: New to the list and one question ;-)

2019-06-13 Thread Patrick Regnouf via openssl-users
Thanks Matt, adding a call to SSL_CTX_set_ecdh_auto()  on the server side actually did the trick. Problem solved!!! /Patrick  Contrary to what you said in your original post the chrome session is NOT selecting 0xc02f. Instead it is selecting 0x002f which is TLS_RSA_WITH_AES_128_CBC_SHA (aka

Re: New to the list and one question ;-)

2019-06-12 Thread Patrick Regnouf via openssl-users
As requested here are two captures attached: one successfully handshakes with the server (chrome)  and one fails the handshake (firefox). I would be very grateful if anyone could shed some light on this. the openssl version which is linked to my server/relay program is 1.0.2s Thanks /Patrick

New to the list and one question ;-)

2019-06-10 Thread Patrick Regnouf via openssl-users
Hello all,  Presently writing a server/relay dealing with an h264 stream. one of the threads' job is to establish a handshake with the browser requesting the stream in order to feed the libsrtp2 with keys and salts and start encrypting the h264 stream towards the browser. all is well

Re: bn_sqr8x_internal function consumes a lot of CPU time

2019-03-04 Thread Patrick Steuer
It's an x86_64 assembly subroutine of bn_mul_mont which implements Montgomery modular multiplication. It's heavily used in RSA computations. Just set a breakpoint in the debugger and have a look at the callstack.

Re: [openssl-users] possible C bugs in ecp_nistp521

2019-01-07 Thread Patrick Steuer
ed to satisfy some stricter entry condition than stated in the above comment (such that there is no overflow) things might be alright. I didn't look at your other examples but I'd expect something similar. Best Regards, Patrick Steuer -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL_dane_tlsa_add function signature

2018-01-09 Thread Patrick Schlangen
P. Best Regards, Patrick

[openssl-users] SSL_dane_tlsa_add function signature

2018-01-09 Thread Patrick Schlangen
opy of the data? Thanks a lot in advance, Patrick

Re: [openssl-users] OpenSSL version 1.0.2l published

2017-05-25 Thread Patrick Mayweg
Qint Software GmbH Marlene-Dietrich-Str.59 80636 München +49 172 8910563 Sitz: München HRB 117326 Geschäftsführer: Patrick Mayweg. > On 25.05.2017, at 15:57, OpenSSL wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > > OpenSSL ve

Re: [openssl-users] Why no peer certificate available.

2015-05-25 Thread Patrick Proniewski
On 26 May 2015, at 05:17, Jerry OELoo wrote: > Hi. > I found there is a website which has https support. > https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp > and browser can show its certificate chain. > but when I use openssl to connect website, it returns fail. Openssl works great here:

[openssl-users] compared performances on Mac OS X 10.6.8

2015-05-10 Thread Patrick Proniewski
Hello, I've compiled OpenSSL 1.0.2a on Mac OS X 10.6.8, and used `openssl speed` to compare performances with stock OpenSSL (0.9.8). In many tests, 1.0.2a is a bit faster, or as fast as 0.9.8y, but on the 6 AES tests, the old one is almost twice as fast as the new one: OpenSSL 1.0.2a 19 Mar 20

[openssl-users] upgrade system's OpenSSL and libs on Mac OS X 10.6.8

2015-05-10 Thread Patrick Proniewski
Hi, Disclaimer: I'm not a developer. I would like to upgrade openssl, libssl and libcrypto on my Mac OS X 10.6.8 system. The purpose is to allow system and softwares to use the new libs (for example ssh, sshd, Mail...). Do you think it's possible? I can already install openssl and libs somewhe

RE: Verification of a certificate chain

2014-05-27 Thread Eisenacher, Patrick
Afterwards you can start issuing certificates that are trusted by all parties with updated truststores. HTH, Patrick Eisenacher

RE: CRL & default_crl_days

2014-05-12 Thread Eisenacher, Patrick
valid, the more revoked certificates will slip through the check. Plus, the client has no need to update the crl as long as it is valid. This problem is inherent to crls. As such, you want to make your crls as short running as possible and usable in your environment. HTH, Patrick Eisenacher

RE: Free StartSSL certificate not trusted

2014-04-16 Thread Eisenacher, Patrick
diate Server CA > --- Your server sends only an end entity certificate, whose issuer is not trusted by your client. You need to add the issuer's certificate to your client's truststore. HTH, Patrick Eisenacher

RE: OpenSSL Security Advisory

2014-04-09 Thread Eisenacher, Patrick
cripts/blob/master/check-ssl-heartbleed.pl > Also, could the security keys we bought have been compromised? Certainly yes. You should replace them. I read today that some CAs offer free replacements. HTH, Patrick Eisenacher

RE: A small note on Windows 8 GetVersion() depreciation

2014-01-09 Thread Watson, Patrick
't have my CE documentation handy at the moment. I suspect that the previously linked 'Version Information Functions' are not quite as suited to what you want to do since I think you'd need to check the version of a particular file rather than the OS itself. Should this th

Re: Verisign Problem with smtp tls

2013-12-27 Thread Patrick Patterson
51:4a:6a:d8:69:cf: 84:57:76:a4:90:eb:b0:cc:13:e5:da:1f:1c:75:b2:26:27:94: 1e:a8:e1:6e You will notice that the "Not After" line does, in fact, indicate that their cert is expired. And not only expired, but expired a long time ago. Why does no-one else notice?

Re: ECDSA - OpenSSL Implementation using the modulus (N) instead of field size (q)?

2013-12-20 Thread Patrick McCorry
m(const EC_GROUP *group, BIGNUM *p, BIGNUM >> *a, BIGNUM *b, BN_CTX *ctx); >> >> as appropriate dependent on the type of curve that you have. >> >> >>> On Thu, Dec 19, 2013 at 9:54 AM, Patrick McCorry >>> wrote: >>>>>>> From

Re: ECDSA - OpenSSL Implementation using the modulus (N) instead of field size (q)?

2013-12-19 Thread Patrick McCorry
Thank you Billy for the clarification - is there a way to retrieve the value for "p" that is used under the hood? I assume the p value does not change (unless the curve is changed). Sent from my iPhone > On 19 Dec 2013, at 17:35, Billy Brumley wrote: > > http://en.wikipedia.org/wiki/Elliptic

Suggestions for minimizing compiled code size

2013-11-19 Thread Watson, Patrick
-rc5 no-idea no-cast no-whirlpool no-camellia no-seed no-md2 no-md4 no-ripemd no-mdc2 no-krb5 no-hw no-gmp no-jpake no-srp no-ssl2 no-sctp Patrick Watson, CISSP Software Engineer Data Security & Electronic Payment Systems NCR Retail

RE: connecting to (openssl-) server in SSL or clear text

2013-11-15 Thread Watson, Patrick
ommunicate securely. (See http://en.wikipedia.org/wiki/STARTTLS) Patrick Watson, CISSP Software Engineer Data Security & Electronic Payment Systems NCR Retail 770.299.6713 | patrick.wat...@ncr.com | www.ncr.com -Original Message- From: owner-openssl-us...@openssl.org [mailto:ow

Re: OpenSSL and DH parameters

2013-10-25 Thread Patrick Pelletier
org/doc/draft-gutmann-tls-eccsuites/ Is this true? And why? It doesn't seem like it should work that way. --Patrick __ OpenSSL Project http://www.openssl.org User Support Mailing List

RE: Certificate extensions

2013-09-18 Thread Eisenacher, Patrick
Peter, > -Original Message- > From: Peter Sylvester > > On 09/18/2013 09:53 AM, Eisenacher, Patrick wrote: > >> -Please also note that adding extensions to a certificate request > usually doesn't make any sense, as those get added to the certificat

RE: Certificate extensions

2013-09-18 Thread Eisenacher, Patrick
adding extensions to a certificate request usually doesn't make any sense, as those get added to the certificate solely by the certificate issuer's grace. HTH, Patrick Eisenacher

RE: multi-byte subject DN display

2013-09-12 Thread Eisenacher, Patrick
th UTF8String encoded RDNs: $ openssl x509 -subject -noout -nameopt esc_2253 -nameopt esc_ctrl -nameopt utf8 -nameopt dump_nostr -nameopt dump_unknown -nameopt dump_der -nameopt sname -nameopt sep_comma_plus -in HTH, Patrick Eisenacher

RE: Openssl 1.0.1x build using VS 2012

2013-09-03 Thread Watson, Patrick
might access FILEs or the console, like ERR_print_errors_fp. I’m not sure why you are only seeing it in VS2012; maybe you added logging code so you diagnose issues in the new DLL? Patrick Watson, CISSP Software Engineer Data Security & Electronic Payment Systems NCR Retail From: owner-openss

RE: CA hierarchy / pathlen:0

2013-08-23 Thread Patrick Tronnier
The RFC 5280 is for path building and validation when certificates are being used. It is not meant for validation during certificate creation. As Rich indicated OpenSSL will sign anything you present. With kind regards, Patrick Tronnier Principal Security Architect & Sr. Director of Qua

Re: not fork-safe if pids wrap

2013-08-22 Thread Patrick Pelletier
o perform the output redirections and then exec the program I really wanted to run. Ugly! --Patrick

Re: not fork-safe if pids wrap

2013-08-21 Thread Patrick Pelletier
ks a grandchild. In an incredibly rare and unlucky case, the grandchild could have the same pid as the original parent, and then the grandchild wouldn't detect it had forked. --Patrick

Re: not fork-safe if pids wrap (was Re: DLL hell)

2013-08-21 Thread Patrick Pelletier
On 8/21/13 12:19 AM, Patrick Pelletier wrote: Nikolay Elenkov wrote a proof-of-concept that shows the pid-wrapping bug on Android, and then I took it one step further and wrote a proof-of-concept using OpenSSL in C, demonstrating that this is an underlying OpenSSL bug: https://gist.github.com

not fork-safe if pids wrap (was Re: DLL hell)

2013-08-21 Thread Patrick Pelletier
On 8/15/13 11:51 PM, Patrick Pelletier wrote: On Aug 15, 2013, at 10:38 PM, Nico Williams wrote: Hmm, I've only read the article linked from there: http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html Yeah, that's the only place I've seen it, and

Re: DLL hell

2013-08-15 Thread Patrick Pelletier
these rough spots and provide a "batteries included" approach to people who want it, without having to convince the OpenSSL project to change the core library, which I think would be an uphill battle at best. --Patrick

Re: DLL hell

2013-08-15 Thread Patrick Pelletier
SL" for a while, but haven't gotten around to it yet.) Still though, I'd love it if it could be solved officially and we didn't need an unofficial companion library. What fixes might be welcomed? Would patches to automatically initialize the PRNG on first use (and so on) be w

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
> -Original Message- > From: Walter H. >> Eisenacher, Patrick wrote: > >> -Original Message- > >> From: Jakob Bohm >> > > As I said before, there's no pki-inherent mechanism to revoke a self signed >> certificate other than to

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
> -Original Message- > From: Jakob Bohm > > On 31-07-2013 11:02, Eisenacher, Patrick wrote: > >> -Original Message- > >> From: Jakob Bohm > >> > >> On 30-07-2013 20:53, Walter H. wrote: > >>> On 30.07.2013 19:51, E

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
> -Original Message- > From: Jakob Bohm > > On 30-07-2013 20:53, Walter H. wrote: > > On 30.07.2013 19:51, Eisenacher, Patrick wrote: > > In Boolean logic, we have the following possibilities: > > - Root is trusted, so the revocation is valid, so the root

RE: OCSP and self signed

2013-07-30 Thread Eisenacher, Patrick
derstood why some root-cas put a crldp extension into their own certs. Patrick Eisenacher

Re: OSCP server does not update status

2013-07-24 Thread Patrick Patterson
Hi Steve, On 2013-07-23, at 6:13 PM, Steven Madwin wrote: > Hi Patrick, > > Both you and Dr. Henson have made it clear that the OCSP server > implementation is only to be used for testing. With that in mind, the server > implementation does act as a server and responds to inbou

Re: Crash in a multithreaded environment

2013-07-21 Thread Patrick Patterson
Hi Michael, Can you post the backtrace, as well as any relevant source? Trying to help you from the given data would be a little problematic. Cheers, Patrick. On 2013-07-21, at 7:55 AM, Michael wrote: > > Good day all, > > I have a crash of our proprietary server, which is happ

Re: OSCP server does not update status

2013-07-18 Thread Patrick Patterson
oses. Have fun. Patrick. On 2013-07-18, at 12:19 PM, redpath wrote: > I am testing some simple scenarios for the OSCP server. > I have to stop and start the Server to know I revoked a cert. > Here is my scenario. > > *I start the OSCP server* > > ocsp -index ./

Re: Creating certificates

2013-06-19 Thread Patrick Patterson
appropriately directed at the OpenLDAP mailing list, and any Certificate issues at the Mozilla LibNSS mailing list. Best Regards, Patrick. On 2013-06-19, at 5:58 PM, Rodney Simioni wrote: > Hi, > > There was an email earlier yesterday about LDAP/SSL/TLS but I'm going to &g

RE: sslv3 alert bad certificate

2013-05-17 Thread Eisenacher, Patrick
> From: Mithun Kumar > > Any pointers why below error is thrown by openssl? > > error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad > certificate:s3_pkt.c:1193:SSL alert number 42 Your peer didn't like your certificate and sent you a fatal bad certificate alert

Re: Encoding arbitrary AKI value.

2013-05-08 Thread Patrick Patterson
Hi Stefan, On 2013-05-08, at 5:58 AM, Stefan H. Holek wrote: > Hi Patrick, > > The 'keyid' keyword in this case means 'copy from signing cert'. To add > arbitrary values to certificate extensions, you must use the 'arbitrary > extension format

Encoding arbitrary AKI value.

2013-05-06 Thread Patrick Patterson
d_aki [ bad_aki ] keyid = DER:01:02:03:04:05:06:07:08:09:0A However, when I try this, it appears that I can't override the default behaviour of copying the SKI from the Signing CA Certificate. Any thoughts? --- Patrick Patterson Chief PKI Architect Carillon Information Security

Getting different/incompatible RSA Signatures

2013-05-02 Thread Patrick Herbst
Mi=..| 0040 Thanks in advance!! Patrick Herbst

RE: Why Openssl "s_server" is allowing Session Reuse on the same tcp connection

2013-04-29 Thread Eisenacher, Patrick
e this is in the server's responsibility, but the mechanism is the same for client and server. HTH, Patrick Eisenacher

RE: Why Openssl "s_server" is allowing Session Reuse on the same tcp connection

2013-04-25 Thread Eisenacher, Patrick
t ssl session. If your client doesn't want to resume any ssl session, but start a new one and thus undergo a full handshake, then simply make it not send an ssl session id. HTH, Patrick Eisenacher

RE: handling of expired certificates

2013-04-24 Thread Eisenacher, Patrick
e the connection's SSL parameters. Alternatively, it can close down the current connection and establish a new one. Both ways cause a new handshake to be started. HTH, Patrick Eisenacher

RE: Use TLS over UDP connection

2013-02-22 Thread Eisenacher, Patrick
> -Original Message- > From: saurav barik > > Can I use > TLS over a UDP connection(I understand DTLS can be used but my project > needs TLS)? No, you can't. You need a reliable transport protocol, i.e. TCP. See RFC 5246. It's right there in the first paragra

RE: Failed SSL/HTTP connections via Apache(2.4.3)SSL when going from 1.0.1c to 1.0.1e

2013-02-19 Thread Eisenacher, Patrick
output. But as Dave has already pointed out, your client's write to the socket fails, because the underlying connection was closed down and you should enable maximum loglevel in your server and check its logfile for any hints. HTH, Patrick Eisenacher

RE: Failed SSL/HTTP connections via Apache(2.4.3)SSL when going from 1.0.1c to 1.0.1e

2013-02-18 Thread Eisenacher, Patrick
xt at the end. > 1.0.1c does not show this error. Looks like your client doesn't trust the server's root CA certificate. Try to invoke s_client with either the -CApath or the -CAfile option. $ man s_client is your friend. HTH, Patrick Eisenacher

RE: [openssl-users] problem with private extension definitions via oid_section

2013-02-13 Thread Eisenacher, Patrick
Hi Erwann, > -Original Message- > From: Erwann Abalea > > "oid_section = new_oids" must be in the top level, not in [ca], [myca], > or whatever. Just move that declaration to the top. Thank you. This works like a charm. Patrick Eisenacher

problem with private extension definitions via oid_section

2013-02-13 Thread Eisenacher, Patrick
mand I use to issue the cert is: $ openssl ca \ -config ca.conf \ -batch \ -subj $SUBJECT_NAME \ -startdate $CERT_VALID_FROM \ -enddate $CERT_VALID_TO \ -in $REQUEST_FILE This is with openssl v1.0.0-beta3 on SLES11. Thanks for any insight, Patrick Eisenacher

RE: OpenSSL version 1.0.1e released

2013-02-11 Thread Eisenacher, Patrick
> -Original Message- > From: OpenSSL > >The OpenSSL project team is pleased to announce the release of >version 1.0.1e of our open source toolkit for SSL/TLS. This new >OpenSSL version is a new feature release. For a complete >list of changes, please see > >http://

Re: OpenSSL wikibook

2013-02-02 Thread Patrick Pelletier
of contents. (Again, this man-page style format isn't quite what I'm looking for in the long term, but I'm quite happy to have it for now!) Thanks so much for contributing, --Patrick

OpenSSL wikibook

2013-02-01 Thread Patrick Pelletier
been documented. --Patrick

Re: Displaying cert content

2012-12-20 Thread Patrick Patterson
Hi Robert: On 2012-12-20, at 8:05 PM, Robert Moskowitz wrote: > OK. I am swamped. What is the command to display the cert content? > openssl x509 -in cert.pem -text -noout. Have fun. --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.caril

Re: Openssl default_ca values while using HSM - LunaCA3

2012-12-13 Thread Patrick Patterson
Hello Simon, The correct way is to have a "key pointer" file that you can use 'sautil' to create. Your SafeNet representative should be able to point you in the right direction. Best Regards, Patrick. On 2012-12-13, at 1:40 PM, simon charles wrote: > > Dr. Step

RE: Passing TLS sessions between programs

2012-11-06 Thread Eisenacher, Patrick
. Once you have the SSL_SESSION, convert it to ASN1 (via i2d_SSL_SESSION) and dump it to a file. Read that file in with your second program and convert it back from ASN1 to SSL_SESSION(via d2i_SSL_SESSION) and add it to the SSL_SESSION cache of the SSL_CTX (via SSL_CTX_add_session). HTH, Patrick Eisenacher

Re: Cross compiling openssl + openssl-FIPS for mips-openwrt-linux-uclibc

2012-07-25 Thread Patrick Patterson
o get a change letter, and in that change, you can ask for the compiler line tweak. Have fun! Patrick. On 2012-07-24, at 5:25 PM, majoh...@rockwellcollins.com wrote: > Hey, > >I'm trying to get a FIPS certified openssl, and after > > When I compile normally (&q

Re: Is Sha2 supported for signing certs?

2012-06-14 Thread Patrick Patterson
Hi Pushkar, Don't use the -md option - just use -sha256 directly. Have fun. Patrick. On 2012-06-13, at 2:11 PM, Pushkar Pathak wrote: > Hi All, > > I am trying to sign a certificate with SHA2. I have my own CA certificate > and want to sign an end entity certificate wi

Re: What is the difference between green and yellow address bars in browser for certificate's fields?

2012-06-14 Thread Patrick Patterson
how to code an application to recognise EVSSL Certs. More general questions like this probably belong at the SSL Observatory, or some similar mailing list. Have fun. Patrick. On 2012-06-13, at 12:57 PM, Vladimir Belov wrote: > Hello. > > Many public CAs suggest Extended Validation for c

RE: peer not authenticated

2012-06-04 Thread Eisenacher, Patrick
s you that the server doesn't like your client cert chain. As such, it sends a bad certificate alert. You should check the server's log for any details. HTH, Patrick Eisenacher

RE: [openssl-users] How does openSSL handle the pathlen constraint?

2012-05-22 Thread Eisenacher, Patrick
> -Original Message- > From: Erwann Abalea > > On 22/05/2012 10:57, Eisenacher, Patrick wrote: > >> -Original Message- > >> From: Erwann Abalea > >> > >> Hello, > >> > >> On 21/05/2012 14:10, Serge Emantayev

RE: [openssl-users] How does openSSL handle the pathlen constraint?

2012-05-22 Thread Eisenacher, Patrick
em any certificate as trusted and thereby making it its trust anchor. Nevertheless the verification process needs to take into account the extensions of the trust anchor and I don't see any reason to exclude basicConstraints. Can you please cite the relevant part of the validation algorithm

RE: subjectAltName requirements

2012-04-04 Thread Eisenacher, Patrick
t this is 6 years ago, and my memory could be at fault... HTH, Patrick Eisenacher

RE: Re: Verify intermediate certificate

2012-01-16 Thread Eisenacher, Patrick
wing the root-CA. If I remember correctly, there is work going on to enable such functionality in an upcoming release. Perhaps Steve can shed some light on its status. Patrick Eisenacher

Problem with OpenSSL getpid() on RHEL 5.5

2011-12-05 Thread Patrick Mischler
We do have a serious problem with OpenSSL on RHEL 5.5. The installed version is 0.9.7 . Our application calls the function getpid() or whatever and this leads the application to crash. We've contacted our software vendor and they told us the root cause of the problem lies within the OpenSSL librari

RE: ASN.1 encoding question

2011-11-23 Thread Eisenacher, Patrick
Ok, found the answer shortly after posting my message to the list. Here's the answer for the archive: > -Original Message- > From: Eisenacher, Patrick > > I'm using asn1parse -genconf to der encode the following asn1 > structure: > > URLs ::= SEQUENC

ASN.1 encoding question

2011-11-23 Thread Eisenacher, Patrick
hanks for your help, Patrick Eisenacher

RE: Revocation with a renewed/rekeyed Root CA

2011-10-17 Thread Eisenacher, Patrick
to me and according to my understanding of PKI this doesn't make sense, because there is no trust relationship between any self signed keys, so I can't trust that key 2 has any relationship to key 1, specially not to issue its CRLs. Patrick Eisenacher

RE: How I can find URI for this ca certificate?

2011-05-02 Thread Eisenacher, Patrick
y server. Also application protocols usually provide means for adding all the certificates necessary to verify a signature to said signature. HTH, Patrick Eisenacher

RE: Possibility to create CRL without the CA key

2011-05-02 Thread Eisenacher, Patrick
y issuing that instance a certificate with the key usage cRLSign. You can read up the details on that in RFC5280, chapter "CRL and CRL Extensions Profile". HTH Patrick Eisenacher

Re: PKCS12 - Why Encrypted?

2011-04-21 Thread Patrick Rutkowski
which was 1996; and though it was updated in 2001, that was still a long time ago now. I wonder to what degree the material will be outdated, or to what degree modern day material will be completely missing. -Patrick On Apr 21, 2011, at 8:55 AM, Michel (PAYBOX) wrote: > I believe this

PKCS12 - Why Encrypted?

2011-04-20 Thread Patrick Rutkowski
's that I don't understand why it needs to be encrypted in principle. Many thanks in advance for any help in clearing up a newbie's confusion, -Patrick P.S. If there are any de facto standard books to read on the subjects of RSA and PKI, I would be curious to hear a tip. I'm not ne

Re: Extracting X509 Policies that are searchable

2011-04-15 Thread Patrick Patterson
atch on OID values, and not on any other part of the certificatePolicy extension. Have fun! -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Patrick Patterson
and complex path resolution, in case that is interesting to you. Best Regards, Patrick. On 2011-03-15, at 9:19 AM, Jeff Saremi wrote: > I seriously need help with this piece. I searched the forum and I could > not find what i was looking for. > During an SSL handshake, I need to b

Re: convert x509 cert into string and store certs in cache

2011-03-08 Thread Patrick Patterson
best way to store > certificate with string format ? PEM of course. > 4) is a bad idea to handle everywhere certificates in string format ? > VERY, VERY bad... Have fun! --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Patrick Patterson
Hi Yessica: That error is fairly straightforward - it's can't load the cert (meaning, it can't even load the file). Have you made sure that the permissions are correct? Are you absolutely sure that you have the right cert in the right location? Have fun. Patrick. On 2011-02

RE: [FWD] Intermediate certificate chain not included when exporting as pkcs12

2011-02-17 Thread Eisenacher, Patrick
key.pem -name mylabel -chain -CAfile ca_path.pem -out archive.p12 -passout pass:mypassphrase ca_path.pem contains the concatenated CA certificates of cert.pem's certificate chain, encoded in PEM-format. So obviously what you pass in via -CAfile has the wrong format. Also make sure that all

RE: ASN.1 encoding a private structure

2011-02-15 Thread Eisenacher, Patrick
> -Original Message- > From: Peter Sylvester > > On 02/14/2011 01:11 PM, Eisenacher, Patrick wrote: > > I want to encode a private asn1 structure, say something > like the following: > > > > SEQUENCE > >true_false BOOLEAN > >certificat
