but that seems to be fixed. code is in routine c2i_ibuf in
crypto/asn1/a_int.c
0301xx look what ossl_c2i_ASN1_BIT_STRING in a_bitstr.c Don't test for bits
when length is 1
Best
Peter
On 01/04/2021 16:21, Michael Wojcik wrote:
Thanks to everyone who responded. You've confirmed my impression:
- There doesn't appear to be any applicable standard which requires or forbids
including the root, or even endorses or discourages it).
rfc8446 page 65:
The sender's certifi
Even with sound this would not be BER. i:-) Integers can have 9 or more leading
zero bits in BERnot
ISO/IEC 8825-1:2008 (E) ITU-T Rec. X.690 (11/2008)
7 8.3 Encoding of an integer value
8.3.1The encoding of an integer value shall be primitive. The contents octets shall consist of one
or more
re like:
Error C3861 'HMAC_CTX_init': identifier not found
Error C3861 'HMAC_CTX_cleanup': identifier not found
and more related to some struct def difference.
But as I imagine, it should not happen, right ?
Peter
On Mon, Sep 16, 2019 at 11:17 AM Michael Wojcik <
michael.woj...@micr
nctions in my application should still work,
right? But it does not work. And as I imagine, in the openssl header
files(after a successful build), it should have some "#if defines
OPENSSL_USE_DEPRECATED"
like statement, but I don't see it anywhere, can you tell me how it works?
Thanks!
ere is no difference.
The command I used is:
perl Configure VC-WIN32 enable-deprecated
--prefix=T:\openssl-%OPENSSL_VERSION%-32bit-release-DLL-VS2015
nmake
Thank you in advance!
Peter Sui
I've commented on the PR, mostly about not understanding the commit
message RFC-references and indentation error.
Overall the PR looks good to me, but I'd like someone who is more
familiar with implementation have a look at it.
Best Regards
Eine Kleine Blau Fisch
On Tue, Feb 19, 2019 at 2:10 PM
root:root, chmod 400. And ideally your Root CA files should not be
hosted on your web server, otherwise a server compromise also
compromises your root authority.
https://redmine.lighttpd.net/projects/1/wiki/docs_ssl
Permissions
Be careful to keep your .pem file private! Lighttpd reads all pemfiles
You can find a number of SM2 implementations on github, etc.
https://github.com/openssl/openssl/blob/9453b196343db579c590130adc63d35d2ff87188/crypto/sm2/sm2_crypt.c
https://github.com/ARMmbed/mbedtls/blob/3ea8c4cb2a03724ba15c915e02d83255e1884859/library/ecdsa.c
https://github.com/developerworks/sm
at 10:13 AM Richard Levitte wrote:
>
> In message
> on Tue,
> 16 Oct 2018 10:34:31 +0200, Peter Magnusson
> said:
>
> > Sorry, I am an idiot =)
>
> No you're not.
>
> > Problem resolved, user error. -key was the problem and should not be
>
ng to try and figure out what pass phrased was
> passed and where it came from. I'm afraid that's a debugging session.
>
> Cheers,
> Richard
>
> In message
> on Tue,
> 16 Oct 2018 09:54:08 +0200, Peter Magnusson
> said:
>
> > The error can be worka
The error can be worked around by entering PIN = "..." into [pkcs11_section].
pkcs11 engine version is libp11-0.4.9.
Anyone know if this is a 1) libp11 issue or 2) openssl issue or 3) me
doing something wrong?
On Mon, Oct 15, 2018 at 5:40 PM Peter Magnusson
wrote:
>
> Hi,
>
> I
Hi,
I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
login pin. Version is openssl-1.1.1.
openssl req works as I would expect, prompting for PIN:
YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
local-build/bin/openssl \
req -config yubihsm2-openssl.conf -new \
-engine pkcs11 -
You would be better off with AES-CCM or such for your backup, that
gives you the integrity check.
i.e. you would be reasonably sure what you decrypt is encrypted with your key.
So the first question would be why even consider AES-CBC? Somewhere in
the decision process you ought to go "Is the major
b87046bcd7581f9ba9cb2baf3
> Does that address your concerns?
I think so! I'll integrate it into my tests and try to do Q/A on the
change, see if I can figure out any other edge case.
Best Regards
//P
On Mon, Oct 8, 2018 at 6:15 PM Viktor Dukhovni
wrote:
>
> > On Oct 8, 2018, at
=true, max_pathlen=0
key usage : Key Cert Sign, CRL Sign
! The certificate is not correctly signed by the trusted CA
The handshake fails after this error, mbedtls_ssl_handshake returned -9984.
On Mon, Oct 8, 2018 at 2:51 PM Peter Magnusson
wrote:
>
> sorry, typo on the verify line
sorry, typo on the verify line, this was what I should have written:
VERIFY(max_path_length>0) error upon preparing transition from i=2
(EvilCA) to i=2 (EvilServer).
On Mon, Oct 8, 2018 at 2:47 PM Peter Magnusson
wrote:
>
> That is not correct behaviour as far as I can understand.
>
interpretation that 0 pathlen on the root self signed meant
> infinite.
> The pathlen only applies on the certs between root and the leaf (which
> obviously can be 0, and CA true or not, but bad form to say true I'd imagine.)
>
> On Mon, Oct 8, 2018 at 1:57 AM Peter Magnus
One more logic confusion in the OpenSSL Path Length Constraint check.
Any Path Length Constraint set by Root (or any other Self-Issued
Certificate) is ignored.
Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly
applied to the checker (i.e. the checker and the calculation logic
have b
Thanks, I provided some input regarding off by one calculation of plen
still present in the patch.
You are very much correct on the definition of self-issued; rfc5280,
"A certificate is self-issued if the same DN appears in the subject
and issuer fields (the two DNs are the same if they match acco
ier:
keyid:17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0
On Thu, Oct 4, 2018 at 12:26 PM Viktor Dukhovni
wrote:
>
> On Wed, Oct 03, 2018 at 07:16:51PM +0200, Peter Magnusson wrote:
>
> > The following test case attempts to validate evilserver.pem, issued
> >
Is this expected? (plen > (x->ex_pathlen + proxy_path_length + 1))
evaluates to false (constraint not violated) when checking constraint
0 against plen=1 (constraint violated as far as I can understand?).
Doesn't make much sense to me. Is there something I haven't understood
about how the constra
asic"
X509v3 Basic Constraints: critical
CA:TRUE
openssl verify -verbose -CAfile root.pem -untrusted untrusted.pem evilserver.pem
evilserver.pem: OK
On Wed, Oct 3, 2018 at 4:51 PM Viktor Dukhovni
wrote:
>
> On Wed, Oct 03, 2018 at 02:51:57PM +0200, Peter Mag
Hi,
It is my understanding that "openssl verify" should raise
X509_V_ERR_PATH_LENGTH_EXCEEDED if a pathlen=0
intermediate issues a new CA, but that does not seem to occur when I
test with a couple of openssl versions.
I am not sure due to limited understanding of the code, but I am
wonde
4_skey.o",
rc5_asm_src => "rc5_enc.c",
rc5_obj => "rc5_enc.o",
rmd160_asm_src => "",
rmd160_obj => "",
sha1_asm_src => "sha1-armv4-large.S sha256-armv4.S sha512-armv4.S",
sha1_obj => "sha1-armv4-l
On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote:
> On Thu, Aug 17, 2017, Robert Moskowitz wrote:
>
>> In the [ ca ] section I have:
>>
>> prompt = no
>>
>> If I leave the = out I get an error, so I am assuming I got the
>> format of this right.
>>
>> Then I have
>>
>> [ req ]
>> distinguished_na
s using openssl
standard encryption like GCM can use? Each application will have to get self
declared?
On Thu, Dec 1, 2016 at 12:12 PM, Peter Sylvester Edelweb
<peter.sylves...@edelweb.fr> wrote:
Hi
There are news since about a year.
https://www.ssi.gouv.fr/administration/re
in a product.
It may be as simple as "to hash passwords we use the SHAnnn functions as
implemented by openssl".
I used to make such declarations about 15 years ago.
Peter
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
p the
X509_verify_cert check.
Thanks,
Peter
#!/usr/bin/env ruby
# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file
Jakob Bohm writes:
>
> In 1.0.2 and later, most of the files in ${BUILD_DIR}/include/openssl
> are supposed to be copies/symlinks to files of the same name elsewhere
> in the OpenSSL source, for instance the ones you mention should be
> links to files in subdirectories under ${BUILD_DIR}/crypt.
Hi Wim,
I'll give this a shot, thank you for the suggestion!
-Peter
On Wed, Nov 11, 2015 at 5:05 PM, Wim Lewis wrote:
>
> On Nov 9, 2015, at 3:46 PM, Peter P. wrote:
> > I'm writing an application using Openssl 1.0.2d where I am trying to
> take a DER encoded unsigne
Hi Dr. Henson,
Thank you for your reply. To work around this issue in my application, I
have considered attempting to re-sign an already signed CSR. Is this
possible with OpenSSL?
Thank you again,
Peter
On Tue, Nov 10, 2015 at 9:18 AM, Dr. Stephen Henson
wrote:
> On Mon, Nov 09, 2015, Pe
re is any
other way to read in an unsigned CSR into an X509_REQ data structure.
Thank you,
Peter
use the backup and
restore commands with OpenSSL encryption and no tape drive, but backing up to a
different directory and restoring from there, there are no errors during the
restore. The errors only happen when restoring from tape.
Any thoughts you have on this are appreciated.
Peter M K
Hi All
Please let me know if I am posting to the correct list. I set up a reverse
proxy for my website using nginx and I had to export the certificate from
my web server to put on the proxy. On windows I exported the certs to a
.pfx file. On my Unix box, I used the command below to export all the c
https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html
Load names of CAs from file and use it as a client CA list:
SSL_CTX *ctx;
STACK_OF(X509_NAME) *cert_names;
...
cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
if (cert_names != NULL)
SSL_CTX_set_client_CA_list(
Thanks Dave,
I have approached the server operator about the security shortcomings that
you pointed out. In the interim I used your suggestion and altered the
cipher list to SSL_cipher_list DEFAULT:!ECDH.
This has sorted the problem. I am very grateful for your assistance.
Peter.
On 21
");
my $response = $userAgent->request($request);
if($response->code == 200) {
print $response->as_string;
}
else {
print "zs"
}
Can anyone shed some light on what is happening here or what I can do to
remedy the problem?
Thanks,
Peter.
or others, at best a surprise when policy and practice documents do not even
mention
these behaviours.
Peter Sylvester
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
into specified file:
openssl x509 -in Root_Key_SCert.pem -out Root_Key_SCert.txt -text (text is
displayed on screen but not redirected to file, worked with release 0.9.8h)
Peter
Verification of pathlen is for relying parties.
If you own the key of a "CA" (the quotes are intended
On 08/09/2013 11:17 AM, Florian Weimer wrote:
Qt installs a verification callback like this
|// Register a custom callback to get all verification errors.
|X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
It is not recommended to access to members in the way above, but ra
Please note that s_client is used for debugging connections not certs
and might connect EVEN IF the server certificate is not good.
http://www.openssl.org/docs/apps/s_client.html#item__verify
"Currently the verify operation continues after errors so all the
problems with a certificate chain can be
e for -loop instead?
best regards
Peter
On 22 March 2013 00:19, barcaroller wrote:
>
> When the openssl s_server program is unable to verify a client
certificate, it prints out the following error message:
>
>verify error:num=21:unable to verify the first certificate
>verify return:1
>
> but then continues running as if nothing
We've found that upstream-tracker.org was a good place to start.
Unfortunately, it only performs comparisons from one release to the
next, so what we did was download one of the tools that makes up
upstream-tracker and ran it against the specific release we were using
and the release to which w
for those who don't read openssl-dev
Original Message
Subject:[openssl.org #3016] openssl ts fix
Date: Wed, 13 Mar 2013 16:13:31 +0100
From: Peter Sylvester via RT
Reply-To: openssl-...@openssl.org
CC: openssl-...@openssl.org
Hi,
I have "we
On 03/12/2013 09:30 AM, kap...@mizera.cz wrote:
RFC 3161 is written badly. The whole text was a joke anyway.
The requester SHALL verify that the
TimeStampToken contains the correct certificate identifier of the TSA
One may conclude that openssl should simply not validate anything els
some trust anchor, but then?
what authorisation is supposed to be checked? that the
tsa is allowed to issue certs for a particular policy? (don't
yes, maybe).
if the TSKlient is able to do something non-standardized special
verification, use that o
On 03/11/2013 10:31 PM, kap...@mizera.cz wrote:
On 11.3.2013 21:42, Peter Sylvester wrote:
the second ess certid says
SEQUENCE {
OCTET STRING
52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78
EB 6C D7 AC
On 03/11/2013 08:01 PM, kap...@mizera.cz wrote:
Of course YES.
Timestamp reply is nothing else as CMS SignedData structure.
not quite but ts -reply -tokenout converts it to such a thing
the second ess certid says
SEQUENCE {
OCTET STRING
52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78
EB 6C D7 AC
}
by 3721926ea67e877df5f4e35dd3c87397eef33d4f
is the hash of the der version of the intermediate
On 03/11/2013 06:43 PM, kap...@mizera.cz wrote:
Hello,
...
As I know, the attr. certs are not very necessary => that is why I mean, that temporary solution
would be to ignore them in verification process. At least in TS it would solve the problem.
Just for info: converting the stuff to pk
*
<http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations#Protocol_Support>
BR
Peter
2013/3/7 Arashad Ahamad
> Hi,
>
> is there any idea that openssl support TLSv1.2?
>
>
>
> Regards
> Arashad Ahamad
>
>
> *Arashad Ahamad/India/IBM*
>
>
Ordering is important. unfortunately the default order shown in the textual
form is not the same as for ldap tools. using openssl asn1parse shows
the encoding, country code should come first.
On 01/17/2013 12:10 PM, A G wrote:
Hi
Here
http://marc.info/?l=openssl-users&m=124386218929227
It states that
"...This is why it is very important to understand that any possible forward
progress on any port (and a write operation that returns WANT_READ may have made forward
progress!) require
On 12/11/2012 09:45 PM, Michael Mueller wrote:
Could I get a nudge. I'd like to get the SANs to show up in my certs.
in my request:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiati
On 12/07/2012 11:05 AM, LN wrote:
> I have a feeling it does so because I tried to save that returned
> EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it
> back from the same file with PEM_read_bio_PrivateKey.
> Saving worked, but loading failed (with some decoding error
nable to load Public Key.
Error in rsautl"
Could you give me some examples of how you would use CMS or, just use these
utilities properly, to achieve what I'm trying to do.
I really appreciate your help.
Thanks,
Peter
On Tue, Nov 20, 2012 at 10:17 PM, Dave Thompson wrote:
> >F
On 11/07/2012 06:52 PM, Graham Leggett wrote:
On 07 Nov 2012, at 4:50 PM, Ted Byers wrote:
Why does it need to be something in openssl?
Ideally because it needs to be as secure as openssl.
I'm after an accurate time duration between two ASN1_TIME values, that is not
dependent on local condi
The way how common names are verified in
The Most Dangerous Code in the World:
Validating SSL Certificates in Non-Browser Software
is not correct.
It gives a false match when there is more than one common name ava
On 10/27/2012 02:51 PM, Graham Leggett wrote:
Section 4.1 says:
Encoding considerations: will be none for 8-bit transports and most
likely Base64 for SMTP or other 7-bit transports
What I'm after is how to interpret section 4.1 in the context of HTTP content
negotiation.
Regards,
Graham
On 08/09/2012 12:57 PM, int0...@safe-mail.net wrote:
Hi
...
After that I generated a CRL (I own the CA) which then contained the
certificate with the serial 0x06.
My question now is, would that be a proper workaround or is there a better
solution? Since the CRL
only contains the serial numb
You can take the code in apps/req.c and extract the pieces you need.
On 07/20/2012 10:17 AM, Abyss Lingvo wrote:
Hi all!
How to create certificate request programmatically via OpenSSL API?
This is the solution for command line utility:
openssl genrsa -out server_key.pem -passout pass:$passwd
On 07/10/2012 02:38 AM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Sandro Tosi
Sent: Monday, 09 July, 2012 10:15
/usr/bin/openssl ts -verify -sha256 -untrusted -CAfile
-data -in
and the output we get is:
140119872083624:error:2F06D064:time stamp
routines:TS_VER
Hrm, I've worked out why this was failing with 1.0.1c; the symlink for the
VeriSign Class 3 G5 root was missing from that repo's CApath. This doesn't
entirely explain why the same exact sequence of commands verifies
successfully on a machine with openssl 0.9.8o...
On 9 July 20
.0.1c, it gives:
# twitter.com.results_1.pem: C = US, O = "VeriSign, Inc.", OU = VeriSign
Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN
= VeriSign Class 3 Extended Validation SSL CA
# error 20 at 1 depth lookup:unable to get local issuer certificate
--
Peter
I am out of the office until 07/16/2012.
I'm out of the office until July 16th, 2012. I will have limited network
access but will likely be checking for urgent emails daily. If you have
questions about any of the following projects, please contact those listed
below. For all other questions
On 07/02/2012 10:34 AM, Johannes Bauer wrote:
Hi list,
I have a rather simple question regarding X.509 subjects that is not
entirely clear to me and for which I cannot find the appropriate
reference (pointers greatly appreciated). The trouble starts when trying
to compare two subjects of *differ
On 06/29/2012 09:29 PM, Sukalp Bhople wrote:
Hello,
I am trying to measure server performance for client certificate verification.
However, there is no significant difference in the server performance when I send one certificate
and condition when I send chain of 10 certificates.
I am aware
On 06/05/2012 07:14 PM, DRings wrote:
I've spent too much time trying to figure out something that is probably well
known here.
I have a restricted community application that seems a perfect fit for using
openssl to self-generate our own CA, and self-sign it, and self-generate our
own web client
some new line -> CRLF conversion may have hit.
On 06/04/2012 04:29 PM, Ken Goldman wrote:
A typical openssl user error is treating binary data as text. Random
numbers are not text until you convert them with -hex.
My guess is that Windows is treating some binary character specially,
and this
Are you combining version 1.0.1 and 1.0.0 ?
> From: salatiel.fi...@gmail.com
> Subject: Can not enable via padlock
> Date: Wed, 30 May 2012 20:26:45 -0300
> To: openssl-users@openssl.org
>
> I am trying to test via padlock using 'openssl speed -engine padl
On 05/18/2012 06:03 AM, kthiru...@inautix.co.in wrote:
Team,
Had a query in the certs that we load,
The CA's provide our certs in .p12 format, which we need to convert to a .pem and load to SSL
structure during initialization.
On converting to .pem, it is in the following format, "Private Key
On 05/14/2012 02:59 PM, marek.marc...@malkom.pl wrote:
Hello,
$ openssl version
OpenSSL 1.0.0 29 Mar 2010
$ openssl ciphers -V
For SRP one should use the 1.0.1 version.
openssl version
OpenSSL 1.0.1 14 Mar 2012
openssl ciphers SRP
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CB
Yes, it can probably be parsed by any ASN.1 parser. But the OID is
private - only the organization knows how to interpret it (or what to
do with it).
private/public in this context refers to governance/ownership
not to "visibility". if the organisation documents the any interested
party can int
ike step-by-step instructions).
... instead of ln -s you can create a copy ...
for more detailed instruction, I can charge you 100EUR per line. :-)
...
... Just put all the CA certificates into one file and remove the
SSLCACertificatePath
and just keep the
SSLCACertificateFile
Thank
On 04/26/2012 03:58 PM, Tammany, Curtis wrote:
I don't see this as an Apache issue. The site has required client certs for
years now and Apache was configured to require client certificates.
I have intermediate DOD certs on the server but OpenSSL sees my DoD Root
certificate as un-trusted self
s file with a newer version from
openssl-1.0.1-stable-SNAP-20120420.tar.gz (or a later snapshot).
--
Peter Heimann
On 04/04/2012 02:51 PM, brajan wrote:
I am using openssl 0.9.8g version .
i convert the PEM certificate file to X509 format and try to read the key
usage value .
Keyuage =lCertificate->ex_kusage ;
Some time the keyusage = 128
Some time Keyusage is 0 for the same certificate . why this problem o
penssl is not charged to read files, make network
requests or whatever.
Peter
TIA
-- Christian Weber
On 03/08/2012 11:05 PM, David Holmes wrote:
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Openssl 0.9.8h works just fine though.
Is this a known issue?
try beta3, should work better.
On 03/08/2012 11:05 PM, David Holmes wrote:
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Isn't it the client after the serverhello response?
you might want to add -debug and -msg to see
On 03/08/2012 11:05 PM, David Holmes wrote:
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Openssl 0.9.8h works just fine though.
Is this a known issue?
127.0.0.1 is not a valid serverna
On 02/23/2012 10:49 AM, Ashok C wrote:
Hi,
What would be the most efficient and easiest way to distinguish a CA certificate from an actual
server/client(end entity) certificate?
We were thinking of identifying the CA with the "CA:TRUE" constraint from the text display, but
again this check doe
years ago and the contents replaced by the
domain name reseller. Since the original author, Jeremy Mates, placed the
documents in the public domain, they are available online again in one
collection at this new site.
cheers,
Peter N. Steinmetz
"non-ambiguous".
besides that, I would also investigate your need for a custom extension,
if you use it for 'identity', then use a subjectAltname for example
if you use it for some kind of attribute based authorisation, well,
scapi/RSASignature.html)
Is there any way to do that with openssl?
--
Peter
an excerpt from rfc 5054 paragraph 3.3
If an attacker learns a user's SRP verifier (e.g., by gaining access
to a server's password file), the attacker can masquerade as the real
server to that user, and can also attempt a dictionary attack to
recover that user's password.
An atta
oes that help?
btw: if your server needs non blocking behaviour (even if no),
and you need time to lookup a credential (a verifier) in a database,
you can indicate in your callback to interrupt the accept call
(in blocking and non blocking mode) and repeat the accept as
soon as the data are th
On 01/07/2012 02:01 AM, Ken Adler wrote:
I use echo GET | openssl s_client -connect www.google.com:443 -state to
troubleshoot https handshakes.
Is there a way to get it to return the Serial number (or thumbprint) of the
server certificate?
openssl s_client -connect www.google.com:443 2>&1|
On 12/14/2011 01:33 PM, rey sebastien wrote:
Hello users :)
I have some problem with nested subdomain and wildcard openssl certificate.. perhaps this is
because the subdomain type is : site1.parisgeo.cnrs.fr, or site2.parisgeo.cnrs.fr, or other
subdomain like .parisgeo.cnrs.fr
When i cr
I know. that's why i'm looking for a way, where I can provide it in some
way other than needing to interact with system.
2011/11/29 Curt Sampson
> On 2011-11-29 04:15 +0100 (Tue), Peter wrote:
>
> > It generally works, but after the command above is sent, i have to typ
yfile ca.key -cert ca.pem -revoke 04.pem
It generally works, but after the command above is sent, i have to type in
pass phrase manually. I need it to be done automatically. Is there any way
to achieve this? I looked through manual but didn't find any information on
how and if this could be done.
Regards,
Peter
On 11/10/2011 12:47 PM, Rajib Karmakar wrote:
Hi,
I am using OpenSSL version 1.0.0e and want to create a certificate
store using DER and PKCS12 formatted certificates.
I have to read and convert DER and PKCS12 certificates into X509
object and add them into X509_STORE.
But if PEM, DER and
On 10/25/2011 05:15 AM, Norm Green wrote:
Hello Experts,
I'm new to OpenSSL so please bear with me.
I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1
snapshot to create secure connection using SRP without using any certificates.
I am aware 1.0.1 is not yet released, b
On 09/19/2011 04:29 PM, ubuntuv wrote:
Thanks Jacob.
Output of
#less evalRootCertificate.cer
-BEGIN CERTIFICATE-
MIICBDCC.MVWn1dH/IzvUWbQ==
-END CERTIFICATE-
I even tried removing the following file lines
-BEGIN CERTIFICATE-
-END CERTIFICATE-
# ope
nssl system
wide (prefix=/usr) but still no luck. Could you help me to understand
what am I doing wrong? Is there any way to debug what openssl loads from
configuration file and how it parses that?
Thank you in advance for any pointers,
--
Peter.
HOME= .
RANDFILE
On 09/08/2011 04:31 PM, Dominik Oepen wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08.09.2011 11:49, Peter Sylvester wrote:
On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
On Wed, Sep 07, 2011, Dominik Oepen wrote:
Are these OIDs by chance the ones described in ticket
On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
On Wed, Sep 07, 2011, Dominik Oepen wrote:
Are these OIDs by chance the ones described in ticket 1794?
you might want to read the description of the -extfile parameter of the x509
command
an excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh available at
curl.haxx.se
$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key
-out $PREFIX-sv.csr
$OPENSSL rsa -in $