Re: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jeffrey Walton
On Wed, Jul 30, 2014 at 5:54 PM, dave paxton wrote: > ... > They were thinking that the problem from the recent random number issue > is a real problem in older 32 bit systems. ... One suggestion is they > used a get milli command to fill the 64 bits. I thought that was > silly. So I thought I

Re: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread dave paxton
Thanks Steve, I have been having a discussion with some friends of mine on this. They were thinking that the problem from the recent random number issue is a real problem in older 32 bit systems. I was thinking it is not as bad as they are thinking. Since I was looking into this with the old

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
the crl, but I loop through every .pem file in the /etc/ssl/crls directory and read in each one (successfully). > Date: Wed, 30 Jul 2014 23:44:45 +0200 > From: st...@openssl.org > To: openssl-users@openssl.org > Subject: Re: Can't get my CRL to work on my OpenSSL client > >

Re: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Dr. Stephen Henson
On Wed, Jul 30, 2014, Jason Schultz wrote: > OK. So as far as you're aware, there's not a way to avoid the requirement of > the combined root cert/CRL file when checking for revoked certificates? I > would prefer to just have to deal with the CRL in PEM format, but the CRL > file must always be th

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
Yes, but "as far as I'm aware" doesn't go very far into that part of the code. See what happens when other devs (in timezones closer to GMT) reply. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
r as I can tell. Thanks for your prompt responses, by the way. From: rs...@akamai.com To: openssl-users@openssl.org Date: Wed, 30 Jul 2014 16:02:56 -0400 Subject: RE: Can't get my CRL to work on my OpenSSL client No, I was confused; when you said “append to the root cert” I thought you me

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
No, I was confused; when you said "append to the root cert" I thought you meant copying it into the local directory. You meant literally appending it to the cert. I suppose you could create a new file with a "similar" name... -- Principal Security Engineer Akamai Technologies, Cambridge MA IM:

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
400 Subject: RE: Can't get my CRL to work on my OpenSSL client No, I’m saying that putting the CRL’s into the local directory is okay, and OpenSSL will parse them. How you get them there is your issue :) -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
No, I'm saying that putting the CRL's into the local directory is okay, and OpenSSL will parse them. How you get them there is your issue :) -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
.com > To: openssl-users@openssl.org > Date: Wed, 30 Jul 2014 15:15:51 -0400 > Subject: RE: Can't get my CRL to work on my OpenSSL client > > > However, I do have a question. Is there any way around this requirement? > > The requirement of appending the root certificate an

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
> However, I do have a question. Is there any way around this requirement? The > requirement of appending the root certificate and CRL files on the client > machine in /etc/ssl/crls? It totally depends on the client program that you are using. So, which client? The validation code won't, on

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
question. Is there any way around this requirement? The requirement of appending the root certificate and CRL files on the client machine in /etc/ssl/crls? From: jetso...@hotmail.com To: openssl-users@openssl.org Subject: Can't get my CRL to work on my OpenSSL client Date: Wed, 30 Jul 2014 18:

Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
I'm having trouble figuring out how to get a CRL I created working. I'll start from the beginning, apologies for length. First, I created my own CA with OpenSSL (1.0.1h) on my server machine, consisting of 3 certificates: root -> serverCA -> server I successfully opened connections from my clien