ssl-users
> wrote:
>
> From: James <mailto:openssl-us...@natsuki.co.uk>
> To: mailto:openssl-users@openssl.org
> Subject: Re: Certificate verification with cross signed CAs
> Message-ID: <mailto:c457519e-e386-4df8-84ec-9efb7a0f9...@natsuki.co.uk>
> Content-Type: t
From: James <mailto:openssl-us...@natsuki.co.uk>
To: mailto:openssl-users@openssl.org
Subject: Re: Certificate verification with cross signed CAs
Message-ID: <mailto:c457519e-e386-4df8-84ec-9efb7a0f9...@natsuki.co.uk>
Content-Type: text/plain; charset="utf-8"
> The certif
The certificates are attached below.
The use case is client A only has ta_primary_cert.pem and client B only has ta_secondary_cert.pem
I’m trying to build a chain that the server can use (in the server hello) so that both client A and client B can successfully connect.
Since openssl verify -trusted ta
On Mon, Jul 01, 2024 at 03:54:46PM +0100, James Chapman wrote:
> I’ve been using openssl verify to check some certificate chains:
>
> server -> ca -> roota
> server -> alt_ca-> rootb
>
> Certificates ca and alt_ca have the same subject and public key and different
> issuers.
>
> openssl veri
I’ve been using openssl verify to check some certificate chains:
server -> ca -> roota
server -> alt_ca-> rootb
Certificates ca and alt_ca have the same subject and public key and different
issuers.
openssl verify -trusted roota.pem -untrusted ca.pem server.pem
openssl verify -trusted rootb.pe
Hi,
Which header file I need to include for X509 OCSP Certificate Verification. I
am getting compilation error for different structures and macros. Although, I
am including following files-
// #include
#include
#include
#include
#include
// #include
#include
) and the like as mentioned in
X509_STORE_add_cert man page or something else ?
Regards,
Michel
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Monday, March 30, 2020 23:19
To: openssl-users@openssl.org
Subject: Re: Peer certific
s again,
Jason
From: openssl-users on behalf of Viktor
Dukhovni
Sent: Monday, March 30, 2020 9:19 PM
To: openssl-users@openssl.org
Subject: Re: Peer certificate verification in verify_callback
On Mon, Mar 30, 2020 at 09:02:47PM +, Jason Schultz wrote:
> I won't get
On Mon, Mar 30, 2020 at 09:02:47PM +, Jason Schultz wrote:
> I won't get into the details of my application as it's complex, but it
> can act as a client or a server. The case we are worried about is
> obviously when it's acting as a client. I thought the standard way of
> dealing with these t
a.
Thanks.
From: openssl-users on behalf of Viktor
Dukhovni
Sent: Monday, March 30, 2020 6:17 PM
To: openssl-users@openssl.org
Subject: Re: Peer certificate verification in verify_callback
On Thu, Mar 05, 2020 at 02:04:27PM +, Jason Schultz wrote:
>
tion errors in a verify callback, if you
have a certificate store that is not directly supported by OpenSSL, you
need to implement your own custom X509_STORE type, associate that store
with the SSL_CTX and have OpenSSL's built-in certificate verification
search that store for you.
If you also
On 30/03/2020 17:01, Jason Schultz wrote:
> For example, if my client application is presented a self-signed certificate
> in the handshake, verify_callback() is called with an error, for which
> X509_STORE_CTX_get_error() returns 18/X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.
> In this case, my app
l.org
Subject: Peer certificate verification in verify_callback
I have some questions about my application’s verify_callback() function and how
I handle some of the OpenSSL errors.
For example, if my client application is presented a self-signed certificate in
the handshake, verify_callback
I have some questions about my application’s verify_callback() function and how
I handle some of the OpenSSL errors.
For example, if my client application is presented a self-signed certificate in
the handshake, verify_callback() is called with an error, for which
X509_STORE_CTX_get_error() r
On 2020-03-03 08:19, Viktor Dukhovni wrote:
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
when I tried to verify the self signed certificate in OpenSSL 1.0.2 it
is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
1.1.1 there is slight change in the beha
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
> when I tried to verify the self signed certificate in OpenSSL 1.0.2 it
> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
> 1.1.1 there is slight change in the behavior it also gives the same error,
> but
Hi,
can you please tell me more about
1) How to verify a self signed (.crt) key in OpenSSL 1.1.1?
2) Is key generated by OpenSSL 1.0.2 can be used to connect with OpenSSL
1.1.1 and vice versa?
Thanks and regards
Shivakumar
On Mon, Mar 2, 2020 at 2:36 PM Dmitry Belyavsky wrote:
> First, I recomm
First, I recommend you not to hurry up :)
Second, the validation procedures have changed between 1.0.2 and 1.1.1,
1.1.1 checks more strictly.
E.g., a self-signed certificate without "CA:TRUE" will be treated as valid
CA cert in 1.0.2 but not valid in 1.1.1
On Mon, Mar 2, 2020 at 12:01 PM shiva
Hi,
Please help me, is this an expected behavior?
On Mon, Mar 2, 2020 at 1:48 PM shiva kumar wrote:
> when I tried to verify the self signed certificate in OpenSSL 1.0.2 it
> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
> 1.1.1 there is slight change in the beha
when I tried to verify the self signed certificate in OpenSSL 1.0.2 it
is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
1.1.1 there is slight change in the behavior it also gives the same error,
but instead of OK it gives different error as "*ca.crt: verification faile
> On Dec 18, 2019, at 11:10 AM, Jan Just Keijser wrote:
>
> the short answer is no, it does not; the openssl library will let you load
> expired/invalid certificates if you do not do any explicit checks. Use a
> verify_callback and call X509_verify_cert() to check the validity.
The verify cal
On 18/12/19 09:54, Mody, Darshan Arvindkumar (Darshan) wrote:
Hi
We are using SSL_CTX_use_certificate and
SSL_CTX_use_certificate_chain_file APIs to load the certificates.
My query is when we are loading the certificate in the Context does
openssl verify the certificates for e.g. whether th
Hi
We are using SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file
APIs to load the certificates.
My query is when we are loading the certificate in the Context does openssl
verify the certificates for e.g. whether the certificate is expired already etc.
Thanks and Regards
Darshan
> On Jul 25, 2018, at 4:50 PM, Ken Goldman wrote:
>
> For background, this is the TPM 1.2 endorsement key certificate. I.e., this
> is a real application with millions of certificates issued. The key is an
> RSA-2048 key.
>
> The TCG (for a while) specified
>
> Public Key Algorithm:
On 7/25/2018 4:27 PM, Viktor Dukhovni wrote:
Yes, that's what I'm saying, but also asking the broader list for feedback
on such a change. Should security level zero succeed even with unsupported
EE keys (which somehow get used with some other software???).
For background, this is the TPM 1.2
> On Jul 25, 2018, at 3:00 PM, Ken Goldman wrote:
>
>
> If you're suggesting that altering the above code to do the level check
> before the call to get pkey, I think that would fix my problem.
Yes, that's what I'm saying, but also asking the broader list for feedback
on such a change. Sho
On 7/25/2018 10:47 AM, Viktor Dukhovni wrote:
On Jul 25, 2018, at 10:05 AM, Ken Goldman wrote:
I have a certificate with a non-standard public key algorithm -rsaesOaep. See
snippet #2.
With openssl 1.0, I can validate the certificate chain. With openssl 1.1 it
fails with the error X509
> On Jul 25, 2018, at 10:05 AM, Ken Goldman wrote:
>
> I have a certificate with a non-standard public key algorithm -rsaesOaep.
> See snippet #2.
>
> With openssl 1.0, I can validate the certificate chain. With openssl 1.1 it
> fails with the error X509_V_ERR_EE_KEY_TOO_SMALL. See dump
Seeking advice.
I have a certificate with a non-standard public key algorithm
-rsaesOaep. See snippet #2.
With openssl 1.0, I can validate the certificate chain. With openssl
1.1 it fails with the error X509_V_ERR_EE_KEY_TOO_SMALL. See dump #1.
I believe that this is due to new 1.1 code
I understand that the trusted store must include Intermediate CA 1 or
remove Intermediate CA 2 and just have the Root CA in it. I was trying
things out to understand how client authentication works.
Regards,
Sudarshan
On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <
sudarshan.t.ragha...@gma
This is the CA - Leaf hierarchy I am testing with
Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
Trusted certificates configured: Root CA and Intermediate CA 2
Client authenticates itself with this chain: Leaf > Intermediate CA 2 >
Intermediate CA 1
I am using openssl 1.1.0f. This clien
-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jan
Just Keijser
Sent: Wednesday, February 03, 2016 8:17 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate verification failure
Yan, Bob wrote:
> Thanks Jan,
>
> When I am using the CApath, I do
nssl-users] Certificate verification failure
Yan, Bob wrote:
Dear Sir/Madam,
I have an application which acting as SSL server. When the application
loads the root and intermediate CA files from a CA path, the handshake
between my application and openssl client was failed at the point when
my appli
to:openssl-users-boun...@openssl.org] On Behalf Of Jan
Just Keijser
Sent: Monday, February 01, 2016 1:04 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate verification failure
Yan, Bob wrote:
>
> Dear Sir/Madam,
>
> I have an application which acting as SSL server
Yan, Bob wrote:
Dear Sir/Madam,
I have an application which acting as SSL server. When the application
loads the root and intermediate CA files from a CA path, the handshake
between my application and openssl client was failed at the point when
my application was authenticating the client’s
Dear Sir/Madam,
I have an application which acting as SSL server. When the application loads
the root and intermediate CA files from a CA path, the handshake between my
application and openssl client was failed at the point when my application was
authenticating the client's certificate. But wh
Summary of thread so far: The latest security update enforces
that any inherently unsigned BIGNUM must be encoded as a non-
negative DER INTEGER (which has a leading 0 byte if the most
significant bit of the first byte would otherwise be set).
It is a well known historic bug that some other ASN.1
Hi Steve,
thanks a lot for your quick response and for the clarification.
> From: "Dr. Stephen Henson"
> The MSB is effectively a sign bit but the explanation in the standard
isn't
> very clear. If you take your example of GTS001.pem and do:
>
> openssl asn1parse -in GTS001.pem -strparse 367
On Tue, Feb 03, 2015, jan.w...@ptb.de wrote:
>
> This check fails for some of our certificates and the reason is that
> openssl adds a padding byte for BIGNUMs in crypto/asn1/x_bignum.c if the
> MSB is set. Our encoding does not contain these padding bytes and,
> consequently, the re-encoded v
Hi,
we have noticed that with the latest Debian wheezy-security update of the
libssl1.0.0 package suddenly the verification of some of our ECDSA-signed
certificates failed.
I've looked into this and I've traced it down to the following patch
https://github.com/openssl/openssl/commit/684400ce192
On 10/31/2014 03:24 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
>> Sent: Thursday, October 30, 2014 14:50
>
>> I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
>> I would expect the two to form a valid chain. And indeed,
> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
> Sent: Thursday, October 30, 2014 14:50
> I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
> I would expect the two to form a valid chain. And indeed,
> verification succeeds:
> ... openssl verify -CAf
Hi,
trying to build a valid certificate chain, I came across the following
problem:
I have two certificates. The first one, contained in file root_ca.pem,
is a self-signed root CA, intended to sign intermediate CA's with. The
second
one, contained in host_ca.pem, is such an intermediate CA, it
Hi,
We are switching to our own CA for in house networking. To test I've
used it to sign a server certificate and a client certificate. The
subject and issuer output for all three certificates is...
...CA:
$ openssl x509 -subject -issuer -noout -in gandalf_cacert.pem
subject=
/O=myCompany/ema
previously available fingerprint? Regards Manoj
--
View this message in context:
http://openssl.6102.n7.nabble.com/Server-Certificate-verification-against-available-fingerprint-tp46781.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
el
+1 214.770.1896 / Mobile
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dave Thompson
Sent: Friday, July 19, 2013 4:32 PM
To: openssl-users@openssl.org
Subject: RE: SSL_connect:error in SSLv3 flush data - Certif
> From: owner-openssl-us...@openssl.org On Behalf Of Michel, Audrey
> Sent: Friday, 19 July, 2013 11:41
> Thanks for the reply and good information as it helped clear
> up some misunderstanding I had. Here is some additional
> information based on your responses.
>
> -The two servers have diffe
flush data - Certificate Verification:
Error (20) when setting up replacement server
> From: owner-openssl-us...@openssl.org On Behalf Of Michel, Audrey
> Sent: Thursday, 18 July, 2013 15:24
> Subject: SSL_connect:error in SSLv3 flush data - Certificate
> Verification: Error (20) when
> From: owner-openssl-us...@openssl.org On Behalf Of Michel, Audrey
> Sent: Thursday, 18 July, 2013 15:24
> Subject: SSL_connect:error in SSLv3 flush data - Certificate
> Verification: Error (20) when setting up replacement server
Aside: the error isn't really in flush-data;
ct:error in SSLv3 flush data
write:errno=10053
..
At the end of the Apache log I see the following error (all other tags are
[debug]:
[Thu Jul 18 08:07:07 2013] [error] Certificate Verification: Error (20): unable
to get local issuer certificate
[Thu Jul 18 08:07:07 2013] [debug] ssl_engine_kerne
: openssl-users@openssl.org
Subject: RE: server certificate verification fails
The certificate is for a client and is self signed.
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on
behalf of Dave Thompson [dthomp...@prinpay.com]
Sent
: server certificate verification fails
>From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah
>Sent: Friday, 24 May, 2013 19:48
>I add the server certificate in PEM format to the SSL store using []
>X509_STORE_add_cert(SSL_CTX_get_cert_store(pctx), x509cert);
I assume you
>From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah
>Sent: Friday, 24 May, 2013 19:48
>I add the server certificate in PEM format to the SSL store using []
>X509_STORE_add_cert(SSL_CTX_get_cert_store(pctx), x509cert);
I assume you mean to the truststore of the (or a) client, since
th
I add the server certificate in PEM format to the SSL store using the following
call.
X509_STORE_add_cert(SSL_CTX_get_cert_store(pctx), x509cert);
The SSL_get_verify_result(SSL handle); always seems to return
error code 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
Has anyone been able to g
Thanks Dave for the response.
On Wed, May 15, 2013 at 11:29 PM, Dave Thompson wrote:
> >From: owner-openssl-us...@openssl.org On Behalf Of isshed
> >Sent: Wednesday, 15 May, 2013 08:25
>
> >I have a self-signed certificate installed on a server with
> >the following extensions fields.
> >Key Usa
>From: owner-openssl-us...@openssl.org On Behalf Of isshed
>Sent: Wednesday, 15 May, 2013 08:25
>I have a self-signed certificate installed on a server with
>the following extensions fields.
>Key Usage:Digital Signature, Key Encipherment (a0)
>Basic Constraints : Subject Type=End En
Hi all,
I have a self-signed certificate installed on a server with the following
extensions fields.
=
Key Usage:Digital Signature, Key Encipherment (a0)
---
to the associated
development schedule.
This sounds like a well-defined small problem that could benefit from it
though; are there any examples around of the capi engine used to retrieve
certificates "as required" from a windows certificate store to do this kind of
certificate verificati
> From: owner-openssl-us...@openssl.org On Behalf Of Nou Dadoun
> Sent: Friday, 21 September, 2012 15:29
> Just wanted to confirm an assumption, I've got 3 x509 certificates:
>
> Root --> intermediate --> leaf
>
> I load the intermediate certificate (but not the Root
> certificate) into the x5
Just wanted to confirm an assumption, I've got 3 x509 certificates:
Root --> intermediate --> leaf
I load the intermediate certificate (but not the Root certificate) into the
x509_store and set up the verify_ctx to verify the leaf certificate.
I then use the "X509_verify_cert(verify_ctx)" func
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 19:37
>Following is the code I used at server side program.
>while (1) {
>SSL *ssl = SSL_new(ctx);
>SSL_set_fd(ssl, clientserver[1]);
> if (SSL_accept(ssl) != 1)
> break;
>result
unter code at client side. Do
you see my conclusions right?
On Fri, Jun 29, 2012 at 11:10 PM, Dave Thompson wrote:
> >From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
> >Sent: Friday, 29 June, 2012 15:30
>
> >I am trying to measure server performance for
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 15:30
>I am trying to measure server performance for client certificate
verification.
>However, there is no significant difference in the server performance
>when I send one certificat
On 06/29/2012 09:29 PM, Sukalp Bhople wrote:
Hello,
I am trying to measure server performance for client certificate verification.
However, there is no significant difference in the server performance when I send one certificate
and condition when I send chain of 10 certificates.
I am aware
On 3/7/2012 2:06 AM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Edward Ned Harvey
Sent: Tuesday, 06 March, 2012 13:18
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Mr.Rout
1) what is intermediate certificate validation
> From: owner-openssl-us...@openssl.org On Behalf Of Edward Ned Harvey
> Sent: Tuesday, 06 March, 2012 13:18
> > From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> > us...@openssl.org] On Behalf Of Mr.Rout
> >
> > 1) what is intermediate certificate validation ?
>
> When you generate
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Mr.Rout
>
> 1) what is intermediate certificate validation ?
When you generate a CSR, the CA can sign it directly, or they can sign it
via an intermediate. I'm not quite sure what's the point of the
.
Best Regards,
Mr. Rout
--
View this message in context:
http://old.nabble.com/Please-Clarify.Intermediate-certificate-verification---tp33452742p33452742.html
Sent from the OpenSSL - User mailing list archive at Nabble.com
Hi
I am using OpenSSL and writing a TLS client opening a TLS Socket. How i can
ensure that this TLS Socket also is checking the CRL for the peer
certificate. Pls let me know the API for the same and also how the path of
CRL can be indicated to the TLS socket.
Thanks in advance.
Sushil
Please can anybody help? This is kind of priority issue for me.
I have following set of certificates with X509 extensions defined for code
signing in PKCS7 format.
Root CA - Key usage (critical): Certificate Sign, CRL Sign
CVC Sub-CA - Key usage (critical): Certificate Sign, CRL Sign
CVC cert
On Mon, Aug 30, 2010, Tomás Tormo wrote:
>
> Finally, I checked the Authority Key Identifier of the EE certificate but
> it looks good to me...
>
> /[amsterdam:/test]# openssl x509 -in admesigna.cer -text
>
> keyid:B2:D2:89:54:6C:14:8E:84:CC:F4:DA:26:6A:45:9C:27:A9:5C:02:CF
>
On 30 Aug. 2010, Tomás Tormo wrote:
[...]
>[amsterdam:/morralla/ttormo/ACIndenova]# openssl x509 -in acindenova.cer
>-text
[...]
> Not Before: Dec 8 08:31:12 2006 GMT
> Not After : Dec 5 08:41:12 2016 GMT
[...]
>[amsterdam:/test]# openssl x509
Greetings
I have another problem with certificate verification. I get the same
error as always with a testing CA we created... we have issued a
certificate signed by this CA but we get the same error:
*error 20 at 0 depth lookup:unable to get local issuer certificate*
After checking if
Hello Peter Sylvester,
>>Extensions are ignored in the root.
>>Without telling what critical extensions you have, it is difficult to help.
I had some extensions set to critical in my Sub CA certificates, I have
regenerated all the sub CA certificates and now it works fine. That's right that
Regards
Scott Thomas
Diarmuid Curtin-- Diarmuid Curtin wrote :
Hi,
I am running the following test:
openssl 0.9.8b
Mod_SSL 2.0.58
I am using mod_ssl for client authentication, however, when the client
presents the certificate, the following error appears
[error] Certificate Verification: Error (34):
> I'm currently trying to integrate wpa_supplicant and OpenSSL 0.9.8k to
> authenticate to a wireless network using EAP-TLS. It seems
> like I'm failing
> on verifying the server certificate. Can anybody interpret
> the error for me
>
> error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unkno
anks!
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 7 (certificate signature
failure) depth 2 for '/CN=WiMAX Forum(R) Server Root-CA/O=WiMAX
Forum(R)/C=US'
SSL: (where=0x4008 ret=0x233)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decry
Hi All
I am using SSL_CTX_set_cert_verify_callback(ctx, callback, (void *)arg)
API to register the callback function for certificate verification.
However I need to set the mode (SSL_VERIFY_PEER) for SSL Context.
I am using below code to set mode and callback function. Is it right way
of doing
To close out this issue in the hopes that this will be of use to someone
in the future, Dr. Henson greatly helped in tracking the problem down to
a PHP extension that was calling EVP_cleanup().
"When you have a shared library using OpenSSL and multiple applications
things like algorithm tables
can duplicate the issue in a 32 bit environment.
Server log failed:
[Wed Jul 08 08:42:20 2009] [debug] ssl_engine_kernel.c(1190):
Certificate Verification: depth: 1, subject:
[Wed Jul 08 08:42:20 2009] [debug] ssl_engine_kernel.c(1190):
Certificate Verification: depth: 0, subject:
[Wed Jul 08
09] [error] Certificate Verification: Error (7):
certificate signature failure
[Tue Jul 07 15:12:27 2009] [info] [client 10.10.10.4] SSL library error 1 in
handshake (server 10.10.10.4:443)
[Tue Jul 07 15:12:27 2009] [info] SSL Library Error: 218910881
error:0D0C50A1:lib(13):func(197):reason(161)
[Tue Jul 0
09] [error] Certificate Verification: Error (7):
certificate signature failure
[Tue Jul 07 15:12:27 2009] [info] [client 10.10.10.4] SSL library error
1 in handshake (server 10.10.10.4:443)
[Tue Jul 07 15:12:27 2009] [info] SSL Library Error: 218910881
error:0D0C50A1:lib(13):func(197):reason(161)
[Tue Jul 0
: Wednesday, April 15, 2009 2:40 AM
To: Vijay Kothamasu (vikotham)
Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish Mynampati
(jmynampa); Uma Sankar Panda (upanda)
Subject: Re: Query on OpenSSL for Certificate verification
I'd be happy to, if you engage me as a contractor.
On Wed, Apr 15, 2009, Vijay Kothamasu (vikotham) wrote:
> Hi Kyle,
>
> Thanks for your valuable inputs, find my response inline.
>
>
> Then don't return from the original SSL_CTX_set_verify callback until you
> either:
> a) receive a valid OCSP response that says it's okay,
> b) receive a val
riginal Message-
From: Kyle Hamilton [mailto:aerow...@gmail.com]
Sent: Tuesday, April 14, 2009 7:57 AM
To: Vijay Kothamasu (vikotham)
Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish Mynampati
(jmynampa); Uma Sankar Panda (upanda)
Subject: Re: Query on OpenSSL for Certific
On Mon, Apr 06, 2009 at 11:56:15PM -0700, Kyle Hamilton wrote:
> Third, the
> entire point of X.509 is to allow for clients to have all the
> information they need to verify certificates in the absence of an
> online authority.
This said, it is now widely understood that this particular "entire p
.
>
> Regards
> Vijay
>
> -Original Message-
> From: Kyle Hamilton [mailto:aerow...@gmail.com]
> Sent: Tuesday, April 14, 2009 7:57 AM
> To: Vijay Kothamasu (vikotham)
> Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish
> Mynampati (jmynamp
[mailto:aerow...@gmail.com]
Sent: Tuesday, April 07, 2009 12:26 PM
To: openssl-users@openssl.org
Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu (vikotham)
Subject: Re: Query on OpenSSL for Certificate verification
This is a protocol called OCSP, with its "designated resp
12:26 PM
> To: openssl-users@openssl.org
> Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu (vikotham)
> Subject: Re: Query on OpenSSL for Certificate verification
>
> This is a protocol called OCSP, with its "designated responder" mechanism.
>
> If you want
This is a protocol called OCSP, with its "designated responder" mechanism.
If you want to implement it, call the OCSP functions with the DR
address and the fields that OCSP needs during the SSL_CTX_set_verify()
callback invocation; if you really need to, create two separate
SSL_CTX contexts, one o
Hi,
I am just wondering if there is a way to realize the following scenario
with the help of OpenSSL libraries, here is the brief explanation in
this regard.
-
I have a client and Server who need to setup a secure connection using
TLS/SSL. But as part of handshak
Hi all,
I've already asked here about similar thing before, but as things got
a little clearer now (I've read through a load of docs and code...), I
guess I can formulate my question a little better now.
My problem is, roughly, this:
- I got some CA certificates loaded in the memory (say, in STAC
c/ssl/cacert.pem , after this i'm still getting these
> warnings in mail.log:
>
> > Jan 10 00:41:58 mail postfix/smtp[10404]: certificate verification failed
> > for smtp.myisp[111.222.222.999]:587: untrusted issuer
> > /C=NO/O=MyISP/CN=MyISP Certification Authority/e
postfix configuration i have:
smtpd_tls_CApath = /etc/postfix/CA/
and i have my selfsigned CA cert on itself in
/etc/postfic/ssl/cacert.pem , after this i'm still getting these
warnings in mail.log:
> Jan 10 00:41:58 mail postfix/smtp[10404]: certificate verification failed for
>
On Fri, Dec 12, 2008, Raphael wrote:
> Hi all,
>
>
>
> I am setting up a CA and a reverse proxy https with Squid filtering access
> to the backend web site.
>
> I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3)
> servers. I manage to verify the sha256 protected certificate
Hi all,
I am setting up a CA and a reverse proxy https with Squid filtering access
to the backend web site.
I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3)
servers. I manage to verify the sha256 protected certificate on both
computers using :
openssl verify -CAFile /ro
Hi all,
Actually we have one CA certificate is provided by service server (That is
root certificate in .pem format and .crt format). I used that certificate to
verify the peer. I got unknown CA. I saw that certificate was coming from
service server having thawte CA and having issuer and subject i
On Mon, Oct 20, 2008, Matthew Franglen wrote:
> Issue:
>
> The openssl s_client utility is unable to display the server certificate if
> the server certificate fails verification. Since the server certificate may
> be desired irrespective of the verification status it should be possible to
> di
Dear Sir,
I am not sure that this is the correct place to post this, but I can
find no official bug mailing list, and my searches of your archive do
not reveal a solution to this issue.
Issue:
The openssl s_client utility is unable to display the server certificate
if the server certificate
Hi People,
I am using a trusted-roots file with Digital Certificates for various
servers.
But I am unable to connect to one of these servers.
The error I see is:
X509_V_ERR_CERT_UNTRUSTED
Any ideas on what could be wrong?
regards,
Sugandh