On 8/16/2019 9:34 AM, Erwann Abalea via openssl-users wrote:
> Remove the 2 Netscape extensions, they're way obsolete (don't know why
> OpenSSL keeps them by default).
>
Is there a preferred alternative to the "Netscape Comment"? That seems
like a useful attribute, and I don't find anything more
On 8/16/19 12:34 PM, Erwann Abalea wrote:
Bonjour,
Having a critical extension adds 3 octets (the BOOLEAN tag, length=1,
value=0xff). It may, as a side effect, enlarge the number of octets necessary
to encode some structure size.
Remove the 2 Netscape extensions, they're way obsolete (don'
Bonjour,
Having a critical extension adds 3 octets (the BOOLEAN tag, length=1,
value=0xff). It may, as a side effect, enlarge the number of octets necessary
to encode some structure size.
Remove the 2 Netscape extensions, they're way obsolete (don't know why OpenSSL
keeps them by default).
If
Viktor,
On 8/16/19 8:41 AM, Viktor Dukhovni wrote:
On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users
wrote:
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark
subjectAltName as non-critical"
This is wrong. When the subject DN is empty, the subjectAl
> On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users
> wrote:
>
> subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD
> mark subjectAltName as non-critical"
This is wrong. When the subject DN is empty, the subjectAltName should be
marked as critical. IIRC s
On 8/16/19 7:58 AM, Salz, Rich wrote:
In the same paragraph, the sentence before the one you're quoting says "If the
subject field contains an empty sequence, then the issuing CA MUST include a
subjectAltName extension that is marked as critical."
I will run another test today an
>In the same paragraph, the sentence before the one you're quoting says "If
> the subject field contains an empty sequence, then the issuing CA MUST
> include a subjectAltName extension that is marked as critical."
>It's not possible to have a missing subject name in a certificate, t
Bonjour,
In the same paragraph, the sentence before the one you're quoting says "If the
subject field contains an empty sequence, then the issuing CA MUST include a
subjectAltName extension that is marked as critical."
It's not possible to have a missing subject name in a certificate, the field
On 8/15/19 4:13 PM, Salz, Rich wrote:
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark
subjectAltName as non-critical"
Fine with me.
I can believe that OpenSSL doesn't support empty subjectName's. An empty one,
with no relative distinguished name compone
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD
mark subjectAltName as non-critical"
I can believe that OpenSSL doesn't support empty subjectName's. An empty one,
with no relative distinguished name components, is not the same as not present.
There are a number of things I am not clear on, and so far my searching
and reading is coming up short.
If there is no subjectName, only subjectAltName, is the subjectName
still present in the cert only empty or is it totally gone.
I have found that if I put
-subj /
in the openssl req, I en
Hello,
I inherited the code for web-server like server that I need to
maintain. It is setup that when you request a certain URL, the server
will renegotiate and request a client certificate. They said it worked
when they use OpenSSL 0.9.8, but we are seeing issues with 1.0.2l. When
it does
Hi,
Ok, thanks!
Jim
On Wed, 5/4/16, Salz, Rich wrote:
Subject: RE: [openssl-users] Problems with ""sequencing" of FakeBasicAuth vs.
Require using client certs for Authentication
To: "o haya" , "openssl-users@openss
> [My apologies for this cross-post, but I think that I realized after I posted
> this
> on the Apache mailing list that it might be more appropriate here, as
> "SSLOptions +FakeBasicAuth" is under mod_ssl...]
The apache mailing list(s) are probably a better forum
--
Senior Architect, Akamai T
Hi Dave,
Thanks for your ideas and response. Especially the explanation of CApath;
very informative.
You're right, I'm on version 'g' not 'n'. I'd say it was a typo, but I
really thought I was on 'n'. ;)
-Chris
On Fri, Feb 3, 2012 at 4:48 PM, Dave Thompson wrote:
> > From: owner-open
> From: owner-openssl-us...@openssl.org On Behalf Of Chris
Satterthwaite
> Sent: Friday, 03 February, 2012 15:55
> I am using OpenSSL to run through a sizable number of web server
> connections (~500), and tell me which certs are getting ready to expire.
> My utility has worked
I love this toolset; definitely value-add for the community!
I am using OpenSSL to run through a sizable number of web server
connections (~500), and tell me which certs are getting ready to expire. My
utility has worked for a while (a couple years?) on 1.0.0 Beta3, and I
recently upgraded to 1.0.
Thanks for the help guys ...the last thing that was missing was
actually an infrastructure problem :)
So - working now :)
cheers
--
Torsten
__
OpenSSL Project http://www.openssl.org
User Support M
On Mon, Nov 27, 2006, Torsten Curdt wrote:
> >> ssl_err = SSL_connect(hr->ssl);
> >> if (ssl_err < 0)
> >> {
> >> error_printf("Hard error %d on SSL_connect for fd %d\n",
> >> ssl_err, event->fd);
> >>
> >> I always get a -1 return code and the password callback is not ge
Try SSL_CTX_use_PrivateKey_file() to load private key
(and I suggest SSL_CTX_check_private_key() to check
private key to certificate compatibility).
Well, I thought for PEM SSL_CTX_use_certificate_chain_file() would
also load the private key (thought I read that somewhere) ...anyway.
When I use
Hello,
> I am trying to add client certificate support to Daquiri which is
> using openssl for https connections already.
>
> http://omniti.com/~jesus/projects/
>
> So before creating the SSL with SSL_new I am loading our client
> certificate CA's certificate chain into the context with:
>
>
Hi there,
I am trying to add client certificate support to Daquiri which is
using openssl for https connections already.
http://omniti.com/~jesus/projects/
So before creating the SSL with SSL_new I am loading our client
certificate CA's certificate chain into the context with:
int load_client
On Sat, Nov 15, 2003 at 06:40:26PM -0500, David wrote:
> What kind of voodoo is required to get a client to send a cert?
>
> Both client and server are calling SSL_CTX_use_certificate_file() and
> SSL_CTX_use_PrivateKey_file(), and the server is calling
> SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NUL
Message-
From: theoharis tsenis [mailto:[EMAIL PROTECTED]
Sent: 22 July 2003 21:26
To: [EMAIL PROTECTED]
Subject: Client certs
Hi,
I am trying to use openssl under mysql. I finally compile everything
and they look ok. At the PC of the mysql-server I create a
signed-certificate for the server
Hi,
I am trying to use openssl under mysql. I finally compile everything and they look
ok. At the PC of the mysql-server I create a signed-certificate for the server and a
signed-certificate for a client. When I connect to the mysql from the console of the
PC everything works fine. But when
Chandrasekhar R S wrote:
Dear Ebell & All,
Indeed what you said is true.
I copied the newly created self signed cert to the bundle of CA lists the
server would accept, and the connection goes through fine.
Now, then I am to make my own private CA and then create a certificate
signed by my pri
done.
Thanks again
rsr.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Gotz Babin-Ebell
Sent: Wednesday, February 12, 2003 10:38 PM
To: [EMAIL PROTECTED]
Subject: Re: are server certs different from client certs
Hello,
Chandrasekhar R S wrote:
>
Hello,
Chandrasekhar R S wrote:
Hi all,
I have created a certificate using the following sequence of calls :
X509_new()
RSA_generate_key()
X509_set_version(cert,3)
ASN1_INTEGER_set(X509_get_serialNumber(cert),0)
X509_gmtime_adj(X509_get_notBefore(cert),0);
X509_gmt
Hi all,
I have created a certificate using the following sequence of calls :
X509_new()
RSA_generate_key()
X509_set_version(cert,3)
ASN1_INTEGER_set(X509_get_serialNumber(cert),0)
X509_gmtime_adj(X509_get_notBefore(cert),0);
X509_gmti
On Mon, Feb 10, 2003, Chandrasekhar R S wrote:
> It seems I have not explained myself ably.
>
> I completly understand that Private Keys should and would never be sent
> across.
>
> But assume that you are going through a proxy using SSL. And the proxy has
> no capability to verify the certs.
ween proxy and the backend server.
>
> thanks to all of you,
> rsr.
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Helm
> Sent: Monday, February 10, 2003 1:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Tunne
d the backend server.
thanks to all of you,
rsr.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael Helm
Sent: Monday, February 10, 2003 1:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Tunneling Client Certs
> > I have the followi
On Mon, Feb 10, 2003 at 02:25:31AM +0100, Dr. Stephen Henson wrote:
> Well for S/MIME enveloped data you can add additional certificates whose owner
> (i.e. the entity with access to the private key) can decrypt. Many S/MIME
> clients automatically make the message readable by the recipient (its sil
On Mon, Feb 10, 2003, Jason Haar wrote:
> All this talk about trying to gateway client certs has got me thinking
> about something I saw last week in the PGP-8.0 docs.
>
> They have this concept of "additional decryption keys". Apparently you
> can configure PGP so tha
All this talk about trying to gateway client certs has got me thinking
about something I saw last week in the PGP-8.0 docs.
They have this concept of "additional decryption keys". Apparently you
can configure PGP so that even though you are the only one with your
key-pair, when you
> > I have the following scenario -
> >
> > Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
> >
> > The requirement is to pass the Client Cert to the Backend server.
> If you could do that then anyone who had access to a certificate
> (for example the recipient of signed emai
On Sat, Feb 08, 2003, Chandrasekhar R S wrote:
> I have posted a similar message earlier. Hoping to convey self better and
> get some help this time around.
>
> I have the following scenario -
>
> Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
>
> The requirement is to pa
* Chandrasekhar R S ([EMAIL PROTECTED]) wrote:
>
> My question is, "Is it possible to just give a Cert for an SSL connection
> (like giving SSL_use_certificate()) without a corresponding
> SSL_use_PrivateKey(..) call made, and expect SSL to somehow generate its own
> keys but take our certificate?
I have posted a similar message earlier. Hoping to convey self better and
get some help this time around.
I have the following scenario -
Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
The requirement is to pass the Client Cert to the Backend server.
I could extract the C
On Wed, Jan 22, 2003 at 02:36:16PM +0530, Chandrasekhar R S wrote:
> Hello Vadim,
>
> > Localized Scenario : Proxy Client -- Backend Server
> > 5. The requirement is, Proxy Client should be presenting
> >"CLIENT CERT" to the backend server.
>
> Yes, it can
Hello Vadim,
> Localized Scenario : Proxy Client -- Backend Server
> 5. The requirement is, Proxy Client should be presenting
>"CLIENT CERT" to the backend server.
Yes, it can "present" it somehow
RSR : I am in search of this "somehow".
Could it b
he confusion. I hope, I had been clearer than earlier.
>
> with thanks and regards,
> rsr.
best wishes,
Vadim Fedukovich
consulting and software development
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Vadim Fedukovich
> Sen
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Vadim Fedukovich
Sent: Monday, January 20, 2003 2:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Proxy'ing client certs
On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> I have already posted the following on
On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> I have already posted the following on the lists under "Proxy'ing client
> certs" thread.
> Could not see the posting, hence re-posting.
> -
I have already posted the following on the lists under "Proxy'ing client
certs" thread.
Could not see the posting, hence re-posting.
-
My understanding had been the following :
Client Proxy Server -
On Fri, Jan 10, 2003 at 02:57:12PM +0530, Chandrasekhar R S wrote:
> I have the following scenario -
>
> client-Proxy - server.
> SSLClient - SSLServer | SSLClient - SSL Server.
>
> It is my intent to pass on the clients c
I have the following scenario -
client-Proxy - server.
SSLClient - SSLServer | SSLClient - SSL Server.
It is my intent to pass on the clients certificate to the server for
verification and acceptance.
Since, the connect
an [mailto:eweitzman@;acm.org]
Sent: Sunday, October 27, 2002 09:09
To: [EMAIL PROTECTED]
Subject: IIS5 client certs
Does anyone know (or know where to find) the characteristics that a client
certificate should have so that IIS5 will verify the cli
Does anyone know (or know where to find) the characteristics that a client
certificate should have so that IIS5 will verify the client?
Thanks,
- Eric
ring in the
"req_distinguished_name" section of my cfg file, SSL barfs.
So,
How do I specify my
own private extension names for client certs?
Thanks for your
help
--Noel
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Sarath Chandra M
Sent: Thursday, March 21, 2002 6:38 PM
To: [EMAIL PROTECTED]
Subject: reg. CA expiry/renewal and effect on Client certs
Hi,
We have a CA certificate and Client certificates
Hi,
We have a CA certificate and Client certificates generated using
openssl. All configurations are default ones. My doubt is if/when the CA
expires and I renew/extend its life, will the Client certificates get
affected in anyway. In our case, the Client certificates are stored in
hardware
Hi,
I am using Activestate Perl ( 5.006001).
I have openssl 0.9.6b (not properly installed, but files copied as directed in the
installation readme for win32 environment - and openssl works).
I have installed Crypt::SSLeay 0.17.1 using PPM .
I need to write a code to connect to a secure web s
A; both must be available to verify the chain, if memory
serves me correctly.
/s.
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 06, 2000 1:43 PM
Subject: Self Signed Company CA Root --signs--> Project CA --signs-> Server
a
[EMAIL PROTECTED] wrote:
>
> I'm having a bitch of a time getting client verification to work.
>
> I've got the root CA cert, project CA cert, and server and client certs (keys
> with passphrase removed) all in pem encoded format. I've done the following
I'm having a bitch of a time getting client verification to work.
I've got the root CA cert, project CA cert, and server and client certs (keys
with passphrase removed) all in pem encoded format. I've done the following.
1.Created a new mod_ssl instance of apache
2.Set
Hi,
Thanks for your help. Pls excuse my poor English.
What I want do is to use openssl to sign certs that can be accepted
correctly both by netscape and IE.
The usual routines of my tests are as follows:
1.use openssl ca to sign a PKCS req or sign a SPKAC file.
2.use some S/MIME to load the gene
modssl maybe, yeah I think that will do it :)
> -Original Message-
> From: Yuji Shinozaki [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 12, 2000 3:17 PM
> To: [EMAIL PROTECTED]
> Subject: Apache mod to require client certs?
>
>
>
> I know one can do t
I know one can do this via a cgi-bin, but does anyone know of an
apache module that authenticates via client certs?
yuji
Yuji Shinozaki Computer Systems Senior Engineer
[EMAIL PROTECTED] Advanced Technologies Group
(804)924-7171
Hello,
Does anyone know what is the mime type entry for the apache´s
mime.types file? and in what format must be the certs pkcs12, der,
pem?
The entry for CA cert is
'application/x-x509-ca-cert cct cert der', some
time ago I saw that for clients what something similar but ending in '...
David Peele wrote:
>
> We have a very perplexing problem...
>
> Everything is fine so far ... BUT, when they visit the site which requires
> client certificates, Netscape crashes. Looking at the apache/mod_ssl trace
> logs it appears that the initial SSL handshake completes. The server then
>
We have a very perplexing problem...
We are implementing a CA (using OpenSSL 0.9.4, apache 1.3.9, and
mod_ssl-2.4.10-1.3.9) and our users are using Netscape 4.51 (no upgrade
option currently exists for them). They can successfully generate a
certificate request which is delivered to our CA which
Bill Price wrote:
>
> I ran into this same problem under a slightly different scenario. I had a
> key pair and cert that were issued from a NS cert server. The cert had a
> short validity period and expired. Rather than generate new keys I reissued
> a certificate using the CA. I too found out th
Steve,
Many thanks for your informed (as usual!) reply. Indeed we
are using Xenroll.
Since we store the Client CertReqs, we just thought it would
be neat to be able to re-issue the client certs on the spot in
case we needed to replace the root CA cert.
As I said, this stuff works with NS
just create one on a PC and have the
client import it. Will that even work??? Is there another way to
create client certs with IE other than xenroll?
Shawn K. Tagseth
BBM Bureau Of Measurement
(416)445-9800x2075
I am having problems importing certificates into Netscape running on
Windows, even though the certificate will import fine with the same
version of Netscape running on X. Any ideas? (Actually it doesn't import
into IE either, but I figure one problem at a time)
Currently I have nsCertType com