Re: Can't get my CRL to work on my OpenSSL client

On Wed, Jul 30, 2014 at 5:54 PM, dave paxton wrote: > ... > They were thinking that the problem from the recent random number issue > is a real problem in older 32 bit systems. ... One suggestion is they > used a get milli command to fill the 64 bits. I thought that was > silly. So I thought I

Re: Can't get my CRL to work on my OpenSSL client

Thanks Steve, I have been having a discussion with some friends of mine on this. They were thinking that the problem from the recent random number issue is a real problem in older 32 bit systems. I was thinking it is not as bad as they are thinking. Since I was looking into this with the old

RE: Can't get my CRL to work on my OpenSSL client

the crl, but I loop through every .pem file in the /etc/ssl/crls directory and read in each one(successfullly). > Date: Wed, 30 Jul 2014 23:44:45 +0200 > From: st...@openssl.org > To: openssl-users@openssl.org > Subject: Re: Can't get my CRL to work on my OpenSSL client > >

Re: Can't get my CRL to work on my OpenSSL client

On Wed, Jul 30, 2014, Jason Schultz wrote: > OK. So as far as you're aware, there's not a way to avoid the requirement of > the combined root cert/CRL file when checking for revoked certificates? I > would prefer to just have to deal with the CRL in PEM format, but the CRL > file must always be th

RE: Can't get my CRL to work on my OpenSSL client

Yes, but "as far as I'm aware" doesn't go very far into that part of the code. See what happens when other devs (in timezones closer to GMT) reply. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

r as I can tell. Thanks for your prompt responses, by the way. From: rs...@akamai.com To: openssl-users@openssl.org Date: Wed, 30 Jul 2014 16:02:56 -0400 Subject: RE: Can't get my CRL to work on my OpenSSL client No, I was confused; when you said “append to the root cert” I thought you me

RE: Can't get my CRL to work on my OpenSSL client

No, I was confused; when you said "append to the root cert" I thought you meant copying it into the local directory. You meant literally appending it to the cert. I suppose you could create a new file with a "similar" name... -- Principal Security Engineer Akamai Technologies, Cambridge MA IM:

RE: Can't get my CRL to work on my OpenSSL client

400 Subject: RE: Can't get my CRL to work on my OpenSSL client No, I’m saying that putting the CRL’s into the local directory is okay, and OpenSSL will parse them. How you get them there is your issue J -- Principal Security EngineerAkamai Technologies, Cambridge MAIM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

No, I'm saying that putting the CRL's into the local directory is okay, and OpenSSL will parse them. How you get them there is your issue :) -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

.com > To: openssl-users@openssl.org > Date: Wed, 30 Jul 2014 15:15:51 -0400 > Subject: RE: Can't get my CRL to work on my OpenSSL client > > > However, I do have a question. Is there any way around this requirement? > > The requirement of apending the root certificate an

RE: Can't get my CRL to work on my OpenSSL client

> However, I do have a question. Is there any way around this requirement? The > requirement of apending the  root certificate and  CRL files on the client  > machine in /etc/ssl/crls? It totally depends on the client program that you are using. So, which client? The validation code won't, on

RE: Can't get my CRL to work on my OpenSSL client

It appears this is resolved already, sort of. It appears the one thing I did not try after revoking the serverCA certificate with my root was to concatenate the new CRL to the root cert on the client machine. When I did that, my client got a certificate revoked error. However, I do have a questi