Hi,
On 30/06/21 15:22, Paulo Wollny wrote:
Hi,
thank you for the answer.
can you please point the right direction for solution, please?
try
http://httpd.apache.org/userslist.html
Regarding the "look suspicious - it means your client is connecting
from 127.0.0.1 and your server is also li
Hi,
thank you for the answer.
can you please point the right direction for solution, please?
Regarding the "look suspicious - it means your client is connecting from
127.0.0.1 and your server is also listening on 127.0.0.1 ; is this
really what you have in mind? " i'm testing on my local syst
Hi,
On 30/06/21 00:23, Paulo Wollny wrote:
Dear @ll
My environment:
OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, i get the
following error when pr
Hmm ok I get it.
So, to be able to get the fingerprint for the used certificates during a
TLS handshake is possible by using the SSL_set_verify callbacks in the
application or is the mentioned postfix useful for this purpose?
On Mon, Mar 15, 2021 at 12:23:54PM +0100, Robert Ionescu wrote:
> I already found the callbacks for the verification process and I am
> still trying to figure it out if it is possible to change them in a
> way that they will print some certificate information to determine
> which certificate was u
I already found the callbacks for the verification process and I am still
trying to figure it out if it is possible to change them in a way that they
will print some certificate information to determine which certificate was
used?
On Fri, Mar 12, 2021 at 09:06:57AM +0100, Robert Ionescu wrote:
> With "wrong" certificate I meant "invalid certificate". So the idea
> was in a bigger environment with a lot of certificates, to make the
> invalid certificate debugging easier by getting more information from
> openssl to identify
Thu, Mar 11, 2021 at 8:40 PM Michael Wojcik <
michael.woj...@microfocus.com> wrote:
> > From: openssl-users On Behalf Of
> Viktor
> > Dukhovni
> > Sent: Thursday, 11 March, 2021 10:39
> > To: openssl-users@openssl.org
> > Subject: Re: Client certificate a
> From: openssl-users On Behalf Of Viktor
> Dukhovni
> Sent: Thursday, 11 March, 2021 10:39
> To: openssl-users@openssl.org
> Subject: Re: Client certificate authentication
>
> > On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
> >
> > I am searchi
If he's trying to muck with the library, he's probably struggling with a
precompiled binary he doesn't have the source code to.
-Kyle H
On Thu, Mar 11, 2021, 11:48 Viktor Dukhovni
wrote:
> > On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
> >
> > I am searching for the functions in openss
> On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
>
> I am searching for the functions in openssl used to verify the clients
> certificate when using mutual authentication.
The same code verifies peer certificate chains, whether client or server.
> My intention is to find a way to log a w
> From: Vincent Truchsess - rockenstein AG
> Sent: Friday, 4 December, 2020 08:59
>
> That would be the ideal solution. The problem is that the customer's
> security-policy demands dedicated hardware performing IDS/IPS functionality
> at the point of TLS-termination. The devices at hand do not
> From: openssl-users On Behalf Of Vincent
> Truchsess - rockenstein AG
> Sent: Friday, 4 December, 2020 04:27
>
> The organization legally responsible for the application maintains a
> blocklist of certificate serials they consider to be invalidated. Also, this
> organization does not bother to g
I managed to solve my problem.
I just needed to add path to crl file into my squid config
(crlfile=/root/sslCA/crls/crl.pem) and now when connecting with revoked
certificate I get a message that certificate was revoked and no connection
to backend server is established.
Yuriy
KoloboK wrote:
>
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 19:37
>Following is the code I used at server side program.
>while (1) {
>SSL *ssl = SSL_new(ctx);
>SSL_set_fd(ssl, clientserver[1]);
> if (SSL_accept(ssl) != 1)
> break;
>result
Hi Dave,
Thank you very much for the detailed reply.
Following is the code I used at server side program.
while (1) {
SSL *ssl = SSL_new(ctx);
SSL_set_fd(ssl, clientserver[1]);
if (SSL_accept(ssl) != 1)
break;
result.handshakes++;
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN);
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 15:30
>I am trying to measure server performance for client certificate verification.
>However, there is no significant difference in the server performance
>when I send one certificate and condition
On 06/29/2012 09:29 PM, Sukalp Bhople wrote:
Hello,
I am trying to measure server performance for client certificate verification.
However, there is no significant difference in the server performance when I send one certificate
and condition when I send chain of 10 certificates.
I am aware
> From: owner-openssl-us...@openssl.org On Behalf Of plot.lost
> Sent: Tuesday, 22 March, 2011 02:12
> On 22/03/2011 09:24, Crypto Sal wrote:
> > Me thinks they don't understand Client Authentication/Digital
> > Certificates. The server doesn't typically need to verify up to the
> > root, they p
On 22/03/2011 09:24, Crypto Sal wrote:
Me thinks they don't understand Client Authentication/Digital
Certificates. The server doesn't typically need to verify up to the
root, they provide a list of acceptable client CA names during the
handshake.
I'm using a CAfile that has all of the certifi
On 03/22/2011 12:09 AM, plot.lost wrote:
Or do you simply mean you looked manually at the x509 output
(probably -text) and it looks correct to you?
Yes, using -text to manually check the chain.
Have you confirmed this alert is in response to your cert?
You can use s_client with -debug, or r
On 22/03/2011 08:09, plot.lost wrote:
Or do you simply mean you looked manually at the x509 output
(probably -text) and it looks correct to you?
Yes, using -text to manually check the chain.
Have you confirmed this alert is in response to your cert?
You can use s_client with -debug, or run
Or do you simply mean you looked manually at the x509 output
(probably -text) and it looks correct to you?
Yes, using -text to manually check the chain.
Have you confirmed this alert is in response to your cert?
You can use s_client with -debug, or run a network monitor
(I recommend www.wire
> From: owner-openssl-us...@openssl.org On Behalf Of plot.lost
> Sent: Monday, 21 March, 2011 11:44
> I am having problems connecting to a system that requires a client
> certificate. Generated the csr using the relevant openssl commands and
> sent that to the required authority for signing. Tha
Hi Stephen,
Dr. Stephen Henson wrote:
>
> Servers can renegotiate an SSL connection and request a client certificate
> later. This might be due to a script or clicking on a "login" link for example.
>
Oh, I didn't remember this! Thanks for your quick help.
Jan
On Thu, Jun 14, 2007, Jan F. Schnellbaecher wrote:
> Hello,
>
> When I use my browser to go to https://creditportal.bankofamerica.com/ I am
> redirected to a page telling me that there is something wrong with my client
> certificate (the fact is that I don't have one).
>
> But when I am looking
[EMAIL PROTECTED] wrote:
Is there a (reasonable) way to authenticate a client (browser)
certificate from a CGI without having to modify the web server
configuration.
What we are up against is that we produce a package that is supported
on a variety of platforms and web servers. We have been inf
Ben - all client cert details are available to the servers that you
present your certificate to.
This is a dump of some of the standard details presented to the server
in your client cert:
Client Certificate
--
SSL_CLIENT_A_KEY rsaEncryption
SSL_CLIENT_A_SIG md5With
Sharkey, Aoife wrote:
> Thanks for your response.
> You are correct the server is not set up for client authentication.
>
> It is server only authentication. What do I need to do on the client to get
> this to work?
Install Apache? ;-) Owing to limited time and a determination to enjoy
life,
t: Re: Client certificate verification
Sharkey, Aoife wrote:
> Hi
>
> I am having a problem where the server is unable to verify the client
> certificate I created.
> The Server is running IIS and is listening on port 443 for SSL traffic.
>
>
>>here is an example o
Michael Sierchio wrote:
>
> Sharkey, Aoife wrote:
> > Hi
> >
> > I am having a problem where the server is unable to verify the client
> > certificate I created.
> > The Server is running IIS and is listening on port 443 for SSL traffic.
> >
> >
> >>here is an example of the ssldump file
>
> I di
Sharkey, Aoife wrote:
> Hi
>
> I am having a problem where the server is unable to verify the client
> certificate I created.
> The Server is running IIS and is listening on port 443 for SSL traffic.
>
>
>>here is an example of the ssldump file
I didn't see anything here that suggests that the
Hi again.
Thanks for your tip.
As you recommended, I took a look at the s_server code, and I found out that
SSL_CTX_set_client_CA_list() function call was missing from my server code.
So I added it, and it worked beautifully.
I really appreciate your help.
Have a great weekend. (Thanks to you, I c
Sejin Choi wrote:
>
> Ah, this is just a sample code just to see if it's working. This is not the
> full version of application code. :)
> While making the sample code, I think I made a mistake to put exit code there.
>
> You're right, it shouldn't.
> But my problem is how to generate/verify the
Ah, this is just a sample code just to see if it's working. This is not the
full version of application code. :)
While making the sample code, I think I made a mistake to put exit code there.
You're right, it shouldn't.
But my problem is how to generate/verify the client certificate if there's an
Sejin Choi wrote:
>
> Hi, all.
> Thanks for all the advices you all gave me on my previous question
> regarding client certificate question.
> I've attached simple client/server code I've been using to establish SSL
> connection between TCP/IP client/server application program.
> Client side verif
On Fri, Mar 16, 2001 at 05:40:41PM +, Filipe Contente wrote:
> Hi!!
>
> I'm with problems when my server wants to verify the client certificate.
>
> The code that i use is attached to this mail...
>
> When i call the ssl_accept() method the ssl->session->peer returns NULL,
> so
> when i c
It's under Security, Navigator. Default is Ask Every Time.
David Price wrote:
> This looks to me like a small problem but after a day and a half of
> searching I have not found many references nor a solution. I would
> appreciate if anybody could point me in the right direction.
>
> I am attemp
elps..
Baj
-Original Message-
From: Sandipan Gangopadhyay [mailto:[EMAIL PROTECTED]]
Sent: 13 March 2001 11:16
To: [EMAIL PROTECTED]
Subject: Re: Client Certificate Presentation
Thanks for the pointer.
I had put the directory of the ssl.crt (crt store) in the
SSLCACertificatePath origin
nday, March 12, 2001 6:39 PM
Subject: Re: Client Certificate Presentation
> > 3. However, Internet Explorer 5.5 shows a dialogue box saying the server is
> > requesting Client Authentication and asking me to select a certificate to
> > use when connecting. The problem
> 3. However, Internet Explorer 5.5 shows a dialogue box saying the server is
> requesting Client Authentication and asking me to select a certificate to
> use when connecting. The problem is that the list is EMPTY !!! While the
> certificate and private key are clearly visible in the Options | Ce
From: "Sandipan Gangopadhyay" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Client Certificate Presentation
Date sent: Sun, 11 Mar 2001 10:38:57 +0530
Send reply to:
> Zhong Chen wrote:
>
> Is there any SSL_CTX_* function to force the client sending
> certificate after server sends "Server Hello"? It's an optional step
> in SSL handshake, and I want to make it mandatory (doable?). It will
> be very helpful if you can point me to an example. Thanks.
>
That w
Try SSL_CTX_set_verify() with the mode parameter set to
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
The documentation is at
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#
Greg Stark, [EMAIL PROTECTED]
Ethentica, Inc.
www.ethentica.com
- Original Message -
From: Zhong Ch
"Fisher, James" wrote:
>
> That would be great. Could you give me Tobias's email, website etc
>
> JF
>
Here's his mail:
Original Message ----
Subject: Re: Client certificate question relating to Crypt::SSLeay
Date: Wed, 10 Jan 2001 16:16:
Howdy also,
Sure go ahead and give me the download location or send me an email...
Regards,
JF
-Original Message-
From: Tobias Manthey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 10, 2001 10:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Client certificate question relating to Crypt
That would be great. Could you give me Tobias's email, website etc
JF
-Original Message-
From: Joshua Chamas [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 10, 2001 12:35 PM
To: Fisher, James; [EMAIL PROTECTED]
Subject: Re: Client certificate question relating to Crypt::S
t: Tuesday, January 09, 2001 12:18 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Client certificate question relating to Crypt::SSLeay
>
> I was sent a patch for this, but have not had time yet to
> integrate it, if you would like it, I can send it on to you.
>
> --Josh
>
>
Howdy,
I wrote a patch for Crypt::SSLeay 0.17 which includes proxy and basic
client-cert support. I can also supply an adopted version of Josh's net_ssl_test
script which illustrates its usage.
Regards
Tobias
> I was sent a patch for this, but have not had time yet to
> integrate it, if you wou
[EMAIL PROTECTED] dijo:
> I have tried moving the location of the web pages around, changing ownership
> on the directory, and im really pulling my hair out!!!, i need a solution by
> the end of today, i really hope someone knows why this is happening, i have
> also noticed something to do w
Moved to [EMAIL PROTECTED]!
On Wed, Dec 13, 2000 at 03:15:04PM +, Filipe Contente wrote:
> I'm a new member, and i don't understand how ssl certificates very well.
>
> i'm using this function to get the client certificate:
>
> And it returns NULL!!
>
> The s variable (SSL type), isn't NULL
> This is all wrong. It doesn't matter if the proxy machine is a
> trusted OS or not if you are using end to end SSL connections. The
> authentication of the end box via verification of its certificate will
> ensure that there is no man in the middle.
>
> If the proxy is on a Trusted OS, that
> > This is a really bad model. You are putting all of the client's
> > secret keys in a place where they will be vulnerable to attack.
> >
> > Why does the connection between the Client and the CGI Proxy have to
> > be protected by SSL such that the CGI Proxy can view the data?
>
>
> This is
> This is a really bad model. You are putting all of the client's
> secret keys in a place where they will be vulnerable to attack.
>
> Why does the connection between the Client and the CGI Proxy have to
> be protected by SSL such that the CGI Proxy can view the data?
This is a bad mode, I thi
The answer to your question is 'yes'. The proxy service if designed
this way would require access to the client's private key. Why not
do what every other proxy service does, just proxy the raw bytes and
let the SSL/TLS connection be end to end through the proxy service.
> hello everyone.
>
hello everyone.
Sorry.
I noticed that this question was FAQ.
I should have used s_client.c and s_server.c sample codes.
then, I have one more question.
I am developing SSL proxy program.
This proxy has following functions.
1) proxy receives client certificate from client (browser).
2) with thi
The following two links may be somewhat useful. The first one shows how
to create the client cert + keys as a PKCS12 file and then import it into
IE (or Netscape). The second one is about how to do it via cert download.
http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
http://msdn.micros
Benjamin Grosman <[EMAIL PROTECTED]>:
> I am able to fetch the issue and subject details of the client certificate
> from inside the server, but how do I know that someone hasn't simply
> generated their own certificate with the same details?
If you initialize the verification settings with abou
What is special about version 4.04,
and how can I fix things for other versions?
One difference may be that 4.04 has a different set of built-in
Verisign roots than later versions. The later browsers have newer
roots. If your client certs are in a chain signed by Verisign, it
co
> installed. I have tried SSLeay 0.90 and Openssl 0.92b, have used ca-fix,
you shouldn't need ca-fix if you're working with openssl 0.9.2b
> have tried commenting out nscerttype, or changing to the nscerttype
set it to:
nsCerttype = client, email
> switch for client certs. What is special abou
60 matches