Re: How to read encrypted PKCS#8 format key file

On Thu, Nov 24, 2022 at 09:48:42AM +0530, Satyam Mehrotra wrote: > I have encrypted pkcs#8 key file . Is there any openssl command buy which I > can view the algorithm used to encrypt it ( i mean aes or des3 ) Removing blank lines and passing to "asn1parse" you get: $ openssl asn1parse -in /

Re: How to upgrade openssl from 3.0.2 to 3.0.7

On 11/2/22 23:08, Anupam Dutta via openssl-users wrote: I want to upgrade the openssl version from 3.0.2 to 3.0.7. My OS version is Ubuntu 22.04.1 LTS (Jammy Jellyfish). Please help .It is urgent Ubuntu has already dealt with the new vulnerabilities.  If you do the normal package upgrade proce

Re: How to handle TLS alerts

On 26/10/2022 18:33, pepone.onrez wrote: Hi, I'm trying to understand how to handle TLS alerts, I have set up a callback with SSL_CTX_set_info_callback(_ctx, ssl_info_callback); And I can see alerts sent by the peer, does the application need to call SSL_shutdown upon receiving a fatal

Re: How to figure out if .P12 is RSA or ECC crypted

On Thu, Jun 09, 2022 at 10:16:24AM +, Beilharz, Michael wrote: > I retrieve .P12 certificates, they can be RSA or ECC crypted PKCS#12 objects are encrypted with a *symmetric* password: 3DES, AES, ... Perhaps you're confusing the public key algorithm in the certificate (or corresponding priva

Re: How to reject a certificate with access_denied?

On 07/06/2022 15:02, Matt Caswell wrote: > > > On 07/06/2022 13:46, Michael Richardson wrote: >> Matt Caswell wrote: >> > On 06/06/2022 18:08, Christian Schmidt wrote: >> >> Hi, >> >> I am building a server application that allows a user to log >> in by >> >> providing a cert

Re: How to reject a certificate with access_denied?

On 07/06/2022 13:46, Michael Richardson wrote: Matt Caswell wrote: > On 06/06/2022 18:08, Christian Schmidt wrote: >> Hi, >> I am building a server application that allows a user to log in by >> providing a certificate. In order to do custom checks, I have added a >>

Re: How to reject a certificate with access_denied?

Matt Caswell wrote: > On 06/06/2022 18:08, Christian Schmidt wrote: >> Hi, >> I am building a server application that allows a user to log in by >> providing a certificate. In order to do custom checks, I have added a >> verify callback to my code to check the certificate on to

Re: How to reject a certificate with access_denied?

On 06/06/2022 18:08, Christian Schmidt wrote: Hi, I am building a server application that allows a user to log in by providing a certificate. In order to do custom checks, I have added a verify callback to my code to check the certificate on top of its cryptographic features (CA Valid, etc).

Re: How to convert .P12 Certificate (ECC crypted) to .PEMs

Hi Michael, openssl pkcs12 -in "inCert.p12" -out "out.pem" -passin pass: -nodes is sufficient to convert all credentials in the PKCS#12 file to a single PEM file with the key being stored unencrypted. Since OpenSSL 3.0, the outdated -nodes option has been deprecated; so there better use -noenc.

RE: How to convert .P12 Certificate (ECC crypted) to .PEMs

Try adding the following command line arguments: -outform pem From: openssl-users On Behalf Of Beilharz, Michael Sent: Wednesday, May 25, 2022 3:10 AM To: 'openssl-users@openssl.org' Subject: How to convert .P12 Certificate (ECC crypted) to .PEMs CAUTION: Email originated externally. Do no

Re: How to create a SAN certificate

Since OpenSSL 3.0, one can use the -copy_extensions` option of openssl req to copy over any SANs contained in the CSR to the cert being created or use -addext to directly specify extensions without the need to use a config file, or simply use the -x509 and -subj options to build a cert from scratch

Re: How to create a SAN certificate

Henning Svane wrote: > I am using OpenSSL 1.1.1f Is there a way to make a SAN certificate > based on the CSR I have created in Exchange. I need a self-signed > certificate for testing. I'm not exactly sure what you think a SAN certificate is. I guess one with a SubjectAltName extens

RE: How does a client get the server's SAN/DNS strings

l.org Objet : Re: How does a client get the server's SAN/DNS strings > On 17 Apr 2022, at 11:29 am, Michel wrote: > > What a beautiful source code ! > If only all software could be written like this ! The Postfix project aims for code quality, security and backwards compatibility

Re: How does a client get the server's SAN/DNS strings

> On 17 Apr 2022, at 11:29 am, Michel wrote: > > What a beautiful source code ! > If only all software could be written like this ! The Postfix project aims for code quality, security and backwards compatibility over hastily deployed shiny new features. You'll find many examples of careful/corr

RE: How does a client get the server's SAN/DNS strings

Waouh, waouh, waouh !!! What a beautiful source code ! If only all software could be written like this ! Thanks for the example Viktor. > https://github.com/vdukhovni/postfix/blob/postfix-3.5/postfix/src/tls/tls_cl ient.c#L756-L794 -- Viktor.

Re: How does a client get the server's SAN/DNS strings

On Sat, Apr 16, 2022 at 03:02:16PM -0700, Hal Murray wrote: > openssl-us...@dukhovni.org said: > > Can you explain *why* you want the list of DNS names? > > Is this just for logging.. > > Yes, just for logging. https://github.com/vdukhovni/postfix/blob/postfix-3.5/postfix/src/tls/tls_client.

RE: How does a client get the server's SAN/DNS strings

ope it helps, it is very late in the night here. Michel. -Message d'origine- De : openssl-users [mailto:openssl-users-boun...@openssl.org] De la part de Hal Murray Envoyé : dimanche 17 avril 2022 00:02 À : openssl-users@openssl.org Objet : Re: How does a client get the server's

Re: How does a client get the server's SAN/DNS strings

openssl-us...@dukhovni.org said: > Can you explain *why* you want the list of DNS names? > Is this just for logging.. Yes, just for logging. -- These are my opinions. I hate spam.

Re: How does a client get the server's SAN/DNS strings

On Sat, Apr 16, 2022 at 01:18:57PM -0700, Hal Murray wrote: > I can get the subject and issuer with > X509_get_subject_name and X509_get_issuer_name > > I'm looking for something similar to get the SAN/DNS strings used to verify > that this certificate is valid for the hostname provided via SS

RE: How does a client get the server's SAN/DNS strings

Hi Hal, Might be simpler to use the 'X509_VERIFY_PARAM...' interface. Did you see : https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set1_host.html Hope it helps, Regards, Michel. -Message d'origine- De : openssl-users [mailto:openssl-users-boun...@openssl.org] De la part

RE: RE: How to create indirect CRL using openssl ca command

> From: edr > Sent: Friday, 11 March, 2022 03:59 > > On 10.03.2022 20:27, Michael Wojcik wrote: > > Personally, I'd be leery of using openssl ca for anything other than > dev/test purposes, in which case frequent CRL generation seems unlikely to > be a requirement. AIUI, openssl ca isn't really i

Aw: RE: How to create indirect CRL using openssl ca command

On 10.03.2022 20:17, Michael Ströder via openssl-users wrote: > > Are you 100% sure all the software used by your relying participants is > capable of handling the X509v3 extensions involved? > > In practice I saw software miserably fail validating such certs and CRLs. Or > also CAs failed to gen

RE: How to create indirect CRL using openssl ca command

> From: openssl-users On Behalf Of > Michael Ströder via openssl-users > Sent: Thursday, 10 March, 2022 12:17 > > On 3/10/22 14:06, edr dr wrote: > > At the same time, I do not want to store passwords used for > > certificate creation in cleartext anywhere. Personally, I'd be leery of using open

Re: How to create indirect CRL using openssl ca command

On 3/10/22 14:06, edr dr wrote: I would like to be able to automate the process of updating CRLs in order to be able to keep the CRL validity time short. Understandable. At the same time, I do not want to store passwords used for certificate creation in cleartext anywhere. It's a pity that the

Re: How OpenSSL connections work

On Sun, Mar 06, 2022 at 02:39:55AM +, loic nicolas wrote: > Hello, > > I can't figure out how OpenSSL connections work. > > I would like to use 2 bios (rbio, wbio) which will be shared for all my > connections. I'm not sure why you would want to do this. Why would you allocate one BIO and

RE: How run the specific test case //答复: How to run a simple test case

The problem lies with the Perl script, not the C program. The perl script generates the file 17-renegotiate.cnf.default from the template file 17-renegotiate.cnf.in. The environment variable “${ENV::TEST_CERTS_DIR}” should have been replaced by Perl. Please open an issue on GitHub, it’s easier

RE: How run the specific test case //答复: How to run a simple test case

Ah ok, maybe I slightly misunderstood your question. From your transcript I infer that the testsuite ran the perl script `generate_ssl_tests.pl`, which generated some test files an then ran the binary `ssl_test` as follows: ./test/ssl_test ./test-runs/test_ssl_new/17-renegotiate.cnf.default If

RE: How to run a simple test case

The README file in the test directory contains a detailed explanation. https://github.com/openssl/openssl/blob/master/test/README.md In a nutshell, you run `make test`, passing `V=1` to turn on verbose output and `TESTS=...` to select one or more tests: make V=1 TESTS= test HTH, Matthias

自动回复: Re: How to distinguish between encrypted/unencrypted key in a PEM file

您好，您的邮件我已收到，我会尽快阅读，谢谢！

Re: How to distinguish between encrypted/unencrypted key in a PEM file

> On 26 Jan 2022, at 9:14 am, Bartlomiej wrote: > > I have a PEM file on the device which can contain an encrypted/non-encrypted > private key. When it's encrypted, it's using PBES/PBKDF. The file is accessed > from a C++ application which uses the OpenSSL library. If the key is > encrypted, t

Re: how to enable DHE ciphers on openssl for using on command line

"openssl ciphers" will show you the correct names which in this case is DHE-RSA-AES128-GCM-SHA256 On Wed, 2021-11-17 at 16:25 +0800, M K Saravanan wrote: > Hi, > > Do I need to do any config to enable DHE based ciphers in openssl for > command line usage? > > $ openssl s_client -cipher 'DHE_RSA_

Re: how to enable DHE ciphers on openssl for using on command line

> I am extremely for making such a basic stupid mistake. I am extremely sorry. On Wed, 17 Nov 2021 at 21:19, M K Saravanan wrote: > > Thanks Matt. > > I am extremely for making such a basic stupid mistake. > > On Wed, 17 Nov 2021 at 18:33, Matt Caswell wrote: > > > > > > > > On 17/11/2021 08:25

Re: how to enable DHE ciphers on openssl for using on command line

Thanks Matt. I am extremely for making such a basic stupid mistake. On Wed, 17 Nov 2021 at 18:33, Matt Caswell wrote: > > > > On 17/11/2021 08:25, M K Saravanan wrote: > > Hi, > > > > Do I need to do any config to enable DHE based ciphers in openssl for > > command line usage? > > > > $ openssl

Re: how to enable DHE ciphers on openssl for using on command line

On 17/11/2021 08:25, M K Saravanan wrote: Hi, Do I need to do any config to enable DHE based ciphers in openssl for command line usage? $ openssl s_client -cipher 'DHE_RSA_WITH_AES_128_GCM_SHA256' -connect 10.10.16.100:443 You have the wrong name for this ciphersuite. OpenSSL uses its own

Re: How to get rsa-private key in plain text format?

Thank you very much Regards, Shariful Alam On Fri, Sep 3, 2021 at 10:29 AM Matt Caswell wrote: > > > On 03/09/2021 17:24, Shariful Alam wrote: > > Thank you very much. > > So the output of "*openssl rsa -in mykey.pem -text -noout*" is a base64 > > hex format? > > It's a hex format. "base64 hex"

Re: How to get rsa-private key in plain text format?

> > > >

Re: How to get rsa-private key in plain text format?

On 03/09/2021 17:24, Shariful Alam wrote: Thank you very much. So the output of "*openssl rsa -in mykey.pem -text -noout*" is a base64 hex format? It's a hex format. "base64 hex" makes no sense. base64 is not hex, and vice versa. Matt Regards, Shariful On Fri, Sep 3, 2021 at 7:55 AM

Re: How to get rsa-private key in plain text format?

Thank you very much. So the output of "*openssl rsa -in mykey.pem -text -noout*" is a base64 hex format? Regards, Shariful On Fri, Sep 3, 2021 at 7:55 AM Matt Caswell wrote: > > > On 03/09/2021 14:49, Billy Brumley wrote: > >>> Hello, > >>> Is there any command-line tool to get the plain text r

Re: How to get rsa-private key in plain text format?

On 03/09/2021 14:49, Billy Brumley wrote: Hello, Is there any command-line tool to get the plain text rsa private key like the following format from .pem file? openssl rsa -in mykey.pem -noout -text It would in fact be much more educational to advocate pkey, which is cryptosystem agnostic

Re: How to get rsa-private key in plain text format?

> > Hello, > > Is there any command-line tool to get the plain text rsa private key > > like the following format from .pem file? > > openssl rsa -in mykey.pem -noout -text It would in fact be much more educational to advocate pkey, which is cryptosystem agnostic openssl pkey -in mykey.pem -noout

Re: How to get rsa-private key in plain text format?

On 03/09/2021 00:21, Shariful Alam wrote: Hello, Is there any command-line tool to get the plain text rsa private key like the following format from .pem file? openssl rsa -in mykey.pem -noout -text Matt

Re: How to get rsa-private key in plain text format?

On Thu, Sep 02, 2021 at 05:21:22PM -0600, Shariful Alam wrote: > Is there any command-line tool to get the plain text rsa private key like > the following format from .pem file? Yes, if you're willing to tolerate slightly different labels and ":" every two nibbles.With slightly different labels a

Re: How to get "EVP_PKEY *dhpkey" from NID_X9_62_prime256v1.

On 27/08/2021 08:47, Kumar Mishra, Sanjeev wrote: Hi All, I am upgrading the code from OpenSSL 1.0.1 to OpenSSL 3.0. I am getting compilation errors for deprecated functions and structure like "EC_KEY_new_by_curve_name()" , "SSL_CTX_set_tmp_ecdh()" and "EC_KEY"..etc. The code is like f

RE: How to debug ssl library in OpenSSL 1.1.1a? Thanks in advance.

If you add the `--debug` argument to your configure command and rebuild OpenSSL, you will get a library with debug information and without optimization. https://github.com/openssl/openssl/blob/master/INSTALL.md#build-type HTH, Matthias From: openssl-users On Behalf Of Ma Zhenhua Sent: Saturday

Re: How to simulate "TLS 1.3 Session Resumption" through OpenSSL tools?

Hi Matt, Got it! Thanks very much for your reply! Best Regards Nan Xiao On Fri, Jul 2, 2021 at 5:46 PM Matt Caswell wrote: > > > > On 02/07/2021 10:09, Nan Xiao wrote: > > Hi OpenSSL users, > > > > Greetings from me! From this article > > (https://www.qacafe.com/resources/examples-of-tls-1-3/)

Re: How to simulate "TLS 1.3 Session Resumption" through OpenSSL tools?

On 02/07/2021 10:09, Nan Xiao wrote: Hi OpenSSL users, Greetings from me! From this article (https://www.qacafe.com/resources/examples-of-tls-1-3/) and pcap file (https://www.cloudshark.org/captures/64d433b1585a), I know we can use s_server and s_client to simulate "TLS 1.3 Session Resumption

Re: How did I break this signature library?

Hello, I recently resubscribed so I'm unsure if this post was emailed back out to members. If you saw it and the question was bad, please let me know what I can simplify or clarify. Thank you. On 6/27/21 11:44 PM, Sage Gerard wrote: > Hi all, > > Context: https://github.com/zyrolasting/xiden/bl

Re: How to query current settings/policies?

On Tue, Jun 22, 2021 at 02:53:07PM +0200, Tomas Mraz wrote: > On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote: > > Hi, > > > > with OpenSSL 3 defaulting to TLS security level 1, applications > > trying > > to make a TLSv1/1.1 connection will fail. > > > > I wonder if there is a prope

Re: How to query current settings/policies?

On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote: > Hi, > > with OpenSSL 3 defaulting to TLS security level 1, applications > trying > to make a TLSv1/1.1 connection will fail. > > I wonder if there is a proper way to detect current security level. > > I.e. how about test suites whic

Re: How to set the different parameters of X509_STORE_CTX structure.

Hi, On 26/05/21 10:15, Kumar Mishra, Sanjeev wrote: Hi, I am upgrading the code of OpenSSL 1.0 to 3.0. I am not getting some API for setting some parameter of X509_STORE_CTX structure as it is opaque in 3.0. For example the code is like - X509_STORE_CTX  *ctx; ctx->curren

Re: How to access different fields of structure SSL in OpenSSL 3.0

On Tue, 2021-05-11 at 05:22 +, Kumar Mishra, Sanjeev wrote: > Hi, > How to access different fields of structure SSL in OpenSSL 3.0 ? For > example the code is like this - > > SSL *ssl; > .. > ... > SSL_CTX_set_tlsext_status_cb(ssl->ctx, NULL); > MRM_LOG_INFO("SSL_free ref %d ", ssl->re

RE: How to switch between OpenSSL 1.0.2 and 1.1 in compilation loading and linking a C code.

You may need to rename the libraries on your system or use LD_PRELOAD when launching your application. Another option is to specify the full path to the specific libraries you want when you link with, instead of the -l. For example: gcc -I /sonus/p4/ws/shared/cmn_thirdparty.main/openssl/distrib

Re: How to access different fields of typedef struct evp_pkey_st EVP_PKEY.

On Tue, 2021-04-20 at 10:45 +, Kumar Mishra, Sanjeev wrote: > Hi, > I am not getting different functions in OpenSSL 3.0 for accessing > different fields of typedef struct evp_pkey_st EVP_PKEY. For Example > - code is like this - > EVP_PKEY * privKey; > - > - > if ( BN_cmp(privKey->pkey.

Re: How to access different fields of typedef struct evp_pkey_st EVP_PKEY.

On 20/04/2021 11:45, Kumar Mishra, Sanjeev wrote: Hi, I am not getting different functions in OpenSSL 3.0 for accessing different fields of typedef struct evp_pkey_st EVP_PKEY. For Example - code is like this - EVP_PKEY * privKey; - - if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.r

Re: How to dump all certificates from a file?

I also had this problem several years back but did not find the nifty though counter-intuitive workaround using cr2pkcs7 given below. Since then I've been using a Perl script like this: > #!/usr/bin/perl > $/ = '-END CERTIFICATE-'; > while(<>) { > if(m|$/|s) { > print STDERR "

Re: How to dump all certificates from a file?

Hi Viktor, > By "a file" you clearly mean a "PEM file" with one or more certificates exclosed in "-BEGIN ...".."-END ..." delimiters. Yes, this is what I mean. > openssl crl2pkcs7 -nocrl -certfile somefile.pem | opessl pkcs7 -print_certs -text Works like a charm! Thanks very muc

Re: How to dump all certificates from a file?

On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote: > Greetings from me! By default openssl-x509 can only dump one > certificate from the file: By "a file" you clearly mean a "PEM file" with one or more certificates exclosed in "-BEGIN ...".."-END ..." delimiters. With that proviso

Re: How to establish a connection with self signed certificate

Hello, As you control both the server keypair and client, I'd suggest you to use the openssl s_server/s_client application to debug the connection. On Sun, Mar 28, 2021 at 9:41 AM preethi teekaraman wrote: > Hi > > I'm using latest version 1.1.1i 8 Dec 2020 openssl version to create self > sign

Re: How to store openSSL EVP_MD and EVP_MD_CTX in local buffers

Structures are opaque after OpenSSL 1.0.  There is no way to do what you want. The recommended path is to call EVP_MD_CTX_dup() to create a copy of the context and use that the second time around. Pauli On 24/3/21 2:03 pm, Vuthur Pavankumar wrote: Hi All, I was implementing SHA3 multi-ca

Re: How to set amount of salt for PBKDF2/PKCS8 keys?

On 08/01/2021 00:59, Mathias Ricken wrote: > How do I sell openssl to use more salt when generating the private key? Unfortunately the pkcs8 tool does not support setting a custom salt length and always uses the default length of 64 bits. The best I can offer you is a hack of the tool to chang

Re: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

@Michael Wojcik Thanks for your reply! It makes sense more that you said, the RFC pages are indeed hard to read... @David von Oheimb thanks for the clarification! Sorry for my misunderstanding, also thanks for your fix, I will follow up on that too. BTW, OpenSSL is such a friendly community.

Re: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

On 01.01.21 08:07, 定平袁 wrote: > @David von Oheimb > Thank you so much for your deep investigation! My pleasure! > With subjectKeyIdentifier and authorityKeyIdentifier extensions, it > works like a charm! Good to hear. I've meanwhile submitted a pull request that fixed the be

RE: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

> From: openssl-users On Behalf Of ??? > Sent: Friday, 1 January, 2021 00:08 > How to pick up cert from trust store(or cert container as you say) > is decided by different implementation themselves, do I understand correctly? Yes, in some cases under partial or complete control by the applicatio

Re: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

@David von Oheimb Thank you so much for your deep investigation! With subjectKeyIdentifier and authorityKeyIdentifier extensions, it works like a charm! So, the former statements I found on this page only applies to C

Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

On 25.12.20 00:35, 定平袁 wrote: > @David von Oheimb I will update to a new version > and try again. Good. Ideally try also a current 3.0.0 alpha release because there have been some changes to cert chain building and verification recently. > To append cert is to make sure new

Re: How to rotate cert when only first matching cert been verified

Re post my code here, since I send it alone to Michael. Below is the error message: ``` Traceback (most recent call last): File "test.py", line 6, in r = s.get(' https://nsxmanager.pks.vmware.local/api/v1/spec/vmware/types/Tag', verify='./ca.pem') File "/home/kubo/.local/lib/python2.7/si

Re: How to rotate cert when only first matching cert been verified

Thanks a lot for your reply! Merry Christmas! @Michael WojcikApologies. I clicked the wrong reply button. @David von Oheimb I will update to a new version and try again. To append cert is to make sure new cert and old cert both exist in trust store, thus when server switches cert, it can be

Re: How to rotate cert when only first matching cert been verified

On 23.12.20 23:56, openssl-users-requ...@openssl.org digested: > Message: 4 > Date: Wed, 23 Dec 2020 23:56:44 +0100 > From: David von Oheimb [...] > Yet since both your old and new server cert are not expired and have the > same subject, keyIdentifier, and serial number, > and you appended the new

Re: How to rotate cert when only first matching cert been verified

定平袁 you are welcome. The OpenSSL version you are using is way too old! Do not use version 1.1.0, 1.0.x, and anything older - those versions are unsupported and must be considered insecure. Yet since both your old and new server cert are not expired and have the same subject, keyIdentifier, and se

RE: How to rotate cert when only first matching cert been verified

> From: 定平袁 > Sent: Tuesday, 22 December, 2020 20:08 > To: Michael Wojcik Please do not send messages regarding OpenSSL to me directly. Send them to the openss-users list. That is where the discussion belongs. > > Why are you appending it to the file containing the existing certificate? > I a

Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?

In openssl 1.1.1, I see that this bn_mod_exp function is called from "rsa_ossl_public_decrypt" : 566 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 567rsa->_method_mod_n)) { 568 goto err; 569 } so we are doing "f^(rsa->e)mod(rsa->n)" , this

Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?

On Tue, Dec 22, 2020 at 3:45 AM prudvi raj wrote: > > Hello all, > > We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( > bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code > snippet of custom bn_mod_exp function: > -- > if(rr->d) > { > OPENS

RE: How to rotate cert when only first matching cert been verified

> From: openssl-users On Behalf Of ??? > Sent: Saturday, 19 December, 2020 17:59 > 1. Generate a new cert, and append it to the cert file Why are you appending it to the file containing the existing certificate? > (at this point, there are 2 certs in the file, first is old cert, second is > new

Re: How to rotate cert when only first matching cert been verified

the exact behavior: When looking up CA certificates, the OpenSSL library will first search the certificates in *CAfile*, then those in *CApath*. Certificate matching is done based on the subject name, the key identifier (if present), and the serial number as taken from the certificate to be verifi

Re: How to make ocsp responder busy

On 2020-11-09 09:58, Venkata Mallikarjunarao Kosuri via openssl-users wrote: Hi We are trying to work scenario to openssl OCSP responder busy, but we are not sure how to make OCSP responder busy could please throw some pointer to work on. Ref https://www.openssl.org/docs/man1.0.2/man1/ocsp.

Re: How is the TLS Record Layer Version Selected?

On 29/10/2020 03:52, Thomas Antonio via openssl-users wrote: > Hello, how does openSSL determine the Record Layer Version used to > initiate a ClientHello message to the server? I believe the > determination is made at this level. > > When testing using multiple implementations (Python Requests

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Wow! I was unattentive :( The leading minus before enable-weak-ssl-ciphers was the problem. Many thanks Satyam! On Mon, Oct 26, 2020 at 8:41 PM Satyam Mehrotra wrote: > I think i have resolved it . if you use the following option and then do a > make , the openssl binary don't crash > > ./conf

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Dear Satyam, It looks like a compiler bug for me. When configured via ./config -ggdb -O0 -enable-weak-ssl-ciphers, I get the code working. The same happens when -O1 is in use. When I either omit optimization (which implies -O3) or specify -O2, I get a segfault. On Mon, Oct 26, 2020 at 8:09 PM Sa

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Dear Dmitry, The below is the process i have followed - Downloaded the openssl-1.1.1h from the official OpenSSL site - ./config -ggdb -enable-weak-ssl-ciphers - make - make install - Execute openSSL command ( Looks like any openSSL command the binary is crashing

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Dear Satyam, Do I correctly understand that - you built openssl-1.1.1h from scratch with -enable-weak-ssl-ciphers - installed it -run some command? Which one(s)? Initially, you were speaking about 'ciphers', but the stack trace is from the 'ca'. On Mon, Oct 26, 2020 at 7:26 PM Satyam Mehrotra wr

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Segmentation fault is not seen if i don't compile* ./config with* *-enable-weak-ssl-ciphers.* Is it something I am missing or some more options needs to be provided to ./config ? Thanks Satyam On Mon, 26 Oct 2020 at 20:21, Dmitry Belyavsky wrote: > It has nothing to do with the ciphers command

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

It has nothing to do with the ciphers command... On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra wrote: > Dear Dmitry, > > >>Are the /usr/local/lib64/libssl.so.1.1 and > /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? > Yes, they are same > > gdb openssl core.50178 >

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Dear Dmitry, >>Are the /usr/local/lib64/libssl.so.1.1 and /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? Yes, they are same gdb openssl core.50178 GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Are the /usr/local/lib64/libssl.so.1.1 and /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? If yes, you should try running via gdb to get a backtrace. On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra wrote: > Dear Dmitry, > > As suggested i have build the openssl with

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Dear Dmitry, As suggested i have build the openssl with -ggdb ( ./config -ggdb -enable-weak-ssl-ciphers ) and after building i did make install as well. The strace output is as below == *strace ./openssl* execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Dear Satyam, First of all, I'll suggest checking whether the libcrypto/libssl are those you've built. It can be done, e.g., via running strace. I also suggest building openssl with -ggdb (./config -ggdb should do the trick). On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra wrote: > Hi Dmitry,

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Hi Dmitry, >>If you have just built the openssl, try to set the LD_LIBRARY_PATH environment variable pointing to freshly built libcrypto/libssl I try setting the LD_LIBRARY_PATH but it is still crashing *which openssl* * /usr/local/bin/openssl* *export LD_LIBRARY_PATH=/usr/lo

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

If you have just built the openssl, try to set the LD_LIBRARY_PATH environment variable pointing to freshly built libcrypto/libssl On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra wrote: > Hello, > > Any Suggestions on how this can be done ? > why openssl binary is crashing if i am compiling it w

Re: How to Enable Weak Ciphers OpenSSL 1.1.1h installation

Hello, Any Suggestions on how this can be done ? why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers ,* also what is the location of the crash file. Thanks Satyam On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra wrote: > Hello Everyone, > > I have just joined the op

Re: How to plug an external encryption to CMS_SignerInfo signing?

Dear Francesco, I think this link is relevant: https://github.com/OpenSC/libp11/blob/master/src/eng_front.c On Sat, Oct 24, 2020 at 1:45 PM Francesco Pretto wrote: > Hi Dmitry, > > thank you for the prompt answer. Are you able to provide me with a > link to an example of creating such engines t

Re: How to plug an external encryption to CMS_SignerInfo signing?

Hi Dmitry, thank you for the prompt answer. Are you able to provide me with a link to an example of creating such engines that will fit this use case? On my searches I was able to find staff like EVP_PKEY_METHOD[1] but I wasn't able to use them for my purpose. Not assuming how stuff works today, i

Re: How to plug an external encryption to CMS_SignerInfo signing?

Dear Francesco, On Sat, Oct 24, 2020 at 1:06 PM Francesco Pretto wrote: > Hello, > > I'm trying to create a CMS context for subsequent export using > CMS_sign(). I add a signer using CMS_add1_signer() that allows me to > specify a X509 certificate and a hash function. I would like the CMS > cont

Re: How to help with getting KTLS patches merged

On 23/07/2020 23:06, John Baldwin wrote: > On 6/10/20 3:48 PM, John Baldwin wrote: >> On 6/8/20 4:12 AM, Kurt Roeckx wrote: >>> On Thu, Jun 04, 2020 at 09:00:08AM -0700, John Baldwin wrote: At the moment there are 3 open PRs related to Kernel TLS offload support that I'm aware of:

Re: How to help with getting KTLS patches merged

On 6/10/20 3:48 PM, John Baldwin wrote: > On 6/8/20 4:12 AM, Kurt Roeckx wrote: >> On Thu, Jun 04, 2020 at 09:00:08AM -0700, John Baldwin wrote: >>> At the moment there are 3 open PRs related to Kernel TLS offload >>> support that I'm aware of: >>> >>> - 11589 adds TLS1.3 for Linux, has one approva

Re: How can I tell if a name for a cipher/digest is implemented?

On Thu, 18 Jun 2020 09:39:11 +0200, Hal Murray wrote: > I think that checking for NULL from EVP_get_ciphername() works in 1.1.1 > but that changed for 3.0.0 > > Is there anything better/cleaner than actually calling EVP_CipherInit() or > such? For 3.0 and on, the better way is to find the cipher

Re: How to help with getting KTLS patches merged

On 6/8/20 4:12 AM, Kurt Roeckx wrote: > On Thu, Jun 04, 2020 at 09:00:08AM -0700, John Baldwin wrote: >> At the moment there are 3 open PRs related to Kernel TLS offload >> support that I'm aware of: >> >> - 11589 adds TLS1.3 for Linux, has one approval from Matt Caswell >> - 10626 adds TLS1.3 for

Re: How to help with getting KTLS patches merged

On Thu, Jun 04, 2020 at 09:00:08AM -0700, John Baldwin wrote: > At the moment there are 3 open PRs related to Kernel TLS offload > support that I'm aware of: > > - 11589 adds TLS1.3 for Linux, has one approval from Matt Caswell > - 10626 adds TLS1.3 for FreeBSD, from which 11589 is derived, but wi

Re: How to get all certs into a .der file.

As far as I know, CURL (app and library) is perfectly happy to use a text file comprised of concatenated PEM certificates. I really wonder if there’s a real use case. On May 22, 2020, at 18:49, Salz, Rich via openssl-users wrote:  application/pkix-pkipath Defined in RFC4366 (section 8) and

Re: How to get all certs into a .der file.

* application/pkix-pkipath * Defined in RFC4366 (section 8) and RFC6066 (section 10.1) I doubt that it is worth doing this. First, because OpenSSL doesn’t support it now, then CURL (what the original poster was talking about) can’t use it when using OpenSSL. Instead, as others have po

Re: How to get all certs into a .der file.

On Fri, May 22, 2020 at 04:31:02PM -0500, Kyle Hamilton wrote: > application/pkix-pkipath > Defined in RFC4366 (section 8) and RFC6066 (section 10.1) > > PkiPath ::= SEQUENCE OF Certificate > > Within the sequence, the order of certificates is such that the subject of > the first certificate is

  1   2   3   4   5   6   7   8   9   10   >