On Wed, 2009-06-03 at 17:59 -0400, Victor Duchovni wrote:
> The SSL_CTX_use_certificate_chain_file() API is a very admin friendly
> way to support installation of cert + chain and even key + cert + chain,
> as the key can also be stored in the same file (ideally mode 0600 or
> passphrase-protected)
On Wed, Jun 03, 2009 at 10:24:47PM +0100, David Woodhouse wrote:
> On Wed, 2009-06-03 at 15:02 -0400, Victor Duchovni wrote:
> > with SSL_CTX_use_certificate_chain_file() the entire trust chain is
> > loaded from the provided file bottom-up order. The first certificate
> > is the leaf and must mat
On Wed, 2009-06-03 at 15:02 -0400, Victor Duchovni wrote:
> with SSL_CTX_use_certificate_chain_file() the entire trust chain is
> loaded from the provided file bottom-up order. The first certificate
> is the leaf and must match the private key provided.
Ah, right. Most files I've encountered have
On Wed, Jun 03, 2009 at 07:27:00PM +0100, David Woodhouse wrote:
> On Tue, 2009-06-02 at 21:39 -0400, Victor Duchovni wrote:
> > The CAfile is for verification, not for sending along the trust chain
> > of a given certificate.
>
> OpenSSL currently _does_ use the CAfile for sending along the trus
On Tue, 2009-06-02 at 21:39 -0400, Victor Duchovni wrote:
> The CAfile is for verification, not for sending along the trust chain
> of a given certificate.
OpenSSL currently _does_ use the CAfile for sending along the trust
chain of its client certificate. It's buggy, but it tries :)
> DO NOT app
On Tue, Jun 02, 2009 at 01:25:32PM +0100, David Woodhouse wrote:
> On Mon, 2009-06-01 at 17:15 -0400, Victor Duchovni wrote:
> > > I found another strange behaviour that I didn't expect -- the _order_ of
> > > the certificates in the cafile seems to be important.
> >
> > Yes, the TLS protocol req
On Mon, 2009-06-01 at 17:15 -0400, Victor Duchovni wrote:
> > I found another strange behaviour that I didn't expect -- the _order_ of
> > the certificates in the cafile seems to be important.
>
> Yes, the TLS protocol requires the trust chain to be delivered bottom-up.
That makes sense, but we'r
On Sun, May 31, 2009 at 10:13:59AM +0100, David Woodhouse wrote:
> That makes a certain amount of sense; thanks. Forgive my ignorance -- is
> there a way to ensure that the full trust chain is included in the
> certificate itself, rather than having to provide the -CAfile option to
> openssl(1) se
On Sun, 2009-05-31 at 10:13 +0100, David Woodhouse wrote:
> On Tue, 2009-05-26 at 11:21 -0400, Victor Duchovni wrote:
> > The server is unhappy with the client certificate chain, and drops the
> > connection if the client certificate trust chain does not verify. The
> > same server is willing to ac
On Tue, 2009-05-26 at 11:21 -0400, Victor Duchovni wrote:
> The server is unhappy with the client certificate chain, and drops the
> connection if the client certificate trust chain does not verify. The
> same server is willing to accept clients with no certificates at all.
>
> The server is lame.
On Mon, May 25, 2009 at 08:41:29PM -0400, Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of David Woodhouse
> > Sent: Friday, 22 May, 2009 05:49
> > To: openssl-users@openssl.org
> > Subject: Re: TLS compatibility problem -- can connect to
>
> From: owner-openssl-us...@openssl.org On Behalf Of David Woodhouse
> Sent: Friday, 22 May, 2009 05:49
> To: openssl-users@openssl.org
> Subject: Re: TLS compatibility problem -- can connect to
> server with NSS but not OpenSSL.
>
> On Thu, 2009-05-21 at 22:44 +0100,
On Thu, 2009-05-21 at 22:44 +0100, David Woodhouse wrote:
> I'm trying to connect to an HTTPS server, and my connection is being
> rejected when I use a client certificate:
> [dw...@macbook ~]$ openssl s_client -cert $CERT -connect $SERVER:443 -crlf
> -tls1
> CONNECTED(0003)
> depth=1 /C=US/O=
I'm trying to connect to an HTTPS server, and my connection is being
rejected when I use a client certificate:
[dw...@macbook ~]$ openssl s_client -cert $CERT -connect $SERVER:443 -crlf -tls1
CONNECTED(0003)
depth=1 /C=US/O=Foo Corporation/CN=Foo Intranet Basic Issuing CA 2A
verify error:num=20