Re: Deleted client certificate trust expectations

2020-11-11 Thread Dan Freed
Thanks for the help. This got me on the right track. -Dan From: openssl-users Date: Wednesday, November 11, 2020 at 12:02 PM To: openssl-users@openssl.org Subject: Re: Deleted client certificate trust expectations External Mail. Careful of links / attachments. Submit Helpdesk if unsure. On

Re: Deleted client certificate trust expectations

2020-11-11 Thread Viktor Dukhovni
rocess. The built-in trust stores (code behind CAfile and CApath) are caching stores. They use an in memory cache of trusted certificates that is pre-loaded in the case of CAfile, and demand-loaded on a cache miss in the case of CApath. Once a certificate is loaded, it remains in the cache. The c
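An added example, not part of the thread: one way to act on the caching-store behaviour Viktor describes, written against Python's ssl module (which wraps the same SSL_CTX and CApath lookup). Because the in-memory cache of an existing context cannot be invalidated, the wrapper snapshots the CApath directory with os.stat() and builds a fresh context whenever the snapshot changes. The ReloadingTrustStore class, the directory layout and the placeholder file name are this example's own assumptions, not anything from the list.

```python
"""Rebuild an SSL context when the on-disk trust store changes.

Added example, not from the openssl-users thread. OpenSSL's CAfile/CApath
stores cache every certificate they load for the life of the SSL_CTX, so
deleting a file from the CApath directory does not untrust it. The only
reliable fix is to throw the context away and build a new one, which is
what this wrapper does whenever the directory's stat() snapshot changes.
"""
import os
import ssl
import tempfile


def trust_store_snapshot(capath):
    """Fingerprint a CApath directory: name, inode, size and mtime of each entry."""
    entries = []
    for name in sorted(os.listdir(capath)):
        full = os.path.join(capath, name)
        try:
            st = os.stat(full)           # follow the hash symlinks to their target
        except FileNotFoundError:
            st = os.lstat(full)          # dangling link: still part of the layout
        entries.append((name, st.st_ino, st.st_size, st.st_mtime_ns))
    return (os.stat(capath).st_mtime_ns, tuple(entries))


class ReloadingTrustStore:
    """Hand out an ssl.SSLContext that tracks a CApath directory.

    context() returns the cached context while the directory is unchanged and
    a brand-new one (with an empty OpenSSL certificate cache) as soon as any
    entry is added, removed or rewritten. Assumed design, not an OpenSSL API.
    """

    def __init__(self, capath):
        self.capath = capath
        self._snapshot = None
        self._ctx = None
        self.reloads = 0

    def _build(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.verify_mode = ssl.CERT_REQUIRED      # mutual auth: client cert required
        # CApath entries are demand-loaded by subject hash on a cache miss, so
        # nothing is parsed here and an empty directory does not raise.
        ctx.load_verify_locations(capath=self.capath)
        return ctx

    def context(self):
        snap = trust_store_snapshot(self.capath)
        if self._ctx is None or snap != self._snapshot:
            self._ctx = self._build()
            self._snapshot = snap
            self.reloads += 1
        return self._ctx


def demo():
    """Walk an add/remove cycle in a scratch directory; returns the reload count."""
    with tempfile.TemporaryDirectory() as capath:
        store = ReloadingTrustStore(capath)
        first = store.context()
        assert first is store.context()          # unchanged directory: same context
        # Constructed placeholder; a real CApath holds <subject-hash>.0 files.
        path = os.path.join(capath, "deadbeef.0")
        with open(path, "w") as f:
            f.write("placeholder, not a certificate\n")
        second = store.context()
        assert second is not first               # entry added: rebuilt
        os.remove(path)
        third = store.context()
        assert third is not second               # entry removed: rebuilt
        return store.reloads


if __name__ == "__main__":
    print("reloads during demo:", demo())
```

In a server, call store.context() for each accepted connection rather than holding one context for the process lifetime. Two caveats that follow from the thread: sessions already established against the old context are not affected by the rebuild, and a rebuild only helps if the code that created the old SSL objects stops using them.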

Re: Deleted client certificate trust expectations

2020-11-11 Thread Jordan Brown
What you observe is indeed reality; we ran into it too.  (Though we ran into it in the context of a long-running client verifying server certificates.) My assumption is that it's for performance, and that's sensible, but it would sure be nice to figure out how to detect those changes.  If a stat()

Re: Deleted client certificate trust expectations

2020-11-11 Thread Dan Freed
Sorry I realized I didn't include the OpenSSL version I was using. This is with OpenSSL 1.1.1d 10 Sep 2019. -Dan From: openssl-users Date: Wednesday, November 11, 2020 at 10:29 AM To: openssl-users@openssl.org Subject: Deleted client certificate trust expectations External Mail. Caref

Deleted client certificate trust expectations

2020-11-11 Thread Dan Freed
t connects with a client cert and the service verifies that certificate, then the trusted client cert is removed from /trusted_clients, then the client connects again - the client cert will still verify. The client cert will continue to verify until I restart the server. An strace of the

Re: [openssl-users] renegotiation expected to fail when trust configuration has changed.

2018-11-22 Thread Matt Caswell
On 22/11/2018 15:58, Pfluegl, Andreas wrote: > > I expect server_parse_cb() returning 0 to cause the interruption of the > connection. > > Can you confirm this? Yes. According to the docs: "If the B considers the extension data acceptable it must return 1. If it returns 0 or a negative valu

[openssl-users] renegotiation expected to fail when trust configuration has changed.

2018-11-22 Thread Pfluegl, Andreas
Hi, We have a C++ client application and a C++ server application using OpenSSL 1.1.0f to encrypt the TCP/IP communication. We enforce mutual authentication (also the server requests certificates from the clients and verifies if they are issued by a CA it trusts). We are able to update certif

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Dr. Pala
Hi Victor, A... that is why :D I wrongly assumed that the newly created parameters would hold the same initialization. This approach works! Thanks again! Cheers, Max On 12/11/17 5:45 PM, Viktor Dukhovni wrote: On Dec 11, 2017, at 7:35 PM, Dr. Pala wrote: Perhaps you ended up creati

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Viktor Dukhovni
> On Dec 11, 2017, at 7:41 PM, Dr. Pala wrote: > > Does it matter that we are not in the TLS case? No, the issue is not TLS-specific. > IMHO, the correct (or, better, the expected) behavior (from a developer's > standpoint) would be to trust keys in the trusted c

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Viktor Dukhovni
> On Dec 11, 2017, at 7:35 PM, Dr. Pala wrote: > >> Perhaps you ended up creating a parameter structure with a >> depth limit that's too small. Just configuring partial >> chains will never yield a chain that is longer than it >> otherwise would be. In fact you generally get shorter >> chains

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Dr. Pala
Hi Victor, does it matter that we are not in the TLS case (maybe the code is different in the SSL_CTX)? I am just trying to validate the chain with the TA set to the SubCA... :D IMHO, the correct (or, better, the expected) behavior (from a developer's standpoint) would be to trust ke

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Dr. Pala
Hi Victor, On 12/11/17 4:18 PM, Viktor Dukhovni wrote: [...] Perhaps you ended up creating a parameter structure with a depth limit that's too small.  Just configuring partial chains will never yield a chain that is longer than it otherwise would be.  In fact you generally get shorter chains. 

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Viktor Dukhovni
> On Dec 11, 2017, at 6:27 PM, Michael Richardson wrote: > > I believe that I ran into a similar problem where by I could not pin > ('trust') an intermediate certificate (which was not self-signed) for the > purposes of verifying a CMS/PKCS7 object. > > I don

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Viktor Dukhovni
> On Dec 11, 2017, at 6:20 PM, J Decker wrote: > > I'm pretty sure you need the root also, not just the intermedia ca... The purpose of X509_V_FLAG_PARTIAL_CHAIN is to make it possible to make do with just the intermediate certificate in the trust store. So, no, the root

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Michael Richardson
I believe that I ran into a similar problem where by I could not pin ('trust') an intermediate certificate (which was not self-signed) for the purposes of verifying a CMS/PKCS7 object. I don't have a solution, and I believe that work is required. Dr. Pala wrote: > I am

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread J Decker
issing some other configs / setting I should have done for > the verify param ? > > Cheers, > Max > > > On 12/11/17 3:18 PM, Viktor Dukhovni wrote: > >> >> On Dec 11, 2017, at 5:06 PM, Dr. Pala wrote: >>> >>> Hi all, >>> >>

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Viktor Dukhovni
> On Dec 11, 2017, at 6:03 PM, Dr. Pala wrote: > > thanks :D I just tried to set it and I get a different error now : 22 > (certificate chain too long)... I suspect it is a side effect of using the > X509_V_FLAG_PARTIAL_CHAIN flag... ? (no chain restrictions are set in the > certificates th

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Dr. Pala
, I am trying to verify a certificate and provide the possibility to directly trust an intermediate CA's certificate (not self-signed). After setting up the STORE and STORE_CTX and add the intermediate CA to the trusted certificates, when I use the "X509_verify_cert(ctx)" I get th

Re: [openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Viktor Dukhovni
> On Dec 11, 2017, at 5:06 PM, Dr. Pala wrote: > > Hi all, > > I am trying to verify a certificate and provide the possibility to directly > trust an intermediate CA's certificate (not self-signed). After setting up > the STORE and STORE_CTX and add the inte

[openssl-users] Certificate Verify and non-root Trust Anchors

2017-12-11 Thread Dr. Pala
Hi all, I am trying to verify a certificate and provide the possibility to directly trust an intermediate CA's certificate (not self-signed). After setting up the STORE and STORE_CTX and add the intermediate CA to the trusted certificates, when I use the "X509_verify_cert(ctx)"

[openssl-users] [PATCH] apps: when -purpose is passed, set matching trust param

2015-01-15 Thread Adam Williamson
UST_SSL_SERVER. This matches the behaviour of actual SSL client code (e.g. 's_client') more closely. This is a follow-up to my last couple of mails where I worked all this stuff out; it turns out it's actually (seemingly) pretty trivial to go ahead and hook up the appropriate trust para

RE: Does CMPv2 version 0.9.8g support trust chain

2014-10-19 Thread Salz, Rich
>I need to know if CMPv2 stack version 0.9.8g supports Configuration of Trusted >Chain of Vendor Certificates. How can I find this out? Can I get pointers to >some documentation that I can refer for any version of CMPv2 stack? 0.9.8g ??? You'll have to dig through the code yourself. -- Princ

Does CMPv2 version 0.9.8g support trust chain

2014-10-18 Thread Bhatt, Rakshesh 1. (NSN - IN/Bangalore)
Hi, I need to know if CMPv2 stack version 0.9.8g supports Configuration of Trusted Chain of Vendor Certificates. How can I find this out? Can I get pointers to some documentation that I can refer for any version of CMPv2 stack? -Rakshesh

Re: Server trust evaluation in openssl

2014-08-18 Thread dhanesh ov
5:17 PM, Jeffrey Walton wrote: > On Mon, Aug 18, 2014 at 5:47 PM, dhanesh ov > wrote: > > Hi, > > > > Can anyone tell how the server trust evaluation can be customized in > > openssl? We are using openssl in iOS and need to customize the server > trust > >

Re: Server trust evaluation in openssl

2014-08-18 Thread Jeffrey Walton
On Mon, Aug 18, 2014 at 5:47 PM, dhanesh ov wrote: > Hi, > > Can anyone tell how the server trust evaluation can be customized in > openssl? We are using openssl in iOS and need to customize the server trust > evaluation in openssl using self signed certificate. I believe you ar

Server trust evaluation in openssl

2014-08-18 Thread dhanesh ov
Hi, Can anyone tell how the server trust evaluation can be customized in openssl? We are using openssl in iOS and need to customize the server trust evaluation in openssl using self signed certificate. Thanks.

Re: Using TLS to establish SSH-like key based trust model

2013-08-01 Thread Dimitrios Apostolou
ing to use OpenSSL to provide SSH-like trust model, by using TLS. That means that the two peers have an RSA key pair stored, no certificate. They have also exchanged their public keys in a secure manner. Here is the way I do it, I would appreciate all opinions on this: * During initialisa

Using TLS to establish SSH-like key based trust model

2013-07-29 Thread Dimitrios Apostolou
Hello list, I am trying to use OpenSSL to provide SSH-like trust model, by using TLS. That means that the two peers have an RSA key pair stored, no certificate. They have also exchanged their public keys in a secure manner. Here is the way I do it, I would appreciate all opinions on this

Re: Trust *only* certs signed by intermediate CA

2013-03-09 Thread Viktor Dukhovni
out the details yet. Yes, SSL_CTX_set_verify() or SSL_set_verify() allow you to validate the trust chain yourself. Note: Contrary to documentation the callback order is not necessarily from the root down to the leaf in a single pass, rather this is only the final list of callbacks. Prior callback

Re: Trust *only* certs signed by intermediate CA

2013-03-09 Thread Ian Pilcher
On 03/09/2013 10:40 AM, Kyle Hamilton wrote: > Create a new self-signed client CA certificate with the same key and > Subject, setting the Issuer to the Subject of the client CA, and signed > with the client CA private key. Use this as your client-authenticator > "root". Well yes. I know I coul

Re: Trust *only* certs signed by intermediate CA

2013-03-09 Thread Kyle Hamilton
n I configure a (server) SSL_CTX to > accept connections *only* from clients which present a certificate > signed by the Client CA? > > As is well documented, I cannot simply trust the Client CA. > SSL_accept() will fail, because it cannot form a certificate chain all > the way to t

Trust *only* certs signed by intermediate CA

2013-03-08 Thread Ian Pilcher
|| Client CA | +---++---+ Given the above CA hierarchy, how can I configure a (server) SSL_CTX to accept connections *only* from clients which present a certificate signed by the Client CA? As is well documented, I cannot simply trust the Client CA. SSL_accept() will

draw a trust chain tree

2013-02-27 Thread ehsan enayati
Hi, I have a file which contains multiple certificates. I created it with cat command in linux. These certificates are related to each other I mean some of them are issuers of others, also there are some self signed CA certificate in there. Now I want to extract relation between these certificat

Re: trust chain building for X509_verify_cert

2012-06-06 Thread Vladimir Belov
milar. --- From: Dave Thompson Sent: Thursday, June 07, 2012 5:43 AM To: openssl-users@openssl.org Cc: 'Alexander Kirschner' Subject: RE: trust chain building for X509_verify_cert From: owner-openssl-us...@openssl.org On Behalf Of Arth

RE: trust chain building for X509_verify_cert

2012-06-06 Thread Dave Thompson
working on a small piece of code that is supposed to >do the same from C++ using the X509_verify_cert function. >The problem is: The verification always fails with error code 7 ("signature invalid"). I already tried three different attempts >(documented in the attached cpp file)

Re: trust chain building for X509_verify_cert

2012-06-06 Thread Bruce Stephens
Arthur Spitzer writes: [...] > The problem is: The verification always fails with error code 7 > (“signature invalid”). I already tried three different attempts > (documented in the attached cpp file) to build the trust chain, with > the same result. > > The relevant source

Re: trust chain building for X509_verify_cert

2012-06-06 Thread Vladimir Belov
(); -- From: Arthur Spitzer Sent: Tuesday, June 05, 2012 12:48 PM To: openssl-users@openssl.org Cc: Alexander Kirschner Subject: trust chain building for X509_verify_cert Hi, I need to verify a X.509 certificate

trust chain building for X509_verify_cert

2012-06-05 Thread Arthur Spitzer
trust chain, with the same result. The relevant source code (certificates as char arrays included in the cpp) and both certificates are attached. I would be very grateful if you could give me a hint. Right now I am a little lost. Thanks in advance & Best regards, Ar

RE: How to trust a 'root' certificate

2012-04-26 Thread Tammany, Curtis
They are not test certificates. No- I cannot send them. Sorry. Curtis From: Sergio NNX [mailto:sfhac...@hotmail.com] Sent: Thursday, April 26, 2012 14:07 To: Tammany, Curtis Subject: RE: How to trust a 'root' certificate > Running openssl version -d returns "OPENSSLDIR: c:

RE: How to trust a 'root' certificate

2012-04-26 Thread Tammany, Curtis
FICATE----- and end with -----END CERTIFICATE----- How is removing the SSLCACertificatePath going to get OpenSSL to verify/trust the root cert? SSLCACertificateFile conf/certs/DOD_EMAILCerts.crt The full path would be C:\Apache\conf\certs Running openssl version -d returns "OPENSSLDIR: c:/open

Re: How to trust a 'root' certificate

2012-04-26 Thread Peter Sylvester
do I get OpenSSL to recognize/verify a certificate? Put the file that contains the certificate you’d like to trust into the certs directory discussed above. Then create the hash-based symlink. Here’s a little script that’ll do just that. #!/bin/sh # # usage: certlink.sh filename [filename ...] for

RE: How to trust a 'root' certificate

2012-04-26 Thread Tammany, Curtis
" How do I get OpenSSL to recognize/verify a certificate? Put the file that contains the certificate you’d like to trust into the certs directory discussed above. Then create the hash-based symlink. Here’s a little script that’ll do just that. #!/bin/sh # # usage: certlink.sh filename [filena

Re: How to trust a 'root' certificate

2012-04-26 Thread Peter Sylvester
issues similar error messages: check the verify(1) program manual page for more information." How can I get OpenSSL to "trust" my DOD root certificate? In general all certificates that you have in the apache as client CAs are trusted but they need to chain up to some root which mus

Re: How to trust a 'root' certificate

2012-04-26 Thread Bernhard Fröhlich
imilar error messages: check the verify(1) program manual page for more information." How can I get OpenSSL to "trust" my DOD root certificate? Hmm, seems like we both are a bit wrong... :-) You have to tell Apache about the trusted CA certificates, so that Apache can tell Ope

Re: How to trust a 'root' certificate

2012-04-26 Thread Bernhard Fröhlich
l". That folder does not exist on my servers. I think I need to get OpenSSL to trust the self signed certificate. What steps do I take? Thank you. This is an Apache question and is only loosely connected to OpenSSL. I'll take the liberty to forward you to CAcert.org's WiKi whi

RE: How to trust a 'root' certificate

2012-04-26 Thread Tammany, Curtis
ram manual page for more information." How can I get OpenSSL to "trust" my DOD root certificate? Curtis -Original Message- From: Bernhard Fröhlich [mailto:t...@convey.de] Sent: Thursday, April 26, 2012 09:39 To: openssl-users@openssl.org; Tammany, Curtis Subject: Re

How to trust a 'root' certificate

2012-04-26 Thread Tammany, Curtis
. I think I need to get OpenSSL to trust the self signed certificate. What steps do I take? Thank you. Curtis N. Tammany Lead Web Application Developer, National Security & Defense Systems Engineering and Technology URS 16156 Dahlgren Road Dahlgren, Virginia, 22

How to trust a 'root' certificate

2012-04-25 Thread Tammany, Curtis
termediate certificates that I have on the server with the openssl verify command which returned "error 18 at 0 depth lookup:self signed certificate" Running openssl version -d returns "OPENSSLDIR: "c:/openssl-1.0.1/ssl". That folder does not exist on my servers. I think

Trust Chain Loading and signature verification of a certificate

2011-07-19 Thread brajan
need to validate with its intermediate CA. Intermediate certificates also can be in the P7b file but not the Root Certificate or Self Signed Certificates. Please can anyone tell me how to load the Trust Chain and verify. I am not able to understand the X509_STORE and X509_STORE_CTX concepts. (I am

Re: Trust and Key management

2011-01-13 Thread Karthik Ravikanti
ificant compared to the overhead of an SSL connection -- > but I have had some unpleasant surprises in my life. For certs > I'd be surprised to see anyone use something besides X.509 -- > nothing else has significant public acceptance. > > > I found a X509_TRUST_*

Re: Trust and Key management

2011-01-13 Thread Karthik Ravikanti
o one > has a good reason to restrict certs or use other than X.509.) > I'd be unpleasantly surprised if the overhead of converting a key > is significant compared to the overhead of an SSL connection -- > but I have had some unpleasant surprises in my life. For certs > I'd b

RE: Trust and Key management

2011-01-13 Thread Dave Thompson
found a X509_TRUST_*() class of functions in the code. > What do these do? Can they simplify any of this? I don't know exactly; I don't use them. I think they add some finer trust settings to an X.509 cert, kind of like keyUsage or extendedKeyUsage but not set/confirmed/signed by

Re: Trust and Key management

2011-01-13 Thread Karthik Ravikanti
wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Karthik > Ravikanti > > Sent: Tuesday, 11 January, 2011 00:44 > > > Does OpenSSL provide any API for managing a trust store and a key > store like Java? > > Not in the same way at least. >

Re: Trust and key store management with OpenSSL

2011-01-13 Thread Karthik Ravikanti
Oops, I already asked this on the list... I forgot to check the reply. Please ignore. On Thu, Jan 13, 2011 at 3:16 PM, Karthik Ravikanti < karthik.ravika...@gmail.com> wrote: > Hi, > > Is there any trust store and key store API in OpenSSL? I did find a few > functions of type X

Trust and key store management with OpenSSL

2011-01-13 Thread Karthik Ravikanti
Hi, Is there any trust store and key store API in OpenSSL? I did find a few functions of type X509_TRUST_* in the code, but it is not clear how to use them. Is the only way to manage trusted certificates and keys to put them in a certs directory or a flat PEM file? Thanks, Karthik, R.

RE: Trust and Key management

2011-01-11 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Karthik Ravikanti > Sent: Tuesday, 11 January, 2011 00:44 > Does OpenSSL provide any API for managing a trust store and a key store like Java? Not in the same way at least. OpenSSL most easily uses certs and

Trust and Key management

2011-01-10 Thread Karthik Ravikanti
Hi, Does OpenSSL provide any API for managing a trust store and a key store like Java? Thanks, karthik

Re: trust store for root/intermediate certificates

2010-12-11 Thread Dr. Stephen Henson
On Fri, Dec 10, 2010, Ashok Kumar wrote: > Hi All, > > I am not getting success to find the trust store location for CA > root/intermediate certificates in Netscape Browser 4.79 (pretty old). Any > one can please help me where it could be located so that I can update my > CA

trust store for root/intermediate certificates

2010-12-10 Thread Ashok Kumar
Hi All, I am not getting success to find the trust store location for CA root/intermediate certificates in Netscape Browser 4.79 (pretty old). Any one can please help me where it could be located so that I can update my CA's root/intermediate certs using command line? Really appreciate

Re: trust settings on the root CA

2010-11-02 Thread Dr. Stephen Henson
On Tue, Nov 02, 2010, Michael Ströder wrote: > Michael Ströder wrote: > > man 1ssl verify says: > > > > "The third operation is to check the trust settings on the root CA. The root > > CA should be trusted for the supplied purpose. For compatibility with > 

Re: trust settings on the root CA

2010-11-02 Thread Michael Ströder
Michael Ströder wrote: > man 1ssl verify says: > > "The third operation is to check the trust settings on the root CA. The root > CA should be trusted for the supplied purpose. For compatibility with previous > versions of SSLeay and OpenSSL a certificate with no trust setting

trust settings on the root CA

2010-11-02 Thread Michael Ströder
man 1ssl verify says: "The third operation is to check the trust settings on the root CA. The root CA should be trusted for the supplied purpose. For compatibility with previous versions of SSLeay and OpenSSL a certificate with no trust settings is considered to be valid for all purposes

end users managing trust databases (was: Re: Wildcard certs?)

2010-07-28 Thread Steffen DETTMER
r reason. Because of this, unfortunately, end users have almost no chance to correctly perform their trust management. It is not transparent what tool uses which trust database - and it is even updated automatically. But on the other hand, most users don't even know what all this is about. Ev

Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-29 Thread aerowolf
- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 28, 2009 5:00 AM To: openssl-users@openssl.org Subject: Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set On Tue, Oct

Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-29 Thread Dr. Stephen Henson
_cb it is nigh-on > impossible for a client author to DTRT with OpenSSL because of the > limitations of the API. > Hmm... seems to be a little out of date. It is possible to add certs to the store and set them to an appropriate trust value to avoid them being acceptable as server roots

Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-29 Thread Joe Orton
On Wed, Oct 28, 2009 at 06:51:02PM +0100, Dr. Stephen Henson wrote: > On Wed, Oct 28, 2009, Mourad Cherfaoui (mcherfao) wrote: > > I am not sure I understand why the client is broken? Did you mean that the > > sign bit can be omitted if the client sends the entire chain of certificates > > (except

RE: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-29 Thread Eisenacher, Patrick
Hi Mourad, -Original Message- > From: On Behalf Of Mourad Cherfaoui > Sent: Wednesday, October 28, 2009 6:23 AM > To: openssl-users@openssl.org > Subject: TLS trust of a chain of certificates up to a root CA. Certificate > Sign extension not set > I have a chain of ce

Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-28 Thread Dr. Stephen Henson
On Wed, Oct 28, 2009, Mourad Cherfaoui (mcherfao) wrote: > > I am not sure I understand why the client is broken? Did you mean that the > sign bit can be omitted if the client sends the entire chain of certificates > (except maybe the root) AND the server has the certificates chain as well? > Tha

Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-28 Thread Patrick Patterson
On October 28, 2009 12:10:16 pm Mourad Cherfaoui (mcherfao) wrote: > Thanks Steve, > > Yes, the keyUsage is present but the sign bit is not set. As a background > on this, the user does not want his CA to set the sign bit for non-root > certificates. > If the keyUsage is present and the certSign bi

RE: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-28 Thread Mourad Cherfaoui (mcherfao)
: -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 28, 2009 5:00 AM To: openssl-users@openssl.org Subject: Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign

Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-28 Thread Dr. Stephen Henson
On Tue, Oct 27, 2009, Mourad Cherfaoui wrote: > > Hi, I have a chain of certificates C->B->A->RootCA. The TLS client only > presents C during the TLS handshake. RootCA has the Certificate Sign > extension set but not B and A. The TLS server fails the TLS handshake > because of the absence of

TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-28 Thread Mourad Cherfaoui
Hi, I have a chain of certificates C->B->A->RootCA. The TLS client only presents C during the TLS handshake. RootCA has the Certificate Sign extension set but not B and A. The TLS server fails the TLS handshake because of the absence of the Certificate Sign extension in B and A. My first

Re: how trust self signed certificate

2008-09-09 Thread Sergio
" hash link. Is that anyway to trust the "self signed" certificate? If I load the issuer certificate into IE browser, It appears as root... Thanks in advance Mattew I'm not an expert but openssl builds

how trust self signed certificate

2008-09-09 Thread matteo mattau
l/ssl/certResponse Verify Failure1903:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:self signed certificate in certificate chain Into /usr/local/ssl/cert I've copied the issuer certificate and created the "ln -s" hash link. Is that

Re: Direct trust in server certificate?

2008-02-14 Thread Victor Duchovni
On Thu, Feb 14, 2008 at 10:56:53AM -0500, Cooper, Andy wrote: > Thanks. As it turns out I had enabled all digest algorithms and used > SHA256 which is probably somewhat of an overkill ... Yes, it is somewhat paranoid, but not unreasonably so. Wouldn't have brought it up otherwise... --

RE: Direct trust in server certificate?

2008-02-14 Thread Cooper, Andy
@openssl.org Subject: Re: Direct trust in server certificate? On Wed, Feb 13, 2008 at 05:06:35PM -0500, Cooper, Andy wrote: > Thank you. I've managed to write code that does fingerprint > verification like you suggested, and it seems to work. Cool. If you are concerned about "second pr

Re: Direct trust in server certificate?

2008-02-14 Thread Victor Duchovni
On Wed, Feb 13, 2008 at 05:06:35PM -0500, Cooper, Andy wrote: > Thank you. I've managed to write code that does fingerprint verification > like you suggested, and it seems to work. Cool. If you are concerned about "second pre-image" attacks on md5, use sha1, if you are also concerned about sha1,

RE: Direct trust in server certificate?

2008-02-14 Thread Cooper, Andy
users@openssl.org Subject: Re: Direct trust in server certificate? On Tue, Feb 12, 2008 at 04:33:49PM -0500, Cooper, Andy wrote: > Now, on the client I'm trying to make sure that only the certificate > I've created is valid and that any other certificate is not valid. > What I

Re: Direct trust in server certificate?

2008-02-13 Thread Victor Duchovni
t the server > certificate as long as it has the CA certificate in its trusted > certificates file. The OpenSSL verification callbacks only (optionally) verify the certificate trust chain. Verifying that this is the right cert for a given destination is application code you have to write, as Open

Direct trust in server certificate?

2008-02-13 Thread Cooper, Andy
I'm a relative newcomer to OpenSSL so I apologize in advance if this has been asked before. I'm trying to get an OpenSSL client to accept only a *specific* server certificate as opposed to it accepting any certificate that is issued by a given CA. I need to skip the hostname check - the client
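An added example, not part of the thread: the pattern the replies converge on (let the handshake complete, then have the application compare a fingerprint of the certificate the peer actually presented against a value obtained out of band), written with Python's ssl module rather than the C API. It uses SHA-256 to sidestep the second-preimage concern raised for MD5 and SHA-1, and a constant-time comparison. The SAMPLE_DER bytes are a constructed stand-in, and the function and class names are this example's own.

```python
"""Pin one specific server certificate instead of trusting a CA.

Added example, not from the openssl-users thread. The TLS layer is told to
perform no chain or hostname check; the application then compares the
SHA-256 fingerprint of the DER certificate the peer presented against a
pin learned out of band (the same value `openssl x509 -fingerprint
-sha256` prints). Any other certificate, signed by anyone, is rejected.
"""
import hashlib
import hmac
import ssl

# Constructed stand-in for a DER-encoded certificate. Fingerprinting only
# hashes bytes, so the example does not need real ASN.1 to run.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-placeholder-not-a-real-certificate"


def fingerprint(der_cert, algorithm="sha256"):
    """Lowercase hex digest of the DER certificate."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def normalize_pin(pin):
    """Accept 'AB:CD:...' (openssl output) or 'abcd...' and return lowercase hex."""
    return pin.replace(":", "").strip().lower()


def matches_pin(der_cert, pins, algorithm="sha256"):
    """True iff the presented certificate matches one of the pins.

    Every pin is compared, and each comparison is constant-time, so timing
    does not reveal which pin (if any) matched.
    """
    observed = fingerprint(der_cert, algorithm)
    matched = False
    for pin in pins:
        if hmac.compare_digest(observed, normalize_pin(pin)):
            matched = True
    return matched


class PinMismatch(Exception):
    """Raised when the peer's certificate is not one of the pinned ones."""


def pinned_client_context():
    """Client context that lets the handshake finish so we can inspect the cert.

    CERT_NONE means OpenSSL checks neither the chain nor expiry; the pin is
    the only thing standing between the client and an impostor, so it must
    be enforced before any application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # the pin replaces the hostname check
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def enforce_pin(tls_sock, pins):
    """Call immediately after the handshake; returns the accepted fingerprint."""
    der = tls_sock.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pins):
        raise PinMismatch("server certificate does not match any pin")
    return fingerprint(der)


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER)
    print("sha256 fingerprint:", fp)
    print("matches its own pin:", matches_pin(SAMPLE_DER, [fp]))
```

Usage is: wrap the TCP socket with pinned_client_context().wrap_socket(sock, server_hostname=host), then call enforce_pin(tls_sock, [PIN]) before writing anything. Keep more than one pin in the list while rotating the server certificate, or the rotation becomes an outage. Because verification is disabled at the TLS layer, nothing checks expiry or revocation; with a single pinned certificate that is usually acceptable, but it is a choice the application owner must make knowingly.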

Re: Verifying a PDF that was signed with S-Trust

2007-10-02 Thread Dr. Stephen Henson
On Tue, Oct 02, 2007, Benjamin Fleckenstein wrote: > Hi all, > > I'm trying to verify a PDF that was signed with S-Trust Sign-IT. That's a > software sold by a german bank and used for qualified digital signatures. > From a technical point of view it's just an SMIME Sign

Verifying a PDF that was signed with S-Trust

2007-10-02 Thread Benjamin Fleckenstein
Hi all, I'm trying to verify a PDF that was signed with S-Trust Sign-IT. That's a software sold by a german bank and used for qualified digital signatures. From a technical point of view it's just an SMIME Signature. I'm running this command: [EMAIL PROTECTED]:~/test/openssl/st

IE7 doesn't trust openssl-generated certificate

2007-08-30 Thread Victor B. Wagner
One user reported problem with my https website (which uses apache/mod_ssl), telling that IE7 doesn't trust my CA certificate. Problem never happened with earlier versions of IE and with any other browsers. Since I don't have Windows machine with IE7 I cannot reproduce problem myself

Web-of-trust authentication in OpenSSL.

2007-04-28 Thread Dr Bob
Dear OpenSSL community, I wrote to the OpenSSL-dev list about 6 months ago, mentioning my work developing a Web-Of-Trust Authentication System for OpenSSL connections. There was a little bit of interest, and one person who helped a bit with the code... However 6 months later, I'm basical

RE: cannot get trust between my certificates

2003-08-14 Thread Kulicke Marcel
Hi, Just a guess... One possible reason is probably a wrong SSL_set_verify-option. With the highest security level only local stored certs are accepted, despite a given CA-relationship. Best Regards, Marcel __ OpenSSL Project

Re: Trust

2002-04-11 Thread Steve Harris
key you used to sign the >server certificate with into your and your clients' browsers. >For Internet Explorer do: >Tools/Internet Options/Content/Certificates/Trusted Root Certification >Authorities >and then click on the import button to import your public CA cert. >Your brows

RE: Trust

2002-04-11 Thread Neff Robert A
certificate with into your and your clients' browsers. For Internet Explorer do: Tools/Internet Options/Content/Certificates/Trusted Root Certification Authorities and then click on the import button to import your public CA cert. Your browser will now trust all sites (servers) containing certifi

Trust

2002-04-11 Thread Steve
icate (in IE it will only install in the "personal" list not the "Trusted Root CA" list even though it says it was successfully imported. What do users (or I) need to do to make sure that they don't get the warning pop-up each visit to the site (assuming, of course,

Re: OpenSSL Chain Of Trust

2002-03-07 Thread damiank
"Trilli, Kevin" <> To: <[EMAIL PROTECTED]> Sent: Tuesday, March 05, 2002 12:33 PM Subject: RE: OpenSSL Chain Of Trust > Just to add one final data point to close this issue, since my private > response was posted to the list. > > Damian, > > VeriSign h

Re: OpenSSL Chain Of Trust

2002-03-04 Thread damiank
Woops. You are correct. I just checked, and indeed the certification part is quite different for Server IDs. I was under the assumption that there were no significant differences between certificates. Definitely extensive. Thanks though for the answers regarding the Chain of

RE: OpenSSL Chain Of Trust

2002-02-28 Thread Steven Reddie
]On Behalf Of [EMAIL PROTECTED] Sent: Friday, 1 March 2002 12:51 PM To: [EMAIL PROTECTED] Subject: Re: OpenSSL Chain Of Trust As I said, payment was made via wire transfer, and the email address was free, there are a lot of free sites out there. However, this was only an experiment of sorts

Re: OpenSSL Chain Of Trust

2002-02-28 Thread damiank
ursday, February 28, 2002 8:31 PM Subject: Re: OpenSSL Chain Of Trust > > I want to issue certs off the purchased cert so that I don't have to keep > > purchasing them. Is this possible, and, Kevin, is this Legal? > > It is possible; you can use the cert as a CA cert. > Is

Re: OpenSSL Chain Of Trust

2002-02-28 Thread Rich Salz
> I want to issue certs off the purchased cert so that I don't have to keep > purchasing them. Is this possible, and, Kevin, is this Legal? It is possible; you can use the cert as a CA cert. Is it legal? Probably, it depends on what is in the agreement you have with Verisign. Will it work? No

Re: OpenSSL Chain Of Trust

2002-02-28 Thread damiank
essage - From: "Trilli, Kevin" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, February 28, 2002 6:37 PM Subject: RE: OpenSSL Chain Of Trust > Dear Sir: > Would you please send me your certificate info for the certs you state that > we issued you ?

OpenSSL Chain Of Trust

2002-02-28 Thread damiank
ensive Verisign certificate? My hope is that the certificate I issue will establish a chain of trust back to verisign, thus, users won't get that silly popup window in their browsers saying the site is dangerous, etc etc. I don't think my certificate is dangerous just because I have not paid

RE: OpenSSL SMIME Signature Verification Chain Trust vs. Direct Trust

2001-07-29 Thread Wang, Kate
chain except the top root certificate would be included in the signature? This would affect the verification side's configuration. When I use chain trust mode to verify a signature with cert included, should I use the top root only, or should I always put the whole chain within -CAfile ? Thanks

Re: OpenSSL SMIME Signature Verification Chain Trust vs. Direct Trust

2001-07-29 Thread Dr S N Henson
Kate Wang wrote: > > Hi, all, > > It seems to me that for SMIME signature verification, ALL CA certificates > (including root and intermediate CAs) have to be included in the CA file > specified in -CAfile option. I don't really understand why this should be > enforced. In earlier version of O

OpenSSL SMIME Signature Verification Chain Trust vs. Direct Trust

2001-07-29 Thread Kate Wang
Hi, all, It seems to me that for SMIME signature verification, ALL CA certificates (including root and intermediate CAs) have to be included in the CA file specified in the -CAfile option. I don't really understand why this should be enforced. In earlier versions of OpenSSL there is an option -NOCH

Re: client trust mgr configuration

2001-07-15 Thread Dr S N Henson
iphersuite = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA > + verify all peers [trust is blind!] > > Here is the stdout trace on the client side: > = > before/connect initialization > SSLv3 write client hello A > SSLv3 read server hello A > SSLv3 read server certificate A > SSL alert

client trust mgr configuration

2001-07-14 Thread Bishr Tabbaa
JAVASERVER: + uses IAIK & Sun's implementation of SSL in Java + ciphersuite = "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" + mutual authentication disabled CCLIENT: + uses OpenSSL implementation of SSL in C + ciphersuite = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA + verify all peers [trust
