Re: certificate verification problem

2014-10-31 Thread thomas
On 10/31/2014 03:24 PM, Dave Thompson wrote: >> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org >> Sent: Thursday, October 30, 2014 14:50 > >> I have... root_ca.pem ... self-signed ... issued host_ca.pem ... >> I would expect the two to form a valid chain. And indeed,

RE: certificate verification problem

2014-10-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org > Sent: Thursday, October 30, 2014 14:50 > I have... root_ca.pem ... self-signed ... issued host_ca.pem ... > I would expect the two to form a valid chain. And indeed, > verification succeeds: > ... openssl verify -CAf

certificate verification problem

2014-10-30 Thread thomas
Hi, trying to build a valid certificate chain, I came across the following problem: I have two certificates. The first one, contained in file root_ca.pem, is a self-signed root CA, intended to sign intermediate CAs with. The second one, contained in host_ca.pem, is such an intermediate CA, it

Re: OpenSSL verification problem

2008-10-23 Thread Kadir
ime.c:312: > > Sincerely, > Kadir.

OpenSSL verification problem

2008-10-22 Thread Kadir
PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:948: 1893:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:312: Sincerely, Kadir.

Verification problem

2007-05-09 Thread Metalpalo

Re: Signature verification problem

2005-08-11 Thread Peter BENKO,VSE IT Sluzby,+421-55-610-2045,+421-903-855532
On Tue, Aug 09, 2005 at 08:54:44PM +0200, Dr. Stephen Henson wrote: > On Tue, Aug 09, 2005, Peter BENKO,VSE IT > Sluzby,+421-55-610-2045,+421-903-855532 wrote: > > > I have a problem with signature verification: > > > > When I try to verify the SMIME signed message (hello.txt.p7m - see > > attachm

Re: Signature verification problem

2005-08-09 Thread Dr. Stephen Henson
On Tue, Aug 09, 2005, Peter BENKO,VSE IT Sluzby,+421-55-610-2045,+421-903-855532 wrote: > I have a problem with signature verification: > > When I try to verify the SMIME signed message (hello.txt.p7m - see > attachment) with the command: > openssl smime -verify -in hello.txt.p7m -inform DER -CAfi

Signature verification problem

2005-08-09 Thread Peter BENKO,VSE IT Sluzby,+421-55-610-2045,+421-903-855532
I have a problem with signature verification: When I try to verify the SMIME signed message (hello.txt.p7m - see attachment) with the command: openssl smime -verify -in hello.txt.p7m -inform DER -CAfile ca-bundle.crt -out /dev/null I obtain the following error message: Verification failure 12491:e

Re: openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Richard Levitte
Victor Duchovni writes: Should we call not allowing CA certs with CA:FALSE or a Key Usage that does not include certificate signing "less buggy", rather than "tougher"? Sure :-). Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsori

Re: openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Victor Duchovni
On Fri, Jul 08, 2005 at 10:52:47AM +0200, Richard Levitte wrote: > Aleksey Sanin writes: > > >Thanks for the quick response and explanations! You are right, the > >second certificate in the chain did not have CA ext flag set and > >0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem. > > Yu

Re: openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Richard Levitte
Aleksey Sanin writes: Thanks for the quick response and explanations! You are right, the second certificate in the chain did not have CA ext flag set and 0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem. Yup, it's true, OpenSSL has become tougher on non-compliant CA certificates. ---

Re: openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Aleksey Sanin
Thanks for the quick response and explanations! You are right, the second certificate in the chain did not have CA ext flag set and 0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem. Very strange that I missed this till now :( Thanks again, Aleksey

Re: openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Richard Levitte
Aleksey Sanin writes: I ran into "invalid CA certificate" (X509_V_ERR_INVALID_CA) error when I was trying to verify third-level certificates with OpenSSL 0.9.8. It seems that the code in check_chain_extensions() function in crypto/x509/x509_vfy.c file assumes that either certificate must be di

openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Aleksey Sanin
I ran into "invalid CA certificate" (X509_V_ERR_INVALID_CA) error when I was trying to verify third-level certificates with OpenSSL 0.9.8. It seems that the code in check_chain_extensions() function in crypto/x509/x509_vfy.c file assumes that either certificate must be directly signed by CA cert

Re: Signature Verification problem

2003-04-02 Thread Dr. Stephen Henson
On Wed, Apr 02, 2003, Howard Chan wrote: > Actually, I found that if I use : openssl dgst -sha1 -verify > "pubkey" -signature "signature_file" -binary "original_file" > works. > > Provided that I signed with : openssl dgst -sha1 -sign "privkey" "original > file" . This is what I did with a tes

Re: Signature Verification problem

2003-04-02 Thread Howard Chan
of the signature and the "original file". In the case of OCSP requests, the "original file" is most certainly NOT the whole binary file!! Does anyone have any hints for me? Regards, - HC - Original Message - From: "Nils Larsch" <[EMAIL PROTECTED]>

Re: Signature Verification problem

2003-04-02 Thread Nils Larsch
Howard Chan wrote: What about using the openssl commands? ie. x509, rsautl, dgst, etc. Can I do all that I specified below strictly using those openssl commands? If so, how? 'openssl rsautl -pubin -verify ...' didn't work? Regards, Nils

Re: Signature Verification problem

2003-04-01 Thread Howard Chan
- Original Message - From: "Aleix Conchillo Flaque" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, April 01, 2003 8:35 PM Subject: Re: Signature Verification problem > "Howard Chan" <[EMAIL PROTECTED]> writes: > > > > > I ha

Re: Signature Verification problem

2003-04-01 Thread Aleix Conchillo Flaque
"Howard Chan" <[EMAIL PROTECTED]> writes: > > I have this file which used sha1 hash algorithm to obtain its message > digest, and subsequently the digest was encrypted (signed) using RSA > algorithm with a private key from an X.509 certificate. > i don't think you can get a private key from an X5

Signature Verification problem

2003-04-01 Thread Howard Chan
Dear all, I'm experimenting with openssl and I have the following problem at hand: I have this file which used sha1 hash algorithm to obtain its message digest, and subsequently the digest was encrypted (signed) using RSA algorithm with a private key from an X.509 certificate. Now, I h

Re: smime verification problem

2003-01-30 Thread Dr. Stephen Henson
On Thu, Jan 30, 2003, Gerd Schering wrote: > Hi, > > I use the smime utility to sign a message and output it in PEM format: > > openssl smime -sign -in req.csr -outform PEM -out mail.pem -signer \ > mycert.pem -inkey mykey.pem > > When trying to verify it, I get a failure: > > openssl smime -

smime verification problem

2003-01-30 Thread Gerd Schering
Hi, I use the smime utility to sign a message and output it in PEM format: openssl smime -sign -in req.csr -outform PEM -out mail.pem -signer \ mycert.pem -inkey mykey.pem When trying to verify it, I get a failure: openssl smime -verify -inform PEM -in mail.pem -CAfile CAstore Verification fa

Re: [Fwd: certificate verification problem]

2002-08-30 Thread Dr. Stephen Henson
On Thu, Aug 29, 2002, Lutz Jaenicke wrote: > On Thu, Aug 29, 2002 at 09:10:47AM -0400, Shaheed Bacchus wrote: > > you are correct, "issuer" is not self signed (in fact it's > > the cert that's provided by default with openssl in the > > apps/demoCA dir). so how do i tell the verification > >

Re: [Fwd: certificate verification problem]

2002-08-29 Thread Harald Koch
> It would take some extensions to the certificate verification code > to change the behaviour. I don't know how large the interest is > in such an extension. Pick me! -- Harald Koch <[EMAIL PROTECTED]> "It takes a child to raze a village." -Michael T. Fry __

Re: [Fwd: certificate verification problem]

2002-08-29 Thread Lutz Jaenicke
On Thu, Aug 29, 2002 at 10:21:39AM -0400, Shaheed Bacchus wrote: > that's the general direction i was slowly moving towards. > i guess one question that i have is since i have to use my > code to do the verification process anyhow, is there any > advantage to even using the X509_verify_cert() call

Re: [Fwd: certificate verification problem]

2002-08-29 Thread Shaheed Bacchus
that's the general direction i was slowly moving towards. i guess one question that i have is since i have to use my code to do the verification process anyhow, is there any advantage to even using the X509_verify_cert() call? thanks once again. Lutz Jaenicke wrote: > > OpenSSL does not support

Re: [Fwd: certificate verification problem]

2002-08-29 Thread Lutz Jaenicke
On Thu, Aug 29, 2002 at 09:10:47AM -0400, Shaheed Bacchus wrote: > you are correct, "issuer" is not self signed (in fact it's > the cert that's provided by default with openssl in the > apps/demoCA dir). so how do i tell the verification > routine to not walk further down the tree? ideally i

Re: [Fwd: certificate verification problem]

2002-08-29 Thread Shaheed Bacchus
hi lutz, you are correct, "issuer" is not self signed (in fact it's the cert that's provided by default with openssl in the apps/demoCA dir). so how do i tell the verification routine to not walk further down the tree? ideally i'd like to give it a cert that may or may not be self signed and

Re: [Fwd: certificate verification problem]

2002-08-29 Thread Lutz Jaenicke
On Wed, Aug 28, 2002 at 11:25:51AM -0400, Shaheed Bacchus wrote: > Shaheed Bacchus wrote: > > > hi all, > > i am having some problems getting certificate verification to > > work. i have two certs > > > > X509 *client; > > Subject: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MyTest > > Iss

Client certificate verification problem

2001-10-04 Thread Sejin Choi
Hi, all. It seems my last e-mail is somehow lost, so I'm resending it. Please give me some advice. :) Since my program is not for web site but general client/server communication program, I'd like to add a client certificate verification from the server side. I couldn't find any reference on clie