Hi,
On 30/06/21 15:22, Paulo Wollny wrote:
Hi,
Thank you for the answer.
Can you please point me in the right direction for a solution?
try
http://httpd.apache.org/userslist.html
Regarding the "look suspicious - it means your client is connecting
from 127.0.0.1 and your server is also li
nSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, I get the
following error when presenting my certificate:
ERR_BAD_SSL_CLIENT_AUTH_CERT
It started to
Hi,
On 30/06/21 00:23, Paulo Wollny wrote:
Dear @ll
My environment:
OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, I get the
following error when
Dear @ll
My environment:
OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, I get the
following error when presenting my certificate
On 3/17/21 9:48 PM, tincanteksup wrote:
On 18/03/2021 01:22, Robert Moskowitz wrote:
On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
Well, CSRs are self-signed, and X25519 does not support signing, so
you CANNOT have an X25519 CSR.
Slap myself on the forehead
Of course I know that. Bu
On 18/03/2021 01:22, Robert Moskowitz wrote:
On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
Well, CSRs are self-signed, and X25519 does not support signing, so
you CANNOT have an X25519 CSR.
Slap myself on the forehead
Of course I know that. But did not stop to think this through. :(
On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote:
I have created my X25519 pub/priv keypair with:
openssl genpkey -algorithm X25519\
-out $dir/private/$clientemail-X.key.$format
Are you sure you didn't want ed25519 instead?
On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote:
> >> I have created my X25519 pub/priv keypair with:
> >>
> >> openssl genpkey -algorithm X25519\
> >> -out $dir/private/$clientemail-X.key.$format
>
> > Are you sure you didn't want ed25519 instead? X25519 is a key agreement
On 3/17/21 7:22 PM, Viktor Dukhovni wrote:
On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:
I have created my X25519 pub/priv keypair with:
openssl genpkey -algorithm X25519\
-out $dir/private/$clientemail-X.key.$format
Are you sure you didn't want ed25519 instead?
On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:
> I have created my X25519 pub/priv keypair with:
>
> openssl genpkey -algorithm X25519\
> -out $dir/private/$clientemail-X.key.$format
Are you sure you didn't want ed25519 instead? X25519 is a key agreement
method, not a s
I have created my X25519 pub/priv keypair with:
openssl genpkey -algorithm X25519\
-out $dir/private/$clientemail-X.key.$format
And displays properly with:
openssl pkey -in $dir/private/$clientemail-X.key.$format -text -noout
So now to make the csr with:
openssl req -config $dir/openssl-
Hmm ok I get it.
So, to be able to get the fingerprint for the used certificates during a
TLS handshake is possible by using the SSL_set_verify callbacks in the
application or is the mentioned postfix useful for this purpose?
On Mon, Mar 15, 2021 at 12:23:54PM +0100, Robert Ionescu wrote:
> I already found the callbacks for the verification process and I am
> still trying to figure it out if it is possible to change them in a
> way that they will print some certificate information to determine
> which certificate was u
I already found the callbacks for the verification process and I am still
trying to figure it out if it is possible to change them in a way that they
will print some certificate information to determine which certificate was
used?
On Fri, Mar 12, 2021 at 09:06:57AM +0100, Robert Ionescu wrote:
> With "wrong" certificate I meant "invalid certificate". So the idea
> was in a bigger environment with a lot of certificates, to make the
> invalid certificate debugging easier by getting more information from
> openssl to identify
Thu, Mar 11, 2021 at 8:40 PM Michael Wojcik <
michael.woj...@microfocus.com> wrote:
> > From: openssl-users On Behalf Of
> Viktor
> > Dukhovni
> > Sent: Thursday, 11 March, 2021 10:39
> > To: openssl-users@openssl.org
> > Subject: Re: Client certificate a
> From: openssl-users On Behalf Of Viktor
> Dukhovni
> Sent: Thursday, 11 March, 2021 10:39
> To: openssl-users@openssl.org
> Subject: Re: Client certificate authentication
>
> > On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
> >
> > I am searchi
If he's trying to muck with the library, he's probably struggling with a
precompiled binary he doesn't have the source code to.
-Kyle H
On Thu, Mar 11, 2021, 11:48 Viktor Dukhovni
wrote:
> > On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
> >
> > I am searching for the functions in openss
> On Mar 11, 2021, at 2:16 PM, Robert Ionescu
> wrote:
>
> I am searching for the functions in openssl used to verify the clients
> certificate when using mutual authentication.
The same code verifies peer certificate chains, whether client or server.
> My intention is to find a way to log a w
Hi,
I am searching for the functions in openssl used to verify the clients
certificate when using mutual authentication.
My intention is to find a way to log a wrong user certificate directly
inside the openssl source.
Any help would be highly appreciated
your control, and then generated a CRL for the ones you want to exclude. Or
actually you could just cross-sign only the ones you want to allow, and made
your CA the only trust root for the TLS termination systems; that would work.
But I'm guessing modifying every client certificate is n
From: openssl-users on behalf of Michael
Wojcik
Sent: Friday, 4 December 2020 15:07:02
To: openssl-users@openssl.org
Subject: RE: Client-Certificate blocking without conrolling the issuing CA
> From: openssl-users On Behalf Of Vincent
> Truchsess - rockenstein AG
> Sent: Frid
> From: openssl-users On Behalf Of Vincent
> Truchsess - rockenstein AG
> Sent: Friday, 4 December, 2020 04:27
>
> The organization legally responsible for the application maintains a
> blocklist of certificate serials they consider to be invalidated. Also, this
> organization does not bother to g
Hi,
I am well aware that the use case I'm going to describe is not how PKI is
intended to be implemented but unfortunately, the organizational architecture of
this particular application is out of my reach.
We are operating an application that strongly relies on client certificates as
the outer a
Thanks for the help. This got me on the right track.
-Dan
From: openssl-users
Date: Wednesday, November 11, 2020 at 12:02 PM
To: openssl-users@openssl.org
Subject: Re: Deleted client certificate trust expectations
On
On Wed, Nov 11, 2020 at 04:28:40PM +, Dan Freed wrote:
> I have a question/issue about how OpenSSL should handle a deleted
> client certificate. It appears that once a trusted certificate is read
> from the filesystem, it remains trusted throughout the lifespan of the
> server p
What you observe is indeed reality; we ran into it too. (Though we ran
into it in the context of a long-running client verifying server
certificates.)
My assumption is that it's for performance, and that's sensible, but it
would sure be nice to figure out how to detect those changes. If a
stat()
Sorry I realized I didn't include the OpenSSL version I was using.
This is with OpenSSL 1.1.1d 10 Sep 2019.
-Dan
From: openssl-users
Date: Wednesday, November 11, 2020 at 10:29 AM
To: openssl-users@openssl.org
Subject: Deleted client certificate trust expectations
Hello,
I have a question/issue about how OpenSSL should handle a deleted client
certificate. It appears that once a trusted certificate is read from the
filesystem, it remains trusted throughout the lifespan of the server process.
I wrote a small SSL web service that reproduces the issue I
/AKID ... Presumably a check for proper KU on the client
certificate would be bypassed if the client cert is v1 - but then using a v1
certificate is another violation of RFC 5246 (7.4.2) that OpenSSL probably
should not enforce.
Yes, v1 certs would get a free ride. The reason to enforce KU
in client certs
Viktor Dukhovni wrote:
> Yes, v1 certs would get a free ride. The reason to enforce KU
> in client certs would be that client certs are not infrequently
> (though not always) optional, and it can be better to not send
> any client cert, than to send one the server will reject.
ck for proper KU on the
> client certificate would be bypassed if the client cert is v1 - but then
> using a v1 certificate is another violation of RFC 5246 (7.4.2) that OpenSSL
> probably should not enforce.
Yes, v1 certs would get a free ride. The reason to enforce KU
in client certs wo
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Viktor Dukhovni
> Sent: Tuesday, June 11, 2019 10:39
> A client certificate that cannot do digital signatures is not much use.
There may be existing applications which use TLS entirely within an
organiz
That said, the intention isn't to ignore all the requirements, just
some of those that are not always a good idea to enforce, and perhaps
should never have been mandated in the first place. Therefore, while
we leave enforcing the certificate signature algorithms to the peer,
enforcing keyUsa
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Jakob Bohm via openssl-users
> Sent: Tuesday, June 11, 2019 08:19
>
> On 11/06/2019 12:50, Hareesh D wrote:
> >
> > Is this behavior valid and according to RFC ?
>
> There's an overarching OpenSSL policy that certificat
On 11/06/2019 12:50, Hareesh D wrote:
TLSv12 client is sending RSA certificate even when it doesn't have
digitalSignature bit in keyUsage extension. But RFC5246 section-7.4.6
says it's a MUST condition for client to send RSA certificate with
digitalSignature bit set in keyUsage extension.
1. Though
TLSv12 client is sending RSA certificate even when it doesn't have
digitalSignature bit in keyUsage extension. But RFC5246 section-7.4.6 says
it's a MUST condition for client to send RSA certificate with digitalSignature
bit set in keyUsage extension.
1. Though server is rejecting such certificates, not
On Tue, Jan 31, 2017 at 08:07:16AM -0700, russellb...@gmail.com wrote:
> It was on the client side. I'm running sendmail as a client
> to relay mail that originates on my computer through gmail.
Gmail's SMTP server, correctly, does not suggest any preferred
client CAs.
> When I
> request
Quoth Mr Benjamin Kaduk:
'That's generally the default server behavior when no CAs are
configured for that purpose. But, (1) I thought you were looking at
the client side, and (2) how to configure the server depends on what
software is used on the server, so there's not much more
> On Jan 30, 2017, at 11:44 AM, russellb...@gmail.com wrote:
>
>> it is often wise to send an empty list when requesting client certificates.
>
> How does one send an empty list?
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html
Just pass a NULL stack.
--
Vikt
On 01/30/2017 10:44 AM, russellb...@gmail.com wrote:
> Quoth Mr Viktor Dukhovni, 'it is often wise to send an empty
> list when requesting client certificates.'
> How does one send an empty list?
>
That's generally the default server behavior when no CAs are configured
for that purpose
Quoth Mr Viktor Dukhovni, 'it is often wise to send an empty
list when requesting client certificates.'
How does one send an empty list?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> On Jan 29, 2017, at 11:34 AM, russellb...@gmail.com wrote:
>
> What does this message mean? That I failed to send a client
> certificate CA name? That I failed to receive one? I run
>
> $ openssl s_client -certform gmail.pem -key gmail.key \
> -CAfile cacert.
I apologize if you've answered this question before. I've
read some of the answers I've found in the archives but I don't
understand them.
What does this message mean? That I failed to send a client
certificate CA name? That I failed to receive
Alexandre Arantes wrote:
one of them asked me why did I choose not to add the client hostname to the
Client Certificate, thus making it usable only by that specific client.
There are no standardized naming rules for client certs like the TLS server
hostname check implemented at the client
> But once I showed my work to people in my company, one of them asked me why
> did I choose not to add the client hostname to the Client Certificate, thus
> making it usable only by that specific client.
You put to put the client name or ipaddr in the subjectAltName extension fiel
, testing my "proof-of-concept" has shown that if
one of the pieces is missing from the equation (CA, Server, Client
certificates), the communication ceases.
But once I showed my work to people in my company, one of them asked me why did
I choose not to add the client hostname to the Client C
. I have set my custom verify callback and now I can
verify client certificate chain in my own way.
But can I get the client certificate after handshake? Where is it
located in SSL or SSL_CTX structs? I must get this on
SSL_read/SSL_write methods level
Maybe you're lookin
verify client certificate chain
in my own way.
But can I get the client certificate after handshake? Where is it located
in SSL or SSL_CTX structs? I must get this on SSL_read/SSL_write methods
level
On Wed, Oct 15, 2014, Fredrik Jansson wrote:
> I just realised I can create a RSA_METHOD object and set that in my engine.
>
> But what about ECDSA_ENGINE?
>
> There is no struct definition available in the public headers, and no
> public functions to change the members of the struct, e.g. set a
I just realised I can create a RSA_METHOD object and set that in my engine.
But what about ECDSA_ENGINE?
There is no struct definition available in the public headers, and no
public functions to change the members of the struct, e.g. set a new
signing function.
Is this not possible with ECDSA?
Hi Steve!
I will try to take that path, thank you!
//Fredrik
On Mon, Oct 13, 2014 at 6:08 PM, Dr. Stephen Henson wrote:
> On Mon, Oct 13, 2014, Fredrik Jansson wrote:
>
>> Hi!
>>
>> I have a device where I cannot access the client certificate's private
>> key directly, but have access to veri
On Mon, Oct 13, 2014, Fredrik Jansson wrote:
> Hi!
>
> I have a device where I cannot access the client certificate's private
> key directly, but have access to verification and signature functions.
>
> The certificate, in DER format, is accessible.
>
> I need to use client certificates in my T
Hi!
I have a device where I cannot access the client certificate's private
key directly, but have access to verification and signature functions.
The certificate, in DER format, is accessible.
I need to use client certificates in my TLS connection and found the
SSL_CTX_set_client_cert_cb functio
Hi,
We are switching to our own CA for in house networking. To test I've
used it to sign a server certificate and a client certificate. The
subject and issuer output for all three certificates is...
...CA:
$ openssl x509 -subject -issuer -noout -in gandalf_cacert.pem
subject=
/O=myCo
client
> > didn't provide a cert.
> >
> > One way to detect this is to call SSL_get_client_CA_list() but there are
> > servers that require a client cert and don't even return a CA list, so
> this
> > is not reliable.
> >
> > How can my client detec
that require a client cert and don't even return a CA list, so this
> is not reliable.
>
> How can my client detect that a handshake failed because the server
> requires a client certificate and it didn't supply one ?
>
When a certificate is requested and one is not alrea
n my client detect that a handshake failed because the server
requires a client certificate and it didn't supply one ?
Thanks!
k is invoked not just to verify
> the server certificate, but also when OpenSSL tries to complete the
> certificate chain before sending the client certificate. OpenSSL
> clears errors resulting from this, but it cannot roll back the
> effects of calling the callback. Are these callbac
On 08/09/2013 01:18 PM, Peter Sylvester wrote:
On 08/09/2013 11:17 AM, Florian Weimer wrote:
Qt installs a verification callback like this
|// Register a custom callback to get all verification errors.
|X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
It is not recommend
On 08/09/2013 11:17 AM, Florian Weimer wrote:
Qt installs a verification callback like this
|// Register a custom callback to get all verification errors.
|X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
It is not recommended to access to members in the way above, but ra
SSL tries to complete the
certificate chain before sending the client certificate. OpenSSL clears
errors resulting from this, but it cannot roll back the effects of
calling the callback. Are these callback invocations expected behavior?
--
Florian Weimer / Red Hat Product Security T
any way at the client?
I got a more detailed error message from the client-side and it turns out I
misunderstood which certificate was required for this particular application.
The certificate I've been using is only valid as a client certificate, not
server. I was even more confused beca
er-openssl-us...@openssl.org] on
behalf of Jeremy Bratton [yer...@gmail.com]
Sent: 08 November 2012 04:58
To: openssl-users@openssl.org
Subject: Re: Getting "OpenSSL: Exit: error in SSLv3 read client certificate A"
when client connects
I now have an ssldump of an incoming connection.
o longer able to
> connect to the server. I can see from the error message that something is
> going wrong during the SSL handshake, but I have no idea what (the actual
> server uses ruby & soap4r). I'm just getting the error message "SSL_accept
> SYSCALL returned=5 errn
Hello colleagues!
I need help with revocation of client certificate in OpenSSL (v 0.9.8n).
I have setup a CA with self-signed certificate so I can generate and sign
client certificates which are used to access squid, which in turn forwards
traffic to exchange server.
In squid.conf file there
:
>
> Hello colleagues!
>
> I need help with revocation of client certificate in OpenSSL (v 0.9.8n).
> I have setup a CA with self-signed certificate so I can generate and sign
> client certificates which are used to access squid, which in turn forwards
> traffic to exchange se
Thanks. I think I get it.
Charles
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Monday, August 27, 2012 10:19 AM
To: openssl-users@openssl.org
Subject: Re: Why key file in *client* certificate situation
On 8/27/2012 3:46 PM, Charles Mills wrote:
I'm just trying to understand the SSL protocol -- this is not an
alleged bug
or an "issue."
In OpenSSL s_client, or for that matter, in my client test program, an
attempt to use a *client* certificate fails unless I also specif
I'm just trying to understand the SSL protocol -- this is not an alleged bug
or an "issue."
In OpenSSL s_client, or for that matter, in my client test program, an
attempt to use a *client* certificate fails unless I also specify -key or
call SSL_CTX_use_PrivateKey_file().
Why?
> From: owner-openssl-us...@openssl.org On Behalf Of Albers, Thorsten
> Sent: Monday, 30 July, 2012 03:43
> I also debugged the openssl-server when receiving the message
> above. The server recognized the correct hash and signature
> algorithms, but while following the functions to the point
>
> corresponding algorithm ids in front of the signature. In Wireshark my
> Client Certificate Verify message (including the record layer header) looks
> like following:
> 16 03 03 00 88 0f 00 00 84 04 01 00 80 b4 ee c0
> 0010 8a 35 79 0d 97 7d f0 82 e6 69 3d 7d 66 a7 58 11
> 0020
rk my Client
Certificate Verify message (including the record layer header) looks like
following:
16 03 03 00 88 0f 00 00 84 04 01 00 80 b4 ee c0
0010 8a 35 79 0d 97 7d f0 82 e6 69 3d 7d 66 a7 58 11
0020 e5 9c 86 c1 9e 18 0c a0 94 37 2e 2b d2 08 9a 69
0030 0f 14 22 42 5c 66 b8 cb 8f
On Fri, Jul 27, 2012, Albers, Thorsten wrote:
> Hi,
> I have a problem with the openssl s_server (v1.0.1c) when requesting a client
> certificate. I'm developing my own TLS 1.2 implementation (for embedded
> platforms), and I'm stuck with a problem with using the
openssl-us...@openssl.org] on
behalf of Albers, Thorsten [thorsten.alb...@vector.com]
Sent: Friday, July 27, 2012 1:11 PM
To: openssl-users@openssl.org
Subject: Tls1.2 Problem with client certificate and RSA_verify
Hi,
I have a problem with the openssl s_server (v1.0.1c) when requesting a client
c
Hi,
I have a problem with the openssl s_server (v1.0.1c) when requesting a client
certificate. I'm developing my own TLS 1.2 implementation (for embedded
platforms), and I'm stuck with a problem with using the client certificate. I
already implemented TLS 1.0 earlier, so it's not
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 19:37
>Following is the code I used at server side program.
>while (1) {
>SSL *ssl = SSL_new(ctx);
>SSL_set_fd(ssl, clientserver[1]);
> if (SSL_accept(ssl) != 1)
> break;
>result
unter code at client side. Do
you see my conclusions right?
On Fri, Jun 29, 2012 at 11:10 PM, Dave Thompson wrote:
> >From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
> >Sent: Friday, 29 June, 2012 15:30
>
> >I am trying to measure server performance for
>From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 15:30
>I am trying to measure server performance for client certificate
verification.
>However, there is no significant difference in the server performance
>when I send one certificat
On 06/29/2012 09:29 PM, Sukalp Bhople wrote:
Hello,
I am trying to measure server performance for client certificate verification.
However, there is no significant difference in the server performance when I send one certificate
and condition when I send chain of 10 certificates.
I am aware
on
behalf of sandeep kiran p [sandeepkir...@gmail.com]
Sent: Saturday, October 01, 2011 10:19 AM
To: openssl-users@openssl.org
Subject: Re: Is certificate a CA or Client Certificate
Are you sure there is an ExtendedKeyUsage indicating a "Certificate Sign" OID?
Cert Sign AFAIK is only indic
9 AM
To: openssl-users@openssl.org
Subject: Re: Is certificate a CA or Client Certificate
Are you sure there is an ExtendedKeyUsage indicating a "Certificate Sign" OID?
Cert Sign AFAIK is only indicated in KeyUsage extension.
-Sandeep
On Sat, Oct 1, 2011 at 9:24 AM,
mailto:jb-open...@
Are you sure there is an ExtendedKeyUsage indicating a "Certificate Sign"
OID? Cert Sign AFAIK is only indicated in KeyUsage extension.
-Sandeep
On Sat, Oct 1, 2011 at 9:24 AM, wrote:
> On 01-10-2011 01:09, Dave Thompson wrote:
>
>> From: owner-openssl-users@openssl.org On
>> Behalf Of
>>> j
On 01-10-2011 01:09, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of jb-open...@wisemo.com
Sent: Thursday, 29 September, 2011 18:46
Because the attributes mentioned are only meaningful if covered by the
digital signature on the certificate, it cannot change in any format
c
> From: owner-openssl-us...@openssl.org On Behalf Of jb-open...@wisemo.com
> Sent: Thursday, 29 September, 2011 18:46
> Because the attributes mentioned are only meaningful if covered by the
> digital signature on the certificate, it cannot change in any format
> conversion that keeps the certifi
nks.
// Harshvir
On Fri, Sep 16, 2011 at 2:33 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
I al
rmat?
>> Thanks.
>> // Harshvir
>>
>> On Fri, Sep 16, 2011 at 2:33 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
>>
>>On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
>>
>>I already tried this command, but it's not giving
ts a root certificate or a client
certificate.
- Harshvir
On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 9/16/2011 7:
different that i need to do for p7b file format?
Thanks.
// Harshvir
On Fri, Sep 16, 2011 at 2:33 PM, Jakob Bohm wrote:
> On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
>
>> I already tried this command, but it's not giving any information showing
>> whether it's a root certificate or a
Hi all
I hope someone can give me an explanation or a solution for this problem: I
have a reverse proxy ssl on production environment, based on apache 2.2.17
and modssl2.2.16 and openssl 0.9.8r and sslcache (shù)
Clients are authenticated by a client certificate, on the other hand my server
is
On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
I already tried this command, but it's not giving any information
showing whether it's a root certificate or a client certificate.
- Harshvir
On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 9/16/201
Hi Harshiv,
Try command: openssl x509 -in 'yourcert/rootcert' -text
You are able to see human readable certificate. If the certificate is client
certificate and not self signed then 'issuer' is different from 'subject'.
And CA: false for client certificate. yo
I already tried this command, but it's not giving any information showing
whether it's a root certificate or a client certificate.
- Harshvir
On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm wrote:
> On 9/16/2011 7:58 PM, Harshvir Sidhu wrote:
>
>> Hi,
>> In openssl is there some me
On 9/16/2011 7:58 PM, Harshvir Sidhu wrote:
Hi,
In openssl is there some method using which I can find whether the
certificate in a file is a Client Certificate or a CA/Root Certificate?
- H S
Try the following command, and look for the CA property and also see
if the certificate lists itself
Hi,
In openssl is there some method using which I can find whether the
certificate in a file is a Client Certificate or a CA/Root Certificate?
- H S
es, they are in the usual order, with root as the final cert.
> >
-CAfile/load_verify_locations order doesn't matter.
use_certificate_chain_file, for the certs you=client
send to the server, order does or at least may matter.
> Those running the server are the ones that signed the clie
erver (one that it doesn't
directly trust and you need an appropriate hierarchy)
Those running the server are the ones that signed the client certificate
and provided the CA and Root certificates that are in use.
== Info: SSLv3, TLS handshake, Server finished (14):
<= Recv SSL data,
er that or one of them
(possibly though intermediates as above), that may be
the problem. But note that OpenSSL for one configures
the 'preferred' CA(s) separately from the "trusted" CA(s),
so a mismatch with this field isn't definitive.
I've tried generating a pkcs1
t or one of them
(possibly though intermediates as above), that may be
the problem. But note that OpenSSL for one configures
the 'preferred' CA(s) separately from the "trusted" CA(s),
so a mismatch with this field isn't definitive.
I've tried generating a pkcs12 file
termediates as above), that may be
the problem. But note that OpenSSL for one configures
the 'preferred' CA(s) separately from the "trusted" CA(s),
so a mismatch with this field isn't definitive.
I've tried generating a pkcs12 file that contained the client
certificat