Hi all,
Does anyone know, in client authentication, what Key Usage and Extended
Key Usage purposes we should validate?
As per the specification in [1]:
- "Extended Key Usage" is not necessary and which is configured in
addition to or in place of the basic purposes indicated
The following commit changed the behavior of checking the extended key
usage bits in a server certificate when using X509_PURPOSE_SSL_SERVER:
http://marc.info/?l=openssl-cvs&m=132759007026375&w=2
This commit was put into 1.0.2 on April 6, 2012. Therefore, 1.0.1 and
1.0.2 behave differ
com:443 < \
> /dev/null | openssl x509 -noout -text | grep -A1 "X509v3 Extended Key
> Usage"
>
> which seems to produce a little less noise, but it's still not down to a
> single line of output. Still, it's more elegant than what I cited, I think.
>
The rema
ssl x509 -noout -text | grep -A1 "X509v3 Extended Key
Usage"
which seems to produce a little less noise, but it's still not down to
a single line of output. Still, it's more elegant than what I cited, I
think.
Cheers
On 10/08/2014 08:43 AM, Jakob Bohm wrote:
I think yo
Hi, all...
Actually, Jakob, I think it's the second one (the first one after the
pipe) which can come out, i.e.:
openssl s_client -showcerts -connect google.com:443 < \
/dev/null | openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"
which seems to produce a
1 "X509v3 Extended Key Usage"
On Tue, Oct 7, 2014 at 11:40 PM, Lewis Rosenthal
<lgrosent...@2rosenthals.com> wrote:
Hi, Akash...
On 10/08/2014 01:40 AM, Akash Jain wrote:
Hi,
How can I know the "Extended Key Usage" parameters of a re
Thanks, Lewis!
I also used -
openssl s_client -showcerts -connect google.com:443 < /dev/null | openssl
x509 -outform PEM | openssl x509 -noout -text | grep -A1 "X509v3 Extended
Key Usage"
On Tue, Oct 7, 2014 at 11:40 PM, Lewis Rosenthal <
lgrosent...@2rosenthals.com>
Hi, Akash...
On 10/08/2014 01:40 AM, Akash Jain wrote:
Hi,
How can I know the "Extended Key Usage" parameters of a remote SSL
enabled site using OpenSSL?
Does this help:
https://www.madboa.com/geek/openssl/#cert-retrieve
You could modify the one script there to something lik
Hi,
How can I know the "Extended Key Usage" parameters of a remote SSL enabled
site using OpenSSL?
Thanks,
Akash
Hi,
I want to add a specific OID to the extended key usage. How do I need to
change the openssl.conf file for this?
--
Somdas Bandyopadhyay
M.Tech(CSE) - Second year
IIT Bombay
Mob no- 09920915176
On Fri, Jul 27, 2012, Puneet Khunteta wrote:
> Any update?
>
> regards,
> Puneet
>
> On Thu, Jul 26, 2012 at 4:27 PM, Puneet Khunteta
> wrote:
>
> > Hello Stephen,
> >
> > On using the suggestion provided by you, got the following output snippet
> >
> >
> > It shows extusage->data Empty.
> >
2012 at 4:01 PM, Dr. Stephen Henson wrote:
>
>> On Wed, Jul 25, 2012, Puneet Khunteta wrote:
>>
>> > Hello,
>> >
>> > I am a user of the openssl library.
>> > I am seeking a method to get the "Extended Key Usage" field from the
>>
> > I am a user of the openssl library.
> > I am seeking a method to get the "Extended Key Usage" field from the
> > X509 certificate.
> > I will be grateful if you can provide me with sample code in C.
> >
>
> You can retrieve a structure representing any suppor
OF(X509_EXTENSION) *x, int nid,
> >> int lastpos)
> >> {
> >> ASN1_OBJECT *obj;
> >>
> >> obj=OBJ_nid2obj(nid);
> >> if (obj == NULL) return(-2);
> >> return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
> >> }
> >>
TACK_OF(X509_EXTENSION) *x, int nid,
>> int lastpos)
>> {
>> ASN1_OBJECT *obj;
>>
>> obj=OBJ_nid2obj(nid);
>> if (obj == NULL) return(-2);
>> return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
>> }
>>
>>
>> Hope this helps.
>>
>>
> On Wed, Jul 25, 2012 at 7:08 AM, Puneet Khunteta <
> khunteta.pun...@gmail.com> wrote:
>
>> Hello,
>>
>> I am a user of the openssl library.
>> I am seeking a method to get the "Extended Key Usage" field from the
>> X509 certificate.
>> I will be grateful if you can provide me with sample code in C.
>>
>> Thanks
>> Puneet K.
>>
>
>
>
> --
> Regards,
> *Sukalp Bhople.*
>
>
On Wed, Jul 25, 2012, Puneet Khunteta wrote:
> Hello,
>
> I am a user of the openssl library.
> I am seeking a method to get the "Extended Key Usage" field from the
> X509 certificate.
> I will be grateful if you can provide me with sample code in C.
>
You can re
== NULL) return(-2);
return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
}
Hope this helps.
On Wed, Jul 25, 2012 at 7:08 AM, Puneet Khunteta
wrote:
> Hello,
>
> I am a user of the openssl library.
> I am seeking a method to get the "Extended Key Usage" field from the
> X509
Hello,
I am a user of the openssl library.
I am seeking a method to get the "Extended Key Usage" field from the
X509 certificate.
I will be grateful if you can provide me with sample code in C.
Thanks
Puneet K.
certificate signed by the CA. However, I also need to add the
> Extended Key Usage field to the certificate. I used the -exfile and
> -extensions options in x509 to no avail.
> Help!
>
> Thanks,
> Karthik
>
Hi,
Using the command line tools I was able to create a CA, a certificate
request and a certificate signed by the CA. However, I also need to add the
Extended Key Usage field to the certificate. I used the -exfile and
-extensions options in x509 to no avail.
Help!
Thanks,
Karthik
Hello,
thank you for the answer.
I then found RFC 3850 (e.g. on http://www.ietf.org/rfc/rfc3850.txt)
where there is a piece of information corresponding to your answer:
"""
4.4.4. Extended Key Usage Extension
...
The set of technical purposes for the certificate th
On Mon, Nov 09, 2009, Beneš Vladimír wrote:
> I'm afraid we can't call no modified openssl by command line for
> verification signature with purpose verification certificate if
> certificate includes both X509v3 Key Usage and X509v3 Extended
th purpose verification certificate if certificate
includes both X509v3 Key Usage and X509v3 Extended Key Usage.
There is "Digital Signature" value on X509v3 Key Usage so imho openssl
wouldn't return error "unsupported certificate purpose" because this
certifica
On Fri, Dec 17, 2004, David Mattes wrote:
> Hi,
>
> I'm working with an application that seems to require an X.509 Extended
> Key Usage of "TLS Web Client Authentication". How can I get this
> extension into my OpenSSL signed certificates? What is the entry in
Hi,
I'm working with an application that seems to require an X.509 Extended
Key Usage of "TLS Web Client Authentication". How can I get this
extension into my OpenSSL signed certificates? What is the entry in the
OpenSSL config file for the Extended Key Usage parameters?
> From RFC3280 section "4.2.1.13 Extended Key Usage"
> If a certi
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED
From RFC3280 section "4.2.1.13 Extended Key Usage"
If a certificate contains both a key usage extension and an extended
key usage extension, then both extensions MUST be processed
independently and the certificate MUST only be used for a purpose
consistent with both exten
On Wed, Sep 15, 2004, Pavel wrote:
> According to RFC 2459:
> If the Extended key usage field is flagged critical, the certificate MUST be used
> only for one of the purposes indicated.
> If the extension is flagged non-critical, then it indicates the intended purpose or
> purp
the software is free to ignore the extension.
If the critical bit is set, the software should reject the certificate.
But this is only for the old software, which does not know about
the particular extension. In the case you describe, the software
DOES know about the Extended Key Usage extension,
According to RFC 2459:
If the Extended key usage field is flagged critical, the certificate MUST be used only
for one of the purposes indicated.
If the extension is flagged non-critical, then it indicates the intended purpose or
purposes of the key, and may be used in finding the correct key
Chandu wrote:
>
> Hi,
> I am facing a problem regarding extracting the Extended Key usage
> attribute.
> My requirement is to know if Extended Key Usage attribute Nid_OCSP_sign is
> present.
> I tried the following way
>
> X509 *pCert; /* The certificate */
>
Hi,
I am facing a problem regarding extracting the Extended Key usage
attribute.
My requirement is to know if Extended Key Usage attribute Nid_OCSP_sign is
present.
I tried the following way
X509 *pCert; /* The certificate */
int iVal;
iVal = X509_get_ext_by_NID(pCert, NID_OCSP_sign
checking. Therefore I first have to get
> the nid of the extensions. When I do the nid checking for the Extended
> Key Usage parameter of an X509v3 certificate, I always get the nid 0
> (this means "undefined").
>
[code deleted]
It's hard to see what might be wrong without seei
extensions. When I do the nid checking for the
Extended Key Usage parameter of an X509v3 certificate, I always get the nid 0
(this means "undefined").
int validate_ssl (int ok, char *ip, char *protocol,
char *subject, char *issuer, unsigned char *cert, int length, int depth, char**
message
Dave Clark wrote:
>
> At 12:22 PM 08/18/1999 , Dr. Stephen N. Henson wrote:
> >Dave Clark wrote:
> >>
> >> Could someone describe how I would extract the OID(s) from
> >> the "extended key usage" extension? Once I get the X509_EXTENSION,
> >
36 matches