On Sat, Sep 26, 2009 at 03:49:34PM +0200, Michael Prinzinger wrote:
> Once I will have a first working prototype of the protocol, you will be able
> to check it our here:
> http://code.google.com/p/phantom/
Thanks for the offer, but I try to avoid using security software written
by implementers new
Thank You for your help!
I understand now that the client would not be able to offer a certificate
unless it owns the corresponding private key.
So it is enough to check that the certificate offered (or its fingerprint)
matches the certificate (resp. fingerprint) sent to the server on a secure
Michael Prinzinger:
> I wrote a customized "check certificate" method, that simply compares
> the certificate the client offered during the connection build up, to
> the certificate we know it should be using. This works fine.
That works so long as you already know the certificate the client sho
On Fri, Sep 25, 2009 at 01:49:25PM +0200, Michael Prinzinger wrote:
> Dear Victor,
>
> thanks for your help.
> The problem is that I need to understand OpenSSL and its mechanisms and
No, you need to understand SSL/TLS in general, and how to make use of
SSL in your protocol. The OpenSSL part will
On Fri September 25 2009, Michael Prinzinger wrote:
> Dear Victor,
>
> thanks for your help.
> The problem is that I need to understand OpenSSL and its mechanisms and
> possibilities in order to find a way to implement the design of the
> protocol.
> It would be nice if you could help a little bit
Dear Victor,
thanks for your help.
The problem is that I need to understand OpenSSL and its mechanisms and
possibilities in order to find a way to implement the design of the
protocol.
It would be nice if you could help a little bit further still, but I will
understand if you should choose not to.
sorry!
I mean BIO_do_connect().
This function automatically checks the client certificate,
so I need to overwrite the verification callback BIO_do_connect uses.
thx
On Thu, Sep 24, 2009 at 5:13 PM, Michael Prinzinger wrote:
> Thank You very much Victor,
>
> I think I understand now how it can be don
Thank You very much Victor,
I think I understand now how it can be done.
If you could give me one last pointer, how to overwrite the verification
callback function,
that is called when executing "BIO_do_handshake", I'd be very grateful.
sorry for using misleading vocabulary :)
Michael
On Thu, S
On Thu, Sep 24, 2009 at 04:23:03PM +0200, Michael Prinzinger wrote:
> > Are you saying that the accepting system expects X.509 client credentials
> > from the connecting system, but that the payload (encrypted to the
> > receiving node's public key) also contains the same certificate, and
> > you
Thank You again Victor for your answer,
You are right, I am not too firm with OpenSSL terminology.
I tried to find some tutorials and introductions, but found relatively few,
and thus tried to understand OpenSSL by looking at the man pages and the
code,
which makes it a little hard to get the big
On Thu, Sep 24, 2009 at 12:00:05AM +0200, Michael Prinzinger wrote:
> > "Certificates" are useless without corresponding signed messages. What
> > messages are signed by the private key of the "previous" node, that the
> > current node can forward to the next?
> >
>
> I only want to verify that t
* Victor Duchovni wrote on Wed, Sep 23, 2009 at 16:18 -0400:
> On Wed, Sep 23, 2009 at 10:04:48PM +0200, Michael Prinzinger wrote:
>
> > I have a somewhat curious setting (without CAs) about [...]
> >
> > > //check certificate
>
> This only verifies the server's *trust chain*, but not its
> i
Hope this helps.
Ashish.
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Michael Prinzinger
Sent: Wednesday, September 23, 2009 2:02 PM
To: openssl-users@openssl.org
Subject: Re: verify client certificate at a later point
Thank You Ashish for your answ
Dear Victor,
On Wed, Sep 23, 2009 at 11:33 PM, Victor Duchovni <
victor.ducho...@morganstanley.com> wrote:
> On Wed, Sep 23, 2009 at 10:43:11PM +0200, Michael Prinzinger wrote:
>
> "Certificates" are useless without corresponding signed messages. What
> messages are signed by the private key of t
On Wed, Sep 23, 2009 at 10:43:11PM +0200, Michael Prinzinger wrote:
> I am trying to establish a routing path for an anonymity protocol (
> http://en.wikipedia.org/wiki/Phantom_Anonymity_Protocol).
> This is a one way procedure: the node that wants to be anonymized selects a
> couple of other node
Thank you for your answer Victor,
I am trying to establish a routing path for an anonymity protocol (
http://en.wikipedia.org/wiki/Phantom_Anonymity_Protocol).
This is a one way procedure: the node that wants to be anonymized selects a
couple of other nodes and sends an array with setup packages (
er-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Michael Prinzinger
Sent: Wednesday, September 23, 2009 1:05 PM
To: openssl-users@openssl.org
Subject: verify client certificate at a later point
Dear OpenSSL group,
I have a somewhat curious setting (without CAs)
On Wed, Sep 23, 2009 at 10:04:48PM +0200, Michael Prinzinger wrote:
> and let the client verify the server's certificate, like this
>
> X509* x509 = SSL_get_peer_certificate(s);
> CHECK(x509 != NULL);
>
> //check certificate
> long certVerifyResults = SSL_get_verify_resul
Dear OpenSSL group,
I have a somewhat curious setting (without CAs) about routing information
along several nodes:
[1] first an unknown client establishes a connection to a known server
thus I set
SSL_CTX_set_verify(this->ctx, SSL_VERIFY_NONE, NULL);
and let the client verify the server's c
Title: Verify Client Certificate Error
Hello all,
I installed an apache+mod_ssl+openSSL server, but it can't verify my client certificate.
The server log is
[01/Aug/2002 15:29:21 27838] [trace] Certificate Verification: depth: 1, subject
: /CN=ChinaPay Publish System, issuer: /C=
On Tue, Sep 05, 2000 at 04:28:26PM -0400, [EMAIL PROTECTED] wrote:
>
> thanks a lot.
>
> but how to send the certificate of the CA that issued the client
> certificate together with the client certificate.
> and I already used the SSL_CTX_use_certificate_chain_file(ctx,CERTF);
> I used the s_
thanks a lot.
but how to send the certificate of the CA that issued the client
certificate together with the client certificate.
and I already used the SSL_CTX_use_certificate_chain_file(ctx,CERTF);
I used the s_client to connect to my server like:
OpenSSL> s_client -connect myserver:port -k
On Tue, Sep 05, 2000 at 02:35:05PM -0400, [EMAIL PROTECTED] wrote:
> but I got these message:
>
> verify error:num=20:unable to get local issuer certificate
>
> verify error:num=27:certificate not trusted
>
> verify error:num=21:unable to verify the first certificate
>
> How can I verify the c
When I use a verify callback like this:
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
{
    char buf[256];
    X509 *err_cert;
    int err, depth;
    err_cert = X509_STORE_CTX_get_current_cert(ctx);
    err = X509_STORE_CTX_get_error(ctx);
    depth =
I'm curious: the SSL server code (s3_srvr.c, line 1677) sets an error of "no
certificate returned" when the client's certificate fails verification. Why
use this (rather misleading) error message? The equivalent client code
(s3_clnt.c, line 764) uses the more intuitive error of "certificate verify