is there any working example of how to use verify_hostname in command line?

2022-03-03 Thread Edward Tsang via openssl-users
Hi, I am having a very hard time getting the command line working. Basically just trying to verify hostname via openssl command line: openssl s_client -CApath . -CAfile ./cacert.pem -verify_hostname example.com All I get is "unknown option -verify_hostname usage: s_client args" Have tried comb

Re: is there any working example of how to use verify_hostname in command line?

2022-03-03 Thread Edward Tsang via openssl-users
Dukhovni wrote: > [ External sender. Exercise caution. ] > > > On 3 Mar 2022, at 6:09 pm, Edward Tsang via openssl-users < > openssl-users@openssl.org> wrote: > > > > openssl s_client -CApath . -CAfile ./cacert.pem -verify_hostname > example.com > > >

Re: is there any working example of how to use verify_hostname in command line?

2022-03-03 Thread Edward Tsang via openssl-users
-verify_hostname google.com -verify_return_error > unknown option -verify_hostname > usage: s_client args > > On Thu, Mar 3, 2022 at 4:10 PM Viktor Dukhovni > wrote: > >> [ External sender. Exercise caution. ] >> >> > On 3 Mar 2022, at 6:09 pm, Edward Tsang

Openssl s_client verify_ip usage on ip wildcard matching

2022-03-11 Thread Edward Tsang via openssl-users
Hi, does verify_ip support leftmost wildcard? I know that hostname does for SAN and CN. But IP address seems to only support exact match including the port? Is that observation correct? What does it take for verify_ip to support leftmost wildcard matching just like DNS hostname? Thanks

Question about examples in openssl doc X509_STORE_CTX_verify_cb

2022-03-14 Thread Edward Tsang via openssl-users
link: https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html I am trying to figure out how this example works but it does not seem to bypass the (use the second example of X509_V_ERR_CERT_HAS_EXPIRED) However the caller code ll long res = SSL_get_verify_result( sslCtx ); still

Re: openssl-users Digest, Vol 88, Issue 18

2022-03-14 Thread Edward Tsang via openssl-users
> > link: > https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html > > I am trying to figure out how this example works but it does not seem to > bypass the (use the second example of X509_V_ERR_CERT_HAS_EXPIRED) > > However the caller code ll > long res = SSL_get_veri

question about trust root CA, ocsp responder cert, requester signer cert, and issuer cert

2022-06-02 Thread Edward Tsang via openssl-users
I know that we need * ocsp responder cert for verifying the signature of ocsp response, * CA issuer cert to generate CERTID for ocsp request and * ocsp requestor can choose to sign ocsp request using a signer certificate. But instead of having users set that as 3 different settings, I am thinking