Browsers do not import chained certificate.

Hi! I'm trying to make a certificate chain using the following commands -- openssl genpkey -out issuer.key -algorithm rsa openssl genpkey -out intermediate.key -algorithm rsa openssl req -new -key issuer.key -out issuer.csr openssl req -new -key intermediate.key -out intermediate.csr openssl x50

[openssl-users] SSL_CTX_check_private_key:no certificate assigned

Hi! I'm trying to create a certificate using openssl library. Here is the code -- void main () { SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); char err[1000]; RSA* keypair = RSA_new(); BIGNUM *e = BN_new(); X509 *certificate = X509_new(

Re: [openssl-users] SSL_CTX_check_private_key:no certificate assigned

On 03/01/15 19:43, Dr. Stephen Henson wrote: On Sun, Mar 01, 2015, dE wrote: Hi! I'm trying to create a certificate using openssl library. Here is the code -- void main () { SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); char err

[openssl-users] SSL_read preserving message boundaries.

It appears that SSL_read does not work like a stream protocol. This is the server part of the program -- char c[] = "Hello"; SSL_write (sslconnection, &c[0], 1); SSL_write (sslconnection, &c[1], 1); SSL_write (sslconnection, &c[2], 1); SSL_write (sslconnection, &c[3], 1); SSL_write (sslconnectio

Re: [openssl-users] SSL_read preserving message boundaries.

On 03/07/15 18:46, Kurt Roeckx wrote: On Sat, Mar 07, 2015 at 11:47:12AM +, Salz, Rich wrote: So this is preserving message boundaries. How do I get the complete message just like with TCP? No, it just happened that way. TLS does not preserve message boundaries. As far as I know SSL_read

Re: [openssl-users] SSL_read preserving message boundaries.

On 03/07/15 19:43, Salz, Rich wrote: As far as I know SSL_read will only return data from 1 record. But there is no requirement that each write translates into one record. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/l

Re: [openssl-users] SSL_read preserving message boundaries.

On 03/07/15 22:33, Dr. Stephen Henson wrote: On Sat, Mar 07, 2015, dE wrote: Suppose, I write a small amount of data with SSL_write. Will openssl accumulate these writes to make a single big fragment and then send it, or will it send it the moment it receives the data, as a single fragment

[openssl-users] TLS 1.2 message hiding.

Hi! I'm using TLS 1.2 with compression and was wondering if OpenSSL implements ways to hide the exact length of the message (may be using RFC 6066). Thanks for any hints. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman

Re: [openssl-users] TLS 1.2 message hiding.

On 03/13/15 20:56, Salz, Rich wrote: > I'm using TLS 1.2 with compression and was wondering if OpenSSL implements ways to hide the exact length of the message (may be using RFC 6066). No. What in 6066 were you thinking of trying to use? ___ openss

Re: [openssl-users] TLS 1.2 message hiding.

On 03/17/15 22:29, Salz, Rich wrote: Ok, so TLS does not handle this. The current draft of the TLS 1.3 specification includes a field to pad every data record. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope

[openssl-users] Close socket without SSL_shutdown

I'm using SSL over non-blocking socket. As a result SSL_shutdown returns immediately with error code 5 (underlying socket issue), sometimes after doing this, the program crashes on SSL_CTX_free. So I was wondering about closing the socket without doing an SSL_shutdown. Is this safe? Any securi

[openssl-users] CTX_free crash

I got a program which does the following sequence of operations -- SSL_shutdown(ssl) SSL_free (ssl); SSL_CTX_free ( ctx ); close(socket) Where 'socket' is the underlying non-blocking socket the ssl connection is established over. bio is also set to non-blocking. Sometimes, the program crashes

Re: [openssl-users] CTX_free crash

On 04/20/15 00:10, Salz, Rich wrote: Sometimes, the program crashes when doing an SSL_CTX_free; before the crash, ctx is an invalid pointer, that's why I can get a valid value from SSL_CTX_get_max_cert_list (ctx), so it's not a double free problem. You mean it's a VALID pointer? We'll need a mo

Re: [openssl-users] CTX_free crash

On 04/20/15 00:10, Salz, Rich wrote: Sometimes, the program crashes when doing an SSL_CTX_free; before the crash, ctx is an invalid pointer, that's why I can get a valid value from SSL_CTX_get_max_cert_list (ctx), so it's not a double free problem. You mean it's a VALID pointer? We'll need a mo

Re: [openssl-users] CTX_free crash

On 04/21/15 15:22, dE wrote: On 04/20/15 00:10, Salz, Rich wrote: Sometimes, the program crashes when doing an SSL_CTX_free; before the crash, ctx is an invalid pointer, that's why I can get a valid value from SSL_CTX_get_max_cert_list (ctx), so it's not a double free problem. You

Re: [openssl-users] CTX_free crash

On 04/25/15 15:34, dE wrote: On 04/21/15 15:22, dE wrote: On 04/20/15 00:10, Salz, Rich wrote: Sometimes, the program crashes when doing an SSL_CTX_free; before the crash, ctx is an invalid pointer, that's why I can get a valid value from SSL_CTX_get_max_cert_list (ctx), so it's no

Encrypted Alert

Hi, This is my first mail to this Group. Consider me a novice in Openssl since I am just getting used to the API's and understanding the behavior. I am facing one problem. We have an MFP/Printer which acts as a client and is trying to connect to a server through a Secure device. When the c

Re: Open SSL API's Support For IPv6.

Hi, You can try this once. Use socket library connect() to get the connected socket. Then use BIO_new_socket() and pass the connected socket descriptor. Then, on the socket BIO you can try BIO_set_nbio() and BIO_do_connect(). With regards, Nilotpal On Thu, Sep 22, 2011 at 2:15 PM, A

Re: FIPS Openssl Key Wrap

Hi all. Why does the AES key wrap feature does not work in FIPS mode of the latest FIPS-approved OpenSSL anymore? Thank you De From: "Dr. Stephen Henson" To: openssl-users@openssl.org Date: 02/28/2014 04:26 AM Subject:Re: FIPS Openssl for Mac OSX 32 bit Sent by:

Re: What does "PEM" mean?

Bhupendra Joshi wrote: http://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail On 8/1/06, *Bo Xie* <[EMAIL PROTECTED] > wrote: I know openSSL supports .pem format. But what does "PEM" mean? Persoanl Encrypto Management? Thanks! Best Regards,

Problems with installing openssl in ubuntu

Hi people! I'm new to the group and the openssl issue, I need to install openssl with support for TSS on a machine with ubuntu 10.10. I downloaded the source code http://www.openssl.org/source/, version openssl-fips-1.2.2 but when you make I get the following error: Unable to find / usr/local/ssl

mod_tsa:could not load X.509 certificate

hello! I'm installing mod_tsa over apache2, i follow the configuration but show me the error: [Wed Feb 16 19:51:54 2011] [notice] mod_tsa:database driver is set to: None [Wed Feb 16 19:51:54 2011] [warn] module tsa_module is already loaded, skipping [Wed Feb 16 19:51:54 2011] [warn] module tsa_mod

HELP!!!! mod_tsa:could not load X.509 certificate

Hello! I have days trying to install the timestamp service with openTSA, but I have troubles with Step 14: Generate a private key and a certificate Including the critical TimeStamping X.509v3 extended key usage extension for the TSA and set-up options in the configuration mod_tsa httpd.conf, see th

Re: HELP!!!! mod_tsa:could not load X.509 certificate

Hi TSA certificate: Certificate: Data: Version: 3 (0x2) Serial Number: 8d:0b:98:ba:f3:e4:5d:4c Signature Algorithm: sha1WithRSAEncryption Issuer: C=ve, ST=distrito capital, L=caracas, O=suscerte, OU=ac, CN=acraiz/emailAddress=a...@dom.com

Re: HELP!!!! mod_tsa:could not load X.509 certificate

69:43:7e:d1:1f:5c:5f:60:58:f0:ea:37:b5:b0:0e: ad:6d:f6:bd:2b:15:2a:bc:b8:16:53:2f:5c:25:ee: 9d:5f:99:ad:04:a0:d2:e7:73:2f:f0:f5:87:97:de: 3f:a5:79:13:9f:0e:f8:c4:be:bf:ef:76:64:39:d2: 4b:fd:5c:3e:4d:33:a6:8c:c1:05:23:9

Re: HELP!!!! mod_tsa:could not load X.509 certificate

te you posted has critical mark on "X509v3 Subject Alternative > Name" which is completely wrong in this case. It is "Time Stamping" that has > to be marked as critical. > > > -- > Kind Regards / S pozdravom > > Jaroslav Imrich > http://www.jariq.sk > -- Saludos! Yessica De Ascencao 0426-7142582

Re: HELP!!!! mod_tsa:could not load X.509 certificate

Subject Alternative Name: email:t...@company.com X509v3 Extended Key Usage: critical Time Stamping Signature Algorithm: sha1WithRSAEncryption 02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43: 52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c

Re: HELP!!!! mod_tsa:could not load X.509 certificate

le). > > Have you made sure that the permissions are correct? Are you absolutely > sure that you have the right cert in the right location? > > Have fun. > > Patrick. > > On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote: > > > Hi! > > This is the new c

Re: HELP!!!! mod_tsa:could not load X.509 certificate

:93:62:d7:2c:29:87:cc:9c:72:97:19: 1a:2d:59:b8:fc:6c:86:22:ad:9c:ba:74:de:89:cb:55:c0:f8: 50:02:5d:7d:58:92:cb:0d:c9:9a:30:a9:2a:32:7e:2c:c6:a1: 19:eb:09:30:55:85:c8:30:d4:f1:51:9a:ca:77:58:8e:f8:a6: b8:d9:92:63:10:fa:ad:06:79:aa:d9:5a:09:9c:5b:91:8b:7a: 04:66

Re: HELP!!!! mod_tsa:could not load X.509 certificate

u see if it is working for you? > > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > On 2/22/2011 3:11 PM, Yessica De Ascencao wrote: > >> Hi Mounir IDRASSI! >> I generated the certificate with ONLY Digital Signature, Non Repudia

Re: HELP!!!! mod_tsa:could not load X.509 certificate

ure". > > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > On 2/23/2011 3:32 PM, Yessica De Ascencao wrote: > >> Hello! >> Thanks for your help and monitoring. >> Yes, I get the same error, I also throws the same when tested with the

ts -reply

Hi people! I installed the service for time stamping with opentsa, now I want to try the service for time stamping. I generate a query with the following command: . /openssl ts-reply-queryfile request.tsq-signer / root / tssCRT.pem-inkey / root / tssKey.pem-out-token_out responde.tsr And I get t

SSL_accept error, but I don't know is wrong exactly

Hello everybody, I am searching for answers and solutions for the connection issue described in the attached text log. I got this response from Wietse from postfix: > Code fragment: > sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout, > TLScontext);

SSL_accept error, but I don't know is wrong exactly

Hello everybody, I am searching for answers and solutions for the connection issue described in the attached text log. I got this response from Wietse from postfix: > Code fragment: > sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout, > TLScontext);

Re: SSL_accept error, but I don't know is wrong exactly

Jelle de Jong wrote: > Hello everybody, > > I am searching for answers and solutions for the connection issue > described in the attached text log. > > I got this response from Wietse from postfix: > >> Code fragment: >> sts = tls_bio_accept(vstream_file

Re: SSL_accept error, but I don't know is wrong exactly

Victor Duchovni wrote: > On Wed, Jun 17, 2009 at 02:51:10PM -0700, Kyle Hamilton wrote: > >> This isn't really an OpenSSL issue, and I'd suggest asking for help >> from people who are more familiar with postfix. However... > > That's what I told him on the Postfix-users list, but he chose > to c

Re: One CA for many clients (a silly question)

On Thu, 2009-07-16 at 13:50 -0700, Kyle Hamilton wrote: > Create sub-CAs for each purpose, and have each device only > authenticate its own CA's stuff (by making that subCA the CAfile). > The root is a convenience at that point to be able to authenticate the > entire chain of anything produced by i

Geode on-chip AES 128-bit crypto accelerations but OpenSSL doesn't use it

Hello everybody, The AMD Geode LX800 CPU has an on-chip AES 128-bit crypto accelerations block and a true random number generator, but OpenSSL is not using it. Please see the below link for test reports and openssl outputs http://debian.pastebin.com/faeff2a3 Is there anybody that know what is

Re: Geode on-chip AES 128-bit crypto accelerations but OpenSSL doesn't use it

On 09/27/09 22:36, Alan Buxey wrote: The AMD Geode LX800 CPU has an on-chip AES 128-bit crypto accelerations block and a true random number generator, but OpenSSL is not using it. Please see the below link for test reports and openssl outputs http://debian.pastebin.com/faeff2a3 Is there anybody

1.0.0o no fallback to SSLv2?

nsion: NONE - --- For some reason on systems with 0.9.8 this works. But fails for me, it works for me if I manually specify -ssl2. The site will have a downtime in the next 6 hours (some sort of daily backup window), but I wonder if anyone can help me from the above log pasted. Yours Sincerely,

Re: 1.0.0o no fallback to SSLv2?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear Steve, Op 15-08-10 01:52, Dr. Stephen Henson schreef: > OpenSSL 1.0.0 doesn't include any SSLv2 cipersuites by default and new logic > means it doesn't send out an SSLv2 compatible client hello if it will never > use SSLv2. That effectively dis

openssl_x509_export_to_file and openssl_pkey_export_to_file are not working

Hello, I am using openssl with XAMPP and the "selfsigned" code from http://www.novell.com/communities/node/3488/create-self-signed-certificate-online __ OpenSSL Project http://www.openssl.org Use

Re: X509 V1 version info

The version field is offset by one. So, 0=v1, 1=v2, 2=v3 Frans. On Thu, 2008-08-28 at 12:21 +0530, Madhusudhan reddy wrote: > Hi All, > > I am newbie to OpenSSL. I am facing problem verifying root > certificate version X509V1. While debugging found the signature > verification is not

Need to change the hostname of our CA

We need to change the hostname of our CA. Actually, we'll be moving from CentOS 3.9 to Windows 2003, from built-in OpenSSL to XAMPP's OpenSSL. But it seems to me that the only difference that SSL clients will notice is the new hostname. Anyone know how to do this? -- Thanks, Chri

Re: Need to change the hostname of our CA

So am I correct in assuming I can just shut down the old CA and start up a new one? I'll add the new CA cert to the list of trusted root CAs through Active Directory. -- Thanks, Chris de Vidal You're a good person? Prove it and win

Re: Need to change the hostname of our CA

x27;s what I needed, you guys are great! -- Thanks, Chris de Vidal You're a good person? Prove it and win: TenThousandDollarOffer.com __ OpenSSL Project http

One certificate for both hostname and IP

Hi, running my own CA on a Debian Etch machine (openssl 0.9.8c) I need to create a certificate for a private mailserver, which must be reachable both using its hostname and its IP address. So the certificate needs to contain both, to prevent warnings at the client side. The mail clients us

Re: One certificate for both hostname and IP

Il giorno 24/gen/09, alle ore 16:54, Dr. Stephen Henson ha scritto: You don't say which give a warning. If you use the IP version in subjectAltname do you get a warning for the hostname or the IP address? If the hostname but not IP address try adding a second value, DNS:whatever.com If I

Re: One certificate for both hostname and IP

Il giorno 26/gen/09, alle ore 05:14, Crypto Sal ha scritto: Do any other clients (s_client, web browser, etc) exhibit the same behavior or an error message? If yes, what's the error response? Well, I currently do not know how to apply that certificate to an HTTP server to test it with brows

Re: One certificate for both hostname and IP

Il giorno 27/gen/09, alle ore 06:01, Crypto Sal ha scritto: settings and things should be alright and you'll see if browsers choke too or its M$ products. I would also try Thunderbird and other email clients on the email server side of things. Indeed, I now tried with Thunderbird and it hap

Re: I want you to do my homework for me.

On Sat, 2009-05-02 at 07:19 -0700, Miguel Ghobangieno wrote: > I'd like to do some crypto homework. It entails rebuilding the openssl > library on windows 8 (C###). I'd like you to deatail the _EXACT_ > procedure for rebuilding/recoding/synergising the openssl library in > windows 8's C###. You hav

Re: Goodbye

t zo Q: Oh, Just like reading a book backwards Q: Oh, net als een boek achterstevoren lezen A: Because it upsets the natural flow of a story A: Omdat het de natuurlijke gang uit het verhaal haalt Q: Why is top-posting annoying? Q: Waarom is Top-posting zo irritant?

ICC and printers

the latter program? Anybody experience with it? Regards, Frans. -- A: Yes, just like thatA: Ja, net zo Q: Oh, Just like reading a book backwards Q: Oh, net als een boek achterstevoren lezen A: Because it upsets the natural flow of a story A: Omdat het de natuurl

Re: ICC and printers - wrong list

On 6/25/21 8:08 PM, Frans de Boer wrote: LS, I keep getting the message " You need Gnome Color Management installed in order to calibrate devices" when I select Color Management in the System Setting under KDE. The thing is, colord as well as the gnome-color-manager are both ins

Re: graphic arts help needed

Maybe there can be multiple entries, and have Nokia, you or the mailing list decide which they like. Kind regards, Jeroen de Neef 2014-05-08 17:17 GMT+02:00 Steve Marquess : > On 05/08/2014 11:04 AM, Stacy Devino wrote: > > I would be happy to do so and I sure there are several o

Re: graphic arts help needed

for the chosen logo. Kind regards, Jeroen de Neef -- pgp/gpg key: https://jeroendeneef.eu/publickeys/pubkey.4B074162EC3601F7.Jeroen_de_Neef.asc 2014-05-08 17:21 GMT+02:00 Jeroen de Neef : > Maybe there can be multiple entries, and have Nokia, you or the mailing > list decide which the

Re: graphic arts help needed

I would do it for free if I could work with photoshop, because it would feel like an honor to do it, but sadly I can't. Kind regards, Jeroen de Neef -- pgp/gpg key: https://jeroendeneef.eu/publickeys/pubkey.4B074162EC3601F7.Jeroen_de_Neef.asc 2014-05-08 18:43 GMT+02:00 Mauricio Ta

Re: graphic arts help needed

I had the same idea, what about designing a new logo with this new sponsor? To begin a new era for OpenSSL, one where people donate more and OpenSSL will have more full time devs. Kind regards, Jeroen de Neef -- pgp/gpg key: https://jeroendeneef.eu/publickeys/pubkey.4B074162EC3601F7

Re: graphic arts help needed

Man, I really like to look at all these logos. Phong, can you make the images bigger? Because the resolution is quite small. Kind regards, Jeroen de Neef -- pgp/gpg key: https://jeroendeneef.eu/publickeys/pubkey.4B074162EC3601F7.Jeroen_de_Neef.asc 2014-05-09 4:38 GMT+02:00 Phong Long

Re: Platinum Sponsorship by Huawei

On 05/28/2014 10:05 PM, Steve Marquess wrote: Please accept our thanks as you have saved us a lot of time and money Yes, quite an understatement :\ Now a state sponsored company is sponsoring openssl.org? The bigger the country, the higher the stakes and thus also the measures to safeguard th

Re: Platinum Sponsorship by Huawei

On 05/29/2014 02:52 AM, Salz, Rich wrote: Please don't feed the troll -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz Being cynical is equal to being a troll? The initial remarks made by an openssl representative was that that most con

Re: Platinum Sponsorship by Huawei

On 05/29/2014 09:52 PM, Jeremy Gray wrote: government of North Korea... Even if no strings, it would damage the perception people have of OpenSSL just being associated with that entity. So, just be mindful of people's perceptions when accepting anything. +1. Dennis Rodman goes

Re: CVE-2014-0224

I am also quite curious. Also, how long has this exploit been around, and could hackers have exploited this already? 2014-06-05 22:46 GMT+02:00 Jeffrey Walton : > CVE-2014-0224 looks like an interesting issue > (https://www.openssl.org/news/secadv_20140605.txt): > > An attacker using a caref

Re: On 2K keys and SHA-256

I think that 3K-RSA is the next step after 2K-RSA, and I am sure that the computational costs of a 4K-RSA certificate is much of an obstruction with current hardware and I think that it isn't a problem at all a couple years in the future. 2014-09-09 14:18 GMT+02:00 Salz, Rich : > > May I suggest

Re: Value of DEFAULT cipher suite

I can see RC4 going in the list of low security ciphers within a couple of years anyways, so we can better discourage the usage right now. 2014-09-09 18:14 GMT+02:00 Salz, Rich : > We disagree. I've got two IETF WG's coming to the same conclusion so > making post-1.0.2 follow IETF practices seem

Re: On 2K keys and SHA-256

5PM +0200, Jeroen de Neef wrote: > > > I think that 3K-RSA is the next step after 2K-RSA, and I am sure that the > > computational costs of a 4K-RSA certificate is much of an obstruction > with > > current hardware and I think that it isn't a problem at all a couple > ye

[openssl-users] Grub troubles

Hi, I have a server running 12.3 and want to install on a different partition the newer 13.2 distribution. Alas, after installation I can't boot 12.3 anymore because of wrong references. Every time I install a fresh kernel I have to manually edit the grub.cfg files to get 12.3 booted again.

Re: [openssl-users] Grub troubles CANCEL

On 02/20/2015 11:42 AM, Frans de Boer wrote: Hi, I have a server running 12.3 and want to install on a different partition the newer 13.2 distribution. Alas, after installation I can't boot 12.3 anymore because of wrong references. Every time I install a fresh kernel I have to manually edi

[openssl-users] Error signing document

Dear Openssl, I have the following case: I am trying to sign a file with a private key from an CA. I converted the pfx file to a pem file using the following command openssl pkcs12 -in CustKeyIcBD001.pfx -out CustKeyIcBD001.pem -nodes After this I trying to sign a file using this key with the fo

Re: [openssl-users] Error signing document

Great Dave this did the trick. Thanks, Mark Van: openssl-users [openssl-users-boun...@openssl.org] namens Dave Thompson [dthomp...@prinpay.com] Verzonden: vrijdag 1 mei 2015 6:59 Aan: openssl-users@openssl.org Onderwerp: Re: [openssl-users] Error signing d

[openssl-users] New kernel and Dracut

OK, I compiled a new kernel for the 13.2 release and was installing it. I have to manually copy bzImage and System.map because I do not use the make install which requires the perl-Bootloader to be available. Before I just did mkinitrd -B and the initrd file was made. Now that is part of dracu

[openssl-users] using openssl to validate an external AES program

e same. where am i wrong ? best regards and thnaks for your kind support. Abel Artiste en herbe,musicien , informaticien, roliste , tout et son contraire Blog Perso karel-de-ma...@wanadoo.fr ___ openssl-users mailing list To unsubscribe: https:

OpenSSL 1.1.1 RPM for CentOS 7

Hi, I'm searching on the internet for an OpenSSL version 1.1.1. RPM package for CentOS 7. However, I cannot find this. Perhaps one of the users in the mailing list has this package already available. Thanks

Re: books about ssl handshake?

Hello, I have this one: http://www.opensslbook.com/ It's quite good, with a lot of programming examples etc... Joeri On 9/10/07, Koza <[EMAIL PROTECTED]> wrote: > > Hi, > > Can you recommend any book about secure connections, ssl, handshake and the > things alike? Would be nice if it has some r

Re: SSL handshake problem.

Unless someone recognizes the text, it might be helpful if you tell a little more about the server and client side. frans. On Wed, 2007-10-10 at 00:09 +0200, Alessandro Baggi wrote: > I'm trying to make a client/server application with ssl connection but > the handshake doesn't work. > > Readin

Various questions

n this matter. But I really have the urge to do it right this time. Being my own CA, having my own services etc. Any suggestions? Okay, I hope to see some positive feedback Kind regards, Frans de Boer. __

caRepository

Hello, anybody there who can verify that the access method caRepository used with the subjectInfoAccess extension is NOT available in openssl? Frans de Boer FloraHolland Information Security Officer FloraHolland Naaldwijk Postbus 220, 2670 AE Naaldwijk T 0174 - 63 42 07 F 0174 - 63 20

Re: caRepository

= caRepository;URI:http://etc generates a syntax error Kind regards, Frans. On Thu, 2007-11-22 at 17:43 +0100, Dr. Stephen Henson wrote: > On Thu, Nov 22, 2007, Boer, F.A. de wrote: > > > Hello, anybody there who can verify that the access method caRepository used > > with the

Re: caRepository

. RFC3280 is already dated, why has openssl not implemented this? I am not the first one to ask, but the first to get a workable answer. for that, many thanks. KR, Frans. On Thu, 2007-11-22 at 22:11 +0100, Dr. Stephen Henson wrote: > On Thu, Nov 22, 2007, Frans de Boer wrote: > > > Okay,

Re: caRepository

oes not include deprecated objects like nsComment etc. Tomorrow, I will try the OID you have given before. Again, thanks for the effort, Frans. On Thu, 2007-11-22 at 23:40 +0100, Dr. Stephen Henson wrote: > On Thu, Nov 22, 2007, Frans de Boer wrote: > > > > > RFC3280 is a

Re: caRepository

message stated "syntax error", why not missing or unknown OID? It now does suggests that the subjectInfoAccess was at fault. So I was looking in the wrong places to start with. Kind regards, Frans. On Fri, 2007-11-23 at 00:50 +0100, Dr. Stephen Henson wrote: > On Thu, Nov 22, 2007,

Re: caRepository

Hello Steve, I will come back on that subject soon. My bedtime is long overdue, so I will respond this weekend or sooner if I have time. KR, Frans. On Fri, 2007-11-23 at 01:50 +0100, Dr. Stephen Henson wrote: > On Fri, Nov 23, 2007, Frans de Boer wrote: > > > > > One last q

openssl.cnf - two questions

Dear people, 1. I seem to remember that you could place an "include" statement in de openssl.cnf file. I wonder if I am mistaken, since that does not work. 2. Secondly, is there a proper description of the contents of the openssl.cnf file, especiall

openssl.cnf - two questions

Dear people, 1. I seem to remember that you could place an "include" statement in de openssl.cnf file. I wonder if I am mistaken, since that does not work. 2. Secondly, is there a proper description of the contents of the openssl.cnf file, especiall

OpenSSL + windows + asynch callbacks not being posted

Hi all found this one out the hard way. Had been having a problem with OpenSSL "losing" callbacks, specifically FD_READ notifications. Turned out to be fairly simple, but non-intuitive. Many windows sockets apps rely on the OS to send an FD_READ notification to tell the app when to read dat

cURL, CERT and PEM

Hello, I have just generated a self-signed certificate as follows: openssl x509 -req -days 365 -in my.domain.csr -signkey my.domain.key -out my.domain.cert What format is my.domain.cert now in? I am asking this because I am trying to use this certificate with curl as in curl --cert my.dom

Decryption with RSA public keys not possible?

this in Python (sorry, wasn't my choice :-( ), so I can't use the RSA_public_decrypt() subroutine which, judging from internet comments, *can* actually decrypt data with an RSA public key... Any comments are welcome. Thanks in advance. Kind regards,

Re: Decryption with RSA public keys not possible?

desirable. So I just want to use public/private keys, no certificates for this. Steve. Kind regards, Simon de Hartog __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: Decryption with RSA public keys not possible?

bear in mind that the software user has control over the smartcard but not over the software owner's public key. So, is this safe? Any comments? Thanks in advance :-) Kind regards, Simon de Hartog __ OpenSSL Proj

callback function specified in SSL_CTX_set_verify

Newbie questions about callback function specified in SSL_CTX_set_verify. 1) With the function SSL_CTX_set_verify we can specifies a callback function to be used. If this callback function is called with 'preverify_ok=1', does it mean that the certification chain succeed completely? Thus does it

Re: Where is GPG key for OpenSSL.org?

tp.zedz.net/pub/crypto/redhat/SRPMS/gnupg-rsa-1.0-2.src.rpm This is what i got $ gpg --verify openssl-0.9.5.tar.gz.asc gpg: Attention : utilisation de la mémoire non sûre ! gpg: Signature faite lun 28 fév 2000 18:13:09 CET avec une clé RSA ID 5A6A9B85 gpg: Bonne signature de "Bodo Moell

Re: Where is GPG key for OpenSSL.org?

file or a rpm at ftp://ftp.zedz.net/pub/crypto/redhat/SRPMS/gnupg-rsaref-1.0-2.src.rpm I didn't try those codes though. Some not too old (ie >=5) us pgp freeware might also do what you want. -- Marcel de Riedmatten _

chain of certificate

hi, Sorry for asking this kind of question again but I've checked the archive and didn't find a working answer for me :( I'd like to create a chain certificate using Linux. Please correct me if I'm wrong in the following : Steve said : "First the root certificate : openssl req -x509 -new -key

exit codes

hi, On the web page for openssl, s/mime utility gives exit codes explanations. 1.the operation was completely successfully. 2.an error occurred parsing the command options. 3.one of the input files could not be read. 4.an error occurred creating the PKCS#7 file or

IIS 5, W2K and Client certificate

sufficient rights to access the page (to be sure I have tested the page with no SSL client authentication allowed). On IIS4 and NT4, the same configuration worked fine Pierre De Boeck Sr System Engineer Mission Critical (Belgium) Phone: +32 2 757 10 15 Fax: +32 2 759 276 0 ema

exit codes

hi, On the web page for openssl, s/mime utility gives exit codes explanations. 1.the operation was completely successfully. 2.an error occurred parsing the command options. 3.one of the input files could not be read. 4.an error occurred creating the PKCS#7 file or

attachments

hi, Thanks for answers about the exit codes. On the web page for openssl, s/mime utility gives an example for sending an email with sendmail : openssl smime -sign -in in.txt -text -signer mycert.pem -from [EMAIL PROTECTED] -to someone@somewhere -subject "Signed me

viewing added oid

hi, How can I be sure that oid I'm trying to add to my certificate, are actually added ? What's the openssl command to use ? Will my added oids appear somewhere in these lines : ** subject=/C=FR/ST=Nord/O=Org/CN=mycn/Email=myemail issuer= /C=FR/ST=Nord/O=Orgi/CN=root

Réf. : viewing added oid

hi, Now I have this in my pkcs12 info : *** subject=/C=FR/ST=Nord/O=Certi/CN=dsfdsfqfds/Email=sqdfdqsfqdsfdsqf/1.6= *** I'd like (for instance) to have "EXT" instead of "1.6". How can I do that since when I change my [ new_oids ] section, openssl say : *

RE: PKCS support vs. PEM

And I have no problem to import these objects in external PKI apps like Netscape or CryptoApi. Pierre De Boeck Sr System Engineer Mission Critical (Belgium) Phone: +32 2 757 10 15 Fax: +32 2 759 276 0 email: [EMAIL PROTECTED

  1   2   3   >