On 01/09/2022 18:15, Matt Caswell wrote:
On 01/09/2022 13:21, Dave Coombs via openssl-users wrote:
So! Is it possible to work around these, using ASN1_MACRO trickery or
what-have-you? It's pretty clear I should end up with an empty bit-
string and integer value 0x42, so is there a way to
On 01/04/2021 16:21, Michael Wojcik wrote:
Thanks to everyone who responded. You've confirmed my impression:
- There doesn't appear to be any applicable standard which requires or forbids
including the root, or even endorses or discourages it.
rfc8446 page 65:
The sender's
Even with sound this would not be BER. i:-) Integers can have 9 or more leading
zero bits in BER not
ISO/IEC 8825-1:2008 (E) ITU-T Rec. X.690 (11/2008)
7 8.3 Encoding of an integer value
8.3.1 The encoding of an integer value shall be primitive. The contents octets shall consist of one
or more
On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote:
> On Thu, Aug 17, 2017, Robert Moskowitz wrote:
>
>> In the [ ca ] section I have:
>>
>> prompt = no
>>
>> If I leave the = out I get an error, so I am assuming I got the
>> format of this right.
>>
>> Then I have
>>
>> [ req ]
>>
ng openssl
standard encryption like GCM can use? Each application will have to get self
declared?
On Thu, Dec 1, 2016 at 12:12 PM, Peter Sylvester Edelweb
<peter.sylves...@edelweb.fr> wrote:
Hi
There are news since about a year.
https://www.ssi.gouv.fr/administration/reglementation/controle-reglementaire-sur-la-cryptographie/
There is a downloadable editable PDF to prepare the declaration.
Anyway, you normally do not declare all functionality of the openssl library if
you use it
https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html
Load names of CAs from file and use it as a client CA list:
SSL_CTX *ctx;
STACK_OF(X509_NAME) *cert_names;
...
cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
if (cert_names != NULL)
a surprise when policy and practice documents do not even
mention
these behaviours.
Peter Sylvester
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users
On 08/22/2013 01:29 PM, Peter1234 wrote:
Hi Walter,
I started with release 0.9.8h and just updated to release 1.0.1e (both on MS
Windows). The update to release 1.0.1e didn't change anything unless that
the new release does not redirect certificates converted from PEM format to
text format into
On 08/09/2013 11:17 AM, Florian Weimer wrote:
Qt installs a verification callback like this
// Register a custom callback to get all verification errors.
X509_STORE_set_verify_cb_func(ctx->cert_store, q_X509Callback);
It is not recommended to access to members in the way above, but
for those who don't read openssl-dev
Original Message
Subject:[openssl.org #3016] openssl ts fix
Date: Wed, 13 Mar 2013 16:13:31 +0100
From: Peter Sylvester via RT r...@openssl.org
Reply-To: openssl-...@openssl.org
CC: openssl-...@openssl.org
Hi,
I
On 03/11/2013 11:17 PM, kap...@mizera.cz wrote:
That is what we talk about here.
Try to check previous posts in this thread.
rfc 3126 tells
This document mandates the presence of this attribute as a signed CMS
attribute, and the sequence must not be empty. The certificate used
to
On 03/12/2013 09:30 AM, kap...@mizera.cz wrote:
RFC 3161 is written badly. The whole text was a joke anyway.
The requester SHALL verify that the
TimeStampToken contains the correct certificate identifier of the TSA
One may conclude that openssl should simply not validate anything
On 03/11/2013 06:43 PM, kap...@mizera.cz wrote:
Hello,
...
As I know, the attr. certs are not very necessary = that is why I mean, that temporary solution
would be to ignore them in verification process. At least in TS it would solve the problem.
Just for info: converting te stuff to
the second ess certid says
SEQUENCE {
OCTET STRING
52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78
EB 6C D7 AC
}
by 3721926ea67e877df5f4e35dd3c87397eef33d4f
is the hash of the der version of te
On 03/11/2013 08:01 PM, kap...@mizera.cz wrote:
Of course YES.
Timestamp reply is nothing else as CMS SignedData structure.
not quite but ts -reply -tokenout converts it to such a thing
On 03/11/2013 10:31 PM, kap...@mizera.cz wrote:
On 11.3.2013 21:42, Peter Sylvester wrote:
the second ess certid says
SEQUENCE {
OCTET STRING
52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78
EB 6C D7 AC
Ordering is important. Unfortunately the default order shown in the textual
form is not the same as for ldap tools. using openssl asn1parse shows
the encoding, country code should come first.
On 01/17/2013 12:10 PM, A G wrote:
Hi
Here
http://marc.info/?l=openssl-users&m=124386218929227
It states that
...This is why it is very important to understand that any possible forward
progress on any port (and a write operation that returns WANT_READ may have made forward
progress!) requires
On 12/11/2012 09:45 PM, Michael Mueller wrote:
Could I get a nudge. I'd like to get the SANs to show up in my certs.
in my request:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non
On 12/07/2012 11:05 AM, LN wrote:
I have a feeling it does so because I tried to save that returned
EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it
back from the same file with PEM_read_bio_PrivateKey.
Saving worked, but loading failed (with some decoding error
On 11/07/2012 06:52 PM, Graham Leggett wrote:
On 07 Nov 2012, at 4:50 PM, Ted Byers r.ted.by...@gmail.com wrote:
Why does it need to be something in openssl?
Ideally because it needs to be as secure as openssl.
I'm after an accurate time duration between two ASN1_TIME values, that is not
On 10/27/2012 02:51 PM, Graham Leggett wrote:
Section 4.1 says:
Encoding considerations: will be none for 8-bit transports and most
likely Base64 for SMTP or other 7-bit transports
What I'm after is how to interpret section 4.1 in the context of HTTP content
negotiation.
Regards,
Graham
The way how common names are verified in
The Most Dangerous Code in the World:
Validating SSL Certificates in Non-Browser Software
is not correct.
It gives a false match when there is more than one common name ava
On 08/09/2012 12:57 PM, int0...@safe-mail.net wrote:
Hi
...
After that I generated a CRL (I own the CA) which then contained the
certificate with the serial 0x06.
My question now is, would that be a proper workaround or is there a better
solution? Since the CRL
only contains the serial
You can take the code in apps/req.c and extract the pieces you need.
On 07/20/2012 10:17 AM, Abyss Lingvo wrote:
Hi all!
How to create certificate request programmatically via OpenSSL API?
This is the solution for command line utility:
openssl genrsa -out server_key.pem -passout
On 07/10/2012 02:38 AM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Sandro Tosi
Sent: Monday, 09 July, 2012 10:15
/usr/bin/openssl ts -verify -sha256 -untrusted CERT -CAfile
CA -data FILE TO MARK -in TSA REPLY
and the output we get is:
On 07/02/2012 10:34 AM, Johannes Bauer wrote:
Hi list,
I have a rather simple question regarding X.509 subjects that is not
entirely clear to me and for which I cannot find the appropriate
reference (pointers greatly appreciated). The trouble starts when trying
to compare two subjects of
On 06/29/2012 09:29 PM, Sukalp Bhople wrote:
Hello,
I am trying to measure server performance for client certificate verification.
However, there is no significant difference in the server performance when I send one certificate
and condition when I send chain of 10 certificates.
I am aware
On 06/05/2012 07:14 PM, DRings wrote:
I've spent too much time trying to figure out something that is probably well
know here.
I have a restricted community application that seems a perfect fit for using
openssl to self-generate our own CA, and self-sign it, and self-generate our
own web client
some new line - CRLF conversion may have hit.
On 06/04/2012 04:29 PM, Ken Goldman wrote:
A typical openssl user error is treating binary data as text. Random
numbers are not text until you convert them with -hex.
My guess is that Windows is treating some binary character specially,
and this
On 05/18/2012 06:03 AM, kthiru...@inautix.co.in wrote:
Team,
Had a query in the certs that we load,
The CA's provide our certs in .p12 format, which we need to convert to a .pem and load to SSL
structure during initialization.
On converting to .pem, it is in the following format, Private
On 05/14/2012 02:59 PM, marek.marc...@malkom.pl wrote:
Hello,
$ openssl version
OpenSSL 1.0.0 29 Mar 2010
$ openssl ciphers -V
For SRP one should use the 1.0.1 version.
openssl version
OpenSSL 1.0.1 14 Mar 2012
openssl ciphers SRP
Yes, it can probably be parsed by any ASN.1 parser. But the OID is
private - only the organization knows how to interpret it (or what to
do with it).
private/public in this context refers to governance/ownership
not to visibility. if the organisation documents the any interested
party can
On 04/26/2012 03:58 PM, Tammany, Curtis wrote:
I don't see this as an Apache issue. The site has required client certs for
years now and Apache was configured to require client certificates.
I have intermediate DOD certs on the server but OpenSSL sees my DoD Root
certificate as un-trusted
put all the CA certificates into one file and remove the
SSLCACertificatePath
and just keep the
SSLCACertificateFile
Thanks.
Curtis
-Original Message-
From: Peter Sylvester [mailto:peter.sylves...@edelweb.fr]
Sent: Thursday, April 26, 2012 10:40
To: openssl-users@openssl.org
Cc
On 04/04/2012 11:01 AM, Christian Weber wrote:
Dear users and developers,
we just read through some of the code examples for SRP usage.
Concerning the necessary callbacks we wonder why in
s_server.c the verifier parametrization is being delayed.
Within apps/s_server.c we can find the comment:
On 04/04/2012 02:51 PM, brajan wrote:
I am using openssl 0.9.8g version .
i convert the PEM certificate file to X509 format and try to read the key
usage value .
Keyusage = lCertificate->ex_kusage;
Some time the keyusage = 128
Some time keyusage is 0 for the same certificate. Why this problem
On 03/08/2012 11:05 PM, David Holmes wrote:
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Isn't it the client after the serverhello response?
you might want to add -debug and -msg to see
On 03/08/2012 11:05 PM, David Holmes wrote:
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Openssl 0.9.8h works just fine though.
Is this a known issue?
try beta3, should work better.
On 03/08/2012 11:05 PM, David Holmes wrote:
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli).
s_server is complaining of an unknown extension (see debug output below).
Openssl 0.9.8h works just fine though.
Is this a known issue?
127.0.0.1 is not a valid
On 02/23/2012 10:49 AM, Ashok C wrote:
Hi,
What would be the most efficient and easiest way to distinguish a CA certificate from an actual
server/client(end entity) certificate?
We were thinking of identifying the CA with the CA:TRUE constraint from the text display, but
again this check does
On 02/06/2012 09:41 AM, Curt Sampson wrote:
If I were to create a custom X.509 certificate extension for use within
my enterprise and with others outside who wanted to write or modify
their own software to interoperate with it, I'd need to assign an OID
for this extension, right? And for that,
blocking behaviour (even if no),
and you need time to lookup a credential (a verifier) in a database,
you can indicate in your callback to interrupt the accept call
(in blocking and non blocking mode) and repeat the accept as
soon as the data are there.
Norm Green
VMware, Inc.
Peter Sylvester
an excerpt from rfc 5054 paragraph 3.3
If an attacker learns a user's SRP verifier (e.g., by gaining access
to a server's password file), the attacker can masquerade as the real
server to that user, and can also attempt a dictionary attack to
recover that user's password.
An
On 01/07/2012 02:01 AM, Ken Adler wrote:
I use echo GET | openssl s_client -connect www.google.com:443 -state to
troubleshoot https handshakes.
Is there a way to get it to return the Serial number (or thumbprint) of the
server certificate?
openssl s_client -connect www.google.com:443
On 12/14/2011 01:33 PM, rey sebastien wrote:
Hello users :)
I have some problem with nested subdomain and wildcard openssl certificate.. perhaps this is
because the subdomain type is : site1.parisgeo.cnrs.fr, or site2.parisgeo.cnrs.fr, or other
subdomain like .parisgeo.cnrs.fr
When i
On 11/10/2011 12:47 PM, Rajib Karmakar wrote:
Hi,
I am using OpenSSL version 1.0.0e and want to create a certificate
store using DER and PKCS12 formatted certificates.
I have to read and convert DER and PKCS12 certificates into X509
object and add them into X509_STORE.
But if PEM, DER and
On 10/25/2011 05:15 AM, Norm Green wrote:
Hello Experts,
I'm new to OpenSSL so please bear with me.
I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1
snapshot to create secure connection using SRP without using any certificates.
I am aware 1.0.1 is not yet released,
On 09/19/2011 04:29 PM, ubuntuv wrote:
Thanks Jacob.
Output of
#less evalRootCertificate.cer
-BEGIN CERTIFICATE-
MIICBDCC.MVWn1dH/IzvUWbQ==
-END CERTIFICATE-
I even tried removing the following file lines
-BEGIN CERTIFICATE-
-END CERTIFICATE-
#
On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
On Wed, Sep 07, 2011, Dominik Oepen wrote:
Are these OIDs are by chance the ones described in ticket 1794?
On 09/08/2011 04:31 PM, Dominik Oepen wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08.09.2011 11:49, Peter Sylvester wrote:
On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote:
On Wed, Sep 07, 2011, Dominik Oepen wrote:
Are these OIDs are by chance the ones described in ticket
you might want to read the description of the -extfile parameter of the x509
command
an excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh available at
curl.haxx.se
$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key
-out $PREFIX-sv.csr
$OPENSSL rsa -in
Many places including the DN comparison algorithm description of RFC3280.
Sorry can you point me to the exact paragraph, I read 4.1.2.4 and 5.1.2.3 but the comparison
seems to happen on the contents of the issuer field and not the order,
thanks
Nicola
near the end of page 95 of rfc
On 06/30/2011 07:29 PM, derleader mail wrote:
Hi,
I'm looking for complete examples of implementing OpenSSL code - server and client. Can you
give a link?
Best wishes
Peter
the source code of s_client and s_server
or ssl_use.c of curl for a client part or mod_ssl of apache for a
The problem with this scheme is that it doesn't deal well with
parallel certificate signatures. You have one shared information that
must be incremented in an atomic way. But for a Junk CA (that's how
I call the set of scripts I use), that's not a problem.
another approach is to take the
On 05/19/2011 06:20 PM, Tim Watts wrote:
On 19/05/11 16:46, Peter Sylvester wrote:
The problem with this scheme is that it doesn't deal well with
parallel certificate signatures. You have one shared information that
must be incremented in an atomic way. But for a Junk CA (that's how
I call
On 03/11/2011 11:57 AM, ikuzar wrote:
Ok.
In the doc, I think i2d_X509() is adequate to encode X509 *cert; The doc says
:
int i2d_X509(X509 *x, unsigned char **out);
i2d_X509() encodes the structure pointed to by x into DER format. If out
is not NULL it writes the DER encoded data
On 02/14/2011 01:11 PM, Eisenacher, Patrick wrote:
I want to encode a private asn1 structure, say something like the following:
SEQUENCE
true_false BOOLEAN
certificate Certificate
I checked the asn1parse command and was able to specify my outer sequence and
the inner boolean in the
In addition to the adding the IP address to the cert with
subjectAltName=IP:10.0.0.1; I added the IP address twice (probably didn't
need to), using subjectAltName=IP:10.0.0.1,DNS:10.0.0.1
You might want to add DNS:host.mydomain.com
On 01/11/2011 05:50 PM, Dominique Lohez wrote:
Fredrik Strömberg wrote:
Hello,
I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?
by using the command x509 and not ca for example.
you can use a serial number based on a date
On 09/17/2010 04:40 PM, Tom Cocagne wrote:
Greetings,
I've been searching for a way to set up an encrypted SSL connection
that doesn't require the use of certificates. Ideally, I'd like to use
SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly
available, I'd like to fall back to
Since webmail, imap, smtp(s) all operate on different ports, and
you have different listeners, the correct way to me seems to
use three certificates with the desired hostnames etc.
Having the same IP address doesn't matter in this particular case.
Nit: redundant leading 00 (or FF) in an INTEGER is VALID *B*ER
but INVALID *D*ER. And signed things like certs are *D*ER
for exactly this reason, so a reconstructed encoding is
bit for bit identical and hashes and signatures etc. work.
BER is already 'distinguished concerning the content
The encoding is invalid BER.
The openssl is tolerant but also destructive in copy.
whenever you use openssl x509 -in -out ... you remove one leading 0 octet.
IMHO openssl should reject the cert because of invalid encoding.
On 08/29/2010 04:17 AM, Mounir IDRASSI wrote:
Hi,
The problem you
On 08/29/2010 01:20 PM, Mounir IDRASSI wrote:
Hi Peter,
Although the certificate's encoding of the serial number field breaks the
BER specification about the minimal bytes representation, it is known that
many CA's and libraries treat this field as a blob and usually encode it
on a fixed length
On 08/29/2010 07:38 PM, Mounir IDRASSI wrote:
Hi Peter,
Thank you for your comments.
As I said, this kind of debates can be very heated and going down this
road don't lead usually to any results.
The debate may be whether and how something should be
done in openssl, I admit I had started
You can use environment variables in the config file like
extensions = x509v3
[ x509v3 ]
subjectAltName = @subjectAltName
keyUsage= critical,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = $ENV::CRLDP
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[
try rehash the certs
I am loading the certificate stores from /etc/ssl/certs which
contains the stores that mozilla, chrome, and the like all verify
from, but no matter what I do I can't get a single certificate to verify.
On 08/06/2010 10:54 AM, Manjunath1847 wrote:
I am using SSL_CTX_set_verify() function to set my static C callback verify
function. During HTTPS transaction, my callback is also getting called with
first parameter 0 or 1 (depending upon of the certificate verification is
success or failure). But
On 06/03/2010 06:11 PM, Dr. Stephen Henson wrote:
On Thu, Jun 03, 2010, jeff wrote:
I have an example, detailed below, that specifies permitted and excluded
subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate
requests adhering to and violating the name constraints
I'm trying to install a CA cert on my Android phone, to use my
university WiFi account, via http://www.realmb.com/droidCert/ I would
need to install the GTE CyberTrust Root cert, but it is getting
registered as a client cert, not a CA one. If I try to install one
with CA:TRUE, then it's working
On 05/10/2010 08:43 PM, Chris Bare wrote:
Is there a way get have X509_verify_cert retry it's path building after it
gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT?
My idea is to implement a verify callback that uses the AIA information to
download the issuer cert and add it to the stack of
Sad Clouds wrote:
Hi, is there any sort of documentation on how to use SNI with OpenSSL?
As far as I know, only the source in s_client and s_server.c
It depends on what side you are, and what do you want to test.
As a client, if you want to start a session to a server, and
if you somehow
Wasn't there a pb with a great number of CA names? There are 16K already?
The pb was in apache and some of my three neurons seem to agree.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46952
/PS
We have in apps/
in x509.c
print_name(STDout, "issuer= ",
X509_get_issuer_name(x), nmflag);
in crl.c
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
nmflag);
In order to make a fair change that will potentially hurt everyone, I
propose
A better question is to match a given hostname
against a certificate and determine whether it
obeys the https rules.
There can be multiple hostnames and wild cards.
The code implemented by curl is a complete way to do this.
/PS
It does not support subjectAltName extensions.
SubjectAltName extension is supported since an eternity,
more than 5 years ???
I think the desired function is X509_STORE_add_cert
SSL_CTX_use_certificate is to select you own certificate.
Francois Dupressoir wrote:
Hello Ram,
You may be interested in the d2i_X509_fp() function
[http://openssl.org/docs/crypto/d2i_X509.html#] in conjunction with
well, if one takes the standard configuration of openssl,
it sets the authoritykey_identifier both the hash and
issuer serial, no exception for the root. comment says
that pkix recommends that.
I do not see this recommendation in the rfcs.
at least there is a lengthy paragraph for roots
to have
OK, then how do I re-issue my root CA certificate with my already
existing ca.key ?
If I could have a sample command line for openssl it would help me.
something like
OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm -days
$DURATION -CA $CAPREFIX-ca.cacert -CAkey
Jehan PROCACCIA wrote:
On 26/08/2009 12:17, Peter Sylvester wrote:
OK, then how do I re-issue my root CA certificate with my already
existing ca.key ?
If I could have a sample command line for openssl it would help me.
something like
OPENSSL x509 -set_serial $SERIAL -clrext -extfile
Second, I doubt your organisation is
authoritative for the OID arc 1.1.1.1.1 - from what documentation I can find,
the 1.1 arc is used for examples, and shouldn't be used in production. You
should have your organisation register with IANA to be issued its own correct
OID arc (or, I think
Roger No-Spam wrote:
Recently there has been some discussion on the Internet regarding so
called null-prefix attacks, see
http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl
vulnerable to this attack?.
The attack is not an attack against SSL/TLS, but against
implementation
see http://www.rtfm.com/ssldump/
Ivan Ristic wrote:
I am investigating whether it is possible to use OpenSSL to passively
decrypt an SSL conversation (with access to a server's private RSA
key, of course).
Does OpenSSL provide any support for this mode of operation?
If there isn't explicit
Victor Duchovni wrote:
On Fri, Jul 10, 2009 at 10:04:45PM +0200, Akos Vandra wrote:
Hello!
I need to issue a few certificates with custom fields, with the
customers more thoroughly identified, including Full name, Address,
Telephone number, blablabla, and even a picture of the poor guy.
There is also CER.
Selon Kyle Hamilton aerow...@gmail.com:
On Thu, May 21, 2009 at 11:55 PM, loody milo...@gmail.com wrote:
Hi:
thanks for your help.
By your explanation, in der form, the leading 00 seems like a padding byte.
( Is there spec which says it must put 00 here?)
from my example, the number
what is the X series mean?
guess where the X in X509 comes from.
Victor B. Wagner wrote:
On 2009.05.20 at 18:28:42 +0200, Peter Sylvester wrote:
IMO a good approach is also to simple read and understand apps/x509.c
Unfortunately, it wouldn't help much. x509 utility does work only with
certificates in files (or stdin), so it uses d2i_X509_bio
IMO a good approach is also to simple read and understand apps/x509.c
Kyle Hamilton wrote:
X.509 refers to the certificate version. 0 == version 1, 1 == version
2, 2 == version 3.
Version 1 certificates have no means for any extensions.
Version 2 certificates are CRLs.
CRLs use the asn1 type Version. CRLs with extensions have Version 2,
but this has nothing
openssl is VERY tolerant concerning the encoding/decoding of an INTEGER
value.
Other decoders may not like such things as length 0 etc.
When converting such a beast from DER to PEM or the other way, you might
have a surprise.
From X.690:
8.3 Encoding of an integer value
8.3.1 The encoding
I hope this information helps.
-Kyle H
Thank you for your response and information about the proxies.
I now have a feeling that to write a verification callback function, I will
need to
retrieve the information stored in the certificate that the peer has sent
to me.
If you want
Kyle Hamilton wrote:
The ITU X.509v1? The X.509v3? The Internet Public Key Infrastructure
Certificate Profile? Perhaps the Attribute Certificate profile? Or the
Proxy Certificate profile? Or some other profile?
excerpt from the 2000 version. Since this is the one that I have online.
Kyle Hamilton wrote:
I have never heard of issuerUniqueID and subjectUniqueID. If you can
point to where you're learning about it, it would be possible for me
to figure it out.
X.509, where else?
The load verify location has to be done before you make the connection.
Christian Graf wrote:
Hi all,
I try to check a server's certificate on the client like this, using an
operating system whose name contains an o:
GC_SSL_Error retVal = GC_SSL_NO_ERROR;
X509* x509cert =
Daniel Diaz Sanchez wrote:
Hello to everybody,
I have a problem when implementing a simple structure using OpenSSL
Asn1. This is the problem:
When I try to implement this data structure:
A ::= SEQUENCE {
b
CHOICE {
b1
Bernhard Froehlich wrote:
Chong Peng wrote:
guys:
how to tell a root certificate from a non-root certificate? i sthere
a field in x509 structure for us to tell? thanks.
Root certificates are self signed, that is the issuer equals the
subject in the certificate.
AND the signature can be
[EMAIL PROTECTED] wrote:
I found this in the OpenCA-Users mailinglist.
Any ideas or suggestions?
use the 'openssl ca' command with an empty index.txt file for each new
certificate.
and then manages the files differently, i.e. copy the content into a
database.
Or don't use the ca at all
1 - 100 of 185 matches