Thanks for the explanation. I figured I was headed down a dead end. This will
at least help me figure out how to handle things appropriately.
Zeke Evans
On 01/09/2021 16:36, Zeke Evans wrote:
Is there any way to check the status of client authentication sent in a
TLS 1.3 handshake after SSL_connect returns? With TLS 1.2 SSL_connect
seems to always capture the status and return an error code if it failed
but not TLS 1.3. I haven’t been
On Wed, Sep 01, 2021 at 03:36:36PM +, Zeke Evans wrote:
> Hi,
>
> Is there any way to check the status of client authentication sent in a TLS
> 1.3 handshake after SSL_connect returns? With TLS 1.2 SSL_connect seems to
> always capture the status and return an error co
Hi,
Is there any way to check the status of client authentication sent in a TLS 1.3
handshake after SSL_connect returns? With TLS 1.2 SSL_connect seems to always
capture the status and return an error code if it failed but not TLS 1.3. I
haven't been able to find a good way to do this after
Hi Ferenc,
On 23/11/20 13:03, Ferenc Gerlits via openssl-users wrote:
Hi,
I am trying to use openssl to implement a client-side TLS connection
with Client Authentication on Windows, using a non-exportable private
key stored in the Windows Certificate Store. Currently, our code can
use
Hi,
I am trying to use openssl to implement a client-side TLS connection with
Client Authentication on Windows, using a non-exportable private key stored
in the Windows Certificate Store. Currently, our code can use a private
key stored in a local file, and if the key in the Windows store
Hi all,
Anyone knows in client authentication, what are the Key Usage and Extended
Key Usage purposes we should validate?
As per the specification in [1]:
- "Extended Key Usage" is not necessary and which is configured in
addition to or in place of the basic purposes indicated
I understand that the trusted store must include Intermediate CA 1 or
remove Intermediate CA 2 and just have the Root CA in it. I was trying
things out to understand how client authentication works.
Regards,
Sudarshan
On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <
sudarshan.t.ra
openssl 1.1.0f. This client authentication attempt is flagged as
failed by OpenSSL. When I enable the X509_V_FLAG_PARTIAL_CHAIN flag, it
passes. I was trying to understand why the partial chain flag is needed
when the verification chain from Leaf to Root CA can be constructed using
both the chain sen
Commands Used:
x86_server:
openssl s_server -cert sercert8192.pem -key serverkey8192 -Verify CAcert.pem
x86_client:
openssl s_client -cert clientcert8192.pem -key clientkey8192 -connect
: -cipher AES128-SHA -
Error log:
x86( Server):
verify error:unable to verify the first certificate
x86
Dear openssl group, could you solve this issue regarding mod_ssl?
Michele Masè
On Thu, May 23, 2013 at 10:11 AM, Michele Mase' michele.m...@gmail.com wrote:
Okay, openssl works, but mod_ssl doesn't.
Is this a real problem?
Instead try hacking mod_ssl code ...
Could I ask for a bug/improvement
Okay, openssl works, but mod_ssl doesn't.
Is this a real problem?
Instead try hacking mod_ssl code ...
Could I ask for a bug/improvement so that mod_ssl could finally work?
Michele MAsè
On Thu, May 23, 2013 at 1:22 AM, Dave Thompson dthomp...@prinpay.com wrote:
From:
From: owner-openssl-us...@openssl.org On Behalf Of Michele Mase'
Sent: Tuesday, 21 May, 2013 04:16
I was wrong!
Does it work with client=Firefox using client certs under both CAs?
I would expect at least one to fail. Note that s_server -verify
doesn't *require* client cert, it only *allows* it;
If these are the roots you attached -- with names that differ only
in case of one letter -- they should have gotten the same hashvalue
(with suffixes .0 and .1); did they?
yes
Does it work with client=Firefox using client certs under both CAs?
I would expect at least one to fail. Note that
:28 AM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Michele Mase'
Sent: Monday, 13 May, 2013 05:33
I'm testing a client authentication using [Apache with 1.0.0-fips]
I have 2 CA's x509 pem files, bundled.
CA1 signs client1 certificate files
From: owner-openssl-us...@openssl.org On Behalf Of Michele Mase'
Sent: Friday, 17 May, 2013 10:04
What I did:
openssl:
Commandline for the openssl s_server (sorry for my typo)
before starting www server:
c_rehash /some/path #where I've put 2 pem encoded CA's certificates
If these are
From: owner-openssl-us...@openssl.org On Behalf Of Michele Mase'
Sent: Monday, 13 May, 2013 05:33
I'm testing a client authentication using [Apache with 1.0.0-fips]
I have 2 CA's x509 pem files, bundled.
CA1 signs client1 certificate files
CA2 signs client2 certificate files
I should use two
I'm testing a client authentication using:
SSLCACertificateFile /path/to/pemfile.pem
<LocationMatch /test>
SSLVerifyClient require
SSLVerifyDepth 2
</LocationMatch>
My env:
CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3
(Unix) - Server built: Feb 7 2013
On Mon, Oct 01, 2012, Thulasi wrote:
Hello all,
I've a problem with TLS 1.2 client authentication where client has 512-bit
RSA key and certificate and signature hash is of sha512.
This is reproducible with openssl-1.0.1c and many prior versions which
support TLS 1.2 client authentication
I have an existing server application in QNX using OpenSSL 0.9.8m.
With a client application in Windows 7 using .NET 4 SSLStreams.
I've generated my own certificates using openssl for server and client.
Everything is working as it did before the modifications.
I'm using extended fields into the
authentication using ECDH
certificates.
Will OpenSSL add support for DTLS client authentication using ECDH
certificate?
Also does anyone know why my DTLS EC server authentication failed?
TLS EC Server Authentication
openssl s_server -accept 9001 -cert certs/secp256r1TestServer.pem -key
private
found a comment in the code that
For now, we do not support client authentication using ECDH
certificates.
Will OpenSSL add support for DTLS client authentication using ECDH
certificate?
Also does anyone know why my DTLS EC server authentication failed?
TLS EC Server Authentication
openssl
, but apache reports:
[error] Unable to configure verify locations for client authentication
If I comment out that directive in httpd.conf the server starts fine and the
site works ok for some newer browsers but older browsers (including FF3.6.8)
report that the CA is unknown.
Searching Google
*only* place the certificates that are
necessary to chain up to a presumably-known-to-the-client CA.
If you are not using client authentication, then you don't need any CAs set up
for Client Verification. If you are, you need to set up a separate list of CAs
from which you will accept
.
Again, I am not using client authentication.
Thanks,
--
Bill Moseley
mose...@hank.org
]
And with SSLCertificateFile and SSLCertificateChainFile set I still have the
same issue that some browsers report:
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
In Firefox, but Chrome accepts it fine.
Again, I am not using client authentication.
Thanks
Dear sirs,
I have a trouble with OpenSSL with Apache web server.
With client authentication, web browsers cannot connect to web server.
Apache log file of logs/erro_log shows as follows:
[Fri May 14 11:45:05 2010] [info] [client 192.168.220.169] Connection to
child 1 established (server
Peter Gubis wrote:
On 13. 3. 2010 0:37, John R Pierce wrote:
our security auditors yanked the token out, and the client continues
to work, ..
you'll probably need to listen for token removal event and destroy this
ssl session after that.
It is working for us in this way. Session should be
On 13. 3. 2010 0:37, John R Pierce wrote:
we have a client-server application pair (ok, the server side is
tomcat), the client is using an Aladdin eToken w/ openssl and
engine_pkcs11 and aladdin's driver. thats all fine and working now.
the client application has long running persistence,
we have a client-server application pair (ok, the server side is
tomcat), the client is using an Aladdin eToken w/ openssl and
engine_pkcs11 and aladdin's driver. thats all fine and working now.
the client application has long running persistence, eg, once its
running, it stays up for
I am trying to open an SSL connection with Client Authentication
using Crypt::SSLeay.
What works fine is specifying environment variables
HTTPS_CERT_FILE and HTTPS_KEY_FILE. Unfortunately
the keyfile has to be unencrypted (there seems to
be no password mechanism for HTTPS_KEY_FILE).
When I
Hi all,
there was a little cut-n-paste error in my previous mail,
I forgot one line in the script. The error remains the
same...
Olaf Gellert wrote:
$file=$ENV{HTTPS_PKCS12_FILE};
$pass=$ENV{HTTPS_PKCS12_PASSWORD};
$ctx->use_pkcs12_file($file, $pass) || die("failed to load $file: $!");
Cheers,
Hi all,
I am trying to get the client authentication working in my embedded
application. The SSL implementation in my device is a openssl porting.
The server application does not implement SSL, so I am using the stunnel.
When I set the verify level to 2 (which the server should ask
Hello,
I have installed OpenSSL on Windows and I want to create a CRT certificate
for client authentication purposes. I want specific clients to authenticate
against a Windows 2003 web server.
Windows 2003 CA does not allow me to create a CRT certificate but only CER.
The customer is using
Hi there;
On June 3, 2008 11:37:19 am staggerwing wrote:
Hello,
I have installed OpenSSL on Windows and I want to create a CRT certificate
for client authentication purposes. I want specific clients to
authenticate against a Windows 2003 web server.
Windows 2003 CA does not allow me
Hi All,
If client authentication requested by the server, is it MUST to send the
certificate chain along with client certificate? Does RFC mandates sending
certificate chain?
Regards
Jaya
__
OpenSSL Project
Hi Ma'm,
I am a faculty in an Engg. College, AP.
I need to teach my students abt OpenSSL. Can u help me with appropriate
material and simple C programs to work on Windows.
regards,
kalyan
On 3/13/08, Bhat, Jayalakshmi Manjunath [EMAIL PROTECTED] wrote:
Hi All,
If client authentication
Hi!
I have found that when I run openssl s_server with client authentication:
./openssl s_server -accept 443 -cert m.cer -key mkey.pem -no_dhe -www
-CAfile ca.cer -tls1 -verify 1
and then without -verify 1, I see that transmission time are the same (I use
Ethereal). How can it be explained
, TLSv1)
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client
authentication
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C
] Configuring server for SSL protocol
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(405): Creating new SSL
context (protocols: SSLv3, TLSv1)
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client
authentication
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113
] ssl_engine_init.c(405): Creating new SSL
context (protocols: SSLv3, TLSv1)
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client
authentication
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19
Hi,
I'm writing my own webserver and I want it to be able to do SSL based client
authentication. It can already do HTTPS, but when I try to do the SSL based
client authentication, the connection gets dropped. I use the following
routine to bind a SSL socket.
SSL_CTX *ssl_binding(char *keyfile
Snuggles wrote:
Hi,
Hello Snuggles,
I'm writing my own webserver and I want it to be able to do SSL based client
authentication. It can already do HTTPS, but when I try to do the SSL based
client authentication, the connection gets dropped. I use
Hi,
I'm writing my own webserver and I want it to be able to do SSL based client
authentication. It can already do HTTPS, but when I try to do the SSL based
client authentication, the connection gets dropped. I use the following
routine to bind a SSL socket.
SSL_CTX *ssl_binding(char *keyfile
Hello,
I'm trying to automate a test against a server with client authentication.
I created a self signed certificate, put it into the servers key database and
imported it into a browsers key store (e.g. M$IE cert store). Everything's
fine
- I'm able to sign on against the server.
So
Hi all,
Im testing an SSL server with s_client.
I want to implement client authentication.
The problem is even if I include the
certificate and key file in my client call, SSL_get_peer_certificate()
returns NULL
I tried the following calls,
a) S_client -connect ip:port
b) s_client -connect
my last mail seems to be lost somewhere..
Hi all,
Im testing an SSL server with s_client.
I want to implement client authentication.
The problem is even if I include the
certificate and key file in my client call, SSL_get_peer_certificate()
returns NULL
I tried the following calls
my last mail seems to be lost somewhere..
I got it!
Hi all,
Im testing an SSL server with s_client. I want to implement
client authentication.
The problem is even if I include the certificate and key file
in my client call, SSL_get_peer_certificate()
returns NULL
I tried
PROTECTED]
10.01.2006 14:12
Please respond to
openssl-users@openssl.org
To
openssl-users@openssl.org
cc
Subject
RE: problem in client authentication
Classification
my last mail seems to be lost somewhere..
I got it!
Hi all,
Im testing an SSL server with s_client. I want
Sent: 10 January 2006 14:53
To: openssl-users@openssl.org
Subject: problem in client authentication -no luck
hi ..
now i created a CA and a certificate signed by it.
my client call is now,
s_client -connect ip:port -cert clientcert.pem -key clientPrivKey.pem
-CAfile cakey.pem
still
Samy Thiyagarajan wrote:
hi ..
now i created a CA and a certificate signed by it.
my client call is now,
s_client -connect ip:port -cert clientcert.pem -key
clientPrivKey.pem -CAfile cakey.pem
still no development
can someone look into this issue please...?
The CAfile for the
Thanks for ur response..
the error messages of client and server
are follows..
client :
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca:s3_pkt.c:1052:SSL alert number 48
server:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned : s3_srvr.c:2015
PROTECTED] Behalf Of am0ykam0te (sent by
Nabble.com)
Sent: Thursday, December 08, 2005 10:42 AM
To: openssl-users@openssl.org
Subject: Enable Client Authentication using [ Openssl s_server ]
I am currently testing the ssl client i developed. I need to test it when
it connects to a server which
I am currently testing the ssl client i developed. I need to test it when it connects to a server which requires client authentication. However i do not know how to enable it in openssl's command line server (s_server). How do i enable client authentication in openssl s_server?
Sent from
Frans Gunawan wrote:
Hello,
How to test client auth with the openssl s_server and openssl s_client
to show that the authentication is using the client auth.
Thank you,
Frans
Quoted from s_server-manpage
(http://www.openssl.org/docs/apps/s_server.html):
-verify depth, -Verify
Hello,
How to test client auth with the "openssl s_server" and "openssl s_client" to show
that the authentication is using the client auth.
Thank you,
Frans
Hi Again.,
This is what I found from the log file you sent..is this pointing to the
same CA cert itcilo-ca.crt, I put it in ssl.crt ?
debug] ssl_engine_init.c(1112): CA certificate:
/C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO
CA/[EMAIL PROTECTED]
[Wed Jul 13 11:48:34 2005] [debug]
Hey can you try setting verify depth to Zero and not pointing to any CA cert
i.e SSLCACertificatePath pointing to null?
Thanks
--Gayathri
Hi Again.,
This is what I found from the log file you sent..is this pointing to the
same CA cert itcilo-ca.crt, I put it in ssl.crt ?
debug]
The above indicates that. Make sure client cert
processing is done correctly on the server side. If it
is a program failure, then you need to get the
programmer to debug the program.
Thank you for your answer. I'm not sure what you intend with program
failure: the pages served by this
Hi.
Have you imported the CA of the client cert on the server side?
A verify depth of 1 has been set, which could mean that the client
cert is self signed? Can you set it to some higher value and try?
Also can you check whether the option SSL_VERIFY_FAIL_IF_NO_PEER_CERT?
It looks to me a
Hi all,
I'm trying to configure client authentication for one of my sites
(SuSe 9.0, apache 2.0.48, openssl-0.9.7b-133 distribution's rpm).
You will find below the steps I'm following, the problem I have is
that, when I go to the page, it first asks me to accept the server's
certificate, then ask
Looks to me that client authentication failed. And
this is most likely due to client cert processing on
the server side:
[notice] child pid 9192 exit signal Segmentation fault
(11)
The above indicates that. Make sure client cert
processing is done correctly on the server side
for the site, the first check should be made
using the certificates. If the certificate is not present in the clients
machine, the Access denied page must pop up.
The question is how do I do client authentication
Requesting your assistance.
Regards Thanks
Mahesh S Kudva
requests for the site, the first check
should be made using the certificates. If the certificate is not
present in the clients machine, the Access denied page must pop up.
The question is how do I do client authentication
Requesting your assistance.
Regards Thanks
Mahesh S Kudva
Hi
Apart from Mac clients I also have Windows users.
Regards and Thanks
Mahesh S Kudva
On the Mac, you'll load your client certificate into your users'
keychains. On Windows, you'll load it into the certificate store. In
either case, simply having the user double-click on the certificate
file will launch the appropriate tool.
On Apr 18, 2005, at 9:17 PM, [EMAIL PROTECTED] wrote:
Hi,
I am creating a webservice in C++ using gSOAP 2.6.2
with OpenSSL-v0.9.7e.
Client authentication is enabled.
The first request works and command executes
successfully, but the second request(and subsequent)
fails with the following errors
Client side
SOAP FAULT: SOAP-ENV:Client
As I understand it, the client signs data sent from the server in
order to authenticate itself. Therefore yes it does need its private
key.
On Tue, 18 Jan 2005 11:17:01 +, Shaun Lipscombe
[EMAIL PROTECTED] wrote:
If the client sends the server its certificate (public key) and the
server
Intuitively, you have to know that the client needs its private key
for something. Since the public key certificate is public, it alone
can't prove that the client is you. Anyone can send your certificate
to a server, right?
In practice, the server walks the certificate chain, which proves
HI,
I have a p12 file that I need to use for authenticating myself as a
client to access a secured site. I am talking about Trans Union site.
Has anyone done anything in this area ?
How can this be done.
Regards,
Kushal.
Hi all,
Is it possible for a Windows client using IE5.0 to authenticate itself
in order to connect to a SSL server?
My server works fine with many clients, but not with this one...
The great tool ssldump dumps that:
18 5 0.1324 (0.0295) CSV3.0(273) Handshake
Certificate
routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned:s3_srvr.c:2010.
Running a server with the openssl command line tool gets the certificate
from my client so the mistake ought to be in the server`s code.
Any ideas? Or, even better, some example code of a working client
authentication.
btw: Im using OpenSSL
My mozilla browser (version 1.6) returns the error.
When I install the client certificate in iexplorer
(version 6.0) I get a pop-up window asking me to
select a client certificate from an empty list.
By the way I just tried to make the certificates as
explained in the ssl cookbook on
On Tue, Feb 24, 2004, Bo Boe wrote:
My mozilla browser (version 1.6) returns the error.
When I install the client certificate in iexplorer
(version 6.0) I get a pop-up window asking me to
select a client certificate from an empty list.
By the way I just tried to make the certificates as
Oeps there we do have some kind of a problem
the response to:
openssl s_client -connect www.bliek.org:443 -prexit
Looks like:
CONNECTED(0003)
depth=0
/C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL
PROTECTED]
verify error:num=18:self signed certificate
ES-SE wrote:
[...]
Hi Ted,
thanx for your answer, but that doesn`t be the problem. If I uninstall the
root certificate of verisign, I also can connect and IE presents the verisign
client certificate. My own root certificate, with which I signed the client
certificate is valid till 2010 and
...
-Original Message-
From: Ohaya [mailto:[EMAIL PROTECTED]
Sent: 05 September 2003 01:26
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Long - Some questions about SSL, Client Authentication...
Hi,
I'm new here, and have been experimenting with SSL and client
authentication and certificates. My
the GlobalSign client cert?
It does send the client a list of CAs it considers acceptable when it performs
client authentication. You can use the OpenSSL s_client tool to see the list.
What's probably happening is that the GlobalSign CA isn't included in the
list.
There are ways to add
hi,
i'm trying to use OpenSSL s_client with OpenSC PKCS#15 engine. the
engine works for operations such as key generation and PKCS#1
signatures. i've modified the s_client code to be able to use a private
key on the smartcard via the OpenSC engine. i'm running into some
problems with
-0.9.7b.
As the OpenSC padding code has been changed recently please try
a more recent OpenSC snapshot. Note: I've successfully tested
client authentication using Mozilla with the OpenSC pkcs11 lib.
Nils
On Tue, Jan 28, 2003 at 11:38:25AM +0530, Chandrasekhar R S wrote:
In my server program, I use SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0) to mandate that client cert should be
present.
If present, I use SSL_get_peer_certificate(ssl) to retrieve the client
I am to authenticate a client using his certificate.
In my server program, I use SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0) to mandate that client cert should be
present.
If present, I use SSL_get_peer_certificate(ssl) to retrieve the client cert.
In my client
I have configured all the SSL parameters and
when i start the Apache,
i am getting "Unable to configure verify
locations for client authentication".
PS: I am using opensa.
Thanks and have a nice time.
Vijay
Vangara
(SeeBeyond
Consultant)
Misys Healthcare
Systems
Ph: (512
Hi All,
I have problem with client authentication. I have setup my CA using openssl
, created server certificate and client certificate both signed by the CA. I
have converted the client certificate to P12 format, imported this into IE6
and ssl communication was successful from Internet explorer
Hi to all.
Im using 0.9.6.a-engine version (I dont think that it will matter here),
and I have following problem:
Im trying to connect https site on IIS server using my applicative
OpenSSL client;
the site is defined as require SSL channel and accept client
certificate. It means that
On Tue, May 28, 2002 at 02:59:50PM +0200, Sharon Hezy wrote:
I'm trying to connect https site on IIS server using my applicative OpenSSL
client;
the site is defined as require SSL channel and accept client
certificate. It means that I
have to call the site using SSL, but I don't have to
Hi,
I'm using apache 1.13.9 with mod_ssl 0.9.6 at SuSE Linux 7.2.
The client authentication I configured between MSIE 6.0 or Netscape 4.77 as
browsers and the apache server works - but also fails.
It denies the user from protected sites (those sites that the client
authentication is configured
Eric Rescorla wrote:
Götz Babin-Ebell [EMAIL PROTECTED] writes:
And how gets he the connection IP-Address - FQDN ?
-He uses DNS.
I think you need to reread his message since that's not
what he says.
Hm:
snip
client authentication. After a successful SSL_accept() I have some
logic
Eric Rescorla wrote:
There are a number of situations where one wishes to authenticate
clients based on their DNS names:
(1) SMTP/TLS.
(2) Secure remote backup.
In such cases the clients often (though not always) have fixed IPs.
Well, I'll be happy when IPv6 is ubiquitous (coming any
Eric Rescorla wrote:
Götz Babin-Ebell [EMAIL PROTECTED] writes:
Don Zick wrote:
Hello Don,
I'm not actually using DNS at all. For the application I'm working with
the TLS clients and servers must be statically configured with a Fully
Michael Sierchio [EMAIL PROTECTED] writes:
Eric Rescorla wrote:
There are a number of situations where one wishes to authenticate
clients based on their DNS names:
(1) SMTP/TLS.
(2) Secure remote backup.
In such cases the clients often (though not always) have fixed IPs.
Götz Babin-Ebell [EMAIL PROTECTED] writes:
And how gets he the connection IP-Address - FQDN ?
-He uses DNS.
I think you need to reread his message since that's not
what he says.
If he wants to allow user XYZ presenting certificate C_XYZ to
do some things, all he has to do is look in an
On Wed, 26 Sep 2001 09:43:02 -0700, Michael Sierchio wrote:
Don Zick wrote:
I have recently started using OpenSSL. (I have found the SSL and TLS
book by Eric Rescorla to be invaluable.) I am having a problem with
client authentication. After a successful SSL_accept() I have some logic
Don Zick wrote:
Hello Don,
I'm not actually using DNS at all. For the application I'm working with
the TLS clients and servers must be statically configured with a Fully
Qualified Domain Name. I match up the statically configured FQDN for a
client with the DNS name from the client's
David Schwartz wrote:
Sufficient for what? I may not want to send my credit card information to
anyone who has a Verisign certificate, but I might be willing to send it to
someone who has a Verisign certificate for 'www.amazon.com' or has that
listed as one of the alternate names.
On Wed, 26 Sep 2001 15:21:09 -0700, Michael Sierchio wrote:
David Schwartz wrote:
Sufficient for what? I may not want to send my credit card
information to anyone who has a Verisign certificate, but I might be
willing to send it to someone who has a Verisign certificate for
On Mon, Sep 10, 2001 at 04:20:10PM -0700, Henry Yip wrote:
Hi All,
I have 2 questions.
1)
I'm trying to do client authentication from a Server using
PureTLS. On the server side, I call:
socket.sendClose()
socket.close()
when I can't verify the client's host against
Hi All,
I have 2 questions.
1)
I'm trying to do client authentication from a Server using
PureTLS. On the server side, I call:
socket.sendClose()
socket.close()
when I can't verify the client's host against the certificate chain.
Now, Should SSL_connect() return an error
Hi all,
I'm trying to write an application (an SSL server) that does client
authentication.
My application sends the certificate request using a renegotiate on an
already open connection.
When I connect to my application with either an OpenSSL s_client or with
Netscape, everything works fine