RE: public key
Have a look at the -pubout option of the "openssl rsa" command.

-----Original Message-----
From: Satish Krishnan [SMTP:[EMAIL PROTECTED]]
Sent: Monday, April 09, 2001 3:28 PM
To: [EMAIL PROTECTED]
Subject: public key

Hi, I have generated a private key using RSA with openssl. How do I get the corresponding public key so that I can publish it or distribute it?

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Creating a CA from a Certificate signed by Thawte.
Hi,

first check if your existing cert is allowed to act as a CA cert. Print the cert details with "openssl x509 -text -in your cert.pem". If your cert is not yet in PEM format, add "-inform DER" to the above. In the resulting output check for lines like these:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE

If you find the line "CA:FALSE" (which is most likely) then your cert can only be used as a server or client cert. You then could still use it for signing if you change openssl internally to ignore this extension, but you would violate the x509 standard and every properly coded application would refuse to use the resulting certificates.

Best Regards,
Reiner.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy
Sent: Monday, April 09, 2001 3:47 AM
To: SSL Users
Subject: Creating a CA from a Certificate signed by Thawte.

I'm trying to sign newly created certificates with a certificate already signed by Thawte. However I'm having problems. I've read the FAQ at http://www.modssl.org/docs/2.8/ssl_faq.html, however there doesn't seem to be any information there that can help me. I've tried using the steps for creating my own CA and using sign.sh (modified for my system variables, etc), but the many (too many to list here) ways I've tried have all failed.

Can anyone help me out? Thanks.

Using: OpenSSL 0.9.6 24
On: Redhat 6.2
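Added example, not part of the original thread: the relying-party side of the Basic Constraints check described in the reply above. It builds a constructed throwaway PKI (all names and file paths are assumptions), reads the CA flag from the "openssl x509 -text" output, and runs "openssl verify" on a chain that passes through a CA:FALSE certificate next to one that passes through a real intermediate.

```shell
#!/bin/sh
# Added example: every key and certificate here is a constructed throwaway.
set -eu

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Minimal config so the run does not depend on a system openssl.cnf.
cat > "$demo_dir/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ext_ca]
basicConstraints = critical, CA:TRUE
[ext_end_entity]
basicConstraints = CA:FALSE
EOF

# ca_flag CERT: print the CA flag from Basic Constraints, or "absent".
ca_flag() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Basic Constraints/ { getline; gsub(/^[ \t]+/, ""); sub(/,.*/, ""); print; found = 1 }
        END { if (!found) print "absent" }'
}

# new_csr NAME CN: fresh RSA key plus request in $demo_dir.
new_csr() {
    openssl req -new -config "$demo_dir/cfg" -newkey rsa:2048 -nodes \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# issue SUBJECT ISSUER EXT_SECTION OUT SERIAL: sign SUBJECT.csr with ISSUER's key.
issue() {
    openssl x509 -req -in "$demo_dir/$1.csr" -CA "$demo_dir/$2.pem" \
        -CAkey "$demo_dir/$2.key" -set_serial "$5" -days 2 \
        -extfile "$demo_dir/cfg" -extensions "$3" -out "$demo_dir/$4.pem" 2>/dev/null
}

# chain_ok ROOT INTERMEDIATE LEAF: succeeds only if the chain verifies.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# Self-signed root (stands in for the public CA in the thread).
openssl req -x509 -config "$demo_dir/cfg" -extensions ext_ca -newkey rsa:2048 -nodes \
    -keyout "$demo_dir/root.key" -out "$demo_dir/root.pem" \
    -subj "/CN=Constructed Root" -days 2 2>/dev/null

new_csr server "server.example.test"
new_csr subca  "Constructed Sub CA"
new_csr leaf   "leaf.example.test"
issue server root   ext_end_entity server    2   # ordinary server cert, CA:FALSE
issue subca  root   ext_ca         subca     3   # real intermediate, CA:TRUE
issue leaf   server ext_end_entity leaf_bad  4   # signed with the server cert's key
issue leaf   subca  ext_end_entity leaf_good 5   # signed by the intermediate

for c in server subca; do
    echo "$c: $(ca_flag "$demo_dir/$c.pem")"
done
for pair in "server leaf_bad" "subca leaf_good"; do
    set -- $pair
    if chain_ok "$demo_dir/root.pem" "$demo_dir/$1.pem" "$demo_dir/$2.pem"; then
        echo "root -> $1 -> $2: verifies"
    else
        echo "root -> $1 -> $2: rejected"
    fi
done
```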
RE: a question about install
You can also use the DOS "SHELL" command to increase environment space. Details can be gathered from a DOS 6.0-6.22 machine. Windoze doesn't have any information on it, AFAIK.

-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

-----Original Message-----
From: Jonas Jakobsson [mailto:[EMAIL PROTECTED]]
Sent: 06 April 2001 01:03
To: [EMAIL PROTECTED]
Subject: Re: a question about install

snip
Before I compile the openssl, I use the vcvars32.bat in the directory D:\Program Files\Microsoft Visual Studio\VC98\Bin but it tells me that out of the environment space, what should I do!
/snip

I had the same problem. The solution in my case was to cut down the size of my path variable in config.sys, restart and run the vcvars.bat in the dos box. Or, you could modify the shortcut to the dos-box to use your own modified config.sys.

just my 2 cents
/Jonas Jakobsson
Re: S/MIME and Passwords
On Sun, Apr 08, 2001 at 05:24:35PM +0200, Christian Biesinger wrote:
> I have another wish: Would it be possible for the smime application to return another error if no signature can be found? This is because for a program (which knows nothing about S/MIME) a message which is encrypted looks exactly like one which is encrypted and signed.

Hmm, I had a (short) look into smime.c and the PKCS7 stuff and it seems that this would need some changes to the PKCS7 API. Having this said, I never touched S/MIME, so I may be completely wrong...

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
BIO and byte array
Hello!

I have a question about BIO. How do I build a BIO from a byte array? For example,

    byte [] array=...
    BIO *pp= function( array);

How do I get an array of bytes from a BIO?

    byte [] array = function ( BIO );

Thanks in advance,
Regards,
Antonio.
--
Antonio Ruiz Martínez
Facultad de Informática-Universidad de Murcia
30001 Murcia - España (Spain)
Telf: +34-968-364644
e-mail: [EMAIL PROTECTED]
Re: getting started with openssl
You might be interested in the EGD (Entropy Gathering Daemon) project. It's a perl based daemon that sits in the background and does what its name suggests. Programs can communicate with it through unix or tcp sockets... Have a look at openssl's RAND_egd(3) manpage and EGD's homepage http://www.lothar.com/tech/crypto/

I had it working on solaris without problems.

aegis wrote:
> Thanks Scott,
>
> Unfortunately my problem is more fundamental.. I'm trying to get the random generator set up. I installed openssl-0.9.6 and everything *seemed* to go right, but there's no sign of a /dev/random and I have no idea how to configure one from scratch. That's how bare my knowledge base is.. (he says ducking his head in shame).
SSL_accept failed : PRNG not seeded
Hello SSL-users,

I'm running Apache-SSL under Solaris 2.7 and installed a second certificate / virtual ssl-server. For this server, some Browsers fail to connect to the ssl-server and the server logs say

    [Mon Apr 9 14:18:55 2001] [error] SSL_accept failed
    [Mon Apr 9 14:18:55 2001] [error] error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
    [Mon Apr 9 14:18:55 2001] [error] error:04069003:rsa routines:RSA_generate_key:BN lib
    [Mon Apr 9 14:18:55 2001] [error] error:1409B444:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:error generating tmp rsa key

I already tried the workarounds with egd in several ways, but it didn't work. The strange thing is, that the problem only appears with the new virtual ssl server entry in some unpredictable Browser-Client / Server combinations (reload/restart without effect).

Has anybody got a similar problem / solution?

Greetings,
Alex Kirsch
Generating a cert request based on another certificate
Hi,

I want to write code that, given an x509 certificate, will generate a certificate request with the exact same details (common name, organization, serial number, validity etc.), only using my public key instead of the original one.

How can I do this?

Thanks,
Eytan Segal
Re: Generating a cert request based on another certificate
Sorry the commands would be to output as text of a certificate:

    openssl x509 -in cert.pem -out text.pem -text

Then push the DN into a hash
Make a temp config.cfg file
Create a request using the config file

    openssl req -config config.cfg -new -keyout request.pem -out request.pem

Then sign the request

----- Original Message -----
From: "Eytan Segal" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 10, 2001 12:58 AM
Subject: Generating a cert request based on another certificate

Hi,

I want to write code that, given an x509 certificate, will generate a certificate request with the exact same details (common name, organization, serial number, validity etc.), only using my public key instead of the original one.

How can I do this?

Thanks,
Eytan Segal
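Added example, not part of the original thread: the command-line steps listed above carried through on a constructed self-signed certificate (subject, file names and key size are assumptions; the subject is assumed to be plain ASCII with no "/" inside a value). A certificate request has no serial-number or validity field, so only the subject and the new public key carry over; the issuing CA sets the rest.

```shell
#!/bin/sh
# Added example: the certificate and both keys are constructed throwaways.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the run does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = constructed\n' > "$work/cfg"

# Stand-in for the existing certificate (old key, self-signed for brevity).
openssl req -x509 -config "$work/cfg" -newkey rsa:2048 -nodes \
    -keyout "$work/old.key" -out "$work/cert.pem" -days 2 \
    -subj "/C=XX/O=Constructed Org/CN=www.example.test" 2>/dev/null
# The new key pair that the request should carry.
openssl genrsa -out "$work/new.key" 2048 2>/dev/null

# subject_of x509|req FILE: subject DN in the slash form that "req -subj" accepts.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# pubkey_of x509|req FILE: the embedded public key as PEM.
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey
}

# rekey_request CERT NEWKEY OUT: request with CERT's subject and NEWKEY's public key.
rekey_request() {
    openssl req -new -config "$work/cfg" -key "$2" \
        -subj "$(subject_of x509 "$1")" -out "$3"
}

# request_selfsig_ok REQ: the request is signed by the key it carries.
request_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

rekey_request "$work/cert.pem" "$work/new.key" "$work/request.pem"
# Public half of the new key, via the -pubout option of "openssl rsa".
new_pub=$(openssl rsa -in "$work/new.key" -pubout 2>/dev/null)

echo "certificate subject: $(subject_of x509 "$work/cert.pem")"
echo "request subject:     $(subject_of req "$work/request.pem")"
if [ "$(pubkey_of req "$work/request.pem")" = "$new_pub" ]; then
    echo "request carries the new public key"
fi
if request_selfsig_ok "$work/request.pem"; then
    echo "request self-signature verifies"
fi
```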
Re: Re(2): getting started with openssl
Not to worry - I'm used to wearing a helmet and asbestos jumpsuit... :)

Under Solaris, there is no /dev/random or /dev/urandom. There are a number of substitutions. The default for OpenSSL is to use a PRNG (Pseudo Random Number Generator) script. You have to edit it since they do a poor job of specifying the paths to the OS commands. You can use EGD (Entropy Gathering Daemon) which is a Perl script that creates a socket which OpenSSL can read from. I had problems because Perl is interpreted so you always have that dependency to worry about. Another one which I like better is PRNGD which is fairly recent. It too creates a socket, but since it is written in "C", you don't have the interpreter dependency. I also came upon a /dev/random emulator for Solaris, but I haven't had a chance to test it yet. I don't have the details available to me on this system though.

Scott

----- Original Message -----
From: "aegis" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 09, 2001 12:50 AM
Subject: Re(2): getting started with openssl

Thanks Scott,

Unfortunately my problem is more fundamental.. I'm trying to get the random generator set up. I installed openssl-0.9.6 and everything *seemed* to go right, but there's no sign of a /dev/random and I have no idea how to configure one from scratch. That's how bare my knowledge base is.. (he says ducking his head in shame).

On Sun, Apr 8, 2001, Scott Armstrong [EMAIL PROTECTED] wrote:
> {snip}
> The best place I've found is www.modssl.org
> Scott
> {/snip}

--
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety - Ben Franklin 1775
Re: Generating a cert request based on another certificate
A more efficient way to decode a client certificate is to setup certificate authentication on your server, use your certificate to enter it, send the variables to cgi then pull out the $ENV{'SSL_CLIENT_S_DN'} variable and create your certificate request from there.

https://www.ultrasecure.com/Admin/Somthing.cgi

As to how to make the request without using openssl... hmm, you've got me stumped. What would you use instead?

----- Original Message -----
From: "Eytan Segal" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 10, 2001 2:05 AM
Subject: RE: Generating a cert request based on another certificate

Thanks, but not good enough :-(. I'm after the code for performing this in one stroke (and with reasonable efficiency) - without running openssl exe and manipulating files.

Eytan.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oliver Bode
Sent: Monday, April 09, 2001 4:56 PM
To: [EMAIL PROTECTED]
Subject: Re: Generating a cert request based on another certificate

Sorry the commands would be to output as text of a certificate:

    openssl x509 -in cert.pem -out text.pem -text

Then push the DN into a hash
Make a temp config.cfg file
Create a request using the config file

    openssl req -config config.cfg -new -keyout request.pem -out request.pem

Then sign the request

----- Original Message -----
From: "Eytan Segal" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 10, 2001 12:58 AM
Subject: Generating a cert request based on another certificate

Hi,

I want to write code that, given an x509 certificate, will generate a certificate request with the exact same details (common name, organization, serial number, validity etc.), only using my public key instead of the original one.

How can I do this?

Thanks,
Eytan Segal
Re: Generating a cert request based on another certificate
Eytan Segal wrote:
> Thanks, but not good enough :-(. I'm after the code for performing this in one stroke (and with reasonable efficiency) - without running openssl exe and manipulating files.

Well in outline

Read the certificate into an X509 structure.
Extract the DN into an X509_NAME structure using X509_get_subject_name().
Create a certificate request (X509_REQ) structure using X509_REQ_new().
Set the version using X509_REQ_set_version()
Set the request subject name using X509_REQ_set_subject_name().
Set the new public key using X509_REQ_set_pubkey().
Sign the request using X509_REQ_sign().

You can also optionally copy the extensions across before you sign it.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Generating Key and extracting RSA key in RSA * struct.
[EMAIL PROTECTED] wrote:
> Hi all,
>
> I am trying to generate an RSA key pair and extract it to an (RSA *) which will represent the public key and another (RSA *) for the private key part.
>
> I am doing (based on demos/eay/loadrsa.c)
>
>     RSA *rsa,*pub_rsa,*priv_rsa;
>     int len;
>     unsigned char buf[1024],*p;
>
>     rsa=RSA_generate_key(512,RSA_F4,callback,(char *)stdout);
>     p=buf;
>
> then I would like to go in one step to have the *pub_rsa and *priv_rsa initialized... ie :
>
>     pub_rsa = RSA_SOMETHINGPUBLIC(rsa);
>     priv_rsa = RSA_SOMETHINGPRIVATE(rsa);
>
> in demos/eay/loadrsa.c you can get pub_rsa and priv_rsa by transforming into der and next into rsa... but in my case I would do that in one step.

Firstly you may well not need to do that. RSA_generate_key() generates an RSA private key. An RSA private key can be used as a public key.

If you really want just the public components from a private key then:

    rsa_pub = RSAPublicKey_dup(key);

will do the trick.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Problems generating correct SMIME
Hello,

I have quite a strange problem. I wrote an application which creates SMIME encrypted mail. It is possible to read it with Netscape 4.76/4.77 on Linux, but Netscape 4.76 for Windows refuses to read it. As well as all flavours of MS Outlook [Express].

Could someone on the list help me with this issue? I can provide ASN.1 trees, DER coded SMIME, etc.

Please CC me, I am not on the list.

Thanks in advance.

--
Sincerely Yours,
Denis Perchine
E-Mail: [EMAIL PROTECTED]
HomePage: http://www.perchine.com/dyp/
FidoNet: 2:5000/120.5

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: getting started with openssl
You can also download the ANDIrand pkg for Solaris 2.5.1 - 2.8 SPARC as well as 2.5.1 - 2.8 x88pc. This supports /dev/random and /dev/urandom. Works like a champ:

Author: Andreas Maier
URL: http://www.cosy.sbg.ac.at/~andi/

- Wally Winzer Jr.

Michael Sierchio wrote:
> Scott Armstrong wrote:
> > Not to worry - I'm used to wearing a helmet and asbestos jumpsuit... :)
> >
> > Under Solaris, there is no /dev/random or /dev/urandom. There are a number of substitutions.
>
> (This should be in a FAQ)
>
> SUNWski SKI 1.0 Software (User Package) installs a /dev/random for Solaris.
ROOKIE Question
Hello,

I have installed and configured openssl on my linux box (redhat 6.2). Everything went fine; now I need to know how do I connect remotely from my NT workstation? I have seen with SSH that there is something called putty but not sure what my next step is. My goal is to be able to transfer files securely back and forth from my NT workstation to my LINUX box and vice versa.

Any help would be great
pem/bio/evp help
Hi!

I've been poring over the online documentation somewhat, but I'm afraid that I've been running in circles and I'm hoping that someone can give me a clue or point me in the right direction.

My ultimate goal is to get the openssh client to authenticate to a server using a private key (DSA format for now) stored on a smartcard, specifically the GPK8000 if anyone is interested, but this shouldn't change anything.

My problem is that to give the key to the openssh client, it has to be in evp format, or I have to use the

    DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x, pem_password_cb *cb, void *u);

function to read the key in (I retrieve it from the card in unsigned char format) and I'm having difficulty understanding what BIO *bp is, and how I can fabricate it. Would

    DSA *PEM_read_bio_DSA_PUBKEY(NULL, (DSA *)unsigned char *mykeyfromcard, NULL, NULL);

work? How do I turn my unsigned char into a DSA or evp_pkey format otherwise?

Please let me know if you can shed some light onto any of this!

Thank you,
Gila.

--
Gila Sheftel [EMAIL PROTECTED]
Fearless Geek (514)732-2459
Advanced Projects Group
Gemplus Software
You *can* go home again. Just type "cd ~".
Re: pem/bio/evp help
Date sent: Mon, 09 Apr 2001 14:52:57 -0400
From: Gila Monstre [EMAIL PROTECTED]
Organization: Gemplus
To: [EMAIL PROTECTED]
Subject: pem/bio/evp help
Send reply to: [EMAIL PROTECTED]

Gila

Convince your company to ship our order for your product (been back ordered now for about three weeks) and I will show you how to do it. Also, I can show you how to do the verification for OpenSSH without having to export the private key from the Smart Card (which I expect is what most people would want). Also, I can send you a copy of a reply from Dr. Henson, from this group, which pointed us in the right direction.

Just kidding about the request for assistance on the order. I am sure it will arrive in good time. Must be a lot of demand for Gemplus. Let me know if you want a copy of the note we got from Dr. Henson.

Ken

> Hi!
>
> I've been poring over the online documentation somewhat, but I'm afraid that I've been running in circles and I'm hoping that someone can give me a clue or point me in the right direction.
>
> My ultimate goal is to get the openssh client to authenticate to a server using a private key (DSA format for now) stored on a smartcard, specifically the GPK8000 if anyone is interested, but this shouldn't change anything.
>
> My problem is that to give the key to the openssh client, it has to be in evp format, or I have to use the
>
>     DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
>
> function to read the key in (I retrieve it from the card in unsigned char format) and I'm having difficulty understanding what BIO *bp is, and how I can fabricate it. Would
>
>     DSA *PEM_read_bio_DSA_PUBKEY(NULL, (DSA *)unsigned char *mykeyfromcard, NULL, NULL);
>
> work? How do I turn my unsigned char into a DSA or evp_pkey format otherwise?
>
> Please let me know if you can shed some light onto any of this!
>
> Thank you,
> Gila.
>
> --
> Gila Sheftel [EMAIL PROTECTED]
> Fearless Geek (514)732-2459
> Advanced Projects Group
> Gemplus Software
> You *can* go home again. Just type "cd ~".

__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
Re: getting started with openssl
From: Michael Sierchio [EMAIL PROTECTED]

> (This should be in a FAQ)
>
> SUNWski SKI 1.0 Software (User Package) installs a /dev/random for
> Solaris.

It is :-)

http://www.openssl.org/support/faq.html#USER1

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Creating a CA from a Certificate signed by Thawte.
Hmmm... perhaps I'm asking the wrong question. What I want to appear in the certification path when I double click on the padlock in IE is the tree: Thawte, then the certificate signed by Thawte, then the certificate that I've made.

Do you understand what I mean? I've done this before, however it was a while ago and try as I may, I can't seem to get it working again.

Thanks for all your help

---
Jeremy Bradley
Software Developer
3KB.COM LIMITED

----- Original Message -----
From: Reiner Buehl
To: [EMAIL PROTECTED]
Sent: Monday, April 09, 2001 7:21 PM
Subject: RE: Creating a CA from a Certificate signed by Thawte.

Hi,

first check if your existing cert is allowed to act as a CA cert. Print the cert details with "openssl x509 -text -in your cert.pem". If your cert is not yet in PEM format, add "-inform DER" to the above. In the resulting output check for lines like these:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE

If you find the line "CA:FALSE" (which is most likely) then your cert can only be used as a server or client cert. You then could still use it for signing if you change openssl internally to ignore this extension, but you would violate the x509 standard and every properly coded application would refuse to use the resulting certificates.

Best Regards,
Reiner.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy
Sent: Monday, April 09, 2001 3:47 AM
To: SSL Users
Subject: Creating a CA from a Certificate signed by Thawte.

I'm trying to sign newly created certificates with a certificate already signed by Thawte. However I'm having problems. I've read the FAQ at http://www.modssl.org/docs/2.8/ssl_faq.html, however there doesn't seem to be any information there that can help me. I've tried using the steps for creating my own CA and using sign.sh (modified for my system variables, etc), but the many (too many to list here) ways I've tried have all failed.

Can anyone help me out? Thanks.

Using: OpenSSL 0.9.6 24
On: Redhat 6.2
DSA certificates
Hi,

At the bottom of the man page for CA.pl, it mentions DSA certificates. How are they different from the RSA certificates? Where can I find more information about them?

Thanks
Patrick
Encryption, Authentification, Access control Algorithms
I am looking for the Encryption, Authentication and Access control algorithms for OpenSSL and Apache. Could you assist or point me in the direction I need to be looking? I am running RedHat but they don't seem to know what I am asking for.

Thanks in Advance.
WBL
Re: DSA certificates
DSA is a signature-only encryption scheme. If you don't know all about it, then you don't need it, and can ignore it. Honestly.

/r$
How to use client cert callback
Help:

1. Does someone know how to use the client certificate verify callbacks such as:

    SSL_CTX_set_cert_verify_cb
    SSL_CTX_set_client_cert_cb

2. I want to change the ssl structure state which comes from SSL_new(ctx), where the ssl is first set as

    SSL_set_verify(ssl,SSL_VERIFY_PEER,verify_cb)

but now I want to create a new ssl object which is set as

    SSL_set_verify(ssl,SSL_VERIFY_NONE,NULL)

or the reverse, but the second ssl object also takes the same verify_cb (VERIFY_PEER or VERIFY_NONE) as the first ssl object and does not change the state. Why, and how do I make it do as I want?

Best Regards.
make ctx or ssl refresh its state
Help:

In the communication process with a secure web server, when the user chooses to trust the server, I want to reset the ssl's state by

    SSL_set_verify(ssl,SSL_VERIFY_NONE,NULL)

or

    SSL_set_verify(ssl,SSL_VERIFY_PEER,verify_callback)

but the ssl does as before and does not do the reverse as I want it to.

Or I want to add a CA cert into the CTX structure, but it seems that it doesn't take any effect.

Or I want to delete a CA cert from the CTX structure, so that the ssl from the ctx can do what I want (the CA cert to verify it or the CA cert not to verify it).

Please help me. Thanks.