Re: v3 certificates

2002-04-22 Thread Averroes

OK,

More extensions or specific usages for the certificate, and also more
information about the certificate, and so on...

See rfc2459 for further information.

Enjoy!



[EMAIL PROTECTED] wrote:

 ok thanks:)
 then what should be the advantage of a v3 cert over a v1 one?
 I know that's such a primitive question, but what's the story in just one
 sentence please.

 thanks a lot...

 fatih.

 -Original Message-
 From: Averroes [mailto:[EMAIL PROTECTED]]
 Sent: Monday, April 22, 2002 4:20 PM
 To: [EMAIL PROTECTED]
 Subject: Re: v3 certificates

 Hi,

 You have to use the extension section of the openssl config file.

 e.g. : openssl ca ... ... ... ... -extensions myext_section

 Regards

 #-
 Averroes

 [EMAIL PROTECTED] wrote:

  Hi all,
  All the certificates I created are version v1?
  Which parameter should I use for a v3 one, or a v2?
 
  Thanks a lot,
 
  fatih
 
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing List[EMAIL PROTECTED]
  Automated List Manager   [EMAIL PROTECTED]





Re: OCSP Extension Question

2002-04-22 Thread Richard Levitte - VMS Whacker

In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 15:37:56 +0200, 
Averroes [EMAIL PROTECTED] said:

averroes Does anyone know what value should be used
averroes in an ExtendedKeyUsage extension for an OCSP Responder Certificate.
averroes 
averroes I use only those:
averroes 
averroes extendedKeyUsage=serverAuth
averroes 
averroes but the rfc2560, Chap. 4.2.2.2 Authorized Responders says:
averroes 
averroes OCSP signing delegation SHALL be designated by the
averroes inclusion of id-pk-OCSPSigning in an extendedKeyUsage
averroes certificate extension included in the OCSP response signer's
averroes certificate.
averroes 
averroes id-pk-OCSPSigning OBJECT IDENTIFIER ::= {id-pk 9}
averroes 
averroes So...?

So, what about using this extension for your validator certificates?

extendedKeyUsage = OCSPSigning

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
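As an added example (not part of either thread above, and not the OpenSSL project's own code): the extension section Averroes refers to, written out, together with the `-extensions <section>` invocation that turns the issued certificate into a v3 certificate, and the `extendedKeyUsage = OCSPSigning` line Richard suggests for a responder certificate. Everything below is assumed for the example: a throw-away CA in a temporary directory, the section names `v3_ca`, `v3_ocsp_responder` and `v3_client`, and the subject names. `OCSPSigning` and `clientAuth` are the OpenSSL short names for the two extended key usages.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSL project code): an openssl.cnf
# extension section plus the "-extensions <section>" calls that apply it.
# Assumed for the example: a throw-away CA in a temp dir, the section names
# v3_ca / v3_ocsp_responder / v3_client and the subject names below.

WORK="${WORK:-$(mktemp -d)}"

# A certificate that carries any extension is necessarily v3 (RFC 2459
# 4.1.2.1), so choosing a section with "-extensions" is what moves the output
# from v1 to v3.
write_ext_config() {   # write_ext_config <path>
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = example-ca

# self-signed CA: openssl req -x509 -extensions v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# OCSP responder: RFC 2560 4.2.2.2 wants id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9)
# in extendedKeyUsage; OpenSSL's short name for it is OCSPSigning
[ v3_ocsp_responder ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

# TLS client certificate; the short name is clientAuth (1.3.6.1.5.5.7.3.2)
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Map a certificate role to its section; an unknown role is an error so a
# certificate is never signed with extensions nobody chose.
section_for_role() {   # section_for_role ca|ocsp|client
  case "$1" in
    ca)     echo v3_ca ;;
    ocsp)   echo v3_ocsp_responder ;;
    client) echo v3_client ;;
    *)      return 1 ;;
  esac
}

make_ca() {   # make_ca <config>
  openssl req -x509 -config "$1" -extensions "$(section_for_role ca)" \
      -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
      -days 30 >/dev/null 2>&1
}

# Sign one leaf with the role's section. "openssl x509 -req -extfile/-extensions"
# applies a section the same way "openssl ca ... -extensions" does, minus the
# CA database, which keeps the example self-contained.
issue_cert() {   # issue_cert <config> <role> <subject>
  sec=$(section_for_role "$2") || return 1
  openssl req -new -config "$1" -newkey rsa:2048 -nodes -subj "$3" \
      -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 30 -extfile "$1" -extensions "$sec" \
      -out "$WORK/$2.pem" >/dev/null 2>&1
}

# What to look for in the text dump: "Version: 3" and the EKU long name.
check_cert() {   # check_cert <cert.pem> <EKU long name as openssl prints it>
  txt=$(openssl x509 -noout -text -in "$1") || return 1
  echo "$txt" | grep -q 'Version: 3' || { echo "$1: not a v3 certificate"; return 1; }
  echo "$txt" | grep -q "$2" || { echo "$1: EKU '$2' missing"; return 1; }
  echo "$1: v3, EKU '$2' present"
}

write_ext_config "$WORK/ext.cnf"
if command -v openssl >/dev/null 2>&1; then
  make_ca "$WORK/ext.cnf"
  issue_cert "$WORK/ext.cnf" ocsp   "/CN=ocsp.example.test"
  issue_cert "$WORK/ext.cnf" client "/CN=fatih"
  check_cert "$WORK/ocsp.pem"   "OCSP Signing"
  check_cert "$WORK/client.pem" "TLS Web Client Authentication"
else
  echo "openssl not on PATH; config written to $WORK/ext.cnf"
fi
```

Run it as a script. `openssl x509 -noout -text` on the responder certificate should show `Version: 3 (0x2)` and `OCSP Signing` under `X509v3 Extended Key Usage`; a certificate signed without `-extensions` (or with an empty section) comes out as v1, which is the difference fatih was asking about.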



Why my browser can not identify the certificate!

2002-04-22 Thread shihao

Dear all,

I have a signed personal certificate and installed it in the browser;
Outlook Express identifies it and I can sign or encrypt email.
But when I connect to my web server, which requires a client certificate,
the web browser cannot identify the certificate. Can somebody tell me why?
Your help will be appreciated!


Hao
04/22/2002
  



Certificate Problem :)

2002-04-22 Thread Andrew Finnell

Dear fellow developers,


 I am experiencing some problems with a product we released. We rely on a public/private key architecture. The client connects to our server and we check to see if the certificate the client had was signed by us. I do this by checking to see if I can even get a client certificate. From my understanding if the client does not have a trusted certificate signed by the same CA as the server or by a trusted CA the server will not receive the certificate ( from the applications point of view). I do a SSL_get_peer_certificate and everything works for a while. But all of a sudden I never get a certificate from the client. This causes our server to think the client isn't validated. The only way we seem to be able to fix this is to re-create all new certificates. The certificates are set to expire in a year but the problem occurs within weeks/months of deployment and continues to happen. Does anyone have any insight on how this could be happening? Thank you for your time. 

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





Perl Library for X509 Certificates???

2002-04-22 Thread Brian Skrab

Hello,

Has anyone experienced any success finding and using a Perl API to 
interface with the OpenSSL libraries, specifically for X509 certificate 
creation and manipulation?  I'm writing a Perl application that will be 
required to perform many of the functions of a certificate authority.  I 
am currently working with the OpenCA::OpenSSL module, which seems to 
provide a pretty complete set of methods for manipulating 
certificates.  Most of the other Perl modules I've found are geared 
toward communicating with an SSL-enabled server, and provide a limited 
set of certificate examination methods.

Any recommendations will be helpful.

Thanks,

~brian skrab
  [EMAIL PROTECTED]




Re: Certificate Problem :)

2002-04-22 Thread Michal Bachorik

On Mon, 22 Apr 2002, Andrew Finnell wrote:

 Dear fellow developers,

   I am experiencing some problems with a product we released. We rely
 on a public/private key architecture. The client connects to our server and
 we check to see if the certificate the client had was signed by us. I do
 this by checking to see if I can even get a client certificate. From my
 understanding if the client does not have a trusted certificate signed by
 the same CA as the server or by a trusted CA the server will not receive the
 certificate ( from the applications point of view). I do a
 SSL_get_peer_certificate and everything works for a while. But all of a
 sudden I never get a certificate from the client. This causes our server to
 think the client isn't validated. The only way we seem to be able to fix
 this is to re-create all new certificates. The certificates are set to
 expire in a year but the problem occurs within weeks/months of deployment
 and continues to happen. Does anyone have any insight on how this could be
 happening? Thank you for your time.

What type of connection do you speak of?
https or ssh? And what platform are you running on?


 -
 Andrew T. Finnell
 Software Engineer
 eSecurity Inc
 (321) 394-2485


-- 
snail-mail : Michal Bachorik
 Nedozerskeho 207
 Nedozery 972 12
 SLOVAKIA
phone  : +421 862 54 85 220
e-mail : [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]





Certificate Problem / get_peer_certificate

2002-04-22 Thread Andrew T. Finnell

I am reposting this with a different account. Hopefully my previous
email didn't get sent to a lot of people. I have no control over HTML
being put in my other account's email as the Exchange server does this
automatically. Sorry.

Dear fellow developers,

I am experiencing some problems with a product we released. We
rely on a public/private key architecture. The client connects to our
server and we check to see if the certificate the client had was signed
by us. I do this by checking to see if I can even get a client
certificate. From my understanding if the client does not have a trusted
certificate signed by the same CA as the server or by a trusted CA the
server will not receive the certificate ( from the applications point of
view). I do a SSL_get_peer_certificate and everything works for a while.
But all of a sudden I never get a certificate from the client. This
causes our server to think the client isn't validated. The only way we
seem to be able to fix this is to re-create all new certificates. The
certificates are set to expire in a year but the problem occurs within
weeks/months of deployment and continues to happen. Does anyone have any
insight on how this could be happening? Thank you for your time. 

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 





RE: Certificate Problem :)

2002-04-22 Thread Andrew T. Finnell

Michal,


This is using the OpenSSL libraries through TCP/IP
communications. More specifically, it is through the use of SSLIOP
(CORBA). This happens on all Win32 machines - Solaris 6/7. And Win32 -
Win32.

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Michal Bachorik
 Sent: Monday, April 22, 2002 12:08 PM
 To: Openssl ([EMAIL PROTECTED])
 Subject: Re: Certificate Problem :)
 
 
 On Mon, 22 Apr 2002, Andrew Finnell wrote:
 
  Dear fellow developers,
 
  I am experiencing some problems with a product we 
 released. We rely 
  on a public/private key architecture. The client connects to our 
  server and we check to see if the certificate the client had was 
  signed by us. I do this by checking to see if I can even 
 get a client 
  certificate. From my understanding if the client does not have a 
  trusted certificate signed by the same CA as the server or by a 
  trusted CA the server will not receive the certificate ( from the 
  applications point of view). I do a SSL_get_peer_certificate and 
  everything works for a while. But all of a sudden I never get a 
  certificate from the client. This causes our server to think the 
  client isn't validated. The only way we seem to be able to 
 fix this is 
  to re-create all new certificates. The certificates are set 
 to expire 
  in a year but the problem occurs within weeks/months of 
 deployment and 
  continues to happen. Does anyone have any insight on how 
 this could be 
  happening? Thank you for your time.
 
 What type of connection do you speak of?
 https or ssh? And what platform are you running on?
 
 
  -
  Andrew T. Finnell
  Software Engineer
  eSecurity Inc
  (321) 394-2485
 
 
 -- 
 snail-mail : Michal Bachorik
  Nedozerskeho 207
  Nedozery 972 12
  SLOVAKIA
 phone  : +421 862 54 85 220
 e-mail : [EMAIL PROTECTED]
  [EMAIL PROTECTED]
  [EMAIL PROTECTED]
 
 



Re: Certificate Problem / get_peer_certificate

2002-04-22 Thread Eric Rescorla

Andrew T. Finnell [EMAIL PROTECTED] writes:
 I do a SSL_get_peer_certificate and everything works for a while.
 But all of a sudden I never get a certificate from the client. This
 causes our server to think the client isn't validated. The only way we
 seem to be able to fix this is to re-create all new certificates. The
 certificates are set to expire in a year but the problem occurs within
 weeks/months of deployment and continues to happen. Does anyone have any
 insight on how this could be happening? Thank you for your time. 
What does ssldump say?

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/



RE: Certificate Problem / get_peer_certificate

2002-04-22 Thread Andrew T. Finnell

Eric,

I do not know. I do not have access to these machines; they are
at our client's location. I suppose we could try and get them to install
ssldump and run it, although I am not sure this is an option. 

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rescorla
 Sent: Monday, April 22, 2002 12:25 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Certificate Problem / get_peer_certificate
 
 
 Andrew T. Finnell [EMAIL PROTECTED] writes:
  I do a SSL_get_peer_certificate and everything works for a 
 while. But 
  all of a sudden I never get a certificate from the client. 
 This causes 
  our server to think the client isn't validated. The only 
 way we seem 
  to be able to fix this is to re-create all new certificates. The 
  certificates are set to expire in a year but the problem 
 occurs within 
  weeks/months of deployment and continues to happen. Does 
 anyone have 
  any insight on how this could be happening? Thank you for your time.
 What does ssldump say?
 
 -Ekr
 
 -- 
 [Eric Rescorla   [EMAIL PROTECTED]]
 http://www.rtfm.com/ 



Re: Certificate Problem / get_peer_certificate

2002-04-22 Thread Eric Rescorla

Andrew T. Finnell [EMAIL PROTECTED] writes:
   I do not know. I do not have access to these machines; they are
 at our client's location. I suppose we could try and get them to install
 ssldump and run it, although I am not sure this is an option. 
ssldump can read data captured with 'tcpdump -s 8192 -w' if that
helps at all.

In general, this sort of thing is very difficult to diagnose
without either ssldump traces or OpenSSL logging info.

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/



Proftpd + TLS problem on Debian

2002-04-22 Thread Jani Reinikainen



I tried to set up Proftpd 1.2.5rc1 with the TLS patch from
ftp://ftp.runestig.com/pub/proftpd-tls/ on my Debian Woody box. Compiling went
fine, but when I try to connect to this server using IglooFTP with SSL enabled,
I only get this from IglooFTP:

-
220 FTP Server ready.

AUTH SSL
234 AUTH SSL successful
Starting SSL/TLS negotiation ...
SSL Error: The server could be requesting a certificate.
Unable to establish secure connection.
---

When checking the logfiles for Proftpd, I find this:
---
xx.com (10.101.20.150[10.101.20.150]) - FTP session opened.
xx.com (10.101.20.150[10.101.20.150]) - SSL_accept(): (1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
xx.com (10.101.20.150[10.101.20.150]) - Failed TLS negotiation on control channel, disconnected.
---

I created the certificates on the server using the following commands:

openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem
openssl dsaparam -out dsap-tmp 1024
openssl req -newkey dsa:dsap-tmp -x509 -days 365 -nodes -out ftpd-dsa.pem -keyout ftpd-dsa-key.pem
openssl dhparam -out ftpd-dhparam.pem 1024

I have the Debian package openssl 0.9.6c-2 installed.
What am I missing here? Thanks in advance.


OpenSSL bug or my bug?

2002-04-22 Thread Mike Scriven



I have a Windows client application written in MFC (VC++ 6.0) which is
receiving a file from a server. I'm using my own socket class derived from
CAsyncSocket, to which I've added OpenSSL support (0.9.6c). The file transfer
hangs randomly - if I run it ten times it will hang at a different point each
time. The client hangs because it stops receiving socket notifications that
there is data available to read (the CAsyncSocket::OnReceive(...) callback
function is not being called). If I add an AsyncSelect(FD_READ | FD_WRITE |
FD_CLOSE) immediately after the SSL_read(...) call this resolves the hang.

Is this an OpenSSL bug or is the AsyncSelect really required after every
SSL_read(...) (it's not required after every CAsyncSocket::Receive(...) for a
non-SSL socket)?

Thanks

Mike



Re: OCSP Extension Question

2002-04-22 Thread Averroes

Thanks Richard and Peter

Averroes wrote:

 Hi All,

 Does anyone know what value should be used
 in an ExtendedKeyUsage extension for an OCSP Responder Certificate.

 I use only those:

 extendedKeyUsage=serverAuth

 but the rfc2560, Chap. 4.2.2.2 Authorized Responders says:

 OCSP signing delegation SHALL be designated by the
 inclusion of id-pk-OCSPSigning in an extendedKeyUsage
 certificate extension included in the OCSP response signer's
 certificate.

 id-pk-OCSPSigning OBJECT IDENTIFIER ::= {id-pk 9}

 So...?

 Regards

 #--
 Averroes




OCSP Response

2002-04-22 Thread Averroes

Hi All,

Below is a response from my OCSP Responder.
I would like to know if it is a sufficient answer from the validator
or whether anything is missing... e.g. some extensions:

#---
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = FR, ST = Ile-de-France, L = Paris, O = Medracen Digital
Signature Ltd.,
OU = Medracen OCSP Signing Authority Dept., CN = ocsp.medracen.net,
Email = [EMAIL PROTECTED], 2.5.4.15 = OCSP Signing Authority,
2.5.4.16 = rue des Moines, 2.5.4.17 = FR-75017, 2.5.4.20 = N/A, 2.5.4.23 =
N/A,
uniqueIdentifier= OID-2.16.113.1.62

Produced At: Apr 22 17:56:05 2002 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 16FFE3F415CD0EBEE4FE23D00D2A952E4C49A827
  Issuer Key Hash: 01D54789BAE94682D40506C954D2F73F68CCC1CA
  Serial Number: 6EA9AB1BAA0EFB9E19094440C317E21B
Cert Status: good
This Update: Apr 22 17:56:05 2002 GMT
Next Update: Apr 23 17:56:05 2002 GMT

Response Extensions:
OCSP Nonce:
2E0A6CF4EF8E168780960B0BF37DECA6
Response verify OK
0x6EA9AB1BAA0EFB9E19094440C317E21B: good
This Update: Apr 22 17:56:05 2002 GMT
Next Update: Apr 23 17:56:05 2002 GMT
#---

#-
Averroes

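As an added example (not part of this post, and not OpenSSL project code): a small shell checker for the text that `openssl ocsp -text` prints, run against the response Averroes posted above. It goes through what a relying party checks before acting on a response: that `Response verify OK` was printed (the responder signature and chain verified, which is where the OCSPSigning extended key usage from the earlier thread comes in), that a nonce came back (the request must be made with `-nonce`, otherwise an old response can be replayed), that the status is `good`, and that the current time lies inside the `This Update` / `Next Update` window. The response text is copied from the post with the indentation openssl prints restored approximately; the "now" values it is evaluated at are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a checker for the text that
# "openssl ocsp -text ... 2>&1" prints, applied to the posted response.
# The response below is copied from the post; the "now" values are assumed.

# Turn an OpenSSL time stamp ("Apr 23 17:56:05 2002 GMT") into YYYYMMDDHHMMSS
# so that stamps can be compared as numbers.
time_key() {   # time_key "<Mon> <day> <HH:MM:SS> <year> GMT"
  echo "$1" | awk '{
    n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= n; i++) if (m[i] == $1) mon = i
    split($3, t, ":")
    printf "%04d%02d%02d%02d%02d%02d\n", $4, mon, $2, t[1], t[2], t[3]
  }'
}

# First value printed after "Label:" (leading blanks ignored).
field() {   # field <label> <file>
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1
}

# True when time key $1 is later than time key $2. Done in awk because the
# keys are 14-digit numbers, more than a 32-bit shell "test" handles reliably.
is_after() {
  awk -v a="$1" -v b="$2" 'BEGIN { exit !(a > b) }'
}

# What a relying party checks before trusting a response, at time NOW:
#   1. "Response verify OK": responder signature and chain verified
#      (the responder cert must carry id-kp-OCSPSigning, RFC 2560 4.2.2.2)
#   2. a nonce is echoed back, so the response cannot be replayed
#      (RFC 2560 4.4.1; the request has to be sent with -nonce)
#   3. the status is "good"; "revoked" and "unknown" both mean reject
#   4. thisUpdate is not in the future and nextUpdate has not passed
check_ocsp_response() {   # check_ocsp_response <text-file> <now-key>
  grep -q '^Response verify OK' "$1" || { echo "reject: signature/chain not verified"; return 1; }
  grep -q '^[[:space:]]*OCSP Nonce:' "$1" || { echo "reject: no nonce in response"; return 2; }
  status=$(field "Cert Status" "$1")
  [ "$status" = "good" ] || { echo "reject: status is '$status'"; return 3; }
  this=$(time_key "$(field "This Update" "$1")")
  next=$(time_key "$(field "Next Update" "$1")")
  if is_after "$this" "$2"; then echo "reject: thisUpdate $this is in the future"; return 4; fi
  if is_after "$2" "$next"; then echo "reject: stale, nextUpdate $next has passed"; return 5; fi
  echo "accept: serial $(field "Serial Number" "$1") is good until $next"
}

# The response from the post (sample input for this example).
SAMPLE="${TMPDIR:-/tmp}/ocsp_sample.$$"
cat > "$SAMPLE" <<'EOF'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = FR, ST = Ile-de-France, L = Paris, O = Medracen Digital Signature Ltd., OU = Medracen OCSP Signing Authority Dept., CN = ocsp.medracen.net, Email = [EMAIL PROTECTED], 2.5.4.15 = OCSP Signing Authority, 2.5.4.16 = rue des Moines, 2.5.4.17 = FR-75017, 2.5.4.20 = N/A, 2.5.4.23 = N/A, uniqueIdentifier= OID-2.16.113.1.62
    Produced At: Apr 22 17:56:05 2002 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 16FFE3F415CD0EBEE4FE23D00D2A952E4C49A827
      Issuer Key Hash: 01D54789BAE94682D40506C954D2F73F68CCC1CA
      Serial Number: 6EA9AB1BAA0EFB9E19094440C317E21B
    Cert Status: good
    This Update: Apr 22 17:56:05 2002 GMT
    Next Update: Apr 23 17:56:05 2002 GMT

    Response Extensions:
        OCSP Nonce:
            2E0A6CF4EF8E168780960B0BF37DECA6
Response verify OK
0x6EA9AB1BAA0EFB9E19094440C317E21B: good
    This Update: Apr 22 17:56:05 2002 GMT
    Next Update: Apr 23 17:56:05 2002 GMT
EOF

# The same response with the nonce extension stripped: the replay check fails it.
NO_NONCE="$SAMPLE.nononce"
grep -v -e 'OCSP Nonce' -e '2E0A6CF4EF8E168780960B0BF37DECA6' "$SAMPLE" > "$NO_NONCE"

check_ocsp_response "$SAMPLE"   "$(time_key "Apr 22 18:00:00 2002 GMT")"   # accept
check_ocsp_response "$SAMPLE"   "$(time_key "Apr 24 09:00:00 2002 GMT")"   # stale
check_ocsp_response "$NO_NONCE" "$(time_key "Apr 22 18:00:00 2002 GMT")"   # no nonce
```

To feed it a live response, capture both streams, since `openssl ocsp` prints `Response verify OK` on stderr: `openssl ocsp -issuer ca.pem -cert client.pem -CAfile ca.pem -url http://ocsp.example.test -nonce -text > resp.txt 2>&1`, then `check_ocsp_response resp.txt "$(time_key "$(date -u '+%b %d %H:%M:%S %Y GMT')")"`. The script's own verdict on the posted response is "accept" at the time it was produced and "stale" a day after `Next Update`, which is the window a validator has to refresh.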






RE: Why my browser can not identify the certificate!

2002-04-22 Thread Aslam

Just make sure that your client certificate signer's certificate is trusted
by your ssl/tls server and, if this is not the case, then check whether your client
certificate has extendedKeyUsage=clientAuthentication as one of the v3
extensions (many servers require this EKU to be present in the client cert).

Thanks
Aslam


-Original Message-
From: shihao [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 22, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: Why my browser can not identify the certificate!


Dear all,
 
   I have signed personal certificate and install it
in the browser,Outlook Express have identify it and I can 
sign or encrpt the Email.
   But when I connect my web server which require client
certificate, web browser can not identify the certificate,
can somebody tell me why?
   Your help will be appreciated!


Hao
04/22/2002
  



RE: X509_vfy.c function int check_issued() BUG..

2002-04-22 Thread Aslam

Hi,

Yes, you are right that it will not select a CA certificate which is not yet valid,
provided the new certificate has a different serial no. Basically I
generated the same certificate using the same subject DN, serial no and key
pair. But I should have changed the new CA certificate's serial no.

Thanks
Aslam

-Original Message-
From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 11, 2002 3:56 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'
Subject: Re: X509_vfy.c function int check_issued() BUG..


On Wed, Apr 10, 2002 at 03:22:30PM -0400, Aslam wrote:
 I've been doing testing for new root CA certificate issuance and openssl's
 chain building/cert chain validation. And if I have both the root CA old cert
 and the root CA new cert (obtained by certificate refresh, i.e. the old subject
 and old key pair are used to get the root CA new cert for a new time period),
 and the time is such that the root CA new cert is NOT_YET_VALID and the new
 cert is added last in the X509_STORE, then chain building fails with error =
 CERT_NOT_YET_VALID, even though a valid root CA cert (old) is there in the
 X509_STORE. The function static int check_issued(X509_STORE_CTX* ctx, X509* x,
 X509* issuer) in x509_vfy.c does check for subject dist name, subject/issuer
 key identifier, basic constraints etc. match, but cert time validation is
 deferred till we have a stack with bottom = end entity cert and top =
 self-signed root cert, i.e. till static int internal_verify(X509_STORE_CTX* ctx).
 So because of this the root CA new cert is added to the stack, but later in
 the internal_verify() call it fails with CERT_NOT_YET_VALID. What should
 happen is that cert time validity must be checked while building the cert
 chain (adding certs to the stack), not after it. So all certs in the
 X509_STORE must be looked at before calling internal_verify() for the cert
 signature check.
 
 Similar behaviour is seen if the old cert is added last (top of the stack in
 X509_STORE) and it is expired: then error = CERT_EXPIRED, provided the issued
 cert is still valid, which is basically a wrong practice, to issue certs
 beyond the CA's valid time period.

I am not sure that I understand you correctly. You have issued a new CA
certificate based on the old key and tried to mimic the old certificate
as closely as possible. Now the verification routine has problems
distinguishing between these certificates.
The verification routines distinguish
* the DN (Distinguished Name)
* the AKID/SKID (the authority key identifier of the issued certificate must match
  the subject key identifier of the CA)
* the serial number in the authority key identifier.
You therefore could assure correct behaviour by making at least one of
these properties different.
To be fair: I don't have the time to look around for it, but I would expect
that in some RFC this would also be listed as a requirement :-)

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



OpenSSL bug or my bug?

2002-04-22 Thread Mike Scriven

Re-posting without the HTML junk!


I have a Windows client application written in MFC (VC++ 6.0) which is
receiving a file from a server. I'm using my own socket class derived from
CAsyncSocket, to which I've added OpenSSL support (0.9.6c). The file
transfer hangs randomly - if I run it ten times it will hang at a different
point each time. The client hangs because it stops receiving socket
notifications that there is data available to read (the
CAsyncSocket::OnReceive(...) callback function is not being called). If I
add an AsyncSelect(FD_READ | FD_WRITE | FD_CLOSE) immediately after the
SSL_read(...) call this resolves the hang.

Is this an OpenSSL bug or is the AsyncSelect really required after every
SSL_read(...) (it's not required after every CAsyncSocket::Receive(...) for
a non-SSL socket)?

Thanks

Mike





signcode for linux/unix?

2002-04-22 Thread Zeqing (Fred) Xia

Hi Everyone,

Is there any version of the MS signcode utility on linux/unix? Or if anyone can point 
out the spec of the file format? Thanks.

Fred Xia





CRL PROBLEM-CRL CANNOT WORK IN WINDOWS!

2002-04-22 Thread deyong he

Hi, 
I have a problem with CRLs. I have created a CRL
(version 1) and now I want to import it into Netscape
and IE. The CRL is OK. It works on Linux with Netscape
(i.e. the certificate is marked as revoked), but I
can't download it on Windows.

IE says that the import was successful, but the
certificate state is still normal!

So I have several questions:
1. How do CRLs work with IE - when does it check them?
2. How do I download a CRL into Netscape?
3. Is there a method for checking which CRLs were
imported into the browser?

Thanks for any information







Re: RE: Why my browser can not identify the certificate!

2002-04-22 Thread shihao

Sorry, the problem still appears.
The client certificate and the SSL server (IIS 5.0) certificate were
signed by the same CA.
The signing operation goes wrong after I add extendedKeyUsage = clientAuthentication
in the openssl.cnf. I think openssl doesn't recognize this extension; it only
recognizes nsCertType = client,email

Hao

-
Just make sure that your client certificate signer's certificate is trusted
by your ssl/tls server and, if this is not the case, then check whether your client
certificate has extendedKeyUsage=clientAuthentication as one of the v3
extensions (many servers require this EKU to be present in the client cert).

Thanks
Aslam


-Original Message-
From: shihao [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 22, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: Why my browser can not identify the certificate!


Dear all,

   I have signed personal certificate and install it
in the browser,Outlook Express have identify it and I can 
sign or encrpt the Email.
   But when I connect my web server which require client
certificate, web browser can not identify the certificate,
can somebody tell me why?
   Your help will be appreciated!


Hao
04/22/2002
  






Please Help!!!

2002-04-22 Thread Paul Mallary

I have been trying to figure this out on my own for the past day or so and am stumped. 
I have installed all of the necessary stuff for openssl to compile but I keep getting 
these error messages when I configure and make...
 
./Configure solaris-sparcv8-gcc shared no-threads
JUST A SECTION OF THE ./Configure
Makefile = Makefile.ssl
comp.h = ../../include/openssl/comp.h [File exists]
make[2]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto/comp'
make[1]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto'
making links in ssl...
make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/ssl'
Makefile = Makefile.ssl
ssl.h = ../include/openssl/ssl.h [File exists]
ssl2.h = ../include/openssl/ssl2.h [File exists]
ssl3.h = ../include/openssl/ssl3.h [File exists]
ssl23.h = ../include/openssl/ssl23.h [File exists]
tls1.h = ../include/openssl/tls1.h [File exists]
 
Then when I run make
JUST A SECTION
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.6
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.6
making all in crypto...
make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
echo "  #define CFLAGS \"gcc -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM\""; \
echo "  #define PLATFORM \"solaris-sparcv9-gcc\""; \
echo "  #define DATE \"`date`\""; \
echo "#endif" ) >buildinf.h
gcc -I. -I../include -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM   -c -o cryptlib.o cryptlib.c
In file included from cryptlib.c:59:
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:36:27: iso/stdio_iso.h: No such file or directory
In file included from cryptlib.c:59:
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:194: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:229: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:230: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:236: parse error before size_t
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:241: parse error before size_t
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:250: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:252: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:276: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:285: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:286: parse error before FILE
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:287: parse error before '*' token
cryptlib.c:60:20: string.h: No such file or directory
 
What is wrong with what I am doing? Any help would be a life saver!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Please Help!!!

2002-04-22 Thread Aleksey Sanin

IMHO it's a bad idea to use gcc 3.0 on Solaris now. I had a very bad experience
with it in the past. If it is possible, try gcc 2.95.3.

Aleksey Sanin

Paul Mallary wrote:

I have been trying to figure this out on my own for the past day or so and am 
stumped. I have installed all of the necessary stuff for openssl to compile but I 
keep getting these error messages when I configure and make...
 
./Configure solaris-sparcv8-gcc shared no-threads
JUST A SECTION OF THE ./Configure
Makefile = Makefile.ssl
comp.h = ../../include/openssl/comp.h [File exists]
make[2]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto/comp'
make[1]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto'
making links in ssl...
make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/ssl'
Makefile = Makefile.ssl
ssl.h = ../include/openssl/ssl.h [File exists]
ssl2.h = ../include/openssl/ssl2.h [File exists]
ssl3.h = ../include/openssl/ssl3.h [File exists]
ssl23.h = ../include/openssl/ssl23.h [File exists]
tls1.h = ../include/openssl/tls1.h [File exists]
 
Then when I run make
JUST A SECTION
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.6
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.6
making all in crypto...
make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
echo "  #define CFLAGS \"gcc -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM\""; \
echo "  #define PLATFORM \"solaris-sparcv9-gcc\""; \
echo "  #define DATE \"`date`\""; \
echo "#endif" ) >buildinf.h
gcc -I. -I../include -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM   -c -o cryptlib.o cryptlib.c
In file included from cryptlib.c:59:
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:36:27: iso/stdio_iso.h: No such file or directory
In file included from cryptlib.c:59:
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:194: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:229: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:230: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:236: parse error before size_t
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:241: parse error before size_t
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:250: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:252: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:276: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:285: parse error before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:286: parse error before FILE
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:287: parse error before '*' token
cryptlib.c:60:20: string.h: No such file or directory
 
What is wrong with what I am doing? Any help would be a life saver!


