[openssl-users] Perform self tests after installation?

[Jeffrey Walton]

Is it possible to perform the self tests after an installation? If so,
how do we do it (I'm interested in both 1.0.x and 1.1.x)?

'make test' works from the build directory, and I don't recall seeing
an 'openssl test' command that could work after installation.

I'm guessing not, but I want to ensure I'm not missing something.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] lh_CONF_VALUE_new parameters?

[Matěj Cepl]

Hi,

I am trying to make M2Crypto build on Windows again
(https://gitlab.com/m2crypto/m2crypto/merge_requests/26). I have
replaced by POSIX's poll by WSAPoll( I know about
https://daniel.haxx.se/blog/2012/10/10/wsapoll-is-broken/ but we
don't play with the error values, which is a mistake, I know, so
we shouldn't be affected).

The second problem is that VC++ compiler crashes on problems
with CONF_VALUE. Originally M2Crypto had this
(https://gitlab.com/m2crypto/m2crypto/blob/master/SWIG/_x509.i#L514):

#if OPENSSL_VERSION_NUMBER >= 0x1000L
LHASH_OF(CONF_VALUE)
#else
LHASH
#endif
*x509v3_lhash() {
return lh_new(NULL, NULL); /* Should probably be lh_CONF_VALUE_new but 
won't compile. */
}

Apparently, using lh_new(NULL, NULL) is not good enough for VC++
and it crashes on it
(https://ci.appveyor.com/project/mcepl/m2crypto-nngqn/build/job/e7q2ogndlje2x2h9)

After a deep dive into lhash(3) and some examples on github,
I have created this:

/*
typedef struct
{
char *section;
char *name;
char *value;
} CONF_VALUE;

 */

unsigned long CONF_VALUE_hash(const CONF_VALUE *v) {
char *v_key, *hash_hex;

v_key = strncat(v1->section, v1->name, 1024);
v_key = strncat(v1_key, v1->value, 2048);

return *(unsigned long *) SHA256(v_key, strlen(v_key), hash_hex);
}
static IMPLEMENT_LHASH_HASH_FN(CONF_VALUE_hash, const CONF_VALUE*);

int CONF_VALUE_cmp(const CONF_VALUE *v1, const CONF_VALUE *v2) {
char *v1_key, *v2_key;

v1_key = strncat(v1->section, v1->name, 1024);
v1_key = strncat(v1_key, v1->value, 2048);

v2_key = strncat(v2->section, v2->name, 1024);
v2_key = strncat(v2_key, v2->value, 2048);

return strncmp(v1_key, v2_key, 2048);
}
static IMPLEMENT_LHASH_COMP_FN(CONF_VALUE_cmp, const CONF_VALUE*);

#if OPENSSL_VERSION_NUMBER >= 0x1000L
LHASH_OF(CONF_VALUE)
#else
LHASH
#endif
*x509v3_lhash() {
return lh_CONF_VALUE_new(CONF_VALUE_hash, CONF_VALUE_cmp);
}

but gcc still fails to compile with error:

SWIG/_x509.i:554: Error: Macro 'lh_CONF_VALUE_new' expects 
no arguments

lh_CONF_VALUE_new with arguments is however exactly what I found 
on the Internet (and in crypt/conf/conf_api.c, which seems to be 
the only use of lh_CONF_VALUE_new in OpenSSL tree).

Using openssl-1.0.1e-56.el7.x86_64 on RHEL-7.

Could anybody enlighten me, how to make lh_CONF_VALUE_new 
working, please?

Thank you,

Matěj

--
https://matej.ceplovi.cz/blog/, Jabber: mc...@ceplovi.cz
GPG Finger: 89EF 4BC6 288A BF43 1BAB  25C3 E09F EF25 D964 84AC

You either die a hero or you live long enough to see yourself become the 
villain.
  -- Harvey Dent in The Dark Knight

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] CMS with Symmetric key

[Dr. Stephen Henson]

On Mon, Apr 11, 2016, Abe Racioppo wrote:

> Thank you for the responses.
> 
> I have implemented encryption that adds a secret key, and secret key id
> using:
> CMS_add0_recipient_key,
> CMS_EncryptData_encrypt,
> SMIME_write_CMS
> The output file looks correct, but I need to decrypt it back to be sure.
> 

Ah CMS_EncryptedData_encrypt() just creates the encrypted data type. If you
want to use enveloped data you use CMS_encrypt() first then
CMS_add0_recipient_key() and finally SMIME_write_CMS().

> I would like to be able to get the secret key id from the envelope data to
> then search a database for the key, and then CMS_decrypt.  I have yet to
> determine the most straightforward way of getting the key ids from the
> envelope/wrapped content of cms.
> 
> Is there a combination if I have SMIME_read the cms from a file like:
>   keyId =  cms->envelopedData->keyId?
> 
> Or do I need to handle a stack_of recipient infos in order to get the key
> id from kekri0_get_id?
> 

Yes. You need to use CMS_get0_RecipientInfos() as there can be multiple
recipients of different types.

For each recipient info you check the type with:

CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_KEY

For each match retrieve the key ID using CMS_RecipientInfo_kekri_get0_id().

If the id doesn't match a value in you database continue to the next recipient
info. If no matches return an error.

If you do get a match then call CMS_RecipientInfo_set0_key().

Finally call CMS_decrypt(): setting the key and certificate parameters to
NULL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Are double-quotes valid characters in certifcates/keys?

[Ajay Garg]

Thanks everyone for the quick and generous help !!
I am really thankful to everyone's time.


Thanks and Regards,
Ajay

On Tue, Apr 12, 2016 at 7:08 PM, Salz, Rich  wrote:
>
>> Except when you want more people (usually everybody) access to the CRT,
>> but few people (usually one or two trusted server
>> processes) access to the private KEY.
>>
>> Then using two different files will make a lot of sense.
>
> Oh yes, absolutely!  Don't give out the private kkey :)
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



-- 
Regards,
Ajay
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Received signal SIGSEGV in CRYPTO_add_lock()

[Michael Wojcik]

Why do you think that message is relevant to your problem?

You haven't told us anything useful about the problem you're experiencing, like 
what version of OpenSSL you're using. If you want good answers, ask good 
questions.

What we can see below:

- Obviously the parameter being passed to CRYPTO_add_lock is bogus. The problem 
isn't with locks; it's with attempting to operate on garbage data. The most 
likely causes are heap or stack corruption, or use-after-free.

- The value being passed to X509_free isn't a valid pointer either.

My guess is that your application frees something when it shouldn't. Maybe 
you're calling SSL_free twice. It appears that the CERT* passed to 
ssl_cert_clear_certs contains bogus data, and a use-after-free is a likely 
cause.

Since you're running on Linux (which I only know because of the gdb module list 
- again, you haven't provided even the most basic information with your 
question), I'd suggest running the application under Valgrind.

Michael Wojcik
Technology Specialist, Micro Focus


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Vikas TM
Sent: Tuesday, April 12, 2016 10:12
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Received signal SIGSEGV in CRYPTO_add_lock()


Hi,

I am not very clear with solution provided in the following link,
http://lists.globus.org/pipermail/gt-user/2007-December/005317.html

Appreciated if you help me in resolving this issue.

Thanks & Regards,
Vikas
On 11 Apr 2016 8:20 pm, "Vikas TM" 
> wrote:

Hi,

It looks like there is issue in handling crypto locks. I encountered 
segmentation fault in CRYPTO_add_lock() function referencing NULL pointer. 
Please find GDB output below,

(gdb) run ftp://x.x.x.x:sample.txt

Starting program: /App/vikftp ftp://x.x.x.x:sample.txt

Missing separate debuginfo for /lib/ld-linux.so.2

Missing separate debuginfo for /lib/libdl.so.2

Missing separate debuginfo for /lib/libpam.so.0

Missing separate debuginfo for /lib/libm.so.6

Missing separate debuginfo for /lib/libc.so.6

Missing separate debuginfo for /lib/libaudit.so.0

process 22287 is executing new program: /App/vikftp

Missing separate debuginfo for /lib/ld-linux.so.2

Missing separate debuginfo for /lib/libdl.so.2

Missing separate debuginfo for /lib/libpam.so.0

Missing separate debuginfo for /lib/libm.so.6

Missing separate debuginfo for /lib/libc.so.6

Missing separate debuginfo for /lib/libaudit.so.0



Program received signal SIGSEGV, Segmentation fault.

0x08205766 in CRYPTO_add_lock (pointer=0x1011, amount=-1, type=3, 
file=0x85d0030 "/102d/s/tasn_utl.c", line=118)

at /102d/s/cryptlib.c:624

624 ret = *pointer + amount;

(gdb) bt

#0  0x08205766 in CRYPTO_add_lock (pointer=0x1011, amount=-1, type=3, 
file=0x85d0030 "/102d/s/tasn_utl.c", line=118)

at /102d/s/cryptlib.c:624

#1  0x08249d2a in asn1_do_lock (pval=0xff8eee90, op=-1, it=0x862cb1c) at 
/102d/s/tasn_utl.c:118

#2  0x08246ed5 in asn1_item_combine_free (pval=0xff8eee90, it=0x862cb1c, 
combine=0) at /102d/s/tasn_fre.c:146

#3  0x08246c40 in ASN1_item_free (val=0x1001, it=0x862cb1c) at 
/102d/s/tasn_fre.c:72

#4  0x0825eeea in X509_free (a=0x1001) at /102d/s/x_x509.c:143

#5  0x082ee677 in ssl_cert_clear_certs (c=0x872e4e0) at /102d/s/ssl_cert.c:431

#6  0x082ee7ed in ssl_cert_free (c=0x872e4e0) at /102d/s/ssl_cert.c:489

#7  0x0822f926 in SSL_free (s=0x872e340) at /102d/s/ssl_lib.c:627

#8  0x0816566c in closeConnection (pcx=0x86d8310, rsn=0x0, graceful=1 '\001') 
at /App/vikftp.c:10098

Please let me know if you have any solution.

Thanks & Regards,
Vikas


Click 
here
 to report this email as spam.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Received signal SIGSEGV in CRYPTO_add_lock()

[Vikas TM]

Hi,

I am not very clear with solution provided in the following link,
http://lists.globus.org/pipermail/gt-user/2007-December/005317.html

Appreciated if you help me in resolving this issue.

Thanks & Regards,
Vikas
On 11 Apr 2016 8:20 pm, "Vikas TM"  wrote:

> Hi,
>
> It looks like there is issue in handling crypto locks. I encountered
> segmentation fault in CRYPTO_add_lock() function referencing NULL pointer.
> Please find GDB output below,
>
> (gdb) run ftp://x.x.x.x:sample.txt
>
> Starting program: /App/vikftp ftp://x.x.x.x:sample.txt
>
> Missing separate debuginfo for /lib/ld-linux.so.2
>
> Missing separate debuginfo for /lib/libdl.so.2
>
> Missing separate debuginfo for /lib/libpam.so.0
>
> Missing separate debuginfo for /lib/libm.so.6
>
> Missing separate debuginfo for /lib/libc.so.6
>
> Missing separate debuginfo for /lib/libaudit.so.0
>
> process 22287 is executing new program: /App/vikftp
>
> Missing separate debuginfo for /lib/ld-linux.so.2
>
> Missing separate debuginfo for /lib/libdl.so.2
>
> Missing separate debuginfo for /lib/libpam.so.0
>
> Missing separate debuginfo for /lib/libm.so.6
>
> Missing separate debuginfo for /lib/libc.so.6
>
> Missing separate debuginfo for /lib/libaudit.so.0
>
>
>
> Program received signal SIGSEGV, Segmentation fault.
>
> 0x08205766 in CRYPTO_add_lock (pointer=0x1011, amount=-1, type=3,
> file=0x85d0030 "/102d/s/tasn_utl.c", line=118)
>
> at /102d/s/cryptlib.c:624
>
> 624 ret = *pointer + amount;
>
> (gdb) bt
>
> #0  0x08205766 in CRYPTO_add_lock (pointer=0x1011, amount=-1, type=3,
> file=0x85d0030 "/102d/s/tasn_utl.c", line=118)
>
> at /102d/s/cryptlib.c:624
>
> #1  0x08249d2a in asn1_do_lock (pval=0xff8eee90, op=-1, it=0x862cb1c) at
> /102d/s/tasn_utl.c:118
>
> #2  0x08246ed5 in asn1_item_combine_free (pval=0xff8eee90, it=0x862cb1c,
> combine=0) at /102d/s/tasn_fre.c:146
>
> #3  0x08246c40 in ASN1_item_free (val=0x1001, it=0x862cb1c) at
> /102d/s/tasn_fre.c:72
>
> #4  0x0825eeea in X509_free (a=0x1001) at /102d/s/x_x509.c:143
>
> #5  0x082ee677 in ssl_cert_clear_certs (c=0x872e4e0) at
> /102d/s/ssl_cert.c:431
>
> #6  0x082ee7ed in ssl_cert_free (c=0x872e4e0) at /102d/s/ssl_cert.c:489
>
> #7  0x0822f926 in SSL_free (s=0x872e340) at /102d/s/ssl_lib.c:627
>
> #8  0x0816566c in closeConnection (pcx=0x86d8310, rsn=0x0, graceful=1
> '\001') at /App/vikftp.c:10098
>
> Please let me know if you have any solution.
>
> Thanks & Regards,
> Vikas
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Are double-quotes valid characters in certifcates/keys?

[Salz, Rich]

> Except when you want more people (usually everybody) access to the CRT,
> but few people (usually one or two trusted server
> processes) access to the private KEY.
> 
> Then using two different files will make a lot of sense.

Oh yes, absolutely!  Don't give out the private kkey :)
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL errors connecting to some websites

[Matt Caswell]

On 12/04/16 09:45, Chris Puttick wrote:
> Hi
> 
> Our schools filtering product utilises OpenSSL with Squid; we're seeing 
> issues connecting to some sites which seem OpenSSL related. Two sites with 
> known issues are:
> 
> https://www.spellanywhere.co.uk/
> 
> https://www.mymaths.co.uk/
> 
> Connecting to either of these Squid returns the error:
> 
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:14077438:SSL 
> routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

It seems these servers require connections to supply SNI information.
Supplying the servername option to s_client adds it:

# openssl s_client -connect www.spellanywhere.co.uk:443 -servername
www.spellanywhere.co.uk

I am able to create successful connections to both of the sites you list
above with OpenSSL 1.0.1 using the above option.

Unfortunately I am unfamiliar with Squid configuration, so I can't
advise as to whether this is the problem with your squid setup, and if
it is - how you fix it.

Matt



> 
> Running openssl tests direct from a schools box (OpenSSL 1.0.1) gets:
> 
> # openssl s_client -connect www.spellanywhere.co.uk:443
> CONNECTED(0003)
> 3073661128:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert 
> internal error:s23_clnt.c:734:
> 
> Attempting to disable protocols for testing gets:
> 
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -connect 
> www.spellanywhere.co.uk:443
> CONNECTED(0003)
> 3074005192:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
> handshake failure:s23_clnt.c:734:
> 
> and eventually
> 
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect 
> www.spellanywhere.co.uk:443
> CONNECTED(0003)
> 3073534152:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols 
> available:s23_clnt.c:385:
> 
> While forcing dtls with 
> 
> openssl s_client -dtls1 -connect www.spellanywhere.co.uk:443
> 
> seems to establish a tunnel as expected. 
> 
> Using curl or wget on the same boxes to those sites works as expected. Tests 
> on a local box with OpenSSL 1.0.2e return similar results, although the 
> disabled protocols test returns a different error:
> 
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect 
> www.spellanywhere.co.uk:443
> CONNECTED(0003)
> 139735616550552:error:14077102:SSL 
> routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:735:
> 
> Is this some sort of SSL handshake fallback error? Is there anything we can 
> do in terms of configuration? Are we barking up the wrong tree?
> 
> All input/questions welcome.
> 
> Thanks
> 
> Chris
> 
> 
> ---
> Chris Puttick
> CEO & Chief Asst to the duck
> TwoTen
> http://twoten.is
> Making the Internet better. For kids.
> +44 7908 997 146
> @putt1ck
> Two Ten Web Limited, Regd Company no. 7774762 Regd office Unit 6, Southill, 
> Cornbury Park, Charlbury, Oxfordshire OX7 3EW United Kingdom
> 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] SSL errors connecting to some websites

[Chris Puttick]

Hi

Our schools filtering product utilises OpenSSL with Squid; we're seeing issues 
connecting to some sites which seem OpenSSL related. Two sites with known 
issues are:

https://www.spellanywhere.co.uk/

https://www.mymaths.co.uk/

Connecting to either of these Squid returns the error:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077438:SSL 
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Running openssl tests direct from a schools box (OpenSSL 1.0.1) gets:

# openssl s_client -connect www.spellanywhere.co.uk:443
CONNECTED(0003)
3073661128:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert 
internal error:s23_clnt.c:734:

Attempting to disable protocols for testing gets:

openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -connect 
www.spellanywhere.co.uk:443
CONNECTED(0003)
3074005192:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
handshake failure:s23_clnt.c:734:

and eventually

openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect 
www.spellanywhere.co.uk:443
CONNECTED(0003)
3073534152:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols 
available:s23_clnt.c:385:

While forcing dtls with 

openssl s_client -dtls1 -connect www.spellanywhere.co.uk:443

seems to establish a tunnel as expected. 

Using curl or wget on the same boxes to those sites works as expected. Tests on 
a local box with OpenSSL 1.0.2e return similar results, although the disabled 
protocols test returns a different error:

openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect 
www.spellanywhere.co.uk:443
CONNECTED(0003)
139735616550552:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported 
protocol:s23_clnt.c:735:

Is this some sort of SSL handshake fallback error? Is there anything we can do 
in terms of configuration? Are we barking up the wrong tree?

All input/questions welcome.

Thanks

Chris


---
Chris Puttick
CEO & Chief Asst to the duck
TwoTen
http://twoten.is
Making the Internet better. For kids.
+44 7908 997 146
@putt1ck
Two Ten Web Limited, Regd Company no. 7774762 Regd office Unit 6, Southill, 
Cornbury Park, Charlbury, Oxfordshire OX7 3EW United Kingdom

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Question about timestamps

[Alex Samad]

Oh sorry I am new to the TS side of things and I am putting things
together piece meal.

On 12 April 2016 at 13:08, Jakob Bohm  wrote:
> My point was that the -text output would *show* you if
> the missing certs were included in the time stamp response
> somewhere, and where.
>
> If they are indeed inside the response, then the question
> would be why the "openssl ts -verify" command didn't find
> them automatically.
>
> If they are not inside the response, then the question
> would be why Symantec didn't include them like other
> tsa-s do.
>
> On 08/04/2016 22:36, Alex Samad wrote:
>
> Hi
>
> Yep I have tried the output to text. but does that verify the signature.
>
> So what I think I have now is
>
> my data to be signed
> I make a request
> send the request to the tsa
> the tsa signs it adds signature
> I have response.
>
> Now I need to verify it
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>
> but it seems to fail, I presume (newbie), because I don't have the
> intermediary certs .
>
> I presume symantec have signed it with a cert thats rooted in one of
> their main CA's and I presume for me to verify I need the
> intermediaries or atleast the sign cert's ca.
>
>
> I have looked on symantecs site to no available
>
> and I am working on guess work here
>
>
>
>
>
> On 8 April 2016 at 16:26, Jakob Bohm  wrote:
>
> Try something like
>
> $OPENSSL ts -reply -in ${FL}.tsr -text -noout
>
> (Not sure if it accepts the -noout option or not).
>
>
> On 08/04/2016 08:01, Alex Samad wrote:
>
> Okay, how do I dump the intermediaries then ?
>
>
>
> On 8 April 2016 at 15:49, Jakob Bohm  wrote:
>
> On 08/04/2016 07:39, Alex Samad wrote:
>
> Hi
>
> I am trying to use a rfc3161 timestamp service to record timestamps.
>
>
> Basically I have a sha of some files and I would like to sign the file.
>
> basically I am using something like this
>
> # Generate Query and send
> $OPENSSL ts -query -data "$FL" -sha256 | $CURL -s -H
> "Content-Type:application/timestamp-query" --data-binary "@-" $TSA >
> "${FL}.tsr"
>
> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>
>
> where FL = is file.
>
> What I want to be able to do is verify the .tsr file
>
> testing that with
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>
>
> where SHA.sha is the original FL
>
> but I get
>
> Verification: FAILED
> 140221656393544:error:2107C080:PKCS7
> routines:PKCS7_get0_signers:signer certificate not
> found:pk7_smime.c:476:
>
> from the text output
>cat *.txt
> Status info:
> Status: Granted.
> Status description: unspecified
> Failure info: unspecified
>
> TST info:
> Version: 1
> Policy OID: 2.16.840.1.113733.1.7.23.3
> Hash Algorithm: sha256
> Message data:
>    - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6
> .m.[...WE.i.
>   0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5
> z.U%..W7>\..
> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
> Time stamp: Apr  8 04:58:08 2016 GMT
> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
> Ordering: no
> Nonce: 0x8E67A9941BCB2570
> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
> Network/CN=Symantec SHA256 TimeStamping Signer - G1
> Extensions:
>
> I think this certificate is the end entity certificate
> for the Symantec time stamping server that responded to
> your request.
>
> If you dump the full contents of the TSR it should include
> that certificate somewhere, plus a chain leading to a
> public root which is hopefully in your list of trusted
> certificates or at least available via some other secure
> method.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users