Re: [openssl-users] How to respond to TLS heartbeat in openssl

2017-12-21 Thread Keshava Krishna Bhat K
Hi Jeff,

I checked in the git repo (tags/OpenSSL_1_0_2g); opensslconf.h does not
have the above OPENSSL_NO_HEARTBEATS definition in 1.0.2g.
So I think it's enabled.

Regards,
Keshava.

On Fri, Dec 22, 2017 at 12:20 PM, Jeffrey Walton  wrote:

> On Fri, Dec 22, 2017 at 1:32 AM, Keshava Krishna Bhat K
>  wrote:
> > Ok, I got to know that
> >  openssl version -a gives out the flags used while building openssl.
> > so the output of this was
> >
> > OpenSSL 1.0.2g  1 Mar 2016
> > built on: reproducible build, date unspecified
> > platform: debian-amd64
> > options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> > compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
> > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
> > -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> > -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro
> -Wa,--noexecstack
> > -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> > -DGHASH_ASM -DECP_NISTZ256_ASM
> > OPENSSLDIR: "/usr/lib/ssl"
> >
> > Since the output above does not have OPENSSL_NO_HEARTBEATS, I assume
> > heartbeats are not disabled in the build.
> > So I am back to square one :( -> how do I make the server respond to a
> TLS
> > heartbeat request ? Do I have to read the packet and write it back ?
>
> You should also check <openssl/opensslconf.h> for OPENSSL_NO_HEARTBEATS.
>
> $ cd openssl
> $ grep -B 1 -A 1 HEART include/openssl/opensslconf.h
> #endif
> #ifndef OPENSSL_NO_HEARTBEATS
> # define OPENSSL_NO_HEARTBEATS
> #endif
>
> Jeff
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] How to respond to TLS heartbeat in openssl

2017-12-21 Thread Jeffrey Walton
On Fri, Dec 22, 2017 at 1:32 AM, Keshava Krishna Bhat K
 wrote:
> Ok, I got to know that
>  openssl version -a gives out the flags used while building openssl.
> so the output of this was
>
> OpenSSL 1.0.2g  1 Mar 2016
> built on: reproducible build, date unspecified
> platform: debian-amd64
> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
> -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> -DGHASH_ASM -DECP_NISTZ256_ASM
> OPENSSLDIR: "/usr/lib/ssl"
>
> Since the output above does not have OPENSSL_NO_HEARTBEATS, I assume
> heartbeats are not disabled in the build.
> So I am back to square one :( -> how do I make the server respond to a TLS
> heartbeat request ? Do I have to read the packet and write it back ?

You should also check <openssl/opensslconf.h> for OPENSSL_NO_HEARTBEATS.

$ cd openssl
$ grep -B 1 -A 1 HEART include/openssl/opensslconf.h
#endif
#ifndef OPENSSL_NO_HEARTBEATS
# define OPENSSL_NO_HEARTBEATS
#endif

Jeff


Re: [openssl-users] How to respond to TLS heartbeat in openssl

2017-12-21 Thread Keshava Krishna Bhat K
Ok, I got to know that
 openssl version -a gives out the flags used while building openssl.
so the output of this was

OpenSSL 1.0.2g  1 Mar 2016
built on: reproducible build, date unspecified
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
-Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/lib/ssl"

Since the output above does not have OPENSSL_NO_HEARTBEATS, I assume
heartbeats are not disabled in the build.
So I am back to square one :( -> how do I make the server respond to a TLS
heartbeat request ? Do I have to read the packet and write it back ?

But code in the following file and method suggests this would be done
automatically (but again I have a layman's knowledge on C, I could be wrong)
t1_lib.c tls1_process_heartbeat

Regards,
Keshava.

On Thu, Dec 21, 2017 at 11:49 AM, Keshava Krishna Bhat K <
keshavkrishn...@gmail.com> wrote:

> Hi,
>
> Is this controlled by the Makefile?
>
> Regards,
> Keshava.
>
> On Wed, Dec 20, 2017 at 6:20 PM, Keshava Krishna Bhat K <
> keshavkrishn...@gmail.com> wrote:
>
>> Hi All,
>>
>> I am writing a TLS server that responds to an incoming TLS heartbeat
>> request. I am using OpenSSL 1.0.2g .
>> But I am not able to get the server to respond to a heartbeat request.
>> Any clue on what I am missing?
>> The code snippets are here
>> https://stackoverflow.com/questions/47902283/how-to-respond-to-tls-heartbeat-in-openssl .
>>
>> I also got a clue that the version of openssl I am using might have
>> heartbeats disabled. But how do I check if heartbeats are enabled in OpenSSL
>> 1.0.2g?
>>
>> Regards,
>> Keshava.
>>
>
>
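
Added example (not part of the thread, and not OpenSSL's code): what answering a heartbeat request involves under RFC 6520, written as a stand-alone C function that echoes the payload and drops any message whose payload_length field claims more bytes than were received. The function, macro and sample names are made up for illustration, the two sample messages are constructed, and reading the padding from /dev/urandom is an assumption about the platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1      /* heartbeat_request  (RFC 6520) */
#define HB_RESPONSE    2      /* heartbeat_response (RFC 6520) */
#define HB_HEADER_LEN  3      /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16     /* minimum padding required by RFC 6520 */
#define HB_MAX_MESSAGE 16384  /* a HeartbeatMessage must not exceed 2^14 bytes */

/* Constructed samples: a valid request carrying "ping", and a 23-byte message
 * that claims a 16384-byte payload. The trailing bytes are zero padding. */
static const uint8_t SAMPLE_OK[23]        = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t SAMPLE_OVERCLAIM[23] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };

/* Fill buf with random bytes for the response padding; returns 1 on success. */
static int fill_random(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, len, f) : 0;
    if (f) fclose(f);
    return got == len;
}

/* Build the response to one decrypted heartbeat message `msg` of `msg_len`
 * bytes. Returns the response length written to `out`, or 0 when the message
 * has to be dropped silently. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap)
{
    size_t payload_len, resp_len;

    if (msg == NULL || out == NULL) return 0;
    if (msg_len < HB_HEADER_LEN + HB_MIN_PADDING || msg_len > HB_MAX_MESSAGE) return 0;
    if (msg[0] != HB_REQUEST) return 0;          /* only requests are answered */

    payload_len = ((size_t)msg[1] << 8) | msg[2];
    /* The length field is sender-controlled: it must fit in the bytes that
     * were actually received, after the header and the minimum padding. */
    if (payload_len > msg_len - HB_HEADER_LEN - HB_MIN_PADDING) return 0;

    resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return 0;

    out[0] = HB_RESPONSE;
    out[1] = msg[1];                             /* same payload_length */
    out[2] = msg[2];
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, payload_len);   /* echo payload */
    if (!fill_random(out + HB_HEADER_LEN + payload_len, HB_MIN_PADDING)) return 0;
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("valid request   -> %zu-byte response\n",
           hb_build_response(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out));
    printf("over-long claim -> %zu (dropped)\n",
           hb_build_response(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM, out, sizeof out));
    return 0;
}
```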


Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-21 Thread Sands, Daniel
I'm a fellow SSL-USER and not an expert, but my verification flow goes
as follows:

X509_STORE_CTX_new()
X509_STORE_CTX_init(ctx,NULL,cert,NULL) <-- The certificate to verify
X509_STORE_CTX_trusted_stack(ctx,CACertificateStack) <-- Perhaps this
is the difference?
X509_verify_cert(ctx)


On Thu, 2017-12-21 at 12:42 +0100, Manuel Wagesreither wrote:
> Dear all,
> 
> I'm struggling with programmatically verifying a certificate which is
> solely stored in memory, i. e. not on the file system. The
> certificate and the CA seem to be fine though, because when I extract
> them from memory and store them as a file, and use the `openssl
> verify`, verification is successful. Hence I suspect my code is
> faulty.
> 
> Unfortunately, I'm under the impression that validating certificates
> which exist solely in memory is a niche application. I was yet not
> able to find a comprehensive tutorial or even a code sample on the
> internet. Hence, I hope you can help me.
> 
> Below I'm posting my sample code. (I have stripped the certificate
> and CA raw data, though.) It can be compiled and run under a GNU/Linux
> system.
> When this code is run, OpenSSL emits a "certificate signature
> failure" with an error depth of 0.
> 
> Thanks a lot!
> Manuel
> 
> 
> 
> #include <openssl/x509.h>
> #include <iostream>
> #include <stdexcept>
>
> unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and so on */ };
> unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };
>
> int main(int, char**)
> {
>     // This holds the return codes and gets reused for most function calls
>     int rc = 0;
>
>     // Make a new store
>     X509_STORE *x509_store = X509_STORE_new();
>     if (x509_store == NULL) {
>         throw std::runtime_error("X509_STORE_new() failed");
>     }
>
>     // Load and convert the authority's certificate to a compatible form
>     X509 *auth_cert = NULL;
>     {
>         const unsigned char* auth_cert_ptr = g_authority;
>         auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
>         if (auth_cert == nullptr) {
>             throw std::runtime_error("d2i_X509() failed for authority's certificate");
>         }
>     }
>
>     // Add the authority's certificate to the store
>     rc = X509_STORE_add_cert(x509_store, auth_cert);
>     if (rc != 1) {
>         throw std::runtime_error("X509_STORE_add_cert() failed");
>     }
>
>     // Make a new store context
>     X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
>     if (x509_store_ctx == NULL) {
>         throw std::runtime_error("X509_STORE_CTX_new() failed");
>     }
>
>     // Load and convert the certificate to be verified to a compatible form
>     X509 *myself = NULL;
>     {
>         const unsigned char *my_cert_ptr = g_cert;
>         myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
>         if (myself == NULL) {
>             throw std::runtime_error("d2i_X509() failed for own certificate");
>         }
>     }
>
>     rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
>     if (rc != 1) {
>         throw std::runtime_error("X509_STORE_CTX_init() failed");
>     }
>
>     rc = X509_verify_cert(x509_store_ctx);
>
>     // Read the result while the context is still alive, then release everything
>     int err = X509_STORE_CTX_get_error(x509_store_ctx);
>     int err_depth = X509_STORE_CTX_get_error_depth(x509_store_ctx);
>
>     X509_STORE_CTX_free(x509_store_ctx);
>     X509_STORE_free(x509_store);
>     X509_free(myself);
>     X509_free(auth_cert);
>
>     if (rc > 0) {
>         std::cout << X509_verify_cert_error_string(err) << std::endl;
>         return 0;
>     } else {
>         std::cerr << X509_verify_cert_error_string(err) << std::endl;
>         std::cerr << "Error depth: " << err_depth << std::endl;
>         return 1;
>     }
> }


[openssl-users] Fwd: Padding for RSA signatures

2017-12-21 Thread Gelareh Taban
Hi all,

I am playing around with RSA signatures with different padding options and
I have some questions.

I am trying to define different padding options and so am defining and
using an EVP_PKEY_CTX . However I am not sure if this padding is getting
used in the signature since  my Verify outputs OK regardless of which
option my Sign uses. Which leads to:

1 - Do I need to use an EVP_PKEY_CTX with the same options when doing
verify? If so, I assume I can't reuse the same PKey_Ctx and I have to
define another one. Right now even when I don't use any EVP_PKEY_CTX in
Verify, I still verify OK, which makes me question if the padding option
has been set.

2 - Is there a way to figure out what padding/hashing/etc option was used
for the Sign/verify operation? This way I can be sure what algorithm or
standard is being used.

3 - Do I need to set the hash function I am using in both EVP_PKEY_CTX  as
well as EVP_MD_CTX ? Or the latter is what defines this for the signing
option?

4 - In general, is there a way of making the Signature/Encryptions in
OpenSSL be deterministic for debugging/testing purposes?

5 - I noticed that there are two ways of determining the signature size:
(a) by calling EVP_PKEY_size(rsaKeypair) as I am doing below, as well as
(b) calling EVP_DigestSignFinal(md_ctx, nil, &sig_len) . Is one better than
the other?

My sample code is below for reference. It's in Swift (but it should still
be close enough to C to be readable). Also in Swift, some of the complex
macros in OpenSSL have to be broken down to be compilable hence my usage of
EVP_DigestUpdate instead of EVP_DigestVerifyUpdate .

Thanks in advance for any insight in the above.

cheers!
Gelareh


let md_ctx = EVP_MD_CTX_create()
let md_ctx_verify = EVP_MD_CTX_create()

// To define padding option used in signature
var pkey_ctx = EVP_PKEY_CTX_new(rsaKeypair, nil)

// EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PADDING) - complex macro needs to be replaced
EVP_PKEY_CTX_ctrl(pkey_ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, RSA_X931_PADDING, nil)

// EVP_PKEY_CTX_set_signature_md() When should this be set?

//  SIGN
var rc = EVP_DigestSignInit(md_ctx, &pkey_ctx, EVP_sha256(), nil, myRSA.rsaKeypair)

// EVP_DigestSignUpdate(md_ctx, message, message.count)
// Complex macro needs to be replaced
rc = EVP_DigestUpdate(md_ctx, message, message.count)

// allocate memory for signature
var sig_len: Int = Int(EVP_PKEY_size(rsaKeypair))
let sig = UnsafeMutablePointer<UInt8>.allocate(capacity: sig_len)

rc = EVP_DigestSignFinal(md_ctx, sig, &sig_len)

// VERIFY
rc = EVP_DigestVerifyInit(md_ctx_verify, nil, EVP_sha256(), nil, rsaKeypair)

// rc = EVP_DigestVerifyUpdate(md_ctx_verify, message, message.count)
rc = EVP_DigestUpdate(md_ctx_verify, message, message.count)

rc = EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len)

print("signature verified = \(rc == 1 ? "OK" : "FAIL")")


[openssl-users] Follow up

2017-12-21 Thread Sai Teja Chowdary
Hi all,
Merry Christmas!

Please take a look at my previous question; I appreciate every bit of help,
I'm stuck.
FYI the guy named ananthaneni saiteja chowdary and myself are the same. This
email had a problem subscribing to the mailing list earlier, hence the other
name.

Thanks
Saiteja.


Re: [openssl-users] Testing ports through firewall

2017-12-21 Thread Sai Teja Chowdary
Hi,
You can test ports with OpenSSL. But you gotta need a certificate for your
s_server. You can generate a self signed certificate with openssl.
Try this

https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

And place that file in the dir where you are running the s_server command,
or can use -cert argument to give the generated certificate.

And from the s_client connect to the port that you are listening with
s_server

Client:
openssl s_client -connect hostname:port

Server:
openssl s_server -accept PORT

Regards

Saiteja.

On 21-Dec-2017 7:07 PM, "warron.french"  wrote:

> Hello Community, and Merry Christmas/Happy Seasons Greetings,
>anyway, I need some help with understanding an openssl feature -
> *s_server*.
>
> I executed the following command:  openssl s_server -accept 21937 -www &
> And immediately got the following output:
> [1] 3286
> [sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private
> key file server.pem
> 140679739017032:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:398:fopen('server.pem','r')
> 140679739017032:error:20074002:BIO routines:FILE_CTRL:system
> lib:bss_file.c:400:
> unable to load server certificate private key file
>
> In order to test ports that are not encrypted with SSL/TLS do I still have
> to generate a certificate and private key file (each)?
>
> I would like to test ports from one machine using openssl s_client against
> a remote machine on an opposing network, running a "listener", using
> openssl s_server.
>
> Perhaps I am way off?  I am not allowed to use openssl for this sort of
> thing?
> Any guidance would be greatly appreciated because I want to expand my
> understanding of the openssl suite of commands and its offerings.
>
>
> Have a nice day,
> --
> Warron French
>
>


Re: [openssl-users] Testing ports through firewall

2017-12-21 Thread Jakob Bohm

On 21/12/2017 14:36, warron.french wrote:

> Hello Community, and Merry Christmas/Happy Seasons Greetings,
>    anyway, I need some help with understanding an openssl feature -
> *s_server*.
>
> I executed the following command: openssl s_server -accept 21937 -www &
> And immediately got the following output:
> [1] 3286
> [sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate
> private key file server.pem
> 140679739017032:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:398:fopen('server.pem','r')
> 140679739017032:error:20074002:BIO routines:FILE_CTRL:system
> lib:bss_file.c:400:
> unable to load server certificate private key file
>
> In order to test ports that are not encrypted with SSL/TLS do I still
> have to generate a certificate and private key file (each)?
>
> I would like to test ports from one machine using openssl s_client
> against a remote machine on an opposing network, running a "listener",
> using openssl s_server.
>
> Perhaps I am way off?  I am not allowed to use openssl for this sort
> of thing?
> Any guidance would be greatly appreciated because I want to expand my
> understanding of the openssl suite of commands and its offerings.

Any normal SSL/TLS server needs a certificate.  For testing the
certificate doesn't have to be "real" (from a trusted public CA).
A dummy certificate for a server named "computer.example.com" can
be generated using the command:

openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout server.key -out server.pem -subj /CN=computer.example.com/O=test/C=US



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[openssl-users] Testing ports through firewall

2017-12-21 Thread warron.french
Hello Community, and Merry Christmas/Happy Seasons Greetings,
   anyway, I need some help with understanding an openssl feature -
*s_server*.

I executed the following command:  openssl s_server -accept 21937 -www &
And immediately got the following output:
[1] 3286
[sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private key
file server.pem
140679739017032:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen('server.pem','r')
140679739017032:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load server certificate private key file

In order to test ports that are not encrypted with SSL/TLS do I still have
to generate a certificate and private key file (each)?

I would like to test ports from one machine using openssl s_client against
a remote machine on an opposing network, running a "listener", using
openssl s_server.

Perhaps I am way off?  I am not allowed to use openssl for this sort of
thing?
Any guidance would be greatly appreciated because I want to expand my
understanding of the openssl suite of commands and its offerings.


Have a nice day,
--
Warron French


Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-21 Thread Manuel Wagesreither
Dear all,

I forgot to mention that I'm using OpenSSL 1.0.2k.

Regards
Manuel


[openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-21 Thread Manuel Wagesreither
Dear all,

I'm struggling with programmatically verifying a certificate which is solely 
stored in memory, i. e. not on the file system. The certificate and the CA seem 
to be fine though, because when I extract them from memory and store them as a 
file, and use the `openssl verify`, verification is successful. Hence I suspect 
my code is faulty.

Unfortunately, I'm under the impression that validating certificates which 
exist solely in memory is a niche application. I was yet not able to find a 
comprehensive tutorial or even a code sample on the internet. Hence, I hope you 
can help me.

Below I'm posting my sample code. (I have stripped the certificate and CA raw 
data, though.) It can be compiled and run under a GNU/Linux system.
When this code is run, OpenSSL emits a "certificate signature failure" with an 
error depth of 0.

Thanks a lot!
Manuel



#include <openssl/x509.h>
#include <iostream>
#include <stdexcept>

unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and so on */ };
unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };

int main(int, char**)
{
    // This holds the return codes and gets reused for most function calls
    int rc = 0;

    // Make a new store
    X509_STORE *x509_store = X509_STORE_new();
    if (x509_store == NULL) {
        throw std::runtime_error("X509_STORE_new() failed");
    }

    // Load and convert the authority's certificate to a compatible form
    X509 *auth_cert = NULL;
    {
        const unsigned char* auth_cert_ptr = g_authority;
        auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
        if (auth_cert == nullptr) {
            throw std::runtime_error("d2i_X509() failed for authority's certificate");
        }
    }

    // Add the authority's certificate to the store
    rc = X509_STORE_add_cert(x509_store, auth_cert);
    if (rc != 1) {
        throw std::runtime_error("X509_STORE_add_cert() failed");
    }

    // Make a new store context
    X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
    if (x509_store_ctx == NULL) {
        throw std::runtime_error("X509_STORE_CTX_new() failed");
    }

    // Load and convert the certificate to be verified to a compatible form
    X509 *myself = NULL;
    {
        const unsigned char *my_cert_ptr = g_cert;
        myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
        if (myself == NULL) {
            throw std::runtime_error("d2i_X509() failed for own certificate");
        }
    }

    rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
    if (rc != 1) {
        throw std::runtime_error("X509_STORE_CTX_init() failed");
    }

    rc = X509_verify_cert(x509_store_ctx);

    // Read the result while the context is still alive, then release everything
    int err = X509_STORE_CTX_get_error(x509_store_ctx);
    int err_depth = X509_STORE_CTX_get_error_depth(x509_store_ctx);

    X509_STORE_CTX_free(x509_store_ctx);
    X509_STORE_free(x509_store);
    X509_free(myself);
    X509_free(auth_cert);

    if (rc > 0) {
        std::cout << X509_verify_cert_error_string(err) << std::endl;
        return 0;
    } else {
        std::cerr << X509_verify_cert_error_string(err) << std::endl;
        std::cerr << "Error depth: " << err_depth << std::endl;
        return 1;
    }
}