RE: Output a file as a PKCS#7
PEM_write_X509 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chipsets .
> >excellent source of random data available to you > > I thought consensus was that since it was a closed system, > whiten it or use it as input to entropy. This is what OpenSSL does when you use RAND_screen(). It munges it up numerous items, including the PRNG, through a cryptographic hash (MD5 if I recall correctly). - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: BIO for use with Win2K IO Completion Ports
> > I am planning to use SSL with the IO completion port model under > > win2K. Does anyone know of an existing BIO suitable for this ? I > > haven't been able to find one, so thought I would write my own. > > However, there seem to be hard-coded BIO_TYPE values for > the different > > bios in the bio.h file. Does anyone know if these numbers have any > > meaning, or can I just make up my own id number ? > > The normal way of doing SSL over the top of IO completion ports is by using a BIO pair and standard NT async network calls. The BIO pair creates 2 BIO's (hence the pair): BIO 1 (Network BIO): Data written to and read from this data will be encrypted. So the data from the network is written to this BIO. Data read from this BIO should be written to the network. BIO 2 (Internal BIO): Data written to and read from this data will be unencrypted. So unencrypted data from the application is written to this BIO. The application reads it's unencrypted messages from this BIO. The BIO's are linked, so data written to the internal BIO is encrypted and placed on the network BIO as data to be sent and data written to the network BIO is unencrypted and placed on the internal BIO as data to be read. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: EVP initialization question
> So, does EVP_CIPHER_CTX_cleanup free the context's memory as well as > clearing it, or is that left to me? I can't seem to find that > in the man pages... A quick inspection of the code, suggests that NO memory is actually allocated (the EVP_CIPHER_CTX contains pre-sized buffers for all the necessary data). When the EVP_CIPEHR_CTX goes out of scope (or is deleted from the heap), everything should be free'd. N.B. You should still call EVP_CIPHER_CTX_cleanup before the context goes out of scope (or is deleted from the heap), as it reset's everything in the structure to ensure nothing sensitive remains in memory. The only memory to worry about is the application data, which you can set with the EVP_CIPHER_CTX_set_app_data() function and get with EVP_CIPHER_CTX_get_app_data(). If you choose to set it, you need to manage it (and I think you need to get it back and free it - assuming it's dynamically allocated - prior to calling EVP_CIPHER_CTX_cleanup as that will set the value to 0. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: EVP initialization question
> I guess I'm unclear about whether a context is something that's applicable to an > entire session or simply to one message. I tried it the former way, but > when I went to encrypt the second message, it included a part of the first > message that it had encrypted, which leads me to believe that I should be > cleaning that up and reinitalizing. You must cleanup the cipher context *as soon as possible* after completing the crypto operation, otherwise you're leaving sensitive information hanging around memory, i.e. immediately after calling EVP_EncryptFinal, call EVP_CIPHER_CTX_cleanup. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Representation of DN's
I'm still trying to see how X509_NAME_ENTRY objects are used to represent RDN's that contain multiple attribute-value assertions (AVA's). I assume this has something to do with the 'set' variable in the X509_NAME_ENTRY structure. Lutz? Steve? Any help would be seriously appreciated. Thanks, - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: a question about encrypt and decrypt using EVP interface
> memcpy(iv, "12345678", 8); > EVP_BytesToKey(EVP_idea_cbc(), EVP_md5(), "salt", pw, > strlen(pw), 1, key, > iv); The salt value should be at least 8 bytes long - you're getting 3 random bytes here. You don't need to specify an iv value as this function creates it. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Client Authentication Windows NT
Have a look in the archive: http://marc.theaimsgroup.com/?l=openssl-users under the author 'Dale Peakall' and look for the subject 'Client Auth in IE'. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: libeay32.lib on WinCE ???
> Is OpenSSL available on WinCE? I am using the libeay32 > library of OpenSSL > for some hashing functions, and need to have it on WinCE. Any > help/comment > on this would be greatly appreciated. Compiling OpenSSL on WinCE would be a significant challenge as there is a distict lack of a C-runtime library on many versions of WinCE and the C-runtimes on the others sometimes have some slight incompatablities. i.e. you more or less have to develop your own C-runtime if you want to compile on WinCE. Good eh. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: LIBEAY32.dll Access Violation
> I have problems with Libeay32.dll which crashes when > I use SSL in multiple threads. The code that the thread executes > is always the same. Everything works well if there is only one thread, > but when there is several threads it crashes. > I get following message: > Unhandeled exception in X.exe (LIBEAY32.DLL) 0xC005: Access violation > The crash happend every time at: mov ecx, dword ptr[eax] > Other side (server program) crashes also with same exception > at: rep movs dword ptr[edi], dword ptr[esi] > The project uses MFC and I have multithreaded DLL (/MD) on at my compiler. There are several things here: 1. Have you compiled OpenSSL with the /MD flag? 2. Have you implemented the locking callback functions? See: http://www.openssl.org/docs/crypto/threads.html for info. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: New OID in openssl.cnf
> I need a new OID in the certificate. This OID is DC
>
> The DC I want is the top level element in the Distinguished Name.
> Ie. dc = cn, ou, o, dc
>
> [ new_oids ]
> # We can add new OIDs in here for use by 'ca' and 'req'.
> # Add a simple OID like this:
> # testoid1=1.2.3.4
> # Or use config file substitution like this:
> # testoid2=${testoid1}.5.6
> dc=?
>
> I have a few questions.
>
> 1. dc=dc does not work. dc=1.2.3.4 works.
You need to specify an OID. An OID is a ordered list of numbers.
The name associated with an OID cn, dc whatever is just that a name
associated with the number. The name is never used in the ASN.1
representation of the certificate just the numbers.
> 2. What should I put after dc in the [new_oid] section in this case ?
An OID. OID's are arranged in a heirarchy.
Each national standards organisation runs a section of the heirarchy.
1.2.840 is run by ANSI
1.2.826 is run by BSI
These national standards organisations then allocate an ID to organisations
who then manage and subsidiary nodes.
e.g. 1.2.840.113549 is RSA's ID, they then allocate ID's beneath this for
things like PKCS standards (e.g. 1.2.840.113549.1.7 is PKCS#7).
> 3. It works fine if I say 1.2.3.4 - where can I find out what
> it means ?
http://www.alvestrand.no/harald/objectid/ is a good place to start.
(Lots more OID information here too).
> 4. 1.2.3.4 reads as such in the certificate ! Unlike the others E
> (for email), O (for organization) and so on ...
In the actual certificate, every OID is a numbered list. Software
generally uses known OID->name associations to make the data more
readable. Your OID is not known, and therefore has no associated
friendly name.
> So, its obvious that I am doing something wrong or totally
> ignorant here.
Totally ignorant I'm afraid ;)
Hope this helps.
- Dale.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: netscape_comment extension
> > This is a non-authenticated attribute. i.e. it's not > > signed and can be changed by the user without changing > > the certificate signature. > > Wrong. *Everything* in a certificate is signed. Don't you hate it when you're wrong. Was confusing myself with S/MIME and M$'s certificate properties (which I assumed were S/MIME style non-authenticated attributes). - Dale. P.S. Anyone know where the X.509 V3 spec can be found (without having to purchase all $92 of it from ansidocstore which seems a little excessive particularly as I've already got the '88 spec)? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: netscape_comment extension
> What do You think? May I use the netscape_comment extension to hold my > application specific information in text form (maybe in base64)? This is a non-authenticated attribute. i.e. it's not signed and can be changed by the user without changing the certificate signature. So don't use it for anything related to security. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: SSL access to Web server
> > Not quite sure what you mean by bogus certificate. > Test certificates (Snake Oil and such). OK. > > The protection of this private-key is what's important here. > > You may rely on the hardware being physically secure to prevent the > > key being stolen, or on the operating system, or require that the > > private-key be stored on a smart-card. However you do it, your > > guarentee of client id is only as secure as that private key. > So, how do the browsers manage the private-key? Is it only > the OS that prevents unauthorized access to it? Can't speak for Netscape, haven't used it in years, but IE relies on the OS. Certificates and private keys are stored in "Certificate Stores". There is one "Certificate Store" per user, and one for the whole system. How this is implemented I really don't know, so can't tell you a whole lot more. On 2K systems, you can browse the certificate stores using an MMC plug-in. None of the default Administrative Tools include it, but start MMC.EXE and then add the plug-in. It's pretty obvious "Certificate Manager" or something like that. > > > How do I know that I'm giving the certificate to the browser that > > > requested it? > > > > You get them to include a password in the request, which is used to > > encrypt the private-key. Without that password, the private-key is > > of no use to them and they can't perform client authentication. > Do the browsers manage this by themselves? (i.e.: Do they prompt for the > passfrase as mod_ssl does on starting up?) Again speaking for IE here... IE can either ask for the password when the certificate is to be used, or you can specify the password when importing the certificate and never have to bother with it again. > > The real big question, is how do you know that they are who > > they claim to be when they make a certificate request. > Mmmhh... What sort of information can you ask for to validate? In a small to medium sized organisation, you can get them to input some detail and then phone them up to check they've made a request, check the detail (e.g. favourite colour) etc. In larger organisations, or in disperse environments, things are a little more difficult. It really all depends on your environment, weighing risks of fraud against the cost of attempting to prevent that fraud. In most organisations, the biggest risk will come from careless / trusting users who will either leave their workstation logged on and unattended (with either a session in progress or no password on their key) or tell a colleague the password so they can do something for them etc etc etc. Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: SSL access to Web server
> I need to set up secure access to Web accessible database. > I'm going to be using Apache on a Linux machine, which I have > already started trying out with bogus certificates. However, > I need some help on the client side. Not quite sure what you mean by bogus certificate. > I know that both Netscape and IE support client certificates, > but I don't know how it works exactly. How is it that a certificate > cannot be copied between browsers? Nothing prevents a certificate being copied between browsers. Client authentication works because it proves that the client is in possession of both the certificate and the associated private key. The protection of this private-key is what's important here. You may rely on the hardware being physically secure to prevent the key being stolen, or on the operating system, or require that the private-key be stored on a smart-card. However you do it, your guarentee of client id is only as secure as that private key. > Do Netscape & IE generate a unique ID key? Nope. > Any pointers to docs on how to set that up? Maybe a client-request > web page? It's pretty easy to create certificate requests using a web-page and the openssl command line tool. Look at the documentation for 'req'. I use a simple perl script to process the contents of the web-page and generate the request. > In any case, how do the certificates get to the clients once > I've signed them? However you like, it's probably worth converting them to PKCS#12 as you'll need to provide them with the private-key as well (and this is the format browsers like to be provided client certificates). You can do this using the openssl 'pkcs12' command (again see the docs). E-mail attachments are generally a fairly reliable means of returning the appropriate data. > How do I know that I'm giving the certificate to the browser that > requested it? You get them to include a password in the request, which is used to encrypt the private-key. Without that password, the private-key is of no use to them and they can't perform client authentication. The real big question, is how do you know that they are who they claim to be when they make a certificate request. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: MS Explorer Client Certificate
> The apache/mod_ssl "HowTo" states that a directory can be > defined to require >clients to be authenticated for a particular > URL based upon client certificates signed by a certificate > specified by the keyword SSLCACertificateFile. I assume > that this implies that I can use my own self-signed CA cert > file to sign these client certificates. A really nice feature for > internal control of data on the intranet. That's right. > Now what is the secret to get the Microsoft Explorer (5.+) to > accept these client certificates and pass them to the https > server? The explorer pops up a dialog box asking which cert > to use (which is good) when I connect to the https server > with the URL of the protected directory, however nothing is > in the dialog box to select! The empty dialog is a bug. It has been fixed in the most recent release of IE. However, the reason IE doesn't display any certificates in the dialog is not a bug, read on. i.e. The bug in IE is to display a dialog when it's clear there is nothing to the user can do. > No matter what I do, I cannot import a client cert into the > explorer and have it end up in the dialog box. Is this > another one of those internal Microsoft secrets or another > clever "feature" forcing the world to pay for commercial > grade client certificates? Poor (yeh right) old MS, they get blamed for some terrible things, but no this isn't a clever feature of IE. As far as I know MS are not in league with the commercial CA's. There are several things that could be wrong. 1. Did you successfully import your client certificate into your personal certificate store? You should be able to see your certificate listed if you look under Tools; Internet Options; Content; Certificates; Personal Certificates (o something like that - I'm working from memory here). When you import your certificate, you need to import it in PKCS#12 format so that you include the private key associated with the certificate. To convert a PEM certificate/private key pair to PKCS#12 format, use the 'openssl pkcs12' command. As I'm ill and working from my PDA and so can't remember the exact arguments atm, but a quick search of the archive will turn up recent posts on how to use this command. Or you can look at the docs. 2. Have you imported the CA certificate onto the client PC? I'm not 100% on this one, but I'm pretty sure IE won't use a client certificate that it doesn't trust. You obviously don't need to import this certificate as PKCS#12 with the CA's private key. Importing the PEM certificate should be OK. I seem to recall a problem with IE when trying to import PEM certificates that include other text (like a human-readable form of the certificate) before the BEGIN CERTIFICATE line. Just remove all these lines and you should be OK. 3. Does the keyUsage attribute on the client certificate include the authenticate and encrypt roles? What about the extendedKeyUsage? keyUusage et al. is a non-authenticated attribute, so you can change the current value from within the IE certificate manager. Alternatively, you can set these attributes when you create your certificates. Look at the openssl.cnf supplied. It includes an example of setting these attributes. 4. Does your server trust the CA used to sign the client certificate? The SSL protocol sends a list of CA's that the server trusts to the client when a client tries to access a resource that requires (or requests) a client certificate. In this way, the client will not choose a certificate that the server will find unacceptable. This is the most common source of confusion with client authentication. I'm not sure about how to set-up the trusted certificates in Apache, look at your docs for this one. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: class of a certificate
> I've read that 3 types of certificates exist. From "class 1" > to "class 3" (the higher the safer). How could I find, in a > certificate created thanks to openssl, the number of the class > it belongs to ? You've been misinformed. Certificates have no intrinsic class. Verisign, a commercial certificate agency, provide three different "classes" of certificate. These act in the way you describe. Each is signed by a different root CA. You determine the Verisign class by determining which Verisign CA certificate signed the certificate you are looking at. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: commerical certificates
> I'm a newbie in SSL and I need your advice. > I've just setup an Apache with OpenSSL configured using Mod_SSL. > I've created my own certificate using the command > o make certificate TYPE=custom > > I am able to start the SSL-enabled Apache. > > However, when I try to access the secure site that I've just setup, > there was this "New Certificate" message. > > What is the difference between the certificate I've created and the > Verisign's commercial certificate ? Which one should I used (under > what circumstances) ? Web-browsers have a number of different root CA certificates embeded in them. You can see the list that Internet Explorer has by looking at Tools | Internet Options | Content | Certificates | Trusted Root Certification Authorities. You'll see that there are certificates from Verisign, Thawte, GTE Cybertrust and many others. You won't see yours. That's the difference. The reason this is important is becayse these certificates are used by the browser when validating a server's certificate. Your server's self-signed certificate is obviously not signed by one of these agencies. So the browser warns the user, that the server they are communicating with isn't trusted at the moment. In a closed user community you can add your certificate to the list of trusted certificates on the browser. This is not practical (or advisable) over an open community like the Internet. What people are doing when they buy a certificate from a commercial CA is saying to the user "if you trust the CA, then you can trust me". Since the major web-browsers come with a default set of CA certificates this is totally transparent to the user (not necessarily a good thing). > I read something about the CA certificate, but I don't really know > what it is used for. Can someone enlighten me please ? Certificates are used to prove an identity. This process works because each certificate (which includes the identity of the user) is signed by an entity. You verify that you trust a certificate by verifying the signature of the certificate. This is a recursive process: you then need to verify the signer of the signer of the certificate etc. Eventually you will arrive at a self-signed certificate. This is the root (or CA) certificate. You must implicitly trust the CA certificate, because there is no-one else to vouch for it. In a browser, this is done by checking against the stored common "commercial" root CA certificates. Hope that makes sense. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: newbie what is openssl used for?
OpenSSL is a library used for developing applications that can communicate using the SSL/TLS link-layer encryption facilities. Link-layer encryption can be used to carry any other protocol. This is demonstrated by the 'stunnel' application that can be used to transparently add SSL encryption to other applications. > I would like to know what is the advantage of using openssl. The advantages to using OpenSSL are that it's: o free o well-maitained o well-supported (by this mailing list) o easy-to-use o free of any known security problems > Do openssl users still have to pay for services like verisign. If you wish to have a verisign certificate, then yes. Depending on your application you may not need a "commercial" certificate. OpenSSL provides all the facilities you need to create your own certificates. If you wish to create a certificate for use in a internet deployed web-server, then a "commercial" certificate is needed, as the users will not have your CA's root certificate embeded in the browser. > I have looked on the opensll site but my English is not that good, > if someone can give me a simple explanation it would be very much > appreciated. OpenSSL basically adds an additional set of I/O primitives: To read encrypted data, you call SSL_read(). To write encrypted data, you call SSL_write(). Before you can do this, you need to set-up a number of things first, and there are some other tasks, but nothing amazingly difficult. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
DN's in CA index.txt file
A couple of questions: 1. As far as I can see the DN's stored in the index.txt file does not differentiate between a list of RDN's, and RDN's with multiple AVA's. i.e. they are all seperated by a slash '/' character. Is this correct? 2. What's the escape character used (for example to quote an '=' character that is not used to seperate attributes from their values)? - Dale. mailto:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Installing user certs into IE
> I know this seems to have been answered before but I'm > not really having any joy with the previous solutions. > I've created a self-certified CA certificate using openssl > which has been installed into IE. I've then created a user > cert which has been signed by the CA, converted it to the > PKCS#12 format and installed that into IE. IE indicates > that all seems to have been installed okay. However, when > I try to access a secure page which requires client > authentication, it doesn't appear on the list. > Why is this and what solutions are there ? I tried the cook > book solution suggested but I think it must be out of date > as File::CounterFile can't be located. The Web-server sends a list of trusted CA's to the client so that it can determine whether any of it's certificates are appropriate. I assume that your web-server isn't set up to trust your self-signed CA. If you're trying to set-up IIS 5 (under Win2K) to trust your certificate have a look at my soon to be posted conclusion to the "Client Auth from IE" discusssion that I instigated last week. - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Client Auth from IE
I've got a problem performing client auth from IE.
I've created a CA cert and used this to create two key-pairs: one for a
web-server (nsCertType=server),
the other for a client (nsCertType=client,email).
I've installed the CA cert as a trusted root CA, setup IIS with the
web-server certificate, and imported
a PKCS#12 version of the client key-pair into IE.
I can communicate with the web-server using https and according to the
certificate manager in IE, I have
a Personal certificate (suitable for client auth).
The problem occurs when the web-server requests a client certificate: IE
pops up a dialog and asks which
certificate I'd like to use - the problem is no certificates are listed.
What's going on?
Cheers,
- Dale.
--
Dale Peakall
mailto:[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Private key decoding
> I have a private key created by the ssleay cert. cookbook. The > problem is that this key is encrypted , but , to make > the OpenLDAP server TLS enabled , I need to have the > private key in clear text. > > Please guide me to any tool which can do the same. Please read the FAQ. http://www.openssl.org/faq/ - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: A question about threads
> I'm still fighting against casual fall-downs with my server and OpenSSL. I > found an interesting point from OpenSSL man pages that mentioned two > important call back functions that have to be set. "locking_funktion" and > "id_function". If I understood correctly the id one is not > needed with NT or Linux... how about with Aix or Solaris? Is the > "locking_funktion" ment to offer OpenSSL some kind of locking service? F.ex. with > mutexes? If so might there be an example somewhere? I don't quite understand what kind the > function should be... Read the threads manual page http://www.openssl.org/docs/crypto/threads.html. Implementations of the functions for lots of o/s are in crypto/threads/th-lock.c - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: SSL_read problem
You need to determine what the SSL error is that you're receiving (use SSL_get_error). It may well be SSL_ERROR_WANT_READ saying that you need to call SSL_read again for it to get all the data you've requested (particularly if you're using non-blocking sockets). - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: RSA key creation from an external source (i.e file)
> I need to create an RSA (or DSA) key structure in C++ program given the > fact that the key is stored in external file. This key will be the > public key used for the verification of the digital signature. I have > browsed the crypto(3) online documentation but I have found no easy way > of doing this. Could anyone recommend a solution? openssl x509 -in cert.pem -C -noout __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: transport layer question
> SSL/TLS can only work on top of TCP. Rubbish, a collegue of mine integrated SSLeay into our OSI stack, and was able to run SSL on top of TP0/X.25, TP4/(CLNP), as well as TP0/RFC 1006 -> TCP. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: DHE with DSS certificates
> I am doing that. I am using the same function which s_server uses to load > the DH parameters. But I still get this error message. Can anything else be > wrong? The "no shared ciphers" message can occur for at least one reason that has nothing to do with cipher suite negotiation per se. One I spent most of today locating was using the wrong private key with my certificate! - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
