Re: ICC and printers - wrong list

2021-06-25 Thread Frans de Boer

On 6/25/21 8:08 PM, Frans de Boer wrote:

LS,

I keep getting the message "You need Gnome Color Management installed in 
order to calibrate devices" when I select Color Management in the System 
Setting under KDE.


The thing is, colord as well as the gnome-color-manager are both 
installed. So, why does it not see the latter program?


Anybody experience with it?

Regards, Frans.

--
A: Yes, just like that
Q: Oh, just like reading a book backwards
A: Because it upsets the natural flow of a story
Q: Why is top-posting annoying?

Sorry, wrong list :)



ICC and printers

2021-06-25 Thread Frans de Boer

LS,

I keep getting the message "You need Gnome Color Management installed in 
order to calibrate devices" when I select Color Management in the System 
Setting under KDE.


The thing is, colord as well as the gnome-color-manager are both 
installed. So, why does it not see the latter program?


Anybody experience with it?

Regards, Frans.




Re: Goodbye

2020-07-04 Thread Frans de Boer

On 03-07-2020 14:51, Salz, Rich via openssl-users wrote:


  * topic: Change some words by accepting PR#12089

  * 4 against, 3 for, no abstentions

I am at a loss for words.

I can’t contribute to a project that feels this way.  The OMC (list at 
[1], a picture of some of them at [2] although it includes non-OMC 
members) is, in my view, on the wrong side of history. I hope that in 
time, the four men who voted against it will develop more – what, 
empathy? – and that sometime in the future this PR [3], or similar, 
will be merged.  Until then, I will do what I have to in order to 
insure that Akamai’s needs for FIPS are met and once 3.0 is released, 
I will be fully applying my modest talents elsewhere.


I have closed all non-FIPS PR’s, and as soon as I see this message in 
my inbox, I will unsubscribe from this list. I can be reached as rsalz 
at akamai.com.


[1] https://www.openssl.org/community/omc.html

[2] https://www.openssl.org/blog/blog/2019/05/23/f2f-committers-day/

[3] https://github.com/openssl/openssl/pull/12089 



What is next, attack the jing/jang colors or renaming the night from 
black to colorless?


I think this black/white or master/slave thing is blowing things out of 
proportion.
Humans have all kind of colors, including colorless and white. And when 
I think of master/slave, it is just a principle - something is 
controlling something else. That there was a period where white people 
controlled the fate of "black" people is a colorless period in human 
history. Which should not be forgotten, but remembered as a period with 
lots of wrongdoing to other human beings.


I understand that white people should not talk about "negros" or the 
like, but colorless people think they can still use this awful word. Now, 
who is dictating who? Don't do/say things you would not have it from 
others to yourself.


Black is not negative by definition, it is what your mind associates it with.

--- Frans.





[openssl-users] New kernel and Dracut

2015-05-04 Thread Frans de Boer
OK, I compiled a new kernel for the 13.2 release and was installing it. 
I have to manually copy bzImage and System.map because I do not use the 
make install which requires the perl-Bootloader to be available.


Before I just did mkinitrd -B and the initrd file was made. Now that is 
part of dracut and I can't create a new initrd file. The message log 
states that many modules are not supported - like Module raid1.ko is 
not supported... This is true because I did not compile this as a 
module, but as a built-in.


My system is not booting because it is waiting for my drives to appear. 
The exact same config is used under 12.3 and of course working. Now with 
dracut I run into problems.


Any suggestions?
Regards, Frans
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Grub troubles

2015-02-20 Thread Frans de Boer

Hi,

I have a server running 12.3 and want to install on a different 
partition the newer 13.2 distribution. Alas, after installation I can't 
boot 12.3 anymore because of wrong references. Every time I install a 
fresh kernel I have to manually edit the grub.cfg files to get 12.3 
booted again.


I also want to install a third system (LFS) without having to manually 
edit grub.cfg every time.
So, is it possible to install the GRUB core image in a different 
partition and have the kernels be placed in the /boot directory of their 
respective partitions? Using this method I just need to chain to the 
relevant partition to start the local GRUB menu handler.


- Between MBR and first partition: GRUB bootloader.
- First partition: GRUB core and simple menu.
- Second partition contains swap space
- partitions 3..n Contain GRUB menu handlers and local linux kernels in 
local /boot dir.


I need local GRUB handlers because of preserving the kernel version as 
supported by openSuse and newer standard kernels with better or newer 
support modules.


Reading the GRUB 2.00 manual is not so helpful - to me - because of lack 
of unambiguous explanations or examples.


Any suggestions?

Regards, Frans.


Re: [openssl-users] Grub troubles CANCEL

2015-02-20 Thread Frans de Boer

On 02/20/2015 11:42 AM, Frans de Boer wrote:

Hi,

I have a server running 12.3 and want to install on a different
partition the newer 13.2 distribution. Alas, after installation I can't
boot 12.3 anymore because of wrong references. Every time I install a
fresh kernel I have to manually edit the grub.cfg files to get 12.3
booted again.

I also want to install a third system (LFS) without having to manually
edit grub.cfg every time.
So, is it possible to install the GRUB core image in a different
partition and have the kernels be placed in the /boot directory of their
respective partitions? Using this method I just need to chain to the
relevant partition to start the local GRUB menu handler.

- Between MBR and first partition: GRUB bootloader.
- First partition: GRUB core and simple menu.
- Second partition contains swap space
- partitions 3..n Contain GRUB menu handlers and local linux kernels in
local /boot dir.

I need local GRUB handlers because of preserving the kernel version as
supported by openSuse and newer standard kernels with better or newer
support modules.

Reading the GRUB 2.00 manual is not so helpful - to me - because of lack
of unambiguous explanations or examples.

Any suggestions?

Regards, Frans.

Sorry wrong list posting


Re: Platinum Sponsorship by Huawei

2014-05-29 Thread Frans de Boer

On 05/29/2014 02:52 AM, Salz, Rich wrote:

Please don't feed the troll

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz


Being cynical is equal to being a troll?

The initial remarks made by an openssl representative was that most 
contributors are interested in features and nobody gets credits for being 
quality aware.


I have seen more OSS projects being forked because original developers 
were only interested in bringing the next great feature and called 
everybody who has a remark about quality a troll.


Then again, many developers do have a social handicap - that's why they 
are so good a developer.


Frans.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Platinum Sponsorship by Huawei

2014-05-29 Thread Frans de Boer

On 05/29/2014 09:52 PM, Jeremy Gray wrote:

government of North Korea... Even if no strings, it would damage the
perception people have of OpenSSL just being associated with that
entity. So, just be mindful of people's perceptions when accepting
anything.


+1.

Dennis Rodman goes to North Korea and says it's just basketball, not
political. Everyone except him knows he was used. OpenSSL cannot
metaphorically go to North Korea without damage to its brand --
especially now that real financial support is forthcoming.

Perhaps donations that would come with a public-relations risk could be
rerouted: gently declined with the suggestion that they be given no
strings attached to a 3rd party that *already* supports OpenSSL
development, like the Linux Core Infrastructure folks. Public-relations
risk is real. Avoiding conflicts of interest (no strings attached) is
essential but not enough--it's best to avoid even the appearance of a
conflict of interest. The psychological gains to be had from a donation
are real--that's the motivation for making them.

--Jeremy


On Thu, May 29, 2014 at 3:04 PM, Nikola Vassilev n...@greensoldiers.ca wrote:

Good on you for sending that apology.  I thought it was
inappropriate to label that commenter to dismiss his point of view.
I also think Steve addressed his cynical comments well, the part
about taking money from anyone as long as it comes with no strings
attached is wrong, IMHO. That can be easily tested by imagining the
worst possible source of money and it may be different for each
person, but let's say it's the government of North Korea... Even if
no strings, it would damage the perception people have of OpenSSL
just being associated with that entity. So, just be mindful of
people's perceptions when accepting anything.

Nick




 Original message 
From: Salz, Rich __
Date:05-29-2014 07:02 (GMT-05:00)
To: openssl-users@openssl.org
Subject: RE: Platinum Sponsorship by Huawei

Frans,

I apologize.  My posting was a mistake. (I meant to cancel my
posting, but instead my fingers hit control-return rather than escape.)

I am sorry that, on the basis of one posting, I called you a troll,
or implied that you had anything other than concern and interest in
seeing the best possible outcomes.

The only other thing I can say in my defense is that, if you look
through the archives, you would hopefully see that I usually don't
write that kind of message.

/r$

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz


Ok, I accept the above apologies as I just want to express my worries. 
Yes, it was cynical - I used one line from Huawei, which triggered my 
response. The initial comment from the OpenSSL spokesperson about the 
focused interest of developers was also not forgotten yet.
So, normally I do not react on those messages, but both combined was too 
good a chance to let it pass. Sorry if I caused some grief.


Also, in light of recent events (NSA cs.) and accusations between two 
major players, it is not only political. I expressed the general fear of 
who we can trust. As it turns out, no single government can be trusted 
with our privacy and/or assume they are there for us. So when relying on 
software which can shield us (somewhat) from their intrusive behavior, 
any direct or indirect reference to governments is hard to defend to 
the general public.


Looking at the fork by the OpenBSD community and hearing them say 
cleaning up does not strengthen the belief in OpenSSL but rather in 
those who use the right words. So, OpenSSL has some damage control to 
do, more so after the words from the spokesperson.


As of the point of not making it political. Sorry, politics is already 
involved. Some parliaments have been asking questions about the 
safety/privacy of citizens. I know that in the USA and many other 
countries privacy is not well guarded, but in Europe we are very 
conscious of that issue. High-ranking civil servants and even ministers 
have fallen/been damaged in the past because they showed disrespect for 
privacy.
Yes, I am working for a government who - in the past and currently again 
- has thrown out products of untrusted suppliers. One of them being .S. 
(fill in the dots). Alas, have them finally persuaded to look at OSS 
products, along comes a remark or certain sponsorship which destroys 
that fragile trust again.


Trust comes by foot and leaves on horseback.
Trust comes by foot and leaves by 

Re: Platinum Sponsorship by Huawei

2014-05-28 Thread Frans de Boer

On 05/28/2014 10:05 PM, Steve Marquess wrote:

Please accept our thanks as you have saved
us a lot of time and money


Yes, quite an understatement :\

Now a state sponsored company is sponsoring openssl.org? The bigger the 
country, the higher the stakes and thus also the measures to safeguard them.


And what does it help if the developers of openssl are still not taking 
their responsibility for the quality of their product(s)?!


 -- Frans.



Re: One CA for many clients (a silly question)

2009-07-16 Thread Frans de Boer
On Thu, 2009-07-16 at 13:50 -0700, Kyle Hamilton wrote:
 Create sub-CAs for each purpose, and have each device only
 authenticate its own CA's stuff (by making that subCA the CAfile).
 The root is a convenience at that point to be able to authenticate the
 entire chain of anything produced by it.
 
 -Kyle H
 
 On Wed, Jul 15, 2009 at 11:29 PM, stortoarancibid...@lucullo.it wrote:
 
  Hi All,
 
  I just have a silly question on Openssl.
 
  I use a self-signed CA to sign several server/clients cert.
 
  For example I could use signed certs to implement an OpenVPN LAN and one
  Wi-FI RADIUS auth for different clients.
 
  The question is: how to be sure that a client allowed to use the wifi do
  not use the same cert on the OpenVPN LAN?
 
  In other words, how could I segregate clients using the same CA?
@Kyle, one site using multiple CA's? When not just create different
authorizations with each specific cert? So, you would have a cert for
the CA, a cert for the openVPN server, different client certs to be used
with the openVPN service. etc.

Frans. 



Re: I want you to do my homework for me.

2009-05-02 Thread Frans de Boer
On Sat, 2009-05-02 at 07:19 -0700, Miguel Ghobangieno wrote:
 I'd like to do some crypto homework. It entails rebuilding the openssl
 library on windows 8 (C###). I'd like you to deatail the _EXACT_
 procedure for rebuilding/recoding/synergising the openssl library in
 windows 8's C###. You have to do this because I told you to, requested
 it of you, demanded it of you. 
 
 Accusations such as think of the code or learn openssl by reading
 the code etc will be forwarded to the Equal Empolyment Oppourtunity
 Commission.
 
 Furthermore I am aware that you opensource coders are all a buch of
 mysoginist sexists; for the most part you are all _men_. The EEOC is
 going to hear of THAT aswell.
 
 Period.
 Slash
 
Normally I do not react, but this message must be written by a child,
looking by the many spelling errors. So who can take this person
seriously? 'It' clearly has no clue about the real world. Or is it an
attempt to gobble up bandwidth on the Internet? In which case it
succeeded moderately.

Frans.



Re: X509 V1 version info

2008-08-28 Thread Frans de Boer
The version field is offset by one. So, 0=v1, 1=v2, 2=v3

Frans.

On Thu, 2008-08-28 at 12:21 +0530, Madhusudhan reddy wrote:
 Hi All,
  
   I am newbie to OpenSSL. I am facing problem verifying root
 certificate version X509V1. While debugging found the signature
 verification is not matching, it is because the calculated hash value
 is not correct for the root certificate. 

  And observed the version field X509->cert_info->version in
 X509 certificate is NULL. The wrong hash value is because of version
 field? Is something I am missing?
  
I am attaching the root Certificate with the mail.
  
Any help in this is greatly appreciated.
  
 Thanks,
 Madhu
  


__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
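
Added example, not part of the thread: in the X.509 ASN.1 the version is declared `[0] EXPLICIT Version DEFAULT v1`, so a DER-encoded v1 certificate omits the field altogether (which is why a parsed v1 certificate shows no version value), and when the field is present it holds the version number minus one, as stated in the reply above. The function names and the sample byte strings below are constructed for illustration; the samples are only the opening of a TBSCertificate, not real certificates.

```python
def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:end], end


def x509_version(der):
    """Return (version_number, encoded_value); encoded_value is None
    when the [0] version field is absent (DEFAULT v1)."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, content, _ = read_tlv(tbs)
    if tag != 0xA0:                       # first element is the serial number
        return 1, None
    itag, raw, _ = read_tlv(content)
    if itag != 0x02 or len(raw) != 1 or raw[0] > 2:
        raise ValueError("malformed version INTEGER")
    if raw[0] == 0:
        raise ValueError("explicit v1 is not DER: DEFAULT value must be omitted")
    return raw[0] + 1, raw[0]


def tlv(tag, content):
    """Build a short-form TLV for the constructed samples below."""
    if len(content) > 127:
        raise ValueError("sample builder handles short lengths only")
    return bytes([tag, len(content)]) + content


# Constructed inputs: Certificate { TBSCertificate { [version,] serial } }
SERIAL = tlv(0x02, b"\x01")
SAMPLE_V3 = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + SERIAL))
SAMPLE_V1 = tlv(0x30, tlv(0x30, SERIAL))
SAMPLE_V1_EXPLICIT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x00")) + SERIAL))

if __name__ == "__main__":
    for label, sample in (("v3", SAMPLE_V3), ("v1", SAMPLE_V1)):
        print(label, x509_version(sample))
```
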


openssl.cnf - two questions

2008-03-03 Thread Frans de Boer
Dear people,

 1. I seem to remember that you could place an include statement
in the openssl.cnf file. I wonder if I am mistaken, since that
does not work.
 2. Secondly, is there a proper description of the contents of the
openssl.cnf file, especially with the specific openssl.cnf
words. The distributed openssl.cnf is quite outdated (it still
uses nsComment and the like) and the used statements are not
always clear.

Thanks for any positive advice.
Frans de Boer.




Re: caRepository

2007-11-22 Thread Frans de Boer
Okay, this message needs to be forwarded to the organisation behind the
Grid certificate project. They found that openssl (back in 2006) did not
support the caRepository OID. They advised to use the caIssuers OID
instead but warned of incompatibility with software who do use that OID
correctly.

RFC3280 is already dated, why has openssl not implemented this? I am not
the first one to ask, but the first to get a workable answer. for that,
many thanks.

KR,
Frans.


On Thu, 2007-11-22 at 22:11 +0100, Dr. Stephen Henson wrote:
 On Thu, Nov 22, 2007, Frans de Boer wrote:
 
  Okay, but what is the numerical form? Must I dive into the source code -
  if it is documented at all? I remember discussions way back that the
  subjectInfoAccess object was removed anyhow to be reinserted later. Has
  it been removed again? I use version 0.9.8e.
  
  The line subjectInfoAccess = caRepository;URI:http://etc generates a
  syntax error
  
 
 It is the numerical form of the OID. Currently caRepository is not a
 recognized OID.
 
 You can use its numerical form which is 1.3.6.1.5.5.7.48.5 instead.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


Re: caRepository

2007-11-22 Thread Frans de Boer
Okay, in 2006 a laura asked the same question (more or less) and the
grid project also mentioned it in their papers. Another person asked
that too, but the response he got...plain insensitive. So I have found
three references in total. Indeed not much, but the Grid project is the
most important one. 

Question: why not include all the OID's mentioned in RFC3280 and
beyond? If you do not, where can we find these numeric representations
(and why have they not been included in the RFC in the first place)?

And finally, when is the example openssl.cnf replaced by one which does
not include deprecated objects like nsComment etc.

Tomorrow, I will try the OID you have given before.

Again, thanks for the effort,
Frans.

On Thu, 2007-11-22 at 23:40 +0100, Dr. Stephen Henson wrote:
 On Thu, Nov 22, 2007, Frans de Boer wrote:
 
  
  RFC3280 is already dated, why has openssl not implemented this? I am not
  the first one to ask, but the first to get a workable answer. for that,
  many thanks.
  
 
 OpenSSL doesn't include every OID in existence especially those which it may
 not have any use for. 
 
 Several mechanisms exist to add custom OIDs to OpenSSL so even if an OID
 doesn't have a human readable name it can still be used.
 
 Occasionally we miss one of the more common ones and they get added when it is
 brought to our attention.
 
 This is the first time I've seen anyone mention the lack of caRepository in
 OpenSSL.  I'll add the OID so OpenSSL will understand the text format in
 future versions.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


Re: caRepository

2007-11-22 Thread Frans de Boer
Hello Steve,

Where would I be without your excellent help. You have given pointers
so far I have not seen before. I read ASN1 books but no explanation you
have given. Many thanks again, this info helps me to better understand
ASN1 as well as how to fill in the blanks.

One last question. The error message stated syntax error, why not
missing or unknown OID? It now does suggest that the subjectInfoAccess
was at fault. So I was looking in the wrong places to start with.

Kind regards,
Frans.


On Fri, 2007-11-23 at 00:50 +0100, Dr. Stephen Henson wrote:
 On Thu, Nov 22, 2007, Frans de Boer wrote:
 
  
  Question: why not include all the OID's mentioned in RFC3280 and
  beyond? If you do not, where can we find these numeric representations
  (and why have they not been included in the RFC in the first place)?
  
 
 The OID is mentioned in the ASN1 module. But you have to expand each part.
 from RFC3280:
 
 id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
 id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
 
 id-pkix  OBJECT IDENTIFIER  ::=
  { iso(1) identified-organization(3) dod(6) internet(1)
 security(5) mechanisms(5) pkix(7) }
 
 Which expands to 1.3.6.1.5.5.7.48.5 as I said before.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
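
Added example, not code from the thread or from OpenSSL: the expansion walked through in the reply above, done mechanically. It resolves the three RFC 3280 value assignments quoted there into the dotted OID, DER-encodes it, and forms the numeric `subjectInfoAccess` value suggested earlier in the thread. The function names are hypothetical, and the encoder goes beyond this one OID by handling arcs larger than 127.

```python
import re

# The value assignments quoted from RFC 3280 in the message above.
ASN1_MODULE = """
id-pkix  OBJECT IDENTIFIER  ::=
         { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) }
id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
"""

ASSIGNMENT = re.compile(
    r"([A-Za-z][\w-]*)\s+OBJECT\s+IDENTIFIER\s*::=\s*\{([^}]*)\}")
NAMED_ARC = re.compile(r"[A-Za-z][\w-]*\((\d+)\)")


def parse_module(text):
    """Map each defined name to the raw components between its braces."""
    return {name: body.split() for name, body in ASSIGNMENT.findall(text)}


def resolve(name, table, _seen=()):
    """Expand a defined name into its full list of numeric arcs."""
    if name in _seen:
        raise ValueError("circular definition: " + name)
    if name not in table:
        raise KeyError("no definition for " + name)
    arcs = []
    for comp in table[name]:
        named = NAMED_ARC.fullmatch(comp)
        if named:                         # e.g. dod(6)
            arcs.append(int(named.group(1)))
        elif comp.isdigit():              # e.g. 48
            arcs.append(int(comp))
        else:                             # reference to another definition
            arcs.extend(resolve(comp, table, _seen + (name,)))
    return arcs


def dotted(arcs):
    return ".".join(str(a) for a in arcs)


def _base128(n):
    """Big-endian base-128 with the high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def der_encode_oid(arcs):
    """DER OBJECT IDENTIFIER: tag 0x06, length, then the packed arcs."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid leading arcs")
    body = _base128(40 * arcs[0] + arcs[1])   # first two arcs share one value
    body += b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not handled here")
    return bytes([0x06, len(body)]) + body


def sia_value(arcs, uri):
    """openssl.cnf subjectInfoAccess value using the numeric OID form."""
    return dotted(arcs) + ";URI:" + uri


CA_REPOSITORY = resolve("id-ad-caRepository", parse_module(ASN1_MODULE))

if __name__ == "__main__":
    print(dotted(CA_REPOSITORY))
    print(der_encode_oid(CA_REPOSITORY).hex())
    print("subjectInfoAccess = " + sia_value(CA_REPOSITORY, "http://www.foo.com/"))
```
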


Re: caRepository

2007-11-22 Thread Frans de Boer
Hello Steve,

I will come back on that subject soon. My bedtime is long overdue, so I
will respond this weekend or sooner if I have time.

KR,
Frans.


On Fri, 2007-11-23 at 01:50 +0100, Dr. Stephen Henson wrote:
 On Fri, Nov 23, 2007, Frans de Boer wrote:
 
  
  One last question. The error message stated syntax error, why not
  missing or unknown OID? It now does suggest that the subjectInfoAccess
  was at fault. So I was looking in the wrong places to start with.
  
 
 With the openssl command line utility you get:
 
 Error Loading extension section v3_ca
 21647:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too
 large:a_object.c:108:
 21647:error:2208B077:X509 V3 routines:V2I_AUTHORITY_INFO_ACCESS:bad
 object:v3_info.c:172:value=caRepository
 21647:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
 extension:v3_conf.c:93:name=subjectInfoAccess,
 value=caRepository;URI:http://www.foo.com/
 
 Now admittedly the first number too large is a bit misleading but the second
 error indicates a bad OID and that it doesn't like caRepository.
 
 Perhaps whatever you are using isn't printing out the full error message?
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


Re: SSL handshake problem.

2007-10-09 Thread Frans de Boer
Unless someone recognizes the text, it might be helpful if you tell a
little more about the server and client side.

frans.

On Wed, 2007-10-10 at 00:09 +0200, Alessandro Baggi wrote:
 I'm trying to make a client/server application with ssl connection but 
 the handshake doesn't work.
 
 Reading the manual page I've tried to do this to make ssl connection:
 
 Server layer:
 
 SSL_CTX *ssl = NULL;
 SSL *new = NULL;
 socketdescriptor = socketcreation();
 bind(...);
 listen(...);
 accept(...);
 ssl = SSL_CTX_new(SSLv3_server_method());
 new = SSL_new(ssl);
 SSL_set_fd(ssl, socketdescriptor);
 SSL_accept(new);
 
 Client layer:
 
 SSL_CTX *ssl = NULL;
 SSL *new = NULL;
 socketdescriptor = socketcreation(...);
 connect(..);
 ssl = SSL_CTX_new(SSLv3_client_method());
 new = SSL_new(ssl);
 SSL_set_fd(ssl, socketdescriptor);
 SSL_connect(new);
 
 When I try to get SSL connection Server give me an error on SSL_accept, 
 that return -1 with message: Operation not permitted and Client give me 
 on SSL_connect 0 with the same message.
 What is the right way to make an ssl connection?
 
 Thanks in advice.


Various questions

2007-10-09 Thread Frans de Boer
I have various questions:

1) The example openssl.cnf (9.8x) still contains the deprecated ns**
directives. Why, and why not using the RFC3280 (and later) directives.

2) I seem to fail to understand how I can provide the path to the root
certificate for verification of an end entity certificate. I can use the
ns** directives, but since they are deprecated, how can I provide a path
(URI) to the cacert.pem (or similar) file.

3) Is the string_mask directive an openssl directive (I am missing
IA5String then) or what its purpose.

4) RFC3280 and additional RFC's are not that clear to me. I assume that
if I really took up a study for the ASN.1 (1993?) specification, I might
understand a bit more. However, not everybody has the time or energy for
that matter to take up that kind of study effort. I have so far not found
a comprehensive tutorial or howto to guide in this matter. But I really
have the urge to do it right this time. Being my own CA, having my own
services etc.
Any suggestions?

Okay, I hope to see some positive feedback

Kind regards,
Frans de Boer.


