Re: Year 2038 problem

2008-10-06 Thread Philipp Gühring
Hi,

> How does openssl address this problem?  Is there a patch so that it does
> not set the expiration date beyond the 2038 wrap around time?

We just experienced exactly the same problem, and would be happy if it
got solved by OpenSSL.

There is a workaround available for this specific problem:
openssl ca -in CSR.csr -batch -enddate 400102030405Z


The biggest problem with the Y2038 problem I see is that most people
believe that it will go away due to the migration to 64 Bit machines.
But this isn't going to happen. We have to start fixing 2038 now, also
for all our 32 Bit platforms, 16 Bit platforms and 8 Bit platforms.

Best regards,
Philipp Gühring
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
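
An added example, not part of the original post: it checks whether a requested validity period crosses the signed 32-bit time_t limit and, if so, produces the explicit value to pass to `openssl ca -enddate` as in the workaround above. The function names are hypothetical; the UTCTime/GeneralizedTime split at 2050 follows RFC 5280.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1                       # 2038-01-19 03:14:07 UTC
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def wrap32(seconds):
    """Value a signed 32-bit time_t holds after the addition overflows."""
    return (seconds + 2**31) % 2**32 - 2**31

def asn1_time(dt):
    """UTCTime (YYMMDDHHMMSSZ) through 2049, GeneralizedTime from 2050 on."""
    return dt.strftime("%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ")

def parse_utctime(text):
    """Decode YYMMDDHHMMSSZ; RFC 5280 reads YY < 50 as 20YY, otherwise 19YY."""
    yy = int(text[:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    parsed = datetime.strptime(f"{year}{text[2:]}", "%Y%m%d%H%M%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def plan_enddate(issued, days):
    """Report the 32-bit overflow and the explicit -enddate value to use."""
    not_after = issued + timedelta(days=days)
    seconds = int((not_after - EPOCH).total_seconds())
    return {
        "overflows_32bit": seconds > INT32_MAX,
        # what a wrapped 32-bit computation would store as notAfter
        "wrapped": EPOCH + timedelta(seconds=wrap32(seconds)),
        "enddate": asn1_time(not_after),
    }

if __name__ == "__main__":
    # Constructed input: issue date taken from the post, 10950 days of validity.
    issued = datetime(2008, 10, 6, tzinfo=timezone.utc)
    plan = plan_enddate(issued, 10950)
    print(plan["overflows_32bit"], plan["wrapped"].isoformat(), plan["enddate"])
    print(parse_utctime("400102030405Z").isoformat())   # value used in the post
```

A wrapped notAfter lands in the past, so the certificate is expired the moment it is issued; passing the computed `enddate` string explicitly sidesteps the time_t arithmetic.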


Re: Openssl and Multi-Sites Certificats SSL

2005-11-23 Thread Philipp Gühring
Hi,

> New to this mailing list. Hope you can help me in completing my task.
> I'd like to generate a Self Signed SSL Certificate which will serve for
> multi hosted sites on the same server.
>
> Can someone tell me how to do that please?

Here is the overview, best currently possible solution, and a tool to do it 
for you:
http://wiki.cacert.org/wiki/VhostTaskForce

Best regards,
Philipp Gühring



SSL Storage

2005-08-14 Thread Philipp Gühring
Hi,

Is it possible to save the content that was transmitted in an SSL session, in a 
way that the signature of the SSL session is still preserved, but the 
encryption is decrypted? 
So that the SSL session can be stored, and the content be verified afterwards 
offline again?

With simple tcpdump, I can save the SSL session in encrypted form (from 
outside the tunnel).
With stunnel, I can save the content inside the SSL session, but without 
the signature.
Is it theoretically possible?
Is it practically possible with OpenSSL?

Regards,
Philipp Gühring



Re: Non-std attributes in certificate requests

2005-08-02 Thread Philipp Gühring
Hi,

> OpenSSL can include arbitrary data in *extensions* in certificates.
> Similarly you can also do that in *extensions* in certificate requests.

I tried to put it into extensions before, without luck.

> What you have above is an attribute in a certificate request the contents
> of which are assumed to be an ASCII (well normally ASCII) string. You get a
> similar result if you tried to put "DER" in a certificate DN component.

Ok. Accepted

> If you do put arbitrary unstructured data in a certificate or request
> that's likely to choke some ASN1 parsers. A better way is to enclose that
> data in an OCTET STRING (or whatever is appropriate) using the OpenSSL
> 0.9.8 mini-ASN1 compiler.

Yes, OCTET STRING would be also fine.

I just need an efficient method to encode binary data into a certificate 
request extension, which the CA has to extract and ignore afterwards. 
(It is meta-information for the CA, and does not go into the certificate)

Could you give me a short configuration example how I can put my binary data 
through hex encoding (or something else) into an Octet String typed extension 
into a certificate request?

(The examples and documentation I could find only cover the certificates, not 
the requests)

Regards,
Philipp Gühring



Non-std attributes in certificate requests

2005-08-02 Thread Philipp Gühring
Hi,

How can I include arbitrary binary data in a certificate request with OpenSSL?

Currently, I am trying it the following way:

[ new_oids ]
qcsr=1.3.6.1.4.1.18506.1.1

[ req_attributes ]
qcsr = Qualified Public Key Signature
qcsr_default=DER:3CB63813C2F6468422BE2A07A1115D218D8b

Do you notice the small "b" at the end?

If it were encoded binary correctly, all hex-characters would be uppercase or 
lowercase together.

But the result is still mixed-case:

1.3.6.1.4.1.18506.1.1:DER:3CB63813C2F6468422BE2A07A1115D218D8b

Could it be that OpenSSL can only encode arbitrary data in x.509 certificates, 
but not in certificate requests?

Regards,
Philipp Gühring
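
An added example, not part of the original posts: it shows the bytes a CSR extension carries when the binary value is wrapped in an OCTET STRING, as suggested in the reply quoted in the message above, and how a CA-side tool can pull the value back out. The OID and hex value are the ones from this post; the function names are hypothetical, and the extension is assumed to carry no `critical` flag.

```python
OID = "1.3.6.1.4.1.18506.1.1"                      # qcsr OID from the post
PAGE_HEX = "3CB63813C2F6468422BE2A07A1115D218D8b"  # value from the post, mixed case

def tlv(tag, content):
    """DER tag-length-value with short or long definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # last base-128 digit, high bit clear
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def build_extension(oid, blob):
    """SEQUENCE { extnID, extnValue OCTET STRING { OCTET STRING blob } }"""
    return tlv(0x30, encode_oid(oid) + tlv(0x04, tlv(0x04, blob)))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def extract_blob(ext, oid):
    """CA side: check the OID, unwrap both OCTET STRINGs, return the raw bytes."""
    tag, seq, _ = read_tlv(ext)
    oid_tag, oid_body, pos = read_tlv(seq)
    if tag != 0x30 or tlv(oid_tag, oid_body) != encode_oid(oid):
        raise ValueError("not the expected extension")
    tag, value, _ = read_tlv(seq, pos)
    inner_tag, blob, _ = read_tlv(value)
    if tag != 0x04 or inner_tag != 0x04:
        raise ValueError("extension value is not an OCTET STRING")
    return blob
```

Once the value is stored as binary, `extract_blob(...).hex()` returns it in a single case, so the trailing lowercase "b" used as a marker in the post disappears; a value that comes back mixed-case was stored as text.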



Off-Topic: Wildcard Certificates

2002-03-12 Thread Philipp Gühring


Hi,

I read somewhere, that wildcard certificates are generally possible. 
(With the exception that not every implementation might like it)

What about a certificate for *.com, *.org or *.net ?

I guess, I will have to try, whether any of the certificate authorities 
accepts a certificate request like that. 
I think some of them look through the wildcard requests manually ...

Many greetings,
-- 
~ Philipp Gühring  [EMAIL PROTECTED]
~ http://www.livingxml.net/   ICQ UIN: 6588261
~ 



XMLDSig

2002-01-31 Thread Philipp Gühring


Hi!

I want to sign XML documents.
So I am searching for an OpenSSL based XMLDSig (Digital Signatures in XML) 
implementation, that would be useable from Perl scripts. 

(I guess I could live with an XMLDSig compliant implementation of Digital 
Signatures for XML too, at least for the moment)

Is anyone working on that topic, or are there already useable solutions?

As far as I can see, there are only Java Based XMLDSig implementations 
available ...

Many greetings,
-- 
~ Philipp Gühring  [EMAIL PROTECTED]
~ http://www.livingxml.net/   ICQ UIN: 6588261
~ 



Re: IE problem with self-signed certificate

2001-12-20 Thread Philipp Gühring


> Which is fine.  However, IE simply fails to display the image.  No dialog
> asking to accept the certificate, no nothing.  That is, for me and all but
> one of my co-workers.

Could it be that you and they already accepted the certificate as valid, and 
therefore are not asked anymore?

Many greetings,
-- 
~ Philipp Gühring  [EMAIL PROTECTED]
~ http://www.livingxml.net/   ICQ UIN: 6588261
~ 