List of supported CipherSuite and CompressionMethod

2008-06-25 Thread Richard Hartmann
Hi all,

I was wondering if there is a list of all CipherSuite[s] and
CompressionMethod[s] supported by OpenSSL. At this point,
I would prefer not to go through the code to get an answer, but
if you guys would point me at a file name, I would gladly take
that, as well :)


Richard
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           [EMAIL PROTECTED]



Re: List of supported CipherSuite and CompressionMethod

2008-06-25 Thread Richard Hartmann
On Wed, Jun 25, 2008 at 16:26, Bill Colvin [EMAIL PROTECTED] wrote:


> http://openssl.hoxt.com/openssl-web/docs/apps/ciphers.html

Thanks! From the man page of ciphers, I assume I need to bake my
own OpenSSL binaries to enable NULL ciphers?

And yes, I know what I am doing and yes, in this stage, I do want
NULL ciphers.


Richard
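An added example (not from this thread or the OpenSSL project) that answers the question above with Python's standard ssl module: the spec strings are the cipher-list syntax from the ciphers man page and go unchanged to the linked OpenSSL, so the output matches `openssl ciphers '<spec>'` for that library, NULL suites only show up once 'eNULL' is named explicitly, and the default context reports compression disabled. Assumes a Python build linked against OpenSSL 1.1.0 or later.

```python
import ssl

# Added example, not the list's or OpenSSL's own code. Python hands the spec
# string to OpenSSL's cipher-list parser, so no custom OpenSSL build is needed
# just to see which NULL suites the library was compiled with.


def list_ciphers(spec):
    """Return the suite names OpenSSL selects for a cipher-list spec such as 'DEFAULT'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the spec selects nothing
    return [c["name"] for c in ctx.get_ciphers()]


def null_ciphers(names):
    """Suites that encrypt nothing (OpenSSL's eNULL group); DEFAULT never includes them."""
    return [n for n in names if "NULL" in n]


def compression_disabled(ctx):
    """True when the context refuses TLS-level compression (OP_NO_COMPRESSION set)."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def report(spec):
    """Summarise one spec: how many suites it selects and which of them are NULL ciphers."""
    names = list_ciphers(spec)
    return {"spec": spec, "count": len(names), "null": null_ciphers(names)}


if __name__ == "__main__":
    # eNULL has to be named: neither DEFAULT nor ALL contains it.
    for spec in ("DEFAULT", "ALL", "ALL:eNULL"):
        print(report(spec))
    print("compression disabled in default context:",
          compression_disabled(ssl.create_default_context()))
```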


[SOLVED] Re: Strange OpenSSL error when trying to use OpenVPN

2008-03-26 Thread Richard Hartmann
My certificate uses a SHA256 hash and the client has OpenSSL 0.9.7.
0.9.8 is needed to support SHA256 hashes.


Strange OpenSSL error when trying to use OpenVPN

2008-03-25 Thread Richard Hartmann
Hi all,

I have my own CA tree, with the relevant part being:

 root CA {1}
 \- VPN CA {2}
    \- server CA {3}
       |- server certificate {4}
       \- client certificate {5}

I put 1 & 2 into /etc/ssl/certs/ of the server and 3 into
/etc/openvpn/default/default-ca.pem . The server does, of course, use
its server certificate & privkey.

The client has a single CA file with 1, 2 & 3's certificates
concatenated. It also has its own client certificate & privkey.

Verifying the trust chain with openssl verify -verbose -CAfile foo works
for all five certificates with foo holding 1, 2 & 3.


Yet, when I want to connect to the server, OpenVPN dies with:

Tue Mar 25 15:04:53 2008 us=886000 Incoming Ciphertext - TLS
Tue Mar 25 15:04:53 2008 us=886000 VERIFY OK: depth=3, /CN=root_CA
Tue Mar 25 15:04:53 2008 us=886000 VERIFY ERROR: depth=2,
error=certificate signature failure: /CN=VPN_CA
Tue Mar 25 15:04:53 2008 us=886000 SSL alert (write): fatal: decrypt error
Tue Mar 25 15:04:53 2008 us=886000 TLS_ERROR: BIO read
tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS object - incoming
plaintext read error
Tue Mar 25 15:04:53 2008 us=886000 TLS Error: TLS handshake failed

(The name strings for 1 & 2 being shortened to root_CA & VPN_CA respectively)


man verify tells me:

7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
the signature of the certificate is invalid.

which does not make sense, seeing as the path verifies OK when doing the
same thing manually and even using the very same file for the
verification that the OpenVPN client is using.


So, if anyone has any idea or an educated guess about the cause or hints
to get better debug output, please tell me.


Thanks in advance :)
Richard
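An added example (not from this thread, OpenVPN or OpenSSL) for the diagnosis in the [SOLVED] reply: it reads the outer signatureAlgorithm of a DER certificate so each cert in a chain can be checked against the client's library version, the point being that a SHA-256 signature needs OpenSSL 0.9.8 while the server-side `openssl verify` run said nothing about what the 0.9.7 client could handle. The OID table, the version table and the DER sample bytes are constructed for the example.

```python
# Added example, not the thread's own code. Parses only the outer
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
# (RFC 5280 section 4.1); real DER, e.g. ssl.PEM_cert_to_DER_cert(pem), works too.

SIG_ALGS = {                      # OID -> name (constructed subset)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Minimum OpenSSL able to verify a signature type; assumption: unlisted
# algorithms are treated as always verifiable.
MIN_OPENSSL = {"sha256WithRSAEncryption": (0, 9, 8)}


def _tlv(buf, pos):
    """Decode one DER TLV at pos: return (tag, contents, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(contents):
    """Dotted form of OBJECT IDENTIFIER contents (first octet packs two arcs)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:        # base 128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Name (or dotted OID) of Certificate.signatureAlgorithm in a DER cert."""
    tag, cert, _ = _tlv(der, 0)
    _, _, pos = _tlv(cert, 0)     # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate structure")
    dotted = _oid(oid)
    return SIG_ALGS.get(dotted, dotted)


def can_verify(alg, openssl_version):
    """Can a client linked against openssl_version, e.g. (0, 9, 7), verify this type?"""
    return openssl_version >= MIN_OPENSSL.get(alg, (0, 0, 0))


# Constructed DER skeletons (not real certificates): tbs stub, AlgorithmIdentifier
# { OID, NULL }, BIT STRING. Only the algorithm field differs between them.
SAMPLE_SHA256 = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d01010b0500" "030200ff")
SAMPLE_SHA1 = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d0101050500" "030200ff")
```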


Difference between signing a CSR and a public key with server-side options?

2007-11-26 Thread Richard Hartmann
Hi all,

basically, I am wondering if there is a real difference between signing
a normal CSR and signing a plain public key while defining the
appropriate X509 v3 extensions at sign time. I suspect that there is no
difference that would matter from the end user's perspective, but I am
far from sure.

If you can point me to some docs that explain any issues in depth, I am
more than willing to rtfm, as well :)


Any help appreciated,
Richard


Re: Are there any CA packages that support XMLRPC?

2007-09-20 Thread Richard Hartmann
On 20/09/2007, Rodney Thayer [EMAIL PROTECTED] wrote:

> That being said the existence of any code that handles that
> sort of thing is interesting, since there are so few implementations.

Yes, it seems that everyone who does any real work in this direction
keeps the fruits to themselves :/

If I were to modify/enhance a command line solution that is under the
GPL, I might be able to give back. If I bake our own, I am not so sure.

So, as there do not seem to be any solutions that do what I need,
does anyone know of a command line based Perl CA that is able to
create root and sub CAs and person/email/server certificates
automagically that I could enhance to speak XMLRPC?

Any and all suggestions are welcome, even if they do not fit the above
exactly.


Richard


Re: Are there any CA packages that support XMLRPC?

2007-09-19 Thread Richard Hartmann
I am replying to myself to clarify something which I should have put
better:

I want to run my own CA, not buy certificates from established ones.


Sorry for asking a misleading question :/
Richard


Are there any CA packages that support XMLRPC?

2007-09-13 Thread Richard Hartmann
Hi all,

I am looking for existing implementation of a CA that supports external
APIs. Ideally, it should be able to speak XMLRPC or, at least, offer
an API.


Thanks,
Richard


Re: Are there any CA packages that support XMLRPC?

2007-09-13 Thread Richard Hartmann
On 13/09/2007, Rodney Thayer [EMAIL PROTECTED] wrote:


> Why XMLRPC instead of any of the existing online enrollment protocols?

Well, the main reason is that, like it or not, XMLRPC is developing into
a kind of lingua franca when it comes to interoperability. The easy
availability of TLS for this path is an obvious plus.


> Not that I am trying to defend the existing online enrollment protocols,
> mind you...

Well, if there is anything that works in a secure and reliable way, I am
all ears :)


> What CLIENT do you think would interoperate with such a CA, should it
> exist?

A self-baked one.


Thanks for your reply :)
Richard