Issue with SSL sockets pthreads
I'm having a bit of an issue with something I encountered while unit
testing my socket classes - each test basically creates a thread on
which a server socket listens. From the main thread I connect a client
to the server socket. I've found that after about 10-15 such tests I
cannot create new threads - so I was wondering if I might have missed
something clearing up resources (the pthread_create method returns with
EAGAIN, which means insufficient resources). This only happens with ssl
sockets when I connect a client, if I use normal sockets everything
works well.
I have the following code, stripped of error handling for clarity (I've
marked with * lines which are missing/different in the normal socket
implementation versus the ssl socket one):
ClientSocket:
connect():
this-socket = BIO_new_ssl_connect(ssl_context); *
BIO_get_ssl(this-socket, this-ssl); *
BIO_set_nbio(this-socket, NON_BLOCKING);
BIO_set_conn_hostname(this-socket, this-host);
BIO_set_conn_port(this-socket, port_str);
bool keep_connecting = true;
while (keep_connecting)
{
if (BIO_do_connect(this-socket) 0)
{
if (this-do_verify_handshake_result()) this-connected = true;
keep_connecting = false;
}
else if (!BIO_should_retry(this-socket)) keep_connecting = false;
}
--
do_verify_handshake_result(): * (just returns true for normal sockets)
bool keep_trying = true;
while (keep_trying)
{
if (BIO_do_handshake(this-socket) 0)
{
if (SSL_get_verify_result(this-ssl) == X509_V_OK) result = true;
keep_trying = false;
}
else if (!BIO_should_retry(this-socket)) keep_trying = false;
}
--
ServerSocket:
listen():
this-ssl_socket = BIO_new_ssl(ssl_context, SERVER_CONNECTION); *
BIO_get_ssl(this-ssl_socket, this-ssl); *
this-accept_socket = BIO_new_accept(port_str);
BIO_set_accept_bios(this-accept_socket, this-ssl_socket); *
BIO_set_nbio(this-accept_socket, NON_BLOCKING);
BIO_do_accept(this-accept_socket);
while (!this-shutdown_requested)
{
if (BIO_do_accept(this-accept_socket) 0)
{
ClientSocket *incoming_client=
new_client_socket(BIO_pop(this-accept_socket));
incoming_client-do_verify_handshake_result();
connection_complete(incoming_client)
}
}
--
connection_complete(): (this is just a test method)
delete incoming_client;
--
Test code:
typedef struct str_thdata
{
int thread_no;
ServerSocket *socket;
} thdata;
void *print_message_function ( void *ptr )
{
thdata *data = (thdata *) ptr;
printf(Thread %d s\n, data-thread_no);fflush(stdout);
data-socket-listen();
return NULL;
}
int test()
{
for (int i = 0; i 200; i++)
{
pthread_t thr;
thdata data;
data.thread_no = i;
ServerSocket *socket = SocketFactory::new_server_socket(SSL,
TEST_PORT);
data.socket = socket;
if (pthread_create (thr, NULL, print_message_function, (void *)
data) != 0)
printf(Warning, create did not work for thread #%d\n,
i);fflush(stdout);
else
{
Sleep(1000);
ClientSocket *client = SocketFactory::new_client_socket(SSL,
(char *) 127.0.0.1, TEST_PORT);
if (client-connect())
client-disconnect();
delete client;
socket-shutdown();
pthread_join(thr, NULL);
}
delete socket;
}
}
If I use normal serverclient sockets, all threads work as expected (can
create 200). Also, if I use an SSL server, but with no client connecting
to it (creating a server socket thread and then closing them 200
times) - everything works as expected.
If I connect an SSL client socket, no resources after 10-15 threads - I
can get this to happen reliably. Sometimes I get a few error messages
and then I can create threads again for a while.
Initially, I had SSL_MODE_AUTO_RETRY set on the server socket (left
over from when the two classes were using blocking sockets) - removing
it improved the situation a bit, but not by much (ie before I got thread
creation errors on each run, now I get them about once for every two runs).
The disconnect/shutdown methods both for client and server just do
BIO_free_all(this-socket);, besides setting some bool variables such
as connected/shutdown_requested. The destructors call
disconnect/shutdown if sockets are not already closed.
Any ideas on what I'm doing wrong with this? I think I'm neglecting to
release some resources, but I don't see what could those be - everything
is closed before each new loop iteration. Setting a Sleep() right
before the loop restarts did not help either.
Thanks in advance,
--
Laura
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: blocking BIO_read
Thank you very much!
Ger Hobbelt wrote:
On Thu, Aug 27, 2009 at 2:24 PM, Laura
Arhirelaura.arh...@endion-software.com wrote:
Hey
I'm using the BIO abstraction for reading/writing to sockets - a small part
of the BIO_read method is unclear: For a blocking socket, will the BIO_read
call block until the length provided in the call is filled in the buffer,
or will it return as soon as it managed to read anything from the socket?
I see that the underlying implementation uses recv() - recv blocks until
something is available: when something is available for reading, read up to
len bytes and copy it to the provided buffer, then return, i.e. the length
is used as a maximum value. From reading the openssl code I think that
BIO_read behaves in the same way as recv - which means that if I want to
read a specific number of bytes (no more, no less), I need to loop until I
get everything I need. Can anyone confirm this ?
Confirmed.
BIO_read won't wait/guarantee that the requested number of bytes are
delivered all, so you'll indeed need to loop to get them all (or an
error due to connection issues) if you want to receive a predetermined
number of bytes.
For completeness / additive: note that 'officially', you should check
the BIO_should_retry() call on error (negative error code return),
i.e.
---snip[stripped]---
...
i = BIO_read(bio,buf,bufsize);
if (i 0)
{
// error condition - possibly
if (BIO_should_retry(bio))
{
if (BIO_should_read(bio))
...
if (BIO_should_write(bio))
...
}
else
{
// real error. process the error the way you want/need
ERR_print_errors(bio_err);
got fail_dramatically;
}
}
else if (i == 0)
{
// blocking -- conn termination
...
break;
}
else
{
// collect the returned bytes; shift buf, etc., then wait for the rest
...
}
---snip---
as this is what it should look like for any and all BIOs, i.e. when
your BIO-using code layer should not be specifically aware of the
chain/device peculiarities accessed through the BIO abstraction layer.
In the case of raw socket I/O, the 'should_retry' won't fire, at least
not with the current implementation on UNIX. Which might be a bother
regarding testability versus 'correct' use/implementation of the i/o
abstraction. Once you're stacking, say, and SSL BIO into this BIO
chain however, things will certainly look /very/ different and you'll
surely need that should_retry/etc. code in there.
Take care,
Ger
--
Laura
blocking BIO_read
Hey I'm using the BIO abstraction for reading/writing to sockets - a small part of the BIO_read method is unclear: For a blocking socket, will the BIO_read call block until the length provided in the call is filled in the buffer, or will it return as soon as it managed to read anything from the socket? I see that the underlying implementation uses recv() - recv blocks until something is available: when something is available for reading, read up to len bytes and copy it to the provided buffer, then return, i.e. the length is used as a maximum value. From reading the openssl code I think that BIO_read behaves in the same way as recv - which means that if I want to read a specific number of bytes (no more, no less), I need to loop until I get everything I need. Can anyone confirm this ? Thank you, -- Laura __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ecdsa public key output
Hello
I generated the certificate programmatically, but I shall look at the
ecparam.c file and see how the public key is generated there and do the
same. The jave keytool-generated certificate did not have any extensions
attached, so I am guessing those can be stripped.
The code I used for generating a self-signed certificate is below,
stripped of error handling:
EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp160r1);
EC_KEY_generate_key(ec_key);
EC_KEY_check_key(ec_key);
EVP_PKEY *pk = EVP_PKEY_new();
EVP_PKEY_assign_EC_KEY(pk, ec_key);
f = fopen(root-ecdsa160.key, w);
PEM_write_PrivateKey(f, pk, NULL, NULL, 0, 0, NULL);
fclose(f);
FILE *f;
X509 *x;
x=X509_new();
X509_NAME *name = X509_get_subject_name(x);
X509_set_version(x, 2);
ASN1_INTEGER_set(X509_get_serialNumber(x), 3);
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_gmtime_adj(X509_get_notAfter(x), (long) 60 * 60 * 24 * 365);
X509_set_pubkey(x, pk);
X509_NAME_add_entry_by_txt(name, CN, MBSTRING_ASC, (const unsigned
char*) Testing Team, -1, -1, 0);
X509_NAME_add_entry_by_txt(name, O, MBSTRING_ASC, (const unsigned
char*) client, -1, -1, 0);
X509_set_issuer_name(x, name);
X509_sign(x, pk, EVP_ecdsa());
f = fopen(root-ecdsa160.crt, w);
PEM_write_X509(f, x);
fclose(f);
Thank you for the help.
Laura
Carlo Milono wrote:
How did you make your EC certificates?
Here is the result (truncated as yours is) by using OpenSSL - I had to
use a Name Constraint and a prime curve @ 384 for a proof-of-concept:
...
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:fa:b7:e7:c8:15:0b:26:5c:b4:d6:53:62:09:66:
7e:6e:15:05:ee:cc:2b:ff:f9:dd:8d:4f:ed:de:35:
56:41:ce:b4:52:4e:c5:99:46:30:b7:81:31:29:cd:
5f:0d:b9:a3:ec:12:c5:47:f1:0b:09:1c:76:fe:e5:
e2:d3:04:97:3c:ac:ad:b6:e8:83:8b:b0:c2:39:ac:
8e:a2:86:59:a0:0b:0a:09:b1:75:5b:2e:83:b6:7e:
c0:ad:8f:24:54:d4:9a
ASN1 OID: secp384r1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Name Constraints:
Excluded:
IP:10.105.150.234/255.255.254.0
...
The above is the result of the following command-lines:
openssl ecparam -out myECkey.pem -name secp384r1 -genkey
openssl req -new -key myECkey.pem -out req.out
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Laura Arhire
Sent: Tuesday, August 18, 2009 12:55 AM
To: openssl-users@openssl.org
Subject: ecdsa public key output
Hello
I'm trying to import ecdsa certificates for a java server using the java
keytool utility. After having had trouble with openssl generated
certificates, I generated a certificate using the keytool utility to see
what the difference is. Upon running the openssl x509 -in cert.crt
-noout -text command on this certificate, the output I get is (only
public key info for brevity):
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:99:cc:aa:5b:7d:fc:e1:aa:c8:0e:d0:98:b2:ed:
79:65:cb:66:7e:0f:c2:b9:7b:28:42:1b:65:1a:86:
4b:02:dc:7c:5f:d1:21:1f:ca:f2:ac
* ASN1 OID: secp160k1*
Which is different from the openssl generated certificates in that it
has the curve name in the public key, instead of the curve parameters.
The same data (ASN1 OID: secp160k1) in an openssl certificate is:
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:fe:ff:ff:ac:73
A:0
B:7 (0x7)
Generator (uncompressed):
04:3b:4c:38:2c:e3:7a:a1:92:a4:01:9e:76:30:36:
f4:f5:dd:4d:7e:bb:93:8c:f9:35:31:8f:dc:ed:6b:
c2:82:86:53:17:33:c3:f0:3c:4f:ee
Order:
01:00:00:00:00:00:00:00:00:00:01:b8:fa:16:df:
ab:9a:ca:16:b6:b3
Cofactor: 1 (0x1)
The keytool output does not seem to be incorrect according to RFC 5280,
which defines
SubjectPublicKeyInfo ::= SEQUENCE {
algoritmAlgorithmIdentifier
subjectPublicKey BIT STRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
unless I am reading this wrong, but the way algorithm parameters are
defined seem to allow for both variants.
I'm looking into making the java certificate store understand
openssl-generated certificates (possibly with 3rd party APIs) as that
would make my life easier.
However, at the same time I'm trying to tackle the problem at the other
end, so I was also wondering if I can get (maybe programatically ?),
openssl to output the public key info in the way in which the keytool
understands
ecdsa public key output
Hello
I'm trying to import ecdsa certificates for a java server using the java
keytool utility. After having had trouble with openssl generated
certificates, I generated a certificate using the keytool utility to see
what the difference is. Upon running the openssl x509 -in cert.crt
-noout -text command on this certificate, the output I get is (only
public key info for brevity):
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:99:cc:aa:5b:7d:fc:e1:aa:c8:0e:d0:98:b2:ed:
79:65:cb:66:7e:0f:c2:b9:7b:28:42:1b:65:1a:86:
4b:02:dc:7c:5f:d1:21:1f:ca:f2:ac
* ASN1 OID: secp160k1*
Which is different from the openssl generated certificates in that it
has the curve name in the public key, instead of the curve parameters.
The same data (ASN1 OID: secp160k1) in an openssl certificate is:
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:fe:ff:ff:ac:73
A:0
B:7 (0x7)
Generator (uncompressed):
04:3b:4c:38:2c:e3:7a:a1:92:a4:01:9e:76:30:36:
f4:f5:dd:4d:7e:bb:93:8c:f9:35:31:8f:dc:ed:6b:
c2:82:86:53:17:33:c3:f0:3c:4f:ee
Order:
01:00:00:00:00:00:00:00:00:00:01:b8:fa:16:df:
ab:9a:ca:16:b6:b3
Cofactor: 1 (0x1)
The keytool output does not seem to be incorrect according to RFC 5280,
which defines
SubjectPublicKeyInfo ::= SEQUENCE {
algoritmAlgorithmIdentifier
subjectPublicKey BIT STRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
unless I am reading this wrong, but the way algorithm parameters are
defined seem to allow for both variants.
I'm looking into making the java certificate store understand
openssl-generated certificates (possibly with 3rd party APIs) as that
would make my life easier.
However, at the same time I'm trying to tackle the problem at the other
end, so I was also wondering if I can get (maybe programatically ?),
openssl to output the public key info in the way in which the keytool
understands: the curve name instead of the curve parameters.
I've had no trouble using a client written in C with openssl to connect
to the above mentioned server (using the keytool generated certificate
as the server certificate), but since I need some certificate request
interaction between the java and C sides, I need to look into this issue
further.
Any ideas on how to get the curve name in the certificate instead of the
curve parameters ?
Thanks in advance,
--
Laura
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
ecdsa-signed certificates algorithm recognition problems
:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:7f:ff:ff:fc B: 1c:97:be:fc:54:bd:7a:8b:65:ac:f8:9f:81:d4:d4: ad:c5:65:fa:45 Generator (uncompressed): 04:4a:96:b5:68:8e:f5:73:28:46:64:69:89:68:c3: 8b:b9:13:cb:fc:82:23:a6:28:55:31:68:94:7d:59: dc:c9:12:04:23:51:37:7a:c5:fb:32 Order: 01:00:00:00:00:00:00:00:00:00:01:f4:c8:f9:27: ae:d3:ca:75:22:57 Cofactor: 1 (0x1) Seed: 10:53:cd:e4:2c:14:d6:96:e6:76:87:56:15:17:53: 3b:f3:f8:33:45 Signature Algorithm: ecdsa-with-SHA1 30:2e:02:15:00:9f:4d:cc:30:d1:0b:8e:ff:3b:39:07:3f:5d: 13:7c:4f:db:ba:8a:da:02:15:00:d9:89:e4:24:15:f2:ca:9e: f8:39:d3:14:f4:4e:eb:20:d2:cd:1e:87 Thanks in advance, Laura __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ecdsa-signed certificates algorithm recognition problems
Just a quick note. openss x509 prints out the correct thing if I use 0.9.8h (the default openssl on my machine is 0.9.7-something). Now just the java part of my problem remains, but I suspect that has something to do with my setup. Sorry for the previous message. Laura Laura Arhire wrote: Hello I have successfully managed to create and use certificates which contained and were signed by ecdsa keys in my own prototype program. However, upon attempting to import such a certificate in the java certificate store, I came upon some trouble. It seems there is something wrong with the way I am generating these certificates, as the signature algorithm and the public key algorithm come up as unknown. Sorry for lengthy message which follows. In short, I have the following certificate in PEM format: -BEGIN CERTIFICATE- MIIB+DCCAbagAwIBAgIBAzAJBgcqhkjOPQQBMEkxCzAJBgNVBAYTAlJPMR8wHQYD VQQDExZJbmNvcnJlY3QgVGVzdGluZyBUZWFtMRkwFwYDVQQKExBpbmNvcnJlY3Qt Y2xpZW50MB4XDTA5MDgxNzA5MTkxM1oXDTEwMDgxNzA5MTkxM1owSTELMAkGA1UE BhMCUk8xHzAdBgNVBAMTFkluY29ycmVjdCBUZXN0aW5nIFRlYW0xGTAXBgNVBAoT EGluY29ycmVjdC1jbGllbnQwgeowgbsGByqGSM49AgEwga8CAQEwIAYHKoZIzj0B AQIVAP9/MEMEFP98 BBQcl778VL16i2Ws+J+B1NStxWX6RQMVABBTzeQsFNaW5naHVhUXUzvz+DNFBCkE Spa1aI71cyhGZGmJaMOLuRPL/IIjpihVMWiUfVncyRIEI1E3esX7MgIVAQAA AAH0yPknrtPKdSJXAgEBAyoABAm8/G3NfWWhjeRofpq+hNTibLFO/qRFRPoK yjjVrr53ZII/d++boA8wCQYHKoZIzj0EAQMxADAuAhUAn03MMNELjv87OQc/XRN8 T9u6itoCFQDZieQkFfLKnvg50xT0Tusg0s0ehw== -END CERTIFICATE- (prettyfied version to be found at bottom). When running openssl x509 -in wrong-root-ecdsa160.crt -noout -text on it, I get: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: UNKNOWN Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client Validity Not Before: Aug 17 09:19:13 2009 GMT Not After : Aug 17 09:19:13 2010 GMT Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client Subject Public Key Info: Public Key Algorithm: UNKNOWN Unable to load Public Key 3104:error:0D09C08F:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:104: 3104:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:228: Signature Algorithm: UNKNOWN 30:2e:02:15:00:9f:4d:cc:30:d1:0b:8e:ff:3b:39:07:3f:5d: 13:7c:4f:db:ba:8a:da:02:15:00:d9:89:e4:24:15:f2:ca:9e: f8:39:d3:14:f4:4e:eb:20:d2:cd:1e:87 I suspect the reason why the signature/public key algorithms come up as unknown is the same reason I can't get java to load up this certificate as well. The code used to generate this certificate is (removed return-value testing for brevity): EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp160r1); EC_KEY_generate_key(ec_key); EC_KEY_check_key(ec_key); FILE *f; X509 *x; EVP_PKEY *pk; X509_NAME *name = NULL; pk=EVP_PKEY_new(); x=X509_new(); EVP_PKEY_assign_EC_KEY(pk, ec_key); f = fopen(wrong-root-ecdsa160.key, w); PEM_write_PrivateKey(f, pk, NULL, NULL, 0, 0, NULL); fclose(f); X509_set_version(x, 2); ASN1_INTEGER_set(X509_get_serialNumber(x), 3); // certificate validity X509_gmtime_adj(X509_get_notBefore(x), 0); X509_gmtime_adj(X509_get_notAfter(x), (long) 60 * 60 * 24 * 365); X509_set_pubkey(x, pk); name = X509_get_subject_name(x); const char *grp = incorrect-client; X509_NAME_add_entry_by_txt(name, C, MBSTRING_ASC, (const unsigned char*) RO, -1, -1, 0); X509_NAME_add_entry_by_txt(name, CN, MBSTRING_ASC, (const unsigned char*) Incorrect Testing Team, -1, -1, 0); X509_NAME_add_entry_by_txt(name, O, MBSTRING_ASC, (const unsigned char*) grp, -1, -1, 0); X509_set_issuer_name(x, name); X509_sign(x, pk, EVP_ecdsa()); f = fopen(wrong-root-ecdsa160.crt, w); PEM_write_X509(f, x); fclose(f); I can use such the certificate without a problem in my prototype, add it to the trusted CAs, use it in client-server handshake etc. Any ideas on what I'm doing wrong and how can i get the openssl x509 command to output the correct certificate? If I run: FILE *root_file = fopen(wrong-root-ecdsa160.crt, r); X509 *root_cert = PEM_read_X509(root_file, NULL, NULL, NULL); X509_print_fp(stdout, root_cert); everything prints out as expected: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: ecdsa-with-SHA1 Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client Validity Not Before: Aug 17 09:19:13 2009 GMT Not After : Aug 17 09:19:13 2010 GMT Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:09:bc:fc:6d:cd:7d:65:a1:8d:e4:68:7e:9a:be: 84:d4:e2
Retrieving hostname after accept
Hello
I have a simple question that I can't find an answer to. I'm writing an
application where every instance is both client and server (a thread is
listening for incoming connections on a predefined port, and at the same
time connections are created to others whenever they're needed).
Whenever I accept an incoming connection, I'd like to be able to retain
the IP address which has just connected (for future use and logging).
I thought I'd be able to achieve this by using the following code
(truncated to essentials, left out error handling):
if (BIO_do_accept(accept_bio) 0)
{
client = BIO_pop(accept_bio);
BIO_get_conn_hostname(client); // returns NULL
}
However, I've found that BIO_get_conn_hostname() always returns NULL on
incoming connections. This happens for all connections (plain/SSL). The
connections, however, work fine and transmit data as they should. I
assume this is intended - that the hostname is null, but I don't know
how to go about actually retrieving it. I'd like to keep using the BIO
abstraction if possible. How would I go on from here?
Thanks in advance,
Laura
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Re: Spam: POLICY_MAPPING_free?
Thanks! but i can't use them. The error isundefined reference to `POLICY_CONSTRAINTS_free'. i can't find any files including these macros. === 2006-12-21 14:47:00 === On Thu, Dec 21, 2006, laura wrote: hi where can i find the definition of these functions: POLICY_MAPPING_free,NAME_CONSTRAINTS_free,POLICY_CONSTRAINTS_free etc? i can't find them in openssl0.9.8b. They are defined through the ASN1 macros. All they do is to free up the corresponding struture. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] . = = = = = = = = = = = = = = = = = = = = 致 礼! laura [EMAIL PROTECTED] 2006-12-22 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
subjectinfoaccess?
hi, I want to use SIA(subjectinfoaccess) to get the url of caRepository. but i can't find the accessmethod. it should be nid_ad_caRepository defined in rfc3280. does openssl support it? laura [EMAIL PROTECTED] 2006-09-20 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
