1.0.2beta2 and X.509 certificate verification

2014-03-03 Thread Roumen Petrov
Hello, It seems to me the verification logic for X.509 certificates is changed in a minor release. $ cd BUILDDIR/test $ openssl version OpenSSL 1.0.1f 6 Jan 2014 $ openssl verify certCA.ss; echo $? certCA.ss: C = AU, O = Dodgy Brothers, CN = Dodgy CA error 18 at 0 depth lookup:self signed

Re: 1.0.2beta2 and X.509 certificate verification

2014-03-03 Thread Dr. Stephen Henson
On Mon, Mar 03, 2014, Roumen Petrov wrote: Hello, It seems to me the verification logic for X.509 certificates is changed in a minor release. $ cd BUILDDIR/test $ openssl version OpenSSL 1.0.1f 6 Jan 2014 $ openssl verify certCA.ss; echo $? certCA.ss: C = AU, O = Dodgy Brothers, CN =

Certificate verification through Callback

2009-08-11 Thread Kamalakanta Palei (kpalei)
Hi All I am using SSL_CTX_set_cert_verify_callback(ctx, callback, (void *)arg) API to register the callback function for certificate verification. However I need to set the mode (SSL_VERIFY_PEER) for SSL Context. I am using below code to set mode and callback function. Is it right way of doing

Re: Peer Certificate Verification API

2008-11-05 Thread Dr. Stephen Henson
On Mon, Nov 03, 2008, Aravinda babu wrote: Hi all, Normally, during HTTPS connection establishment peer server produces its certificate to the client. I want to know how openssl checks this certificate? I want to know the exact API which does this so that I will check the code of that

Peer Certificate Verification API

2008-11-03 Thread Aravinda babu
Hi all, Normally, during HTTPS connection establishment peer server produces its certificate to the client. I want to know how openssl checks this certificate? I want to know the exact API which does this so that I will check the code of that API. Please tell me the related things regarding

Re: Peer Certificate Verification API

2008-11-03 Thread Kyle Hamilton
The algorithm for checking of the digital signature of the peer certificate is covered in PKIX (RFC 3280, obsoleted by RFC 5280) and the ITU standard X.509. The library-client code for verifying a certificate can be found in apps/verify.c. You might want to look at the man pages for

[openssl.org #1586] Certificate verification bug

2007-10-08 Thread Heit, James R via RT
OpenSSL 0.9.8a 11 Oct 2005, SUSE Linux Enterprise I have 2 root self signed certificates. If I do an SSL handshake with the first: -BEGIN CERTIFICATE- MIICxTCCAi4CCQDJK3jKqJ/pqTANBgkqhkiG9w0BAQUFADCBpjEjMCEGA1UEAxMa

Re: [openssl.org #1586] Certificate verification bug

2007-10-08 Thread Dr. Stephen Henson
On Mon, Oct 08, 2007, Heit, James R via RT wrote: I get a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18) error in the verify callback function. That happens when there is a root CA sent by the server but it doesn't match the trusted one. I suggest you dump the root CA using the -showcerts

Certificate Verification

2007-09-20 Thread heladly
Hi, I am trying to perform certification verification for a self-signed CA certificate as well as another certificate signed by this CA. The problem is that the verification always fails. Here is what I do: /* Convert the DER encoded certificate into an X509 structure used by SSL. */

Re: Certificate Verification

2007-09-20 Thread Dr. Stephen Henson
On Thu, Sep 20, 2007, [EMAIL PROTECTED] wrote: Hi, I am trying to perform certification verification for a self-signed CA certificate as well as another certificate signed by this CA. The problem is that the verification always fails. Here is what I do: /* Convert the DER encoded

Certificate Verification

2005-04-27 Thread Muhammad Yahya
I have a certificate that I need to get verified by a CA like Verisign. How can I programmatically do so from within my C program running on Linux ? Thanks!

Certificate verification process failure

2004-03-23 Thread francesco.petruzzi
During certificate verification in the internal_verify() function, if the certificate signature and not-before time are valid, the certificate is set valid. Subsequent calls to the verification process then assume the signature and not-before time are valid without checking them. If check time changes (decreased) before

certificate verification and Sub CAs

2002-03-26 Thread Harald Koch
So I'm attempting to verify a certificate with OpenSSL 0.9.7 snapshot (various versions). I trust my own CA, whose certificate is issued by a Root (self-signed) CA that I do not wish to trust, because it has also issued a CA certificate to Bad Guy Incorporated. Right now if I build a chain up to

certificate verification problem

2002-03-04 Thread ratan.sarkar
Hi, I am using my own callback function set by SSL_CTX_set_verify( , , fn_name) for client my function is like : the function is printing one (I gave the server root CA installed the trusted root CA using the function SSL_CTX_load_verify_locations() ) sslcallbackClient( int ok ,

Re: Bug in openssl 0.9.6 for certificate verification

2000-10-19 Thread Jean-Marc Desperrier
Dr S N Henson wrote: Jean-Marc Desperrier wrote: I have some code that I could use to verify certificate, and that's not able to do it anymore when compiled with 0.9.6 I traced this to the following line (330) in the file by_dir.c - if(j != -1)

Re: Bug in openssl 0.9.6 for certificate verification

2000-10-18 Thread Jean-Marc Desperrier
Dr S N Henson wrote: I make the verification using a call to X509_verify_cert. When the call returns, there are some errors left in the error stack from a call to check_issued to check if the check is self-signed or not. Is this a normal behaviour? That shouldn't happen unless you

Bug in openssl 0.9.6 for certificate verification

2000-10-13 Thread Jean-Marc Desperrier
I have some code that I could use to verify certificate, and that's not able to do it anymore when compiled with 0.9.6 I traced this to the following line (330) in the file by_dir.c This line has been changed from 0.9.5 to 0.9.6. I think the last argument in the call to sk_X509_OBJECT_value

Re: Bug in openssl 0.9.6 for certificate verification

2000-10-13 Thread Dr S N Henson
Jean-Marc Desperrier wrote: I have some code that I could use to verify certificate, and that's not able to do it anymore when compiled with 0.9.6 I traced this to the following line (330) in the file by_dir.c This line has been changed from 0.9.5 to 0.9.6. I think the last argument in

Re: Certificate verification

2000-03-27 Thread Douglas Lee
Still no good. Let's recap what I have done to generate the certificates. Maybe I'm doing something wrong there. I'm using the CA.sh script under openssl/apps to generate the certificates. 1) Generate new CA files using "CA.sh -newca". This generates CA certificate cacert.pem and CA key

Re: Certificate verification

2000-03-27 Thread Lutz Jaenicke
On Mon, Mar 27, 2000 at 06:36:32PM +1000, Douglas Lee wrote: 2) Generate new CR file using "CA.sh -newreq". This generates the file certificate request file newreq.pem. And the private key in newkey.pem. 3) Sign the CR file using the CA file by "CA.sh -sign". This generates the certificate

Re: Certificate verification

2000-03-27 Thread Dr Stephen Henson
See below... Douglas Lee wrote: 2) Generate new CR file using "CA.sh -newreq". This generates the file certificate request file newreq.pem. It also generates a new private key in privkey.pem 3) Sign the CR file using the CA file by "CA.sh -sign". This generates the certificate file

Re: Certificate verification

2000-03-27 Thread darkspell
Douglas Lee wrote: Still no good. Sounds like you followed the steps correctly, but that your server still can't find the private key needed to use the cert. Did you concatenate newreq.pem onto newcert.pem? Doing so puts both the cert and the key in the same file, which you can pass to both

Certificate verification

2000-03-24 Thread Douglas Lee
Hi there, I'm having a problem verifying the certificate between server and client on the sample programs serv.cc and cli.cc in the demo/ssl directory. I've modified it slightly by adding a SSL_set_verify() callback on both the server and the client side (so that the certificates are verified at

Re: Certificate verification

2000-03-24 Thread darkspell
Sounds like your client can't get its hands on the CA cert needed to verify the server's cert. SSL_CTX_use_certificate_file and SSL_CTX_use_RSAPrivateKey_file load the client-side cert and key you need to present to the server IF the server requires authentication of clients (which it

Re: Certificate verification

2000-01-04 Thread Goetz Babin-Ebell
At 12:43 04.01.00 +0200, you wrote: Hello all! Hello, For each certificate in chain I do next: i = X509_verify(x, X509_get_pubkey(x)); For many sites (www.chase.com, www.ubs.com, ...) I have that first certificate in chain has unmatched signature (i == 0). Only last certificate (from RSA )

Re: Certificate verification

2000-01-04 Thread Dr Stephen Henson
handle certificate verification, check out apps/verify.c for an example. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http

Re: Certificate verification

2000-01-04 Thread Per Nilsson
i = X509_verify(x, X509_get_pubkey(x)) will only succeed on self-signed (CA) certificates like Verisign. What you need to do is verify the cert using the pubkey of its issuer: i = X509_verify(x, X509_get_pubkey(issuer_of_x)) but this will leak memory since X509_get_pubkey(x) adds one to the

Certificate verification after session reload

1999-01-04 Thread Lutz Jaenicke
Hi, after first establishing a session, the verify_result can be obtained via SSL_get_verify_result(SSL *con), it may yield X509_V_OK or not! When reloading an old session, the certificate is not checked again; as verify_result is not stored in SSL_SESSION (at least I didn't find it) and the